How I Finally Got Rid Of This Evil, Insidious, Irksome, Malicious, Time-Wasting, God-Awful Virus That Can Ruin Your Computer, Steal Your Passwords, Take Control of Your Hard Drive, Delete Your Files, and Rob Hours of Your Valuable Time
I just spent about 5 hours cleaning the Alureon.A trojan off an infected Windows 7 machine. This is a very insidious piece of malware: it can infect the master boot record so that it loads before Windows itself, disable anti-virus software, hijack DNS lookups in order to steal usernames, passwords, and credit card numbers, and corrupt files.
Here’s How We Learned of and Finally Fixed the Infection:
1. We have an up-to-date version of Norton 2012 Internet Security running on the Windows machine. It indicated no problems at all, even after routine full system scans! Norton totally failed to catch this threat.
2. We started to see occasional blue-screen-of-death problems with the machine, which prompted me to do a Windows Update. I noticed when doing this that several of the downloaded updates had failed to install. I got a useless error code of FFFFFFFE – Unknown Error, which wasn’t explained in any of the Microsoft documentation. Hmmm… Checking the Windows Update logs, there were three updates, stretching back to April, that had not been successfully installed. I just couldn’t get these to install after repeated attempts – each time I’d get the same nonsensical error.
3. I downloaded and updated the free Microsoft Security Essentials (MSE) utility from here. It indicated that the computer had been infected with “Trojan:DOS/Alureon.a” and offered to clean it. That was the first concrete indication that there was any infection at all.
4. I applied the fix that MSE offered but was told that the virus could not be completely removed until I downloaded and ran the “Windows Defender Offline” utility. To run it, you need to create a bootable CD (or USB drive) with the downloaded tool and boot the machine from that media.
5. I booted the machine using this CD and used the utility to do a full system scan. It did not find any problems.
6. Upon restarting the machine, the Microsoft Security Essentials utility again indicated an infection. I went through this cycle two or three times again – MSE would show that there was an infection, offer to clean it, say it was cleaned and that the machine needed to be restarted, but when I did this, the same thing would happen again.
7. I scrupulously followed the manual master boot record repair instructions on Microsoft’s support forum here. In order to do so, you need to use a Windows 7 CD to boot the machine, open a command line and run the bootrec command to manually repair and rebuild the master boot record. Upon a restart, MSE again found the trojan.
8. I finally downloaded a removal utility called TDSSKiller from here. I ran this, which indicated the presence of Rootkit.Boot.Pihar.c. I’m not sure if this is a separate trojan or just an alias for alureon.a…but I used the utility to repair the machine and future scans came up clean.
Conclusion: Only TDSSKiller seems to be able to fix this problem. Norton, MSE, and the manual instructions provided by Microsoft all failed. Norton didn’t even detect the problem. This is a very, very sophisticated virus, and it can infect you without your knowledge, without standard anti-virus applications knowing about it, and it is maddeningly difficult to remove. I think ultimately the best way of catching this is to ensure all Windows updates have been downloaded and successfully installed. I wish Windows would throw a bigger warning if an update failed to install, as that should not normally happen.
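The failed-update warning the author wishes Windows gave can be approximated with a script. The following is an added example, not the author's own code or anything shipped by Microsoft: it queries the Windows Update Agent COM API (`Microsoft.Update.Session`) for the update history and reports every installation whose result code is anything other than Succeeded, printing the HRESULT in the same 8-digit hex form Windows Update shows (the post's `FFFFFFFE`). It is meant to be run from an elevated PowerShell prompt; the function name `Get-FailedUpdateInstalls` is the example's own.

```powershell
# Added example (not from the original post): list Windows Update history
# entries whose installation did not succeed, using the Windows Update Agent
# COM API. Run from an elevated PowerShell prompt on Windows 7 or later.

function Get-FailedUpdateInstalls {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()

    # OperationResultCode values as documented for the WUA API
    $resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded';
                      3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

    if ($total -eq 0) { return @() }

    # Operation 1 = Installation (2 would be Uninstallation); keep only
    # installations whose ResultCode is not 2 (Succeeded).
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -ne 2 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Date    = $_.Date
                Title   = $_.Title
                Result  = $resultNames[[int]$_.ResultCode]
                # HResult is a signed Int32; X8 prints the two's-complement
                # form Windows Update displays in its error dialogs.
                HResult = '0x{0:X8}' -f $_.HResult
            }
        }
}

$failed = @(Get-FailedUpdateInstalls)
if ($failed.Count -eq 0) {
    Write-Host 'No failed update installations in history.'
} else {
    Write-Warning ('{0} update installation(s) did not succeed:' -f $failed.Count)
    $failed | Sort-Object Date | Format-Table Date, Result, HResult, Title -AutoSize
    exit 1
}
```

The non-zero exit code makes it easy to hang off a scheduled task so that a failed install is noticed rather than buried in the log (on Windows 7 the detailed log is `%windir%\WindowsUpdate.log`). Treat the result as an early-warning signal, not a verdict: repeated unexplained install failures are a reason to scan from boot media, as the post describes, but a clean history does not show that the machine is clean.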
Lessons Learned: We’re very careful about opening attachments, visiting suspicious sites, etc. Nevertheless, the computer was infected. I think the one thing we should have done differently that probably would have prevented the infection would be to have our day-to-day user account not be an admin account. I of course do this on my Linux machines, which are my primary computers – but Windows just defaults to have the account you set up have root privileges! I should have caught this problem but didn’t. And I’m not convinced it would have prevented the infection (though I think it would have), but it might have at least alerted us that something weird was going on with a webpage/USB trying to modify a system file.