I started receiving messages from AVAST that a malicious URL was blocked. These would occur in bunches, then after a pause, they would recur. The problem seemed to be in one of the SVCHOST.EXE processes. I was getting blue screens due to ATAPI.SYS when I tried to restore to an earlier restore point, which was unsuccessful. A scan by AVAST identified the problem as an ALUREON Trojan. I downloaded MBAM and TDSSKiller and ran some scans. TDSSKiller found a filesystem in a hidden partition, which I told it to delete. I am no longer getting the malicious URL blockages, but I would like to know if my computer is now malware free. What should I do now? Thank you for any help you can provide.
Hey, and welcome to the forum, irosenstein.
I think this might need an expert on, so please follow this guide and post the result here. Then an expert will check the logs for you.
You shouldn’t really run TDSSKiller and some stronger tools without guidance from a malware removal specialist, as many of the latest versions of these rootkits can, if removed incorrectly, leave your system in tatters.
So you should follow the instructions in the link given by mikaelrask.
Okay – I loaded MBAM, updated it and ran a Quick Scan. It found no threats. Here is the scan result:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.25.05
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Kari :: KAREN [administrator]
4/25/2012 10:42:14 AM
mbam-log-2012-04-25 (10-42-14).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272776
Time elapsed: 1 hour(s), 34 minute(s), 36 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Then I downloaded OTL, selected all users, pasted the Custom Scan script and ran the Quick Scan. The OTL.txt and Extras.txt are attached.
I will now proceed to load aswMBR.exe and I will post again when that is done. Thanks.
OK, I will try and get essexboy to take a look at your logs.
Hi, could you attach the TDSSKiller log as well as the aswMBR log, please?
Hi –
I am attaching the aswMBR log as well as the latest TDSSKiller log.
Let me know what else you may need. Thanks for your help.
That looks OK. Are you experiencing any problems?
Hi –
The computer is not as responsive (sometimes need to click several times to open files) as it was before the infection, but I guess I can live with that. Mostly, I just want to be sure the infection is totally gone, as I understand that Alureon is a password stealing trojan and I do not want to connect with any sites where my logons and passwords might be stolen.
Are there any other scans I should be doing?
P.S. TDSSKiller found a bunch of suspicious objects (unsigned files). Are these false positives?
No, they are just unsigned files… But the MD5s are good.
It could be well worth your while updating to SP3 and then running a little TLC on the system.
Since my last post, I had some more BSODs caused by atapi.sys, a very unresponsive system, and then I lost internet connectivity. I finally decided to wipe the hard drive and reinstall Windows. I am also updating to SP3. Hopefully this will resolve my issues. I want to thank you all for your time and efforts on my behalf.
Not a problem at all. I have found that XP really enjoys an annual re-install ;D