PCMech Forums > Help & Discussion > Networking & Online Security
Old 03-15-2012, 08:37 AM   #1
Served with Pride
Staff
Premium Member
Join Date: Apr 2003
Location: near the left coast of Michigan
Posts: 14,654
Removing another pest -- Alureon.E

Yesterday, I had the thrill of disinfecting an XP machine. Once Malwarebytes came up clean, I rebooted and MS Security Essentials came up red to notify me that it had detected Alureon.E. As is the case with so many of these Alureon varieties, MSSE detects it and says it removes the threat, but when you reboot, it's still there. Internet research revealed no easy solution for removal, and the most reliable sites were offering "log posting" assistance to those seeking help. Some sites were offering an "Automatic Removal Tool", but the sites weren't ones I was familiar with. That's when I decided to find my own way of removing this pest.

If you use the "Show Details" option in MSSE, you'll probably notice that Alureon.E is residing in "boot/xxxx/HardDisk3", or I'd suspect HardDisk2 if your PC doesn't have a Recovery partition. The HP I was cleaning did have the Recovery partition. The HP only showed 2 partitions in My Computer, but Disk Management showed a small, 2 MB area behind the Recovery partition. Now, here's the "how to remove" part.

Download and install the free EaseUS Partition Manager. Open the program and the graphic should reveal a hidden partition on the end of the drive. Select that hidden partition from the list of partitions and select Delete Partition. Click on Apply and the offending partition will magically disappear. In my case, it was added to the adjacent Recovery partition.
Next, get your XP Home or XP Pro installation disk (you can use an XP Pro disk for XP Media Center) and boot to the disk. When you get the options to Install Windows XP or press "R" for Recovery Console, press R. The command prompt will start. Select your boot partition, typically C, and press Enter without entering a password when asked for the Administrator password (unless you've installed one previously). At the C: prompt, type "fixmbr" and say Yes to the change. Then type "fixboot" and also say Yes. Both commands are done without the "-". Reboot your computer and the pest should be gone!

The fixmbr and fixboot operations are a bit different in Vista and Windows 7, since those OSs use Windows Recovery instead of the older Recovery Console. Here's an article on how to use the Bootrec command in Windows Recovery.

Keep in mind, the actual removal of Alureon.E was done AFTER the computer was thoroughly cleaned using RKill, TDSSKiller, Malwarebytes and MS Security Essentials. I hope this helps others remove this pest, but I make no guarantees. You still need a good understanding of how to run the previously mentioned antimalware tools.
__________________
Getting old is not for sissies!
Panama Red is offline
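The hidden tail partition described in the post can be looked for without a GUI. The following is an added example, not code from the original post or from any of the tools it names: it parses a legacy MBR partition table (from a disk image, or from the first 512 bytes read off a raw disk) and flags small partitions that sit at the very end of the disk, which is the pattern the post describes. The disk geometry and partition layout in `build_sample_mbr` are constructed for the demonstration, and the 16 MB size cutoff in `flag_suspicious` is an assumed threshold, not a value from the thread.

```python
"""Parse a legacy MBR partition table and flag small trailing partitions.

Added example (not from the forum thread). The thread describes Alureon.E
surviving cleanup inside a ~2 MB partition at the end of the disk that Disk
Management shows but My Computer does not. This script lists every MBR
partition entry and flags tiny ones that touch the tail of the disk so a
technician can investigate before running fixmbr/fixboot.
"""
import struct

SECTOR = 512
MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of bootstrap code precede the table
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

# Constructed geometry: a 500 GB disk as reported by most vendors (assumed value).
DISK_SECTORS = 976_773_168


def _entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields are zeroed, LBA is authoritative."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr(disk_sectors):
    """Constructed sample resembling the HP in the post: Recovery partition,
    bootable Windows partition, then a 2 MB partition at the very end of the disk."""
    tail_sectors = (2 * 1024 * 1024) // SECTOR                     # 4096 sectors = 2 MB
    recovery = _entry(0x00, 0x07, 63, 20_000_000)                   # ~9.5 GB NTFS
    windows_start = 63 + 20_000_000
    windows = _entry(0x80, 0x07, windows_start,
                     disk_sectors - windows_start - tail_sectors)    # fills the middle
    tail = _entry(0x00, 0x07, disk_sectors - tail_sectors, tail_sectors)
    empty = b"\0" * PART_ENTRY_SIZE
    bootstrap = b"\0" * PART_TABLE_OFFSET                          # boot code not modelled
    return bootstrap + recovery + windows + tail + empty + BOOT_SIGNATURE


def parse_mbr(data):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(data) < MBR_SIZE:
        raise ValueError("need at least 512 bytes of MBR data")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + PART_ENTRY_SIZE])
        if ptype == 0 and count == 0:
            continue                                                # unused slot
        entries.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR / (1024 * 1024),
        })
    return entries


def flag_suspicious(entries, disk_sectors, max_mb=16.0, tail_slack_sectors=2048):
    """Return entries no larger than max_mb whose end lies within tail_slack_sectors
    (1 MiB by default) of the last sector: small, at the disk tail, easy to overlook."""
    flagged = []
    for e in entries:
        end = e["lba_start"] + e["sectors"]
        if e["size_mb"] <= max_mb and end >= disk_sectors - tail_slack_sectors:
            flagged.append(e)
    return flagged


def report(mbr, disk_sectors):
    """Print the table and return the flagged entries."""
    entries = parse_mbr(mbr)
    for e in entries:
        boot = "*" if e["bootable"] else " "
        print(f"{boot} #{e['index']} type=0x{e['type']:02X} start={e['lba_start']:>12} "
              f"sectors={e['sectors']:>12} size={e['size_mb']:>10.1f} MB")
    flagged = flag_suspicious(entries, disk_sectors)
    for e in flagged:
        print(f"SUSPICIOUS: small partition #{e['index']} ({e['size_mb']:.1f} MB) at end of disk")
    return flagged


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: mbr_check.py <image-or-raw-device> [total-sectors]
        # Without a sector count the disk end is taken from the last partition's end,
        # so a tail partition can only be flagged if it is present in the table.
        with open(sys.argv[1], "rb") as f:
            data = f.read(MBR_SIZE)
        total = int(sys.argv[2]) if len(sys.argv) > 2 else \
            max(e["lba_start"] + e["sectors"] for e in parse_mbr(data))
        report(data, total)
    else:
        report(build_sample_mbr(DISK_SECTORS), DISK_SECTORS)
```

Run without arguments it prints the constructed three-entry table and flags the 2 MB tail partition; pointed at a `dd` image of the first sector plus the disk's sector count it does the same for a real disk. It reports, it does not modify anything; deleting the partition and rewriting the boot code remain the manual steps the post describes.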
Old 03-16-2012, 07:31 AM   #2
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
Quote:
Originally Posted by Panama Red
Download and install the free EaseUS Partition Manager. Open the program and the graphic should reveal a hidden partition on the end of the drive. Select that hidden partition from the list of partitions and select Delete Partition. Click on Apply and the offending partition will magically disappear. In my case, it was added to the adjacent Recovery partition.
I'm so glad you posted this! If you recall, a month or so back we had discussed PCs that would not start to Windows after cleaning the HD as a slaved drive using a test computer. Well, about a week ago I had the same thing happen and I discovered a "hidden partition" as you describe above. I used GParted to view the HD partitions and deleted that hidden partition, and the computer restarted! So this hidden partition thing is key to cleaning certain types of infections.

One other thing. Using all three (Malwarebytes, SuperAntiSpyware, and MSE or NOD32) is NOT ENOUGH! We really need to add one more tool: a rootkit detector. My preference is TDSSKiller (free, by Kaspersky). I found that TDSSKiller will sometimes find and delete a rootkit on a slaved drive, but not always. This means you have to run TDSSKiller on the HD after it's been initially cleaned as slaved and reinstalled back in the original computer.

Thanks for posting about the "hidden partition" thing. I was going to post about the same issue after I had used that fix on some other computers to better test my theory. You got it! I'm pretty sure of it now.

---pete---
Petef56 is offline
Old 06-27-2012, 05:58 PM   #3
Member (1 bit)
 
Join Date: Jun 2012
Posts: 1
Just joined the forum to add my 2 cents!

VERY pleased to find this simple way of getting rid of Alureon.E. In my case, I spent most of yesterday scanning an XP Pro system with Malwarebytes and VIPRE Rescue, and each time there were additional infections found. Finally decided to reformat and reinstall XP. I moved My Documents to an external drive, ran setup (XP Pro SP3), deleted the current partition and recreated 2 new ones, then installed. Soon after completing, I installed MSE and the first scan popped up Alureon.E. Deleted it and rebooted. Still there! Meanwhile I was searching for details about the virus, and found your post. Went to Admin Tools | Disk Management, and found a small partition, which I deleted. THEN went back to MSE and deleted the infection. File not found, it said.

Rebooted, and, just to be safe, installed EaseUS, wiped the now unallocated area, and expanded my data partition to use the space. Then did fixmbr (a note said I had a "non-standard boot record. Was I sure I wanted to fix it?"). I said yes, and likewise to fixboot. And it seems fine now. MSE is green with delight!

So thanks again for the tip.

Graham
GreyBat is offline
Old 06-27-2012, 07:26 PM   #4
Techphile.
Join Date: Nov 2003
Location: San Francisco Bay
Posts: 6,568
How did this thread get over 1300 views? What causes that?
__________________
Asus P8P67 WS Revolution | Intel 2600K @ 4.7 GHz | Win 7 Pro 64 |8 gigs Corsair 1600 | Two Diamond 6990's in Crossfire| Corsair AX1200 | Thermalright Silver Arrow | Western Digital Black 2TB 64 meg cache | Lian-Li PC-A71B | Logitec Z-5500 | Three Asus 26" VW266H monitors running under Eyefinity |
David M is offline
Old 06-27-2012, 11:38 PM   #5
glc
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,189
Search bots.
glc is offline