Alureon.E creating a separate partition untouchable by System Sweeper/ Forefront?
Has anyone else seen this? This is the second time in 2 weeks that we've seen a new partition created by Alureon.E that stores the malware in a separate 1MB location. Any ideas on how to clean this? You can see the partition under Computer Management / Disk Management, but if you try to delete it, it throws an error.
January 4th, 2012 10:36am
For information about Security updates, visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates.
Regards,
Miya
Miya Yao
TechNet Community Support
January 6th, 2012 1:26am
What software is giving you this message?
January 18th, 2012 10:40am
The base problem that Clay is seeing is a TDL4 bootkit infection.
An extremely serious malware which cannot be fixed (initially) within Windows booted off the HDD.
Measures must be taken to boot off a CD then take a look at partitions on the HDD, properly reset the active/boot flag to the correct partition, then delete the bootkit partition.
Again, you can't do any first fixes booted off your HDD Windows.
For a reference on this malware, you can review this blog reference by negster22
http://secure-computer-solutions.com/blog/2011/11/a_new_tdl4_with_a_stealthy_new.html
and if Clay is still around, I have not seen it first hand, however, I have helped 2 Windows users remove and resolve their issues.
ref
http://forums.malwarebytes.org/index.php?showtopic=103838&hl=&fromsearch=1
http://forums.malwarebytes.org/index.php?showtopic=103469&hl=&fromsearch=1
Maurice Naggar ~ MVP (Oct 2002 - Sept 2010)
January 18th, 2012 12:28pm
Chuck,
I was getting this error in MS Standalone System Sweeper, part of the MS DART 7 boot disk.
Maurice. This picture was actually taken while I was booted to the CD. System Sweeper is basically Forefront/ MSE on a boot CD. I've been cleaning rootkits for years now, using System Sweeper, but this one was a little different in that it created its own partition to store the malware. I was just wondering if anyone else had seen this before. Thanks for all of the responses! It was new to me.
Clay
January 18th, 2012 1:19pm
I have seen a fair amount of this lately too. I've also had to resort to making repairs while booted from DART and not the native system on the computer. So far I've had moderate success... /Tony
February 1st, 2012 10:05am
Tony,
I take it you were able to do fixes with DART. (?)
If not, I've had success using GParted Live CD to reset the active partition & delete the hidden bootkit partition, using negster22's article as a guide.
See
http://secure-computer-solutions.com/blog/2011/11/using_gparted_to_edit_the_part_1.html
HTH
Maurice Naggar ~ MVP (Oct 2002 - Sept 2010)
February 1st, 2012 12:35pm
Clay, the easiest way to resolve this is by going to
1. Start > right-click Computer > Manage > Disk Management.
2. Look for that partition without a drive letter then delete it.
3. Restart the computer then run a full scan again.
Important note: Some cases result in a 'no boot' situation. Do this at your own risk.
Val Ramirez
May 12th, 2012 3:34pm
I'd note that before deleting the "malicious" partition, make sure to identify & mark the partition that is supposed to boot as Active, before deleting the malicious one.
Maurice Naggar ~ MS-MVP (Oct 2002 - Sept 2010) DTS-L
May 12th, 2012 4:09pm
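An added example, not from this thread or from any of the tools mentioned in it: a small Python parser that reads an MBR sector (for instance one dumped from a disk image while booted from rescue media) and reports whether the active/boot flag sits on a tiny partition instead of the main Windows partition, which is the layout Clay and Maurice describe and the thing to check before marking the correct partition Active and deleting the other one. The sample sector is constructed, and the 4 MiB threshold for "tiny" is an assumption.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
ACTIVE = 0x80  # status byte value for the active/boot flag

@dataclass
class Partition:
    index: int       # slot 0-3 in the MBR table
    status: int      # 0x80 = active (boot) flag set
    ptype: int       # partition type byte
    lba_start: int
    sectors: int

    @property
    def size_mib(self) -> float:
        return self.sectors * SECTOR / 2**20

def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    found = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * i + 16]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and sectors != 0:
            found.append(Partition(i, status, ptype, lba_start, sectors))
    return found

def audit_boot_flag(sector0: bytes, tiny_mib: float = 4.0) -> dict:
    """Report the active slot(s), tiny slots, the largest slot, and whether
    the boot flag points at a tiny partition instead of the main one."""
    parts = parse_mbr(sector0)
    active = [p.index for p in parts if p.status == ACTIVE]
    tiny = [p.index for p in parts if p.size_mib <= tiny_mib]  # assumed threshold
    largest = max(parts, key=lambda p: p.sectors).index if parts else None
    return {"active": active, "tiny": tiny, "largest": largest,
            "boot_flag_on_tiny": any(i in tiny for i in active)}

def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)

# Constructed sample sector (not from a real disk): slot 0 is a 100 GiB NTFS
# partition with the boot flag cleared; slot 1 is a 1 MiB partition placed
# after it that carries the active flag, the layout described in the thread.
SAMPLE_MBR = (bytes(446)
              + make_entry(0x00, 0x07, 2048, 100 * 2**30 // SECTOR)
              + make_entry(ACTIVE, 0x07, 2048 + 100 * 2**30 // SECTOR, 2**20 // SECTOR)
              + bytes(32) + b"\x55\xaa")
```

Run `audit_boot_flag(SAMPLE_MBR)` on the sample: it reports slot 1 as both the active and the tiny entry while slot 0 is the largest, which is exactly the situation where the Active flag must be moved back to slot 0 before the small partition is removed.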