Trojan Alureon.FO found on this site

Status
Not open for further replies.

3HaloODST (SatelliteGuys Master, Original poster, Pub Member / Supporter)
I made the mistake of using IE9 to visit this website (I always use Firefox) and COMODO Firewall as well as Windows Defender detected tons of suspicious activity. It mentions Alureon.FO. No clue which advertisement did it (I figure it was one of the ads) but it certainly did it. Just a heads up everyone. Now running scans with AVG, HouseCall, and Malwarebytes to see if everything was blocked (think COMODO and Windows Defender blocked it.) Funny thing is AVG hasn't said a word about it, but I'll be running a manual scan.

All I know so far is that it created a file named C:\TEST\Sample.exe, then deleted itself. It attempted to elevate its privileges but was stopped by UAC (UAC may be annoying to many of you folks but it's times like this that I'm thankful that I keep Windows 7 UAC on the strictest level.)

EDIT: Malwarebytes found Rootkit.TDSS.EXPD1 located in the %TEMP% directory. I was able to successfully remove it and luckily it was not able to get through any of my defenses. So it didn't execute or anything.

EDIT2: Windows Defender finished, came up clean, still running AVG, Spybot, going to also run TDSSKiller.exe.

EDIT3: TDSSKiller didn't find anything. Neither did SpyBot. AVG still running.

EDIT4: AVG came up clean on both Windows 7 and Windows 8. Guess I can stop worrying now. Never using IE again.
 
3HaloODST said:
All I know so far is that it created a file named C:\TEST\Sample.exe, then deleted itself. It attempted to elevate its privileges but was stopped by UAC

Based on the above, it sounds like it might have been executed after all. It is very possible that your computer is still infected - some of these bugs are very hard to get rid of. At the very least, make sure to restart your computer in Safe Mode (via F8) and repeat a full scan. And it is not always easy to figure out where the initial infection came from. Some of these bugs are triggered by browser plugins, e.g. activated when you view an ad that uses Java or Flash. So, if the bug manifested itself and was detected when you opened some ad in your browser, that doesn't necessarily mean that it came from that ad. In any case, make sure to update your Java, Flash, Adobe Reader and any other plugins that you use - a lot of holes have been found in those plugins lately. Also make sure to clear the browser history and cookies, run Windows Update and make sure it succeeds. Good luck!

 
Yeah, I was in Windows 7 at the time and UAC blocked whatever test.exe was attempting to do, so I assume it deleted itself in an attempt to erase its tracks. I ran TDSSKiller.exe and it didn't find anything either. I also made sure to boot into Windows 8 and ran AVG to make sure there was no trace of any rootkits. I also checked %WINDIR%\system32\DRIVERS\atapi.sys for signs of modification and it is the original file, so no signs of the rootkit. Apparently this is the rootkit that the news was talking about: those that were infected would lose their Internet connection as the FBI compromised the DNS servers that were originally malicious, and now they're shut down.

I went through this guide: Rootkit.TDSS - from Wiki-Security, a source for malware detection and computer security, and the computer exhibits none of the symptoms of infection, and an hour's worth of scans including a scan from a completely different operating system came up clean (see the previous post for the scans done), so I think that the computer is fine.

One thing I know for sure though, is that the trojan came from this website. This website was the only thing I had open in IE9, didn't have FF open, I was browsing the forum as a guest, and suddenly the computer goes crazy warning me about this trojan/rootkit. I assume that it was embedded in one of the advertisements, most likely. I am running Firefox with adblock and everything's peachy now.

Oh, and Windows Update is up-to-date (I work on computers for a living so I always keep stuff like that updated on all the machines I use) plus plugins such as Flash, Java, etc. are also up-to-date.
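The two checks the post above describes (whether the live atapi.sys is still the original Microsoft driver, and whether the machine's DNS resolvers point at the rogue DNSChanger servers the FBI took over) can be done in a few lines of PowerShell. This is an added example, not code from the thread or from any of the tools named in it. It assumes Windows 7 or later with PowerShell 4.0 or newer (Get-FileHash and catalog-signature support in Get-AuthenticodeSignature), and the rogue resolver ranges are the ones the FBI published for the DNSChanger takedown; treat that list as an assumption to confirm against the current published list before relying on it.

```powershell
# Added example, not code from the thread. Assumes Windows 7+ with PowerShell 4.0+.

# --- 1. Is atapi.sys still the Microsoft-signed original? ------------------
# System drivers are catalog-signed by Microsoft, so a patched driver fails the
# signature check; that is a stronger test than "the file looks unchanged".
# Caveat: the built-in PowerShell 2.0 on Windows 7 reports catalog-signed OS
# files as 'NotSigned' even when intact; use Sysinternals sigcheck there.
function Test-DriverSignature {
    param([string]$Path = (Join-Path $env:windir 'System32\drivers\atapi.sys'))
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                      # expect 'Valid'
        Signer = $sig.SignerCertificate.Subject   # expect a Microsoft Windows subject
        Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# --- 2. DNSChanger resolver check -------------------------------------------
# Rogue resolver ranges from the FBI's DNSChanger notice (assumption: confirm
# against the currently published list before relying on them).
$RogueDnsRanges = @(
    '85.255.112.0/20', '67.210.0.0/20',   '93.188.160.0/21',
    '77.67.83.0/24',   '213.109.64.0/20', '64.28.176.0/20'
)

function ConvertTo-UInt32Address([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()  # network byte order
    [array]::Reverse($bytes)                                       # to little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $hostBits = 32 - [int]$prefix
    # Build the mask with doubles to avoid PowerShell's signed hex-literal quirks.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, $hostBits))
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Test-DnsChangerResolvers {
    param([string[]]$Resolvers)
    foreach ($r in $Resolvers) {
        if ($r -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # skip IPv6 and empty entries
        $hit = $RogueDnsRanges | Where-Object { Test-InCidr $r $_ } | Select-Object -First 1
        [pscustomobject]@{ Resolver = $r; Rogue = [bool]$hit; Range = $hit }
    }
}

# Resolvers actually configured on this machine (WMI, so it also works on PowerShell 2.0).
$configured = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Sort-Object -Unique

Test-DriverSignature | Format-List
Test-DnsChangerResolvers -Resolvers $configured | Format-Table -AutoSize

# Constructed sanity check: the first address sits inside a rogue range, the second does not.
Test-DnsChangerResolvers -Resolvers @('85.255.113.5', '8.8.8.8') | Format-Table -AutoSize
```

A signature status other than Valid, or any resolver flagged as Rogue, is a reason to keep scanning rather than to declare the machine clean; a Valid signature on atapi.sys only tells you that particular file is intact, not that nothing else was dropped.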
 
You're a pub member and don't see ads. :)

All scans went well and no other reported issues. Since you don't see ads anyway, I do not believe that it came from here. It could have been something lying dormant just waiting for you to start IE. I have seen that happen before on machines here at the office.
 
Yeah, I was sitting in awe at the abundance of ads, so used to no ads. I know you gotta do what you gotta do, but hopefully we can isolate whatever ad has this junk in it and get rid of it.
 