The Alureon rootkit was first seen in 2006. PCs usually get infected when the user manually downloads and installs Trojan software, and it has been seen bundled with the rogue security software Security Essentials 2010. When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to write a filesystem at the end of the disk; it then infects low-level system drivers such as those responsible for PATA operations (atapi.sys) to implement its rootkit. While Alureon has also been known to redirect search engines to commit click fraud, Google has taken steps to mitigate that for its users by detecting the redirection and warning the user. Once installed, it blocks access to Windows Update and attempts to disable some anti-virus products.
The malware drew considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015. The malware was using a hard-coded memory address in the kernel that changed after installation of the hotfix. Microsoft subsequently modified the hotfix to prevent installation if an Alureon infection is present, while the malware author also fixed the bug in his code.
In November 2010, the press reported that the rootkit has evolved to the point that it is able to bypass the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7 by subverting the master boot record, something that also makes it particularly resistant on all systems to detection and removal by anti-virus software.
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to bring up the Task Manager.
2. Click on the "Processes" tab.
3. Select "gnllh.exe" and click "End Process."
4. Repeat Step 3 for "nzbxn.exe," "playercodec1000.exe," "zcodec1000.exe" and "kdepd.exe."
5. Close the Task Manager.
Delete Registry Values
6. Go to the "Start" menu and click "Run."
7. Type "regedit" and hit "Enter" to launch the Registry Editor.
8. Navigate to the following keys and then delete all values in the right pane of the window:
9. Close the Registry Editor.
10. Go to the "Start" menu and click "Search."
11. Select the hard drive from the drop-down menu and check the "All Files and Folders" option.
12. Type "freevideo" and hit "Enter." Delete all of the found items and repeat for "hqvideo."
13. Close the window and restart your computer.
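The process-termination and file-search steps above can be scripted so that an analyst first gets an inventory (process path, file path and SHA-256) before deleting anything. The following PowerShell script is an added example, not part of the original page or of any removal tool it mentions; it uses only the process names and file-name fragments listed in the steps above, runs in report-only mode unless the -Remove switch is given, and assumes it is run from an elevated (Administrator) prompt. The registry keys for step 8 are not given on the page, so that step is deliberately not automated here.

```powershell
# Added example (not from the page): inventory and optionally remove the
# artefacts named in the manual steps. Report-only unless -Remove is passed.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Process names from steps 3-4 (Get-Process reports names without ".exe").
$suspectProcesses = @('gnllh', 'nzbxn', 'playercodec1000', 'zcodec1000', 'kdepd')

# File-name fragments from step 12.
$suspectNamePatterns = @('*freevideo*', '*hqvideo*')

# Steps 1-4: find and (optionally) terminate the listed processes.
$found = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $suspectProcesses -contains $_.ProcessName })

foreach ($p in $found) {
    # $p.Path can be empty for processes the caller cannot query.
    Write-Output ("Process {0} (PID {1}) path: {2}" -f $p.ProcessName, $p.Id, $p.Path)
    if ($Remove) {
        Stop-Process -Id $p.Id -Force -ErrorAction Continue
    }
}
if ($found.Count -eq 0) { Write-Output 'No listed process names are running.' }

# Steps 10-12: search every local fixed drive for the listed file names.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }

foreach ($d in $drives) {
    foreach ($pattern in $suspectNamePatterns) {
        Get-ChildItem -Path $d.Root -Filter $pattern -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Record a hash of each file before it is removed so the
                # inventory can be compared against later scans.
                $hash = ''
                if (-not $_.PSIsContainer) {
                    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                    if ($h) { $hash = $h.Hash }
                }
                Write-Output ("File {0} SHA256={1}" -f $_.FullName, $hash)
                if ($Remove) {
                    Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction Continue
                }
            }
    }
}
```

Run it once without -Remove to review the inventory, then with -Remove to carry out the deletions, and reboot as step 13 requires. Because the page itself describes Alureon hooking disk drivers and, in the later variant, the master boot record, a script that reads the filesystem through the running kernel can be shown a clean view; treat an empty result from this script as inconclusive and fall back to the dedicated removal tool described below or to a scan from outside the infected OS.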
Alureon trojan virus removal tool
Download the TDSSKiller.exe file (on the link below) on the infected (or potentially infected) computer.
Run the TDSSKiller.exe file.
Wait for the scan and disinfection process to be over. It is necessary to reboot the PC after the disinfection is over.