A close encounter involving evaluation and extraction of the potent and tricky Fakesysdef Aka Alureon rootkit.

A client a short while ago brought a laptop into shop suffering with what was described as:

“I’m receiving the bogus screens of HDD S. M. A. R. T. on my laptop notifying me to pay for a full license in an effort to do away with the infection on my hard disk. I also receive an Avast! messages that a process called MAL interfered with process explorer. exe on my Windows XP system. I performed a scan with Avast, which indicated an infested file and a boot scan observed the Alureon-K virus. After the reboot, everything was gone! empty desktop, empty Software and empty data directories. The files are still there, though, due to the fact I ran several more scans which scanned all the docs. ”

A short while ago I’ve witnessed variations of the fixsysdef, aka Rogue. fakeHDD, wipe the notebook bare like this. This malware will store docs and shortcuts in temporary folders so prior to anything at all else I scan the system with RogueKiller. RogueKiller effectively located and updated multiple registry records which contributed to the bare desktop and missing programs folder. More particularly RogueKiller updated the registry entries: HKCU[...]Advanced: Start_Show* from a value of 0 to 1.

Next I employ the valuable program OTL. I perform an Old Timers’ OTL scan on all users and the resulting log suggests a few corrupt browser helper objects along with a suspect startup object: C: Documents and Settings%User%Local SettingsApplication DataGoogleChromeApplicationchrome. exe. Old Timers’ OTL additionally shows the location of the fakeHDD scanner: C: Documents and Settings%User%Application DataMicrosoftInternet ExplorerQuick LaunchSMART_HDD. lnk. I quickly produce an OTL recovery script and apply the fix.

The OTL log additionally indicates an illegitimate mount point. I execute a scan and cure with TDSS Killer and this effectively solves the issue. After this the notebook functions much smoother and Avast! no longer triggers an alarm.

An excess concern arises together with the Printers and Faxes directory which is entirely empty. Attempting to add a printer produces the error: ‘Operation could not be completed. The print spooler service isn’t running’. Restarting the service manually is not successful. I attempt to fix the spooler service along with the clean spooler tool to no avail. The print spooler service document has become compromised and needs to be replaced. I utilize Old Timers’ OTL to locate the original system file:


and the following command to restore the original file:

: Docs
C: WINDOWSsystem32spoolsv. exe|C: WINDOWSsystem32dllcachespoolsv. exe /take the place of

The spooler service is now backup and running. The computer can now access and print to all connected devices.

After confirming the operation of the pc I notice that flash player isn’t really working or updating in the Firefox web browser. To proceed with this fix I first download the Adobe Flash uninstaller from the adobe site. Once the Adobe flash player has been successfully removed I download the updated player, from the adobe website, for both Internet Explorer and Firefox.

I attempt to verify the proper operation of the notebook again, and this time via my checklist I notice the Windows Update service won’t begin – this pc is not receiving any windows updates. For this fix I make use of the Farbar service scanner. Here is a little background on the service scanner:

Farbar Service Scanner, is a small portable tool that enables you to detect internet connectivity defects owing to corrupted or missing Windows services. Certain malware, such as TDSS, may delete or corrupt Windows services, which would cause your computer to no longer have LAN connectivity. When FSS is run it can display a detailed report on the services, driver services, their configurations and the files that are accountable for network connectivity.

Farbar Service Scanner suggests windows security service has not started. I speedily produce a dos script to force clean up a few directories and force reboot these services:

net stop bits > junk. txt
net stop wuauserv >> junk. txt
regsvr32 /u wuaueng. dll /s >> junk. txt
del /f /s /q %windir%SoftwareDistribution*. * >> junk. txt
del /f /s /q %windir%windowsupdate. log >> junk. txt
regsvr32 wuaueng. dll /s >> junk. txt
net begin bits >> junk. txt
net start DcomLaunch >> junk. txt
net begin RpcEptMapper >> junk. txt
net begin wuauserv >> junk. txt
wuauclt. exe /resetauthorization /detectnow >> junk. txt
net start >> junk. txt
NetSH WinHTTP reset proxy >> junk. txt

After executing the script the Windows update service still will not begin. I like to employ my trusty Windows fixit tool, Windows Repair (All In One), when faced with a computer as compromised as this. Windows Repair All In One effectively automates the process of running a check disk and system file checker – it additionally repairs things such as file permissions and windows updates service.

After accomplishing the scan and fix with Windows Repair (All In One) everything operates wonderfuly, Windows update functions properly and the pc is smooth and silent.

Posted in Virus, Malware And Spyware Removal

Leave a Reply

Call Us!
Call us for a free analysis.
(818) 674-0941
Poke us