Alureon-G@mbr [Rtk] MBR:\Partition4 !!! Please help me essexboy

Hi,

Avast found a rootkit and Win32:Fake Sysdef - A[Trj], but it doesn't delete the rootkit.
I did everything step by step as you said in the topic "Logs to assist in cleaning malware", for which thank you very much.
I think I erased (?) Win32:Fake Sysdef - A[Trj], because now I have all my shortcuts back.
My request to you is whether you can help me clean my computer completely before I reinstall it.

I have done everything: Malwarebytes, OTL, aswMBR, RogueKiller and Farbar Service Scanner, just in case.
I also tried GETxPUD.exe / xpud_0.9.2.iso, burned with BurnCDCC, plus a USB stick made with "dumpit", but xpud_0.9.2 does not work because there are no drivers for my chipset... I also tried driver.opt, Xorg drivers, etc. I searched the net and still found no drivers for my chipset.
I also tried Microsoft Safety Scanner (64x_msert.exe) and it erased Win32:Fake Sysdef - A[Trj].
I also tried HitmanPro 3.6 (64-bit): threats found = 0.
The only thing I have not tried is TDSSKiller!!!

And so after 4 days of reading and fighting I came here.
So now things stand as follows:

1. Avast detects the following threat over and over:
   In the boot-time scan: NtCreateFile - log Error: 0x0000022 {Access Denied}
   In the desktop environment it shows: MBR:\.\PHYSICALDRIVE0/Partition4 Alureon-k[Rtk]. Normally I have only two partitions (C & D, plus the 100MB System primary partition); now I have 4 partitions:
   PC » Manage » Disk Management » Disk0 Basic 111.79GB:
   - 100MB NTFS System Primary Partition (OK!)
   - 50.05GB (C:) Healthy Boot (OK!)
   - 61.63GB DATA (D:) Healthy Primary Partition (OK!)
   - »»» 9MB Unallocated and ??? 1MB Healthy Active, Primary Partition «««
2. Malwarebytes:
   At startup it displays an error: "[OpenEvent] Failed to perform desired action. Error Code: 2"
   After the scan is complete: "The scan was completed successfully. No malicious items were detected." (?)

Please help me clean my computer before I reinstall it, and what is the most effective way to delete everything at the lowest possible level?
At the time of the attack I had an external SATA WD 1TB HDD connected, which began to work immediately (LED indicator light and noise), provoked by the virus. I turned it off, but I'm not sure whether it is infected or not. I scanned it with an Avast deep scan from the infected PC, but it says there are no problems. That was my backup :( Which program is the best way to scan it?

Now I am writing from a completely healthy PC, but I am afraid to connect my storage to this PC. This computer also has Avast I.S. (I have a license for 3 PCs; I have only one more PC left and I am thinking of activating it now on an old MacBook Pro 2009, which I bought only a few days ago, but now I wonder whether I have similar problems on this Mac or not. I need security for my online transactions.)

Excuse me for my bad English.
Thank you for your time and consideration.

Yours sincerely,

Dimka Peeva

P.S. I had to convert the text to ANSI. I hope there are no problems.


Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.25.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
PC :: PC-PC [limited]
Protection: Disabled
26-Mar-12 10:04:15 AM
mbam-log-2012-03-26 (10-04-15).txt
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 176070
Time elapsed: 7 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)


RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: PC [Admin rights]
Mode: Scan – Date: 03/26/2012 10:55:23

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 20 ¤¤¤
[PROXY IE] HKCU[…]\Internet Settings : ProxyServer (87.121.77.17:8080) → FOUND
[HJ] HKLM[…]\System : ConsentPromptBehaviorAdmin (0) → FOUND
[HJ] HKLM[…]\System : EnableLUA (0) → FOUND
[WallPP] HKCU[…]\Desktop : Wallpaper () → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyDocs (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowRecentDocs (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowUser (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyPics (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyGames (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyMusic (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowControlPanel (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowHelp (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowPrinters (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowRun (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) → FOUND
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10EARS-00Y5B1 SCSI Disk Device +++++
— User —
[MBR] 8864e430f9cc1d1fc84b13b019eaf523
[BSP] 63606df43291d30ee5f9c5cc5e7193b0 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 … OK!
Error reading LL2 MBR!
+++++ PhysicalDrive1: OCZ-VERTEX2 3.5 +++++
— User —
[MBR] 25849e9074d9e371c864862c409fe69b
[BSP] 9a3957633bccc8be40bf957f24262ce6 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 51250 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 105166848 | Size: 63112 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 234438656 | Size: 1 Mo
User = LL1 … OK!
User = LL2 … OK!
+++++ PhysicalDrive2: Verbatim STORE N GO USB Device +++++
— User —
[MBR] cd80e670f8a3b324333d5805803ed42c
[BSP] 8334fb291c5c3a1c12ad686dd82b5ffc : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 8192 | Size: 7628 Mo
User = LL1 … OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt


Sorry, but I decided to post only this Malwarebytes log. I also have 6 RKreports if necessary.

// Intel i5-2500K / 8GB RAM / Asus Maximus IV GENE-Z / SSD OCZ VERTEX2 SATA II 3.5" 120GB / GTX560i / W7 x64 Ultimate Build 7601 SP1 / Avast Internet Security 7.0.1426, virus def. version 120327-0 / Malwarebytes PRO 1.60.1.1000 //
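The fourth entry in the PhysicalDrive1 table in the RogueKiller log above is the rootkit's: type 0x17 (hidden NTFS), the only entry the tool marks [ACTIVE], 1 MB in size, and placed at sector 234438656, just past the end of D: (the 9 MB of unallocated space Disk Management reported is the gap between the two). Later TDL4/Alureon builds keep their own bootloader and file system in exactly such a partition and mark it active so the BIOS hands control to it before Windows. The parser below is an added example, not RogueKiller's code: it decodes a raw 512-byte MBR and applies a few heuristics (hidden type, active flag on a tiny partition, entry parked in free space at the tail of the disk). The sample table is constructed from the offsets and sizes in the log; the disk length is an assumption for a 120 GB SSD, the heuristic thresholds are the author's, and the bootstrap area is zeroed, so its MD5 only shows where a tool would compare against a known-good image.

```python
"""Decode a raw MBR and flag partition-table entries shaped like the one
Alureon/TDL4 adds: hidden type, active flag, tiny, parked at the end of the disk.
Added example; the heuristics and thresholds are the author's assumptions."""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # partition table starts after the 446-byte bootstrap area
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}   # "hidden" FAT/NTFS type variants
MB = 1024 * 1024 // SECTOR         # sectors per MiB


def parse_mbr(sector):
    """Return the populated primary-partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (bad length or missing 55AA signature)")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "hidden": ptype in HIDDEN_TYPES, "lba_start": lba, "sectors": count})
    return entries


def boot_code_md5(sector):
    """MD5 of the 440-byte bootstrap code; tools match this against known-good images."""
    return hashlib.md5(sector[:440]).hexdigest()


def suspicious_entries(entries, disk_sectors, small_mb=16, tail_mb=64):
    """Heuristic review of a parsed table. Returns (entry index, reason) pairs."""
    findings = []
    if sum(e["active"] for e in entries) > 1:
        findings.append((-1, "more than one active partition"))
    highest_end = 0
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        size_mb = e["sectors"] // MB
        end = e["lba_start"] + e["sectors"]
        if e["hidden"]:
            findings.append((e["index"], f"hidden partition type 0x{e['type']:02X}"))
        if e["active"] and size_mb < small_mb:
            findings.append((e["index"], f"active partition of only {size_mb} MB"))
        if e["lba_start"] > highest_end and disk_sectors - e["lba_start"] <= tail_mb * MB:
            findings.append((e["index"], "parked in free space at the very end of the disk"))
        if end > disk_sectors:
            findings.append((e["index"], "extends past the end of the disk"))
        highest_end = max(highest_end, end)
    return findings


def build_mbr(table):
    """Construct a 512-byte MBR from (active, type, lba_start, sectors) tuples.
    Bootstrap area left zeroed: constructed sample, not a real disk image."""
    sector = bytearray(SECTOR)
    for i, (active, ptype, lba, count) in enumerate(table):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def analyse(sector, disk_sectors):
    entries = parse_mbr(sector)
    return {"boot_code_md5": boot_code_md5(sector), "entries": entries,
            "findings": suspicious_entries(entries, disk_sectors)}


# Constructed from the PhysicalDrive1 table in the RogueKiller log above
# (offsets in sectors, sizes converted from MB). Only the fourth entry is active.
SSD_SECTORS = 234441648           # assumed length of a 120 GB SSD (about 111.8 GiB)
INFECTED_TABLE = [
    (False, 0x07, 2048, 100 * MB),            # System Reserved
    (False, 0x07, 206848, 51250 * MB),        # C:
    (False, 0x07, 105166848, 63112 * MB),     # D: (ends at sector 234420224)
    (True, 0x17, 234438656, 1 * MB),          # 9 MiB gap, then the hidden, active 1 MB partition
]

if __name__ == "__main__":
    report = analyse(build_mbr(INFECTED_TABLE), SSD_SECTORS)
    print("bootstrap md5:", report["boot_code_md5"])
    for e in report["entries"]:
        print(f"{e['index']} - {'ACTIVE' if e['active'] else 'xxxxxx'} type 0x{e['type']:02X} "
              f"{'HIDDEN ' if e['hidden'] else ''}start {e['lba_start']} size {e['sectors'] // MB} MB")
    for idx, reason in report["findings"]:
        print(f"  !! entry {idx}: {reason}")
```

To run this against a live disk, read the first 512 bytes of the raw device (`open(r"\\.\PhysicalDrive1", "rb")` from an elevated prompt on Windows, or `dd if=/dev/sda bs=512 count=1` elsewhere) and pass them to `analyse` together with the disk's sector count. The absence of the active flag on the System Reserved entry is itself a tell: a normal Windows 7 install marks that 100 MB partition active, and here only the rogue entry carried the flag.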

Hi, the OTL text is in Unicode and unreadable; could you re-run OTL and then post a fresh log?

Meanwhile

Copy aswMBR.exe to your root C drive (C:\aswMBR.exe)
Open an elevated command prompt:
Go to Start > All Programs > Accessories
Right click Command Prompt and select Run as administrator
In the black box copy and paste the following command:

aswMBR.exe -ap 1

Reboot as soon as aswMBR has completed.

Hi, thank you for your quick response.

I have done it with cmd. I left the window open and rebooted after aswMBR.exe completed.

I thought these had already been deleted, but they were not:
[2012-03-23 01:00:02 | 000,000,184 | -H-- | C] () – C:\ProgramData~KC15PvR3FagDvor
[2012-03-23 01:00:00 | 000,000,272 | -H-- | C] () – C:\ProgramData~KC15PvR3FagDvo

I remembered that Avast, after it found Alureon-G, detected this:
C:\ProgramData\KC15PvR3FagDvo.exe, and blocked access to:
http://muniversada.com/britix/a
http://twirdecifica.com/a/britix/a
Perhaps KC15PvR3FagDvo.exe wants to connect to some suspicious sites.

Nope, you do not want those, so they are now history along with the rest of the rubbish.

Once this run is complete can you let me know what problems remain?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2012-03-23 01:00:02 | 000,000,272 | -H-- | M] () -- C:\ProgramData\~KC15PvR3FagDvo
[2012-03-23 01:00:02 | 000,000,184 | -H-- | M] () -- C:\ProgramData\~KC15PvR3FagDvor
[2012-03-23 00:55:49 | 000,000,677 | ---- | M] () -- C:\Users\PC\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012-03-23 00:55:49 | 000,000,653 | ---- | M] () -- C:\Users\PC\Desktop\System Check.lnk
[2012-03-23 00:55:46 | 000,000,336 | ---- | M] () -- C:\ProgramData\KC15PvR3FagDvo
[2012-03-23 00:46:06 | 001,087,370 | ---- | M] () -- C:\Users\PC\Desktop\boks.3GP
[2012-03-23 01:00:02 | 000,000,184 | -H-- | C] () -- C:\ProgramData\~KC15PvR3FagDvor
[2012-03-23 01:00:00 | 000,000,272 | -H-- | C] () -- C:\ProgramData\~KC15PvR3FagDvo
[2012-03-23 00:55:49 | 000,000,677 | ---- | C] () -- C:\Users\PC\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012-03-23 00:55:49 | 000,000,653 | ---- | C] () -- C:\Users\PC\Desktop\System Check.lnk
[2012-03-23 00:55:46 | 000,000,336 | ---- | C] () -- C:\ProgramData\KC15PvR3FagDvo
[2012-03-23 00:44:40 | 001,087,370 | ---- | C] () -- C:\Users\PC\Desktop\boks.3GP

:Files
ipconfig /flushdns /c
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi,

Nothing serious happened, no BSOD; before OTL started to scan, several cmd windows popped up, and I think I saw "open -0 not found", but it was lightning fast.
Now everything is as usual: Avast found the same rootkit,
Malwarebytes tries to run and says: [OpenEvent] Failed to perform desired action. Error Code: 2
A very important clarification about Malwarebytes: I bought and installed it when my computer was already infected. I regret that I did not mention it at the beginning.

OK, let's get the other boy on the job.

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

- Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

- If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

No problems for now.
The 1MB Partition is gone.
Does this mean that my computer is clean?

Re-run TDSSKiller and, if this element shows, select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

How is the computer behaving now ?

Hi,

After these changes, when Windows starts up, I get three windows:
1. A black cmd window (_uninst_16043653 in the title bar), with no information in it.
2. The second window (6902756.exe in the title bar) is an error window that says: Windows cannot find '6902756.exe'. Make sure you typed the name correctly, and then try again.
3. Exactly the same Malwarebytes error window: [OpenEvent] Failed to perform desired action. Error Code: 2
Avast stopped showing the "Alureon threat" popup window.
What do you think, is it time to reinstall now?

Those are remnants trying to run, so they must have an associated registry key.

Could you run a fresh OTL scan please selecting all users and I will see if I can find it

Hi,

Here’s the new OTL.

OK, let's clear that now. Are you missing some shortcuts?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O4 - Startup: C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_16043653.lnk = C:\Users\PC\AppData\Local\Temp\_uninst_16043653.bat ()

:Files
ipconfig /flushdns /c
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
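Both OTL fixes in this thread end with the same four xcopy lines. They undo the trick of the FakeSysdef family ("System Check" here): the rogue sweeps the Start Menu, Quick Launch, pinned taskbar and public desktop shortcuts into %Temp%\smtmp\1 to \4 so the machine looks broken, and the fix copies them back. The script below is an added example, not the OTL fix or anyone's code from the thread: it performs the same restore in Python, with a dry-run mode, a skip list so the rogue's own System Check.lnk is not put back, and a constructed demo tree so the logic can be exercised without an infection. The destination mapping mirrors the xcopy lines (%AppData% already resolves to ...\AppData\Roaming on Windows 7, so "Roaming" is not repeated for folder 3); the fallback profile paths and the rogue shortcut name are assumptions taken from the fix above.

```python
"""Restore the shortcuts a FakeSysdef-family rogue ("System Check") swept into
%Temp%\smtmp\1..4: the same job as the four xcopy lines in the OTL fixes above,
done in Python with a dry-run mode and a skip list. Added example, not the
thread's or OTL's code; paths and the rogue shortcut name are assumptions."""
import os
import shutil
import tempfile

# The rogue's own shortcut rides along in the swept folders; do not put it back.
SKIP_NAMES = {"system check.lnk"}   # assumed name, from the OTL fix above


def default_destinations():
    """Folder number -> restore location, mirroring the xcopy lines in the fix.
    %AppData% already resolves to ...\\AppData\\Roaming on Windows 7, so 'Roaming'
    is not repeated for folder 3. Fallbacks only exist for non-Windows runs."""
    all_users = os.environ.get("AllUsersProfile", r"C:\ProgramData")
    user = os.environ.get("UserProfile", r"C:\Users\PC")
    appdata = os.environ.get("AppData", os.path.join(user, "AppData", "Roaming"))
    return {
        "1": os.path.join(all_users, "Start Menu"),
        "2": os.path.join(user, "Application Data", "Microsoft", "Internet Explorer", "Quick Launch"),
        "3": os.path.join(appdata, "Microsoft", "Internet Explorer", "Quick Launch", "User Pinned", "TaskBar"),
        "4": os.path.join(all_users, "Desktop"),
    }


def restore_smtmp(smtmp_root, destinations, skip_names=SKIP_NAMES, dry_run=False):
    """Copy every file under smtmp_root/<n> back to destinations[n], keeping the
    relative tree. Like xcopy /H /S /Y: hidden files are walked too and existing
    targets are overwritten (the hidden attribute itself is not carried over).
    Returns the (source, destination) pairs handled."""
    pairs = []
    for folder, dest_root in destinations.items():
        src_root = os.path.join(smtmp_root, folder)
        if not os.path.isdir(src_root):
            continue  # nothing was swept into this slot
        for dirpath, _, filenames in os.walk(src_root):
            rel = os.path.relpath(dirpath, src_root)
            target_dir = dest_root if rel == "." else os.path.join(dest_root, rel)
            for name in filenames:
                if name.lower() in skip_names:
                    continue
                src, dst = os.path.join(dirpath, name), os.path.join(target_dir, name)
                pairs.append((src, dst))
                if not dry_run:
                    os.makedirs(target_dir, exist_ok=True)
                    shutil.copy2(src, dst)
    return pairs


def demo_restore(work_dir=None):
    """Constructed sample: a fake smtmp tree and fake profile folders in a scratch
    directory, so the restore can be exercised on any OS without an infection."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="smtmp-demo-")
    smtmp, profile = os.path.join(work_dir, "smtmp"), os.path.join(work_dir, "profile")
    swept = {"1": ["Programs/Accessories/Notepad.lnk", "Programs/Startup/desktop.ini"],
             "4": ["Word 2010.lnk", "System Check.lnk"]}
    for folder, files in swept.items():
        for rel in files:
            path = os.path.join(smtmp, folder, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("placeholder")   # contents of a .lnk are irrelevant to the copy
    destinations = {"1": os.path.join(profile, "Start Menu"),
                    "2": os.path.join(profile, "Quick Launch"),   # no smtmp\2 folder: skipped
                    "3": os.path.join(profile, "TaskBar"),
                    "4": os.path.join(profile, "Public Desktop")}
    pairs = restore_smtmp(smtmp, destinations)
    return {
        "restored": sorted(os.path.relpath(dst, profile).replace(os.sep, "/") for _, dst in pairs),
        "all_present": all(os.path.isfile(dst) for _, dst in pairs),
        "rogue_restored": os.path.exists(os.path.join(profile, "Public Desktop", "System Check.lnk")),
    }


if __name__ == "__main__":
    import sys
    if "--demo" in sys.argv:
        print(demo_restore())
    else:   # real run: %Temp%\smtmp on the cleaned machine; add --dry-run to only list
        root = os.path.join(os.environ.get("Temp", tempfile.gettempdir()), "smtmp")
        for src, dst in restore_smtmp(root, default_destinations(), dry_run="--dry-run" in sys.argv):
            print(f"{src} -> {dst}")
```

Run it with `--dry-run` first from an elevated prompt on the affected machine and read the listing: anything under smtmp that is not a shortcut you recognise (the rogue's own .lnk, stray .exe files) belongs in the skip list, not back in the Start Menu.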

Hi,

For now only the Malwarebytes error window pops up: [OpenEvent] Failed to perform desired action. Error Code: 2

I have problems with Adobe Flash Player in Mozilla Firefox; it is impossible to update it...
When is it time to format it?

Your choice, but we could try a few repairs and then see where we can go from there. Once you have done this could you let me know what problems remain?

Download the following three programmes to your desktop

http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player_32bit.exe
http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player_64bit.exe
http://www.malwarebytes.org/mbam-clean.exe

Run both Flash uninstallers.
Remove Malwarebytes using Programs and Features.
Then run mbam-clean.exe.

Reboot

Download the IE Flash Player from here: http://get.adobe.com/flashplayer/ (untick the Google Toolbar option).
Download the Firefox version from here: http://get.adobe.com/flashplayer/otherversions/
Select your operating system and then select the non-IE browser; again, untick the Google Toolbar.

Please download Malwarebytes’ Anti-Malware

Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.05.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
PC :: PC-PC [administrator]

Protection: Enabled

05-Apr-12 9:34:09 PM
mbam-log-2012-04-05 (21-34-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250089
Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

How is the computer behaving now ?

Hi,

And again I want to thank you, because you saved my work!
I had several desktop.ini files on my desktop, but I do not think this is a problem. (?)
Windows cannot be updated now, and I tried MicrosoftFixit.wu.LB.79257064262791297.1.1.Run, WindowsActivationUpdate.exe and windows-kb890830-v4.6.exe, but without success.
I have an OEM Windows 7 version; can this be the main problem? Perhaps it now has a back door?
Basically everything is working now; what is the next step?

OK, let's go to the repair phase.

Run Farbar Service Scanner:

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

FSS log: