Another Alureon K!

Hey guys,

Another one for you.

Hopefully I have followed the post guide properly below. First time poster. Yesterday, I was simply watching YouTube on Firefox when all of a sudden all desktop icons disappeared, sound drivers halted, and the page changed to “Avast Enhanced Protection”. Suspected something was not right, so I Ctrl+Alt+Del'd Firefox, removed my ethernet cable and unplugged my two external drives. After doing this a load of windows popped up informing me my “hard-drive clusters” were damaged [as if!] and that all my files were locked.

I maintain a scorched earth policy generally and decided I’d just format it, as I’d recently backed up last month when buying my new video card. FORMATTED WIN7 and reinstalled the entire OS [I think I may not have cleared the 100mb partition] and reinstalled my main programs from the internet. About half an hour after reinstalling I get a warning from AVAST stating I have a rootkit MBR:Alureon infection. I have scanned the PC and submit to you the results below. Please bear in mind this is a fresh Win7 install and it is still updating Windows in the background as we speak.

Thanks in advance,
Mike


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.30.07

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Mike :: MIKE-PC [administrator]

Protection: Enabled

30/03/2012 19:47:35
mbam-log-2012-03-30 (19-47-35).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 451412
Time elapsed: 1 hour(s), 28 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
F:\Backup\Original Backup\PPC\vba\gsgetfile.dll (Trojan.Dropper) → Quarantined and deleted successfully.

(end)


Restarting PC and will continue with follow up required posts.


Update [if your reCaptcha post system visual tests will actually let me post. Some are just white noise of actual images instead of words !?!]

http://i7.photobucket.com/albums/y286/the__jin/rootkit.png

Screenshot and two logs.

I can’t seem to reply to this post with logs as it keeps telling me I already replied. Starting to get annoyed. This is basically a test. It is the stupid visual tests.

F:\Backup\Original Backup\PPC\vba\gsgetfile.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
More info on your hardware configuration please.

Do you have a single hard drive with multiple partitions? Or multiple hard drives? What is partition F: in your system?

Do you have an OEM PC like HP, Gateway, etc. with a hidden recovery partition?

When you reinstalled windows I assume you installed it in partition C:. Does that drive have multiple partitions?

Is your PC a dual/multiple boot OS?

Thanks for your reply! :slight_smile:

  1. I have a single HD on which there were originally, to my knowledge, no partitions arranged by me. It was a newly partitioned hard-drive and that last install of Win7 [which I formatted, only to find the virus still alive] was my first OS install to that drive. C: is my main single TB internal HD; F: and E: are my 2x external hard-drives to which I have some material backed up. The system is not reliant on them. I use them for storage. I can only assume that they have been compromised by this virus intrusion [since the virus appeared post-format and I think it’s safe to say it can spread] and so I have included them in the scan.

  2. I built the PC myself. Bought every single part. It is a gaming rig. The first I have constructed from scratch.

  3. My system is not a dual or multiple boot OS.

Here is the log from aswMBR. It has confirmed Alureon K.

Hi, let's get rid of the alert first.

Open Disk Manager.

Right-click this partition and select Delete:
Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 1953521664

I will look at the other logs now

Thanks for the advice. Sorry if I seem dumb but can’t seem to find the one you mean. If I am being stupid it’s because I’ve never felt the need to fiddle with partitions before. This is what I see on my screen and the only one I see close to the 1MB is the 2MB one. Is that it? Worried if I delete wrong one I will cause issues.

http://i7.photobucket.com/albums/y286/the__jin/discmanager.png

Yes, that's the one, although Avast is just reporting 1MB.

After you have deleted it run aswMBR once more please

Ok done. Attached. If we get this all sorted, do you guys have any advice where this thing could have come from, for so many people to be hit at once. Apparently Microsoft spotted this on the 8th March and I have no idea how this was contracted. I am very careful with my internet generally.

I take it I shouldn’t click “fix mbr”? [I haven’t] Or do I just scan. Results below.

Still unable to connect. Still shows the same connection, and the same repair error.

Does this virus have the ability to steal data from my PC? Just worried about sensitive data. :S

Just did another Avast scan which hasn’t picked up anything whereas before it found it.

Hello, thanks for your response. I have done the scan in safe mode. Here is the report.

Since I had formatted my PC [but still had the alert] I think I may have saved myself from deep embedding of the virus. I originally had alerts popping up [as in screenshot] even after the format. These alerts seem to have dissipated and the TDSS scan returned nothing. Hoping I am in the clear… mmmm

No… I did full scan as far as I am aware :o


30/03/2012 19:47:35
mbam-log-2012-03-30 (19-47-35).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 451412
Time elapsed: 1 hour(s), 28 minute(s), 3 second(s)

And then there was this, sure [remember this was all POST-FORMAT/OS REINSTALL]. Surprised that this rootkit stayed after a format!:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 22:00:07

22:00:07.988 OS Version: Windows x64 6.1.7600
22:00:07.989 Number of processors: 6 586 0xA00
22:00:07.989 ComputerName: MIKE-PC UserName: Mike
22:00:11.049 Initialize success
22:00:11.372 AVAST engine defs: 12033000
22:00:34.294 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
22:00:34.299 Disk 0 Vendor: Hitachi_HDS5C1010CLA382 JC4OA3MA Size: 953869MB BusType: 3
22:00:34.335 Disk 0 MBR read successfully
22:00:34.340 Disk 0 MBR scan
22:00:34.347 Disk 0 Windows 7 default MBR code
22:00:34.354 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
22:00:34.374 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 953758 MB offset 206848
22:00:34.412 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 1953521664
22:00:34.421 Disk 0 Partition 3 INFECTED MBR:Alureon-K [Rtk]
22:00:34.460 Disk 0 scanning C:\Windows\system32\drivers
22:00:38.877 Service scanning
22:00:59.100 Modules scanning
22:00:59.119 Disk 0 trace - called modules:
22:00:59.481 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
22:00:59.492 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8007acd060]
22:00:59.503 3 CLASSPNP.SYS[fffff8800188143f] → nt!IofCallDriver → [0xfffffa800740d580]
22:00:59.515 5 ACPI.sys[fffff88000fab781] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007418060]
22:01:01.353 AVAST engine scan C:\Windows
22:01:04.229 AVAST engine scan C:\Windows\system32
22:03:03.148 AVAST engine scan C:\Windows\system32\drivers
22:03:09.379 AVAST engine scan C:\Users\Mike
22:04:46.976 AVAST engine scan C:\ProgramData
22:04:56.521 Scan finished successfully
22:07:24.497 Disk 0 MBR has been saved successfully to “C:\Users\Mike\Desktop\MBR.dat”
22:07:24.502 The log file has been saved successfully to “C:\Users\Mike\Desktop\aswMBR.txt”

No. I was just watching Youtube :smiley: . I don’t have any memory sticks. My two external hard-drives are always plugged in. The virus seems to have activated itself randomly. It may have been contracted hours earlier. I am just wondering if it is gone as I am getting no more Avast rootkit alerts since I removed that partition…

Never had infection before. Drives have been fully scanned with the same tools here. That file that came up on F:\ may even have been the source for all I know but that folder was an old, old, OLD backup folder and this is a relatively new virus. So far, since I formatted the PC, noticed the rootkit still operating, removed the partition on instruction and ran these scans I think it may be totally gone. Just wanted the Malware Expert’s seal of approval :slight_smile: Here is the new scan:

Yea. I know it’s not the best move for some people, but a full format really helped. Obviously the thing stayed on in background, but I am just lucky to backup so often. :smiley: Thanks again for all your help guys. Really appreciate it and have learnt a few things too. I will give an update in 24hours of how my baby runs.

http://i7.photobucket.com/albums/y286/the__jin/IMG-20120312-00022.jpg

Unless you format all your drives totally, this is one bit of malware that will survive. Although, having said that, it was inert.

This has actually been around since December in its early form and is not new. aswMBR can cure the active version of this - but as of yet not remove the bad partition. That needs to be done manually, as in your case.
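As an added illustration of what the aswMBR log and the "delete the hidden partition" instruction above describe (my own example code, not the thread's or aswMBR's): parse an MBR partition table and flag a tiny hidden-type partition parked at the very end of the disk, like Partition 3 here. The MBR bytes are constructed to mirror the log's layout, and the size/tail heuristic is an assumption of mine, not how aswMBR itself detects Alureon.

```python
import struct

SECTOR_BYTES = 512
MB = 1024 * 1024
# MBR type IDs that mark a partition as hidden; 0x17 (hidden NTFS) is the type
# of the infected partition in the aswMBR log above.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def build_mbr(entries):
    """Constructed test MBR from (boot_flag, type_id, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (boot, ptype, start, count) in enumerate(entries):
        # 16-byte entry: boot flag, CHS start, type, CHS end, LBA start, sector count
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA MBR signature")
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:
            parts.append({"index": i + 1, "boot": boot, "type": ptype, "start": start, "sectors": count})
    return parts

def suspicious_hidden_partitions(parts, disk_sectors, max_mb=2):
    """Heuristic (my assumption, not aswMBR's logic): a hidden-type partition of a
    few MB that ends at the very end of the disk deserves a closer look."""
    hits = []
    for p in parts:
        size_mb = p["sectors"] * SECTOR_BYTES / MB
        ends_at_tail = p["start"] + p["sectors"] >= disk_sectors - 2048
        if p["type"] in HIDDEN_TYPES and size_mb <= max_mb and ends_at_tail:
            hits.append(p["index"])
    return hits

# Constructed sample mirroring the disk layout in the log (MB sizes converted to sectors).
DISK_SECTORS = 953869 * MB // SECTOR_BYTES
SAMPLE_MBR = build_mbr([
    (0x00, 0x07, 2048, 100 * MB // SECTOR_BYTES),        # Partition 1: 100 MB system
    (0x80, 0x07, 206848, 953758 * MB // SECTOR_BYTES),   # Partition 2: active Windows
    (0x00, 0x17, 1953521664, 1 * MB // SECTOR_BYTES),    # Partition 3: hidden 1 MB
])

if __name__ == "__main__":
    print("partitions to inspect:", suspicious_hidden_partitions(parse_mbr(SAMPLE_MBR), DISK_SECTORS))
```

On a real machine you would feed the first 512 bytes of the physical disk to `parse_mbr` instead of the constructed sample; the check only reports candidates and changes nothing on disk.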

Hey guys. Just giving you 24hr update. System seems secure. No sign whatsoever of the malware after multiple scans with your tools. I want to express again my many thanks!