Argh! Got infected with MBR Alureon-k [rtk] - having trouble

Looks like I got hit with my first Rootkit and I’m at a bit of a loss on how to proceed… >:(

It all started when the “System Fix” malware program popped in and started taking over my system. I was able to remove it with Malware Bytes, but then after installing a fresh copy of Avast and running a scan Avast reports the following:

MBR: \PHYSICALDRIVE0\Partition2 Threat: MBR: Alureon-K(Rtk)

It doesn’t seem like Avast is able to remove this… I’ve done some research and tried a few things but I’m not having much luck, so now I am humbly escalating and asking for help.

I have attached the results from the OTL scan. However I seem to be unable to run aswMBR.exe, when I double click the file I am asked if I want to run it, but then nothing happens… :-\

Hoping someone can advise.

TIA

I have attached the results from the OTL scan. However I seem to be unable to run aswMBR.exe, when I double click the file I am asked if I want to run it, but then nothing happens...
Does it work if you rename aswMBR.exe to explorer.exe / firefox.exe / adobe.exe?

When I try that, I get the following error message:

explorer.exe - Application Error

The application failed to initialize properly (0xc0000005). Click OK to terminate the application.

OK
anyway…essexboy will be here soon :wink:

Hi there, it may be the ADS that is stopping aswMBR - so I will remove that now and look at the MBR with another tool. Meanwhile, are some shortcuts missing?

[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2012/03/22 00:51:15 | 000,000,464 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\eLgoRAEYmIMyko
[2012/03/22 00:49:45 | 000,000,264 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~eLgoRAEYmIMyko
[2012/03/22 00:49:45 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~eLgoRAEYmIMykor
@Alternate Data Stream - 5840 bytes -> C:\Documents and Settings\T61\My Documents\gremlin.jpg:Q30lsldxJoudresxAaaqpcawXc

:Files
ipconfig /flushdns /c
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

FINALLY

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

No icons are missing. They were restored after I ran malwarebytes.

Should I still run roguekiller?

TDSSkiller does not work for me either. Same problem as with aswMBR

Yes please run both Roguekiller and OTL as there are some shortcuts in the smtp folder

Do the following:
Start > Run
Type diskmgmt.msc
Click “OK”

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

Ok ran RogueKiller and OTL, logs attached.

Still unable to run TDSSKiller

Could you give me a screenshot of Disk Management please so that I can confirm the variant

Screenshot. Hopefully…

Sorry was having trouble with the attachments…

Hopefully this post will include the last logs:

OK it is the 3MB partition that we will now need to kill - you were missing some files

Desktop: Success 8 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 6 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 2026 / Fail 0
My documents: Success 2 / Fail 0
My favorites: Success 13 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 53112 / Fail 0
Backup: [FOUND] Success 11 / Fail 187

Preferably from a clean computer, I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.


http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here…
Press ENTER


http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted. Leave this setting alone and just press ENTER.


http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]


http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 3MB
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png


http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?

If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the
http://img822.imageshack.us/img822/641/gpartedexit.png
button.

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.

Now reboot from the Windows XP Recovery Console CD and execute the following commands:

fixmbr \Device\HardDisk0
fixboot c:
exit

Once back in Windows.

Retry either aswMBR or TDSSKiller
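The two things essexboy reads off the Disk Management screenshot above are exactly what a raw partition-table check can surface: a tiny (3MB) partition that Windows never created, and the boot flag sitting somewhere other than the OS partition. The following is an added illustration, not code from this thread or from any of the tools it uses; it parses a 512-byte MBR sector and reports those two oddities. The sample sector is constructed here, and the size threshold (TINY_MB) is an assumption, not a signature.

```python
import struct

SECTOR_SIZE = 512
MBR_SIG = b"\x55\xaa"
TINY_MB = 16  # assumed threshold: the hidden partition in this thread was 3 MB

def parse_mbr(sector: bytes) -> list[dict]:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:] != MBR_SIG:
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for slot in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * slot)
        if ptype == 0:
            continue  # empty slot
        parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                      "lba": lba, "sectors": count,
                      "size_mb": count * SECTOR_SIZE / 1024 ** 2})
    return parts

def find_oddities(parts: list[dict]) -> list[str]:
    """Flag tiny partitions and a boot flag that is not on the (largest) OS partition."""
    findings = []
    active = [p for p in parts if p["active"]]
    biggest = max(parts, key=lambda p: p["sectors"], default=None)
    for p in parts:
        if p["size_mb"] < TINY_MB:
            findings.append(f"slot {p['slot']}: tiny {p['size_mb']:.1f} MB partition at LBA {p['lba']}")
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    elif biggest is not None and active[0] is not biggest:
        findings.append(f"boot flag is on slot {active[0]['slot']}, not on the OS partition (slot {biggest['slot']})")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk image: 10 GB NTFS OS partition plus a 3 MB active stub."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x00, 0x07, 63, 20971520)          # slot 0: OS, not active
    struct.pack_into("<B3xB3xII", mbr, 462, 0x80, 0x07, 63 + 20971520, 6144)   # slot 1: 3 MB, active
    mbr[510:] = MBR_SIG
    return bytes(mbr)

if __name__ == "__main__":
    for line in find_oddities(parse_mbr(build_sample_mbr())):
        print(line)
```

On a live machine the sector would come from reading the first 512 bytes of the physical drive (which needs administrator rights), but a raw sector read can itself be filtered by a bootkit that hooks the disk driver, which is why the helper also asks for a screenshot rather than trusting one tool's view.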

Ok will give that a go now. Thanks.

Here is the updated OTL log from after I did the quick scan after the roguekiller reboot. Forgot that step.

This appears to be a new twist on this variant as up until yesterday both TDSSKiller and aswMBR kicked butt

Ugh great… :-[

Ok so some progress… The partition is gone now, so that at least makes me feel a little better.

I am now able to run TDSSKiller and have posted the results. It reported 10 threats, I’m pretty sure some of them are legit processes. I did not have the cure option available for any of them, just skip, delete, and quarantine.

They are legitimate files so not a problem ;D

How is the computer behaving now ?

Could you test that Windows Update is working

It ‘looks’ like I am all back to normal. I did an Avast quick scan and it came up clean.

Just running windows update now and it’s pulling some stuff down, so it looks to me like it’s working…

Would you say that I should be good to go now? Or should I run anything else?

I would like you to use it as normal for a day and when you are happy let me know and I will remove my tools and tidy up ;D

Thanks a lot Essex! I sincerely appreciate the help! I’m usually the goto guy for this stuff but I’ve never had anything this nasty before and since this is my main machine for business I’m feeling well anxious… Just wish I knew how I got this little bugger, I’m afraid to surf now :slight_smile:

Will let you know tomorrow if everything seems all good.

In the meantime, should I delete my attachments from my posts? Not sure what the implications are of having those logs up there for everyone to review…

Thanks!

To be honest there is nothing really earth shattering in the logs apart from the computer name and what programmes you are running. But sure go ahead and remove them