Guess what: Infected by Alureon k rootkit\partition 4

Hi there,

I noticed that Avast has verified: Rootkit Found, Mbr:\Physicaldrive0\partition 4.
But first I saw a program called “System Check” annoying me that my computer had 14 errors… After that I looked for the answer on the internet. I noticed that was a false positive. Further, I noticed that this rootkit Alureon K was on my PC too. Damn it. I downloaded many programs to try to kill the problem, but no result. I downloaded Malware, Trojan Killer, and three others.
I saw a post that said I should run RogueKiller. I ran it on the desktop after changing its name to Mac.exe, because it wasn’t running. OK, it worked, it scanned, but after I pushed the “delete” icon it stopped; it seems to keep scanning endlessly (status: Searching for Policy Hijacks).
Is it normal? On the desktop the “Rkreport[1].txt” and a folder “RK_Quarantine” were created.
Then I stopped without knowing what to do. I think I must run aswMBR, is that right?

Sorry, my English is bad and I am a noobie…
Could you help me? Thanks.

Sorry, the image I tried to post failed.
Ow, I couldn’t click on “shortcutsFix” in RogueKiller after “Delete” was pressed.

Could you proceed directly to the aswMBR run and the OTL scan please

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Versão da Base de Dados: v2012.03.25.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
GIL :: JARDINEIRO [administrador]

Proteção: Não permitir

25/3/2012 16:49:47
mbam-log-2012-03-25 (16-49-47).txt

Tipo de Verificação: Verificação Rápida
Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opções de verificação desativadas: P2P
Objetos escaneados: 198288
Tempo decorrido: 4 minuto(s), 55 segundo(s)

Processos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Módulos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Chaves de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Valores de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Pastas Detectadas: 0
(Não foram detectados ítens maliciosos)

Arquivos Detectados: 0
(Não foram detectados ítens maliciosos)

(fim)

It is in Portuguese, is there any problem? I can reinstall in English…
I’ve tried to run aswMBR changing the name to iexplore, but an error occurred. I can’t run it.

No problem with Portuguese ;D

OK that is a big clue

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

OK, I’ve downloaded TDSSKiller, but I can’t run it. I double-click it but nothing happens…
Should I run it in safe mode?

Nope, there is one more thing I need you to do

Go to start > run
Type in diskmgmt.msc
Your disc management screen will open
Expand so that you can see all the partitions and then take a screenshot for me
Attach that

Are you able to burn a cd on the other computer ?

Yes, I can burn a CD on another PC.

The OTL files.txt.
Maybe it can help.

Hey, I posted OTL.txt in Unicode;
here it is in ANSI.

OK, let’s get at it. First I will restore the remaining missing icons. Then we will tackle the MBR problem.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - [2012/03/24 23:16:12 | 000,054,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\4ba18F.sys -- (4ba18F)
DRV - [2012/03/24 22:43:53 | 000,054,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\8598.sys -- (8598)

:Files
ipconfig /flushdns /c
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD for Gparted from the ISO image. You can use ImgBurn to do this.

Now boot from the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here…

Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted. Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is the default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 2 MB

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?

If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the
http://img822.imageshack.us/img822/641/gpartedexit.png
button.

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.
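The two `:OTL` driver lines in the fix above are the rootkit's helper drivers, and the tells are visible in the log line itself: no vendor name in the `()` field, a short random hex service name, and a .sys dropped straight into system32 instead of system32\drivers. Here is an added Python example (not OTL's code and not part of this thread) that parses OTL `DRV -` lines and applies those same checks; the two suspicious lines are the ones from the fix, the benign atapi line is constructed.

```python
"""Flag suspicious kernel drivers in an OTL log (added example, not OTL's own code)."""
import re

# One OTL "DRV -" line, as printed in the fix.  Field layout:
# DRV - [date time | size | attributes | M] (company) [type | start | state] -- path -- (service name)
DRV_RE = re.compile(
    r"^DRV - \[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S+) \| (?P<flag>\S)\] \((?P<company>[^)]*)\) "
    r"\[(?P<kind>[^|\]]+) \| (?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- "
    r"(?P<path>.+?) -- \((?P<name>[^)]+)\)\s*$"
)

HEX_NAME_RE = re.compile(r"^[0-9a-fA-F]{3,8}$")  # short all-hex service names such as 8598 / 4ba18F


def parse_drv_line(line):
    """Return a dict of fields for one DRV line, or None if the line is not a DRV entry."""
    m = DRV_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))  # "000,054,624" -> 54624
    return entry


def is_suspicious(entry):
    """The three tells the fix keyed on: empty vendor field, random hex name, .sys in system32 root."""
    no_vendor = entry["company"].strip() == ""
    hex_name = HEX_NAME_RE.match(entry["name"]) is not None and any(c.isdigit() for c in entry["name"])
    p = entry["path"].lower()
    in_system32_root = "\\system32\\" in p and "\\system32\\drivers\\" not in p
    return no_vendor and hex_name and in_system32_root


def find_suspicious_drivers(log_text):
    """Scan a whole OTL log and return the service names worth a closer look, in log order."""
    return [e["name"] for e in map(parse_drv_line, log_text.splitlines()) if e and is_suspicious(e)]


# Sample log: the two DRV lines from the OTL fix in this thread plus one constructed, benign
# Microsoft entry, to show that a vendor-named driver under system32\drivers is not flagged.
SAMPLE_LOG = """\
DRV - [2012/03/24 23:16:12 | 000,054,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\\WINDOWS\\system32\\4ba18F.sys -- (4ba18F)
DRV - [2012/03/24 22:43:53 | 000,054,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\\WINDOWS\\system32\\8598.sys -- (8598)
DRV - [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\\WINDOWS\\system32\\drivers\\atapi.sys -- (atapi)
"""

if __name__ == "__main__":
    for name in find_suspicious_drivers(SAMPLE_LOG):
        print("suspicious driver:", name)
```

Note that both flagged drivers also share the same size (54,624 bytes) and were modified within an hour of each other, which is a further hint that they are two copies of the same dropped component.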

Here is the OTL.txt after the reboot.
I just opened OTL and clicked quick scan.
I didn’t change any settings or paste any commands.
I didn’t mark “all users”.

Post the OTL.txt: in Unicode
and OTL(ANSI).txt: in ANSI

lol.
I’m doing the download on the other PC.

Once you have deleted the partition and reset the boot flag, restart in normal mode and run a quick aswMBR scan for me please

Almost there, but a problem:
I ran aswMBR and it worked; I clicked on scan (quick scan), it started to run but didn’t finish; an error occurred, announced by Windows: “An error occurred and aswMBR has to be closed.”
And it didn’t create the log… could not save it.

Here is the image of the error…

Should I run it from the command prompt?
I saw it in “Topic: Disk 0 Partition 4 INFECTED MBR:Alureon-K [Rtk]”
with: aswMBR.exe -ap 1

Hey, I tried to run TDSSKiller and it started. I didn’t use it.
I think it’s better to wait for instructions.

Hey, by the way, thanks a lot for everything until now :), this forum is very nice; I hate not understanding much more about it.

Unfortunately you may experience some time zone ping pong, it is now 1am in the UK, so essexboy will be asleep now. So unless one of the other malware removal specialists in a time zone closer to yours can pick up on this it will be later today before essexboy can get back to the forums.

Hi there,
Thanks a lot, I ran ComboFix and RogueKiller and TDSSKiller and Malwarebytes without problems. These are the tags.
But my father told me to reset (format) the computer; he’s an old guy and he uses it for his work. He was afraid, all right, he’s old already.
Well, although I believe it is all OK, I’ll format. But I feel much better after this battle against this damn infection.

Thanks a lot essexboy!!
And sorry to take your time.

Ow, don’t forget to keep feeding yourself with true food, not junk food. OK?! See ya

It locked on the banking file

How is the computer looking now?

What problems are you experiencing ?

The computer looks fine after all.
I didn’t format yet.
The only problem is the mouse… I mean the white arrow appears to be loading… the hourglass keeps appearing as if it were loading something and then goes back to the white arrow alone again. The hourglass appears and disappears like a Christmas light, damn, I hate this. And I noticed that my PC has the recycle, is it a dangerous virus?

Other stuff is OK. Avast was run and didn’t find anything.

ty