Help getting rid of Alureon-K and Trojans

Alureon-K
« on: Today at 12:53:46 AM »

When I scanned I got the following message: MBR:\.\PHYSICAL DRIVE0\Partition4 Threat: MBR Alureon-K
When I tried to fix it I got Error: The request is not supported. Threat: MBR Alureon-K

I ran a full boot scan and got the following messages:

File C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\log\unp194787593.tmp.mdmp is infected by MBR:Alureon-K
When I delete it and run another full boot scan, the message keeps coming back.

File C:\hiberfil.sys is infected by win32:Hupigon-ONX [TRJ]
When I try to delete it I get: Delete: error OXC)))))43 A file cannot be opened because the share access flags are incompatible i

File C:\Documents and Settings\Bob Jones\Local Settings\Temporary Internet Files\content.IE5\E2FXZWN\xtr_new[2].htm is infected by JS:ScriptIP-inf[Trj]
When I try to delete it I get: An invalid parameter was passed to a service or function.

Attached are the logs after running MBAM, RogueKiller and OTL.

RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Bob Jones [Admin rights]
Mode: Scan – Date: 08/23/2012 19:45:07

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHW2060BH +++++
— User —
[MBR] dcb594b8d25db6ca7be124d2af2ec37f
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
User = LL1 … OK!
User != LL2 … KO!
— LL2 —
[MBR] 77e11ff8a8c13f3bde4346dea81a2f33
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 117194175 | Size: 7 Mo

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Bob Jones [Admin rights]
Mode: Scan – Date: 08/23/2012 19:46:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHW2060BH +++++
— User —
[MBR] dcb594b8d25db6ca7be124d2af2ec37f
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
User = LL1 … OK!
User != LL2 … KO!
— LL2 —
[MBR] 77e11ff8a8c13f3bde4346dea81a2f33
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 117194175 | Size: 7 Mo

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

I also attached the AdwCleaner and aswMBR logs: http://forum.avast.com/index.php?topic=53253.0

Hi bobjcpa, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

We’ll use a CD that we will make bootable. We also need a USB flash drive that has some space on it. We will not be changing any of the data on the USB device, just using it for a file.

You will also need to use FireFox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but they’re fairly straightforward and for the most part automated.

Download GETxPUD.exe to the desktop of your clean computer

[*]Run GETxPUD.exe by double clicking it.
[*]A new folder will appear on the desktop.
[*]Open the GETxPUD folder and click on the get&burn.bat
[*]The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
[*]Click on Start and follow the prompts to burn the image to a CD

Using FireFox, please download and save dumpit to your usb device.

You may want to print out this part as you will not be able to view these instructions.

[*]Leave the USB device attached to the computer
[*]Boot the infected computer with the CD you just burned
[*]with the CD in the computer, restart the computer

[*]The computer must be set to boot from the CD. Depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
[*]Once you have the computer set to boot from the CD allow it to boot
[*]A Welcome to xPUD screen will appear
[*]Click on File
[*]Expand mnt
[*]sda1,2…usually corresponds to your HDD
[*]sdb1 is likely your USB
[*]Click on the folder that represents your USB drive (sdb1 ?)
(you will be able to tell if it is the right one as the screen will populate with your files)
[*]Locate the file you downloaded and saved earlier, dumpit
[*]double click it to run it
[*]a black window will open, follow the instructions to close the window when it’s finished
[*]a file called MBR.zip should now be placed in the right hand panel
[*]Click the Home icon at top
[*]Remove the CD and click Power off
[*]Click restart

Once the computer has rebooted open the usb device and locate MBR.zip
[*]right click it and click Extract All
[*]There will be a file named sda0.bin
[*]please rename it to sda0.txt
Please attach sda0.txt and sda0info.txt to your next reply.

I was able to burn the CD but when I click on dumpit to copy or save to the USB, it appears to be a txt file with a lot of nondescript characters. Should I save this to the USB? I opened up Firefox and tried to find a site to download dumpit but am not sure if I have the correct file or software. Can you give me a few more details on dumpit and how to get the correct file?

Hi bobjcpa,

It sounds like you are downloading it with Internet Explorer. Use Firefox and you should get the correct file.

I guess I’m not very smart, but I am using Firefox as the web browser and have made it my default browser. When I try to open the link http://noahdfear.net/downloads/dumpit using Firefox, it doesn’t ask me if I want to download dumpit; here’s a portion of what I get:

#!/bin/sh -e
sed -e '1,/^exit$/d' "$0" | tar xzf - && xterm -e bash mbrdump.sh
exit

Any other suggestions?
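The file shown above is a shell self-extractor: a three-line header followed by a gzipped tar archive, which is why a text viewer shows the header and then binary noise. As an added example, not from this thread or from the dumpit tool itself, this Python builds such a file from a constructed stand-in payload and unpacks it the way the sed line does; the payload contents and the function names are my assumptions.

```python
import io
import tarfile

# The header of the dumpit file as posted above; "exit" ends the script part
# and everything after it is the archive that sed strips off and tar unpacks.
HEADER = (
    b"#!/bin/sh -e\n"
    b"sed -e '1,/^exit$/d' \"$0\" | tar xzf - && xterm -e bash mbrdump.sh\n"
    b"exit\n"
)


def make_self_extractor(files):
    """Build header + gzipped tar from {name: bytes} (constructed layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return HEADER + buf.getvalue()


def is_self_extractor(blob):
    """Cheap triage check: shell shebang plus an 'exit' line on its own."""
    return blob.startswith(b"#!/bin/sh") and b"\nexit\n" in blob


def payload_of(blob):
    """Mimic sed -e '1,/^exit$/d': drop every line up to and including the
    first line that is exactly 'exit'. split/join keeps the binary bytes intact."""
    lines = blob.split(b"\n")
    for i, line in enumerate(lines):
        if line == b"exit":
            return b"\n".join(lines[i + 1:])
    raise ValueError("no exit marker: not a self-extracting script")


def list_payload(blob):
    """Return {member name: bytes} of the embedded archive without running it."""
    with tarfile.open(fileobj=io.BytesIO(payload_of(blob)), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}


if __name__ == "__main__":
    # Constructed stand-in for mbrdump.sh; the real script is not reproduced here.
    sample = make_self_extractor({"mbrdump.sh": b"#!/bin/bash\necho stand-in\n"})
    print(is_self_extractor(sample), list_payload(sample))
```

Listing the archive this way lets you see what the file would unpack before booting anything from it.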

Hi bobjcpa,

It’s not you, seems FF is doing the same thing as IE. I got it to work once. I’ll attach it.

I had to rename it to dumpit.log. Once you have downloaded it to your flashdrive rename it to dumpit.

To download the file, right click it and click save link as

I saved the file to my flash drive and renamed it but it appears to be a .txt file with the same type of nondescript characters as previously and not a .exe executable file, which is what I think I need. Is there another program that does the same thing as dumpit that I could use? I’m not sure I can get this to work.

I found this blog post searching the internet about DumpIt. Is this the same thing? I may be able to save the executable file from this blog post if it is the same file you are suggesting I need to save to my flash drive:

One-Click Windows Memory Acquisition with DumpIt

Memory forensics is becoming an essential aspect of digital forensics and incident response. When a system is believed to have been compromised or infected, the investigator needs a convenient way to take a memory snapshot of the host. DumpIt, a new tool from MoonSols, makes this very easy, even if the person in front of the affected computer isn’t technical.

DumpIt is a fusion of two trusted tools, win32dd and win64dd, combined into one executable. DumpIt is designed to be provided to a non-technical user using a removable USB drive. The person needs to simply double-click the DumpIt executable and allow the tool to run. DumpIt will then take the snapshot of the host’s physical memory and save it to the folder where the DumpIt executable was located.

The user can then provide the investigator with the USB key, which will contain the memory snapshot file. The administrator can use free memory forensics tools such as The Volatility Framework, Mandiant Redline and HB Gary Responder Community Edition to examine the memory file’s contents for malicious artifacts.

DumpIt provides an easy way of obtaining a memory image of a Windows system even if the investigator is not physically sitting in front of the target computer. It’s so easy to use, even a naive user can do it. It’s not appropriate for all scenarios, but it will definitely make memory acquisition easier in many situations.

I downloaded what I think is the correct executable file, DumpIt.exe. I saved it to my USB flash drive and tested it on my clean computer. The black window opened up as described earlier. So I know it works.

I proceeded with the additional steps. I got to the point where I clicked on sdb1, which was the USB flash drive. When I clicked on the file DumpIt.exe nothing happened. Any thoughts on why it’s not executing or what I should do next?

Hi bobjcpa,

No that is something different. The one for xpUD is the one I attached. Remember to rename it as instructed.

I saved the file you attached to my flash drive and renamed it but it appears to be a .txt file with the same type of nondescript characters as previously described and not a .exe executable file, which is what I think I need. Is there another program that does the same thing as dumpit that I could use? I’m not sure how I can get this to work.

Hi bobjcpa,

The dumpit you need is the one that I posted. It’s an extensionless script file written for Linux. If you try opening it in Windows it won’t make sense. I had to add the .log as the forum wouldn’t let me upload it without an extension.

Did you try running it from xpUD?

I just now downloaded it with FireFox by right clicking the link and clicking “save link as”. Make sure it’s set to “all files”

I think I got it to work. I rebooted and located MBR.zip. I then clicked on Extract All. I then highlighted sda0.bin, right clicked, clicked on Rename and renamed it sda0.txt. When I click on Properties, it indicates it’s a .bin file and I can’t attach it to my reply.
When I try, the file name I’m trying to attach is \mbr\sda0.txt.bin and I guess Avast won’t let me attach a .bin file. How do I rename it so it doesn’t stay a .bin file?

Also I’m not sure where I find the sda0info.txt file?

Hi bobjcpa,

Do it this way. Open Windows Explorer
[*]uncheck hide extension for known file types
[*]at the top of screen click tools
[*]click folder options
[*]click the view tab
[*]click apply, click ok
You will now be able to rename the file correctly.

The sda0info.txt should have been in the MBR.zip file.

I have attached the sda0.txt file. There was no sda0info.txt file created when I extracted all from the MBR.zip file. Only a sda0.bin and a sdb.0bin was created. You may have to use internet explorer to open the sda0.txt file. What else do I need to do?

Hi bobjcpa,

Please note that after this fix you may still receive warnings, as we are not removing the rogue partition, just disabling it for now. It will be removed later.

Please read through this before starting. Ask any questions you have for clarification.

[*]Download tdl_fix.sh and save it to the flash drive you were using.
[*]Make sure the flash drive is attached to the sick computer.
[*]Boot into xPUD with the CD then click the File tab.
[*]Press File
[*]Expand mnt
[*]Click on the folder under mnt that represents your USB drive (sdb1 ?)
[*]You should see the tdl_fix.sh file in the main window.
[*]Select Tool from the Menu
[*]Choose Open Terminal
[*]Type bash tdl_fix.sh then press Enter

(note there is a space after bash and that is an underscore after tdl)

[*]Read the warning then type y and press Enter to continue.
[*]Type sda then press Enter when prompted.
[*]You will be shown a list of partitions to choose marking active.
[*]Type 2 then press Enter.
[*]If you are presented with a warning about no bootloader files, type n then press Enter. If this happens, please post back for further instructions.
[*]If you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
[*]The script will complete and prompt you to reboot the computer.
[*]Close the Terminal window and restart back into Windows by
[*]Click the Home icon at top
[*]Remove the CD and click Power off
[*]Click restart

Extra Note - in the event the computer will not boot to windows

Boot the computer with the xPUD CD and run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure then restart when complete.
This is a backup of the original MBR and will restore it to its current state.

Please post back with the tdl_fix.txt file that was created on your flash drive.
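As an added illustration, not part of this thread and not the code of RogueKiller or tdl_fix, the following Python rebuilds the LL2 partition table from the RogueKiller report earlier in the thread, shows the check that flags a hidden partition carrying the active flag, and performs in memory the change the tdl_fix step above makes (clear every boot flag, set it on the NTFS partition, keep a backup of the original sector). The sector counts, the zero-based partition index and all function names are my assumptions; nothing here touches a real disk.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446           # four 16-byte entries, then the 0x55AA signature
ENTRY = "<B3sB3sII"          # boot flag, CHS start, type, CHS end, LBA start, sector count
# "Hidden" variants of the common filesystem types (type | 0x10), e.g. 0x17 = hidden NTFS
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_mbr(entries):
    """entries: (boot, type, lba_start, sectors); CHS fields left zero (unused here)."""
    table = b"".join(struct.pack(ENTRY, b, b"\0\0\0", t, b"\0\0\0", s, n)
                     for b, t, s, n in entries)
    return b"\0" * TABLE_OFFSET + table + b"\x55\xaa"


# Constructed from the LL2 table in the RogueKiller report: offsets are the page's,
# sector counts are my assumption (derived from the gaps and the 60 GB drive size).
SAMPLE_MBR = build_mbr([
    (0x00, 0xDE, 63, 160587),            # DELL-UTIL, 78 MB
    (0x00, 0x07, 160650, 110736045),     # NTFS system partition, 54070 MB
    (0x00, 0xDB, 110896695, 6297480),    # "UNKNOWN" 0xdb, 3074 MB
    (0x80, 0x17, 117194175, 16065),      # hidden NTFS, 7 MB, marked ACTIVE
])


def parse_partitions(mbr):
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, n = struct.unpack_from(ENTRY, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                     # empty slot
        parts.append({"index": i, "active": boot == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "lba": lba,
                      "size_mb": n * SECTOR // (1024 * 1024)})
    return parts


def suspicious(parts):
    """A hidden partition carrying the boot flag: the BIOS hands control to it
    before the real Windows partition ever loads."""
    return [p for p in parts if p["active"] and p["hidden"]]


def deactivate_hidden(mbr, make_active_index):
    """Return (backup, patched): every boot flag cleared, then set on
    make_active_index (0-based). Mirrors the tdl_fix step, in memory only."""
    patched = bytearray(mbr)
    for i in range(4):
        patched[TABLE_OFFSET + 16 * i] = 0x80 if i == make_active_index else 0x00
    return bytes(mbr), bytes(patched)


if __name__ == "__main__":
    for p in suspicious(parse_partitions(SAMPLE_MBR)):
        print("hidden active partition at LBA", p["lba"], "type 0x%02x" % p["type"])
```

Run against a real sda0.bin dump, parse_partitions would show the same 0x17 entry that RogueKiller reports as [HIDDEN!] and [ACTIVE], which is the discrepancy behind its "User != LL2 … KO!" line.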

I have attached the tdl_fix.txt file

Hi bobjcpa,

Looks good so far. We’ll get rid of another warning then continue on.

Click start > Control Panel
[*]Double-click Power Options
[*]Click the Hibernate tab
[*]uncheck the ‘Enable hibernate support’
[*]click Apply, click ok
Reboot the computer. We can re-enable hibernate later.

Next

Download the latest version of TDSSKiller from here and save it to your Desktop.

Do not delete anything unless instructed.

[*]Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

I think this is the report that was created; it is attached.