Infected with MBR:Alureon-K [Rtk] Help needed asap!

Hi!
Help needed!
I was just browsing around a few hours ago, and then suddenly got an avast pop-up telling me that it had blocked some site.
Then it blocked a process that had something to do with Java, called VgMJeNUWBfGqi.exe. I found it in the “Application Data” folder and deleted it.
Then I deleted another file I found with the same name. At that time I didn’t really think it would be this big. And the avast scan didn’t give any results either.
Then after a while I started to get many infection/blocked URL/application messages. And lastly that I was infected with MBR:Alureon-K, which avast called “MBR:Alurec”.
Did some searching, though it started to distract my googling about itself. Of course avast couldn’t remove it, even after performing a scan during Windows start-up.

Then I downloaded this aswMBR version 0.9.9.1665 and did a scan, but this is as far as I got… couldn’t remove it. And I didn’t quite understand how to run the command “aswMBR.exe -ap 1 to activate proper partition”.
I also ran a Malwarebytes’ Anti-Malware quick scan, which first found some MBR, which I deleted. But with the second scan it no longer found a thing.
Even though I’ve been working with computers all my life, I have no experience with rootkit infections. Luckily, I guess.
I would format my HD if I happened to have the installation CD here, but not at the moment. As well, this is my only PC and I have schoolwork to do, but with the situation like this I can’t.
I found other topics about the same issue, but couldn’t get anything out of 'em. (Or then I’m just sooo tired at this hour, and confused)
I’m also concerned about my external HD, which I removed as quickly as I noticed the infection. Could it be infected as well?

Please! I really need some help with this, as soon as possible!

Oh, and it didn’t let me “fix” only “fixMBR”.

Looking forward to hearing from you!!
Thanks a lot in advance!
~ Sofie

Sofie99, welcome to the avast! forum.

Follow this guide and attach (do not copy/paste) the logs for Malwarebytes’, OTL, and aswMBR.exe in this thread.

http://forum.avast.com/index.php?topic=53253.0

Essexboy, the specialist in removing infections, will be here tomorrow evening UK time, unless Oldman or JeffC come in earlier.

Thank you for the quick reply and welcoming!

Here’s the logs…
The mbam logs: the first one is from when it found an infection and removed it, and the last one is from when it no longer found anything.

Thank you Sofie99. Essexboy was notified. You just have to wait until tomorrow. Sorry.

Here’s also the most recent aswMBR log, as it didn’t fit into the last post…
Thank you iroc9555, guess I’ll just have to wait then and get a good night’s sleep while waiting.
(Been skipping that for a few hours since I found out about the infection; how come these things always pop up at late hours)

You are welcome. Just come back tomorrow for further instructions.

Hi iroc9555, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

We’ll use a CD that we will make bootable. We also need a USB flash drive that has some space on it. We will not be changing any of the data on the USB device, just using it for a file.

You will also need to use FireFox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but it’s fairly straightforward and for the most part automated.

Download GETxPUD.exe to your computer’s desktop.

[*]Run GETxPUD.exe by double clicking it.
[*]A new folder will appear on the desktop.
[*]Open the GETxPUD folder and click on the get&burn.bat
[*]The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
[*]Click on Start and follow the prompts to burn the image to a CD

Using FireFox, please download and save dumpit to your usb device.

You may want to print out this part as you will not be able to view these instructions.

[*]Leave the usb device attached to the computer
[*]Boot the infected computer with the CD you just burned
[*]with the CD in the computer, restart the computer

[*]The computer must be set to boot from the CD. Depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
[*]Once you have the computer set to boot from the CD allow it to boot
[*]A Welcome to xPUD screen will appear
[*]Click on File
[*]Expand mnt
[*]sda1,2…usually corresponds to your HDD
[*]sdb1 is likely your USB
[*]Click on the folder that represents your USB drive (sdb1 ?)
(you will be able to tell if it’s the right one as the screen will populate with your files)
[*]Locate the file you downloaded and saved earlier, dumpit
[*]double click it to run it
[*]a black window will open, follow the instructions to close the window when it’s finished
[*]a file called MBR.zip should now be placed in the right hand panel
[*]Click the Home icon at top
[*]Remove the CD and click Power off
[*]Click restart

Once the computer has rebooted open the usb device and attach the MBR.zip file to your next reply.

Hi oldman, thanks for the instructions!
Since the forum refused to attach the .zip file, I uploaded it to mediafire. Is that okay?
Here’s the link hxxp://www.mediafire.com/file/7hurlga8a5joiqe/mbr.zip

I uploaded it to mediafire. Is that okay?
That is okay ;)

Hi sofie99,

That’s fine. Please use FireFox again to download this next file.

[*]Download tdl_fix.sh and save it to the flash drive you were using.
[*]Make sure the flash drive is attached to the sick computer.
[*]Boot into xPUD with the CD then click the File tab.
[*]Press File
[*]Expand mnt
[*]Click on the folder under mnt that represents your USB drive (sdb1 ?)
[*]You should see the tdl_fix.sh file in the main window.
[*]Select Tool from the Menu
[*]Choose Open Terminal
[*]Type bash tdl_fix.sh then press Enter

(note there is a space after bash and that is an underscore after tdl)

[*]Read the warning then type y and press Enter to continue.
[*]Type sda then press Enter when prompted.
[*]You will be shown a list of partitions to choose marking active.
[*]Type 1 then press Enter.
[*]If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, please post back for further instructions. Just leave the computer running if you wish and use your other one to post, if you have another computer…
[*]If you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
[*]The script will complete and prompt you to reboot the computer.
[*]Close the Terminal window and restart back into Windows.
[*]Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure then restart when complete.
This is a backup of the original MBR and will restore it to its current state.

Please post back with
[*]tdl_fix.txt
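The dumpit step above saves the raw first sector of the disk (MBR.zip), and tdl_fix.sh then backs that sector up, marks the partition you choose as active and can later delete a hidden partition entry. As an added illustration, not code from this thread, from dumpit or from tdl_fix.sh, the Python below parses a 512-byte MBR sector, prints its partition table, flags the things a helper looks for in such a dump (no active partition, more than one, an active flag on an unexpected entry, an invalid status byte, overlapping entries) and shows the two table edits performed on an in-memory copy only. The sample sector is constructed inline; the function names, the heuristics and the choice of which entry counts as the expected boot partition are this example’s own assumptions. To inspect a real dump, call `parse_mbr(open(path, "rb").read())` on the extracted file instead of `build_sample_mbr()`.

```python
"""Inspect an MBR partition table and show the repair steps on a copy.

Added example (not part of the forum thread, dumpit or tdl_fix.sh).
Assumptions are marked in the comments.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"   # boot signature at bytes 510..511
TABLE_OFFSET = 446            # four 16-byte partition entries start here
ENTRY_SIZE = 16
ACTIVE = 0x80                 # status byte value for the active (bootable) entry
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class PartitionEntry:
    index: int        # 1..4, as tdl_fix.sh numbers them in its prompt
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.sectors == 0

    @property
    def is_active(self) -> bool:
        return self.status == ACTIVE


def parse_mbr(mbr: bytes) -> list[PartitionEntry]:
    """Return the four partition-table entries of a 512-byte MBR sector."""
    if len(mbr) < SECTOR:
        raise ValueError(f"need {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    entries = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append(PartitionEntry(i + 1, status, type_id, lba_start, sectors))
    return entries


def find_anomalies(entries: list[PartitionEntry], expected_active: int = 1) -> list[str]:
    """Heuristic checks on a dumped table. expected_active is an assumption:
    on the machine in this thread the helper asked for partition 1."""
    findings = []
    active = [e for e in entries if e.is_active]
    if not active:
        findings.append("no partition is marked active")
    if len(active) > 1:
        findings.append("more than one partition is marked active")
    for e in entries:
        if e.is_empty:
            continue
        if e.status not in (0x00, ACTIVE):
            findings.append(f"entry {e.index}: invalid status byte 0x{e.status:02x}")
        if e.is_active and e.index != expected_active:
            findings.append(f"entry {e.index}: active flag on an unexpected partition")
    used = sorted((e.lba_start, e.lba_start + e.sectors, e.index)
                  for e in entries if not e.is_empty)
    for (_, end1, i1), (start2, _, i2) in zip(used, used[1:]):
        if start2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def set_active(mbr: bytes, index: int) -> bytes:
    """Copy of the sector with only entry `index` (1..4) marked active.
    The caller keeps the original bytes as the backup, as tdl_fix.sh does."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[TABLE_OFFSET + i * ENTRY_SIZE] = ACTIVE if i + 1 == index else 0x00
    return bytes(buf)


def clear_entry(mbr: bytes, index: int) -> bytes:
    """Copy of the sector with partition entry `index` zeroed out of the table."""
    buf = bytearray(mbr)
    off = TABLE_OFFSET + (index - 1) * ENTRY_SIZE
    buf[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
    return bytes(buf)


def build_sample_mbr() -> bytes:
    """Constructed sample: entry 1 is an NTFS partition (type 0x07) that has lost its
    active flag; entry 2 is a small partition at the end of the disk carrying the
    active flag instead. Bootstrap area is zero-filled."""
    buf = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET, 0x00, 0x07, 2048, 409600)
    struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + ENTRY_SIZE, ACTIVE, 0x07, 411648, 2048)
    buf[510:512] = MBR_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    original = build_sample_mbr()          # keep this as the backup
    for e in parse_mbr(original):
        print(f"entry {e.index}: status=0x{e.status:02x} type=0x{e.type_id:02x} "
              f"start={e.lba_start} sectors={e.sectors}")
    print("findings:", find_anomalies(parse_mbr(original)))
    repaired = clear_entry(set_active(original, 1), 2)
    print("after repair:", find_anomalies(parse_mbr(repaired)))
```

Every edit here operates on a copy in memory and the caller keeps the untouched original, which is the same idea as the tdl_mbr_sda.bin backup the script writes before it changes anything on sda.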

Rightey!
But by flash drive do you mean the USB stick I was using with “dumpit” or the external drive I happened to have attached at the time of infection?

Hi sofie99,

The usb device you used for dumpit.

Okay, completed that. No problems appeared, computer booted normally after that.
Only weird thing is that on the programs’ “quick start” bar or whatever it’s called, there are two MSN Messenger icons (which starts with Windows; I rarely use it nowadays though) and the other one is just a black box now.
I mean, there aren’t usually two of 'em either. And avast hasn’t warned about the MBR yet… though it usually takes a while.
Anyways, here’s the txt file…

Hi sofie99,

Looks promising. One more trip with xPUD.

[*]Boot into xPUD then click the File tab.
[*]Press File
[*]Expand mnt
[*]Click on the folder under mnt that represents your USB drive (sdb1 ?)
[*]You should see the tdl_fix.sh file in the main window.
[*]Select Tool from the Menu
[*]Choose Open Terminal
[*]Type bash tdl_fix.sh -delete then press Enter.
[*]Make sure to leave a space to either side of tdl_fix.sh in the command.
[*]You should be notified of a hidden partition found and prompted to delete it.
[*]Type y then press Enter.
[*]The script will complete and prompt you to reboot the computer.
[*]Close the Terminal window and restart back into Windows.
[*]Post the contents of the tdl_delete.txt file that was created on your flash drive.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure then restart when complete.

Next

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

Please post back with
[*]tdl_delete.txt
[*]TDSSKiller log
Any problems?

It gave me the same WARNING as the first time with tdl_fix.sh, about editing the HD partition structure, that I might lose data and that backups will be made. But nothing about deleting this tdl… or anything. OK? Should I type y?

Hi

Did you type the command or click on tdl_fix.sh?

I didn’t click the tdl_fix.sh, only went to Tools -> Open Terminal and typed as you said bash tdl_fix.sh -delete, with spaces on both sides of tdl_fix.sh, and pressed Enter. What now?

Hi

After you type the command, hit enter, type y when prompted.

Okay, worked… the “deleting of hidden partition” came after that. hehe.
I’ll go on with the next step then. But here’s the tdl_delete.txt file…
Was this hidden partition something that this MBR rootkit created?
Is the avast MBR warning still yet to come? Well, it did pop up after all last time, even though it took a bit longer than usual.
… to be continued.

Hi sofie99,

Yes, the hidden partition was the infection. Avast may be alerting you to the presence of the partition or its associated files. The next tool you use should show the file if present.