MBR Alureon-K (RTK) - Need Help

system · April 6, 2012, 3:29pm

Avast has found MBR Alureon-K (RTK) on my system. I am in the process of following your directions for tools and logs to speed up the process of getting clean. I ran SuperAntispyware Professional and it found Adware.IWin Games and BrowserHijacker.Favorites which have now been removed. I ran MBM Quick Scan and saved the log file to my desktop. I downloaded OTL to my desktop. When I attempted to run OTL, Avast found the file as suspicious and put it in Sandbox. Should I suspend my anti-virus softwares: Avast, SuperAntispyware and Threatfire while attempting to clean my system?

I’d like to get this right the first time.
Thank you.

DavidR · April 6, 2012, 3:34pm

No, when the autosandbox initially reacts have it ‘Open Normally’ and remember the answer for that program (OTL), see image example (click to expand).

system · April 6, 2012, 4:56pm

Ok.
I ran the OTL scan and it saved Extras.Txt and OTL.Txt - Notepad to my desktop.
For the next step:
To attach : Within the post select:
Additional Options
Browse
Locate the OTL log
Select tthe OTL log

Where do I this? From My Computer? I have Windows XP.

Thanks.

Pondus · April 6, 2012, 5:24pm

see the box you type text in here…

just below the text i am typing now there is a “Attachment and other options”

see attached screenshot

system · April 6, 2012, 5:40pm

Ok. I understand now.
I have attached 3 logs.
Will do next step and post when finished.

system · April 6, 2012, 6:27pm

Next log being attached.

There are 2 logs in the file because I thought the scan was finished but it wasn’t.

There is also an MBR.dat icon now on my desktop that wasn’t there before. I did not click on it.

I don’t know if I should download RogueKiller or not. If I have to do this, do I suspend my anti-viruses since it says Quite all programs?

Please advise.

Thanks.

essexboy · April 6, 2012, 6:36pm

Hi whilst I look at the logs lets see if this is not the variant that has aswMBR tagged

Copy aswMBR to your root drive i.e. C:\aswMBR.exe
Click Start > Run
Copy/paste the following command into the box and press enter

aswMBR.exe -ap 1

Once it has completed then reboot and re-run aswMBR and post the log here

Meanwhile I will look at the other logs

system · April 6, 2012, 6:53pm

How do I copy aswmbr to my root drive?

Sorry but I’ve been at this for awhile and am not sure. I copied the aswmbr icon and it’s now in my C:\
but I don’t think that’s correct. How do I know if awsmbr.exe is there or not?

essexboy · April 6, 2012, 7:03pm

Thats it, the icon is the programme ;D

system · April 6, 2012, 7:08pm

Uh Oh.

Windows cannot find awsMBR.exe

Now what?

system · April 6, 2012, 7:10pm

Should I be copying the .exe file to C:\Documents and Settings since that’s where all my log files were put?

essexboy · April 6, 2012, 7:23pm

No problemo, there are many ways to skin this cat

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

system · April 6, 2012, 8:17pm

Here are the results:

The contents exceeded the limit so I’m sending it as an attachment.

When doing the scan Avast Quarantined 8 items and gave the option to Report a false positive.

essexboy · April 6, 2012, 8:28pm

Looking better, what files did Avast quarantine ?

On completion of this run can you let me know what problems remain

Re-run TDSSKiller and when you get the following item select delete

\Device\Harddisk0\DR0 ( TDSS File System )

Then

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL O3 - HKLM\..\Toolbar: (no name) - {0DCB56A9-C471-4FBE-BDAB-0FC547057806} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - {92786807-8D75-49A3-B4D0-0B9395F63671} - No CLSID value found. O3 - HKU\S-1-5-21-1606980848-1409082233-725345543-1004\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found. O3 - HKU\S-1-5-21-1606980848-1409082233-725345543-1004\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-CEC4-75A487FD6484} - No CLSID value found. O3 - HKU\S-1-5-21-1606980848-1409082233-725345543-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found. O3 - HKU\S-1-5-21-1606980848-1409082233-725345543-1004\..\Toolbar\WebBrowser: (no name) - {EFA17369-CDC0-4927-9AFC-BAAD1F96B2AE} - No CLSID value found. [2008/09/07 23:25:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9 [2009/04/06 22:15:11 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Lorna\Application Data\.# @Alternate Data Stream - 85 bytes -> C:\Documents and Settings\All Users\Desktop:$SS_DESCRIPTOR_PVX2VCGKMVF9F8NYTKBRVLNJCMLP9J5N8KGMJWMNNHCK98FGSH25VVVVVVVVVVVVV
:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

system · April 6, 2012, 8:42pm

Win32-Alureon-PS
Win32-Rootkit-gen (RTK)
Win 32:Alureon-ANP (RTK)
C:\TDSSKiller_Quarantinetsk 0005.dta - Moved to chest
Win32 Malware-gen - Moved to chest
C:\Documents and Settings\Lorna\Desktop\tdsskiller.exe - threat detected and blocked

Avast icon is no longer in my system tray but is still on my desktop.

Do I disable MBAM before re-running TDSSKiller?

essexboy · April 6, 2012, 8:47pm

No TDSSKiller is OK it is just that OTL stops all process and MBAM gets very uppity about that

We will fix the tray icon in a bit… And Avast was snagging the files that TDSSKiller was moving

system · April 6, 2012, 8:54pm

So I don’t need to disable MBM?

Do I re-run TDSSKiller the same way as before? Changing parameters or just Start Scan?

essexboy · April 6, 2012, 9:11pm

Same method as before change parameters etc ;D

system · April 6, 2012, 9:40pm

Re-ran TDSSKiller.

Threats found as shown in last section of attached file.

The only place I can see \Device\Harddisk0\DR0 is in Notepad.
Cannot delete it from there.

Hope you’re staying up late tonight

system · April 6, 2012, 9:43pm

Will wait for reply before re-running OTL.

MBR Alureon-K (RTK) - Need Help

Announcements