MBR:Alureon-K [Rtk]

Good evening,

I decided to check my system for viruses today and avast! pretty soon found a rootkit infection named MBR:Alureon-K [Rtk].

I’ve been googling about this rootkit for quite some time, but I really don’t understand that much about technology to be able to deal with this problem on my own.
And due to this lack of technological knowledge I’m sort of unable to know what kind of information you guys need to help me out (if possible) or where exactly to find it.

I’d be very thankful if someone could take his or her time and help me out a bit on this one. Kind of like a step-by-step instruction.
Of course I understand that you will be unable to accomplish this without my help in the form of information about my system, and I do not expect you to perform wonders.
What I mean by step-by-step instructions is rather “We need information XY, which you will find out with program YX, in order to be able to help you.”

I may not know or understand that much about technology as of now, but I’m willing to learn and will gladly offer as much help as possible so that you might be able to help me.

Thank you in advance,
Hawkness

P.S. What I CAN tell you, is that I’m using Windows XP, Service Pack 3. I hope this helps.

Follow this guide and attach (not copy and paste) the Malwarebytes / OTL / aswMBR logs:
http://forum.avast.com/index.php?topic=53253.0

A removal specialist will be notified when done.

I’m doing the scans at the moment. I noticed that the Malwarebytes log is in German (although I chose English as the installation language).

Any way to change this so you can actually work with the logs? :confused:

EDIT: Never mind, I found out! Doing the scan again.

Monitoring… :slight_smile:

So, scans are done :slight_smile: Hopefully you can find something.
Logs are attached.

Hi,

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]when the window opens, click on Change Parameters
[*]under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)


Followed the instructions. However, when the scan finished, there was no “reboot” button (nor any malicious files. There were two files with a level of “medium” though).

TDSSKiller log attached.

This second log file (attached) is from an earlier scan with TDSSKiller I made today (I had already read about this program in the context of Alureon, so I had given it a shot already). This scan included a malicious file, which I used the cure option on.
There was no “reboot” option either.

Hi,

Run TDSSKiller again. When you get to the entry here >> \Device\Harddisk0\DR0 ( TDSS File System ) remove/delete it and then attach that new log. :slight_smile:
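Some background on what that entry means. The TDSS/TDL4 family (avast calls it MBR:Alureon) overwrites the boot code in sector 0 of the disk and keeps its own encrypted file system in the unpartitioned sectors after the last partition; that hidden area is what TDSSKiller reports as “TDSS File System” on \Device\Harddisk0\DR0. The script below is an added example, written for this page rather than taken from the thread or from TDSSKiller/aswMBR, showing the first checks such a tool performs on a raw 512-byte MBR: the 0x55AA boot signature, the four partition entries, a hash of the boot code to compare against a copy from a known-clean install, and how many sectors lie after the last partition. The sample MBR, the disk sizes and the 2048-sector slack threshold are constructed assumptions; `read_mbr` reads the real sector 0 only on Windows with administrator rights.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # boot code occupies bytes 0..445
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
SLACK_THRESHOLD = 2048        # assumption: >1 MiB of trailing free space is worth a look


@dataclass
class Partition:
    slot: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition (exclusive)."""
        return self.lba_start + self.sector_count


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_sha256: str      # compare with the hash of a known-clean MBR of the same OS
    partitions: List[Partition]


def parse_mbr(mbr: bytes) -> MbrReport:
    """Parse sector 0: boot code, four partition entries, 0x55AA signature."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for slot in range(4):
        offset = PART_TABLE_OFFSET + slot * ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, offset)
        if type_id == 0 and count == 0:
            continue  # empty slot
        partitions.append(Partition(slot, status == 0x80, type_id, lba_start, count))
    return MbrReport(
        signature_ok=mbr[510:512] == BOOT_SIGNATURE,
        boot_code_sha256=hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        partitions=partitions,
    )


def trailing_unallocated(report: MbrReport, disk_sectors: int) -> int:
    """Sectors after the last partition: the area a TDL4-style hidden file system lives in."""
    if not report.partitions:
        return disk_sectors
    return max(disk_sectors - max(p.lba_end for p in report.partitions), 0)


def findings(report: MbrReport, disk_sectors: int, slack_threshold: int = SLACK_THRESHOLD) -> List[str]:
    """Human-readable anomalies; an empty list means nothing stood out."""
    out = []
    if not report.signature_ok:
        out.append("boot signature 0x55AA missing")
    bootable = [p for p in report.partitions if p.bootable]
    if len(bootable) != 1:
        out.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    slack = trailing_unallocated(report, disk_sectors)
    if slack > slack_threshold:
        out.append(f"{slack} unallocated sectors after last partition")
    return out


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code, one bootable NTFS partition at LBA 63."""
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + ENTRY_LEN] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (Windows, administrator rights required).
    Caveat: an active TDL4 hooks disk I/O and hands back a clean-looking copy of the
    MBR, so read from a clean boot environment or with the disk attached elsewhere."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    sample = parse_mbr(build_sample_mbr())
    for part in sample.partitions:
        print(f"slot {part.slot}: type 0x{part.type_id:02x} LBA {part.lba_start}-{part.lba_end - 1}"
              f"{' (bootable)' if part.bootable else ''}")
    print("boot code sha256:", sample.boot_code_sha256)
    print("findings on a 1,002,000-sector disk:", findings(sample, 1_002_000))
    print("findings on a 1,020,000-sector disk:", findings(sample, 1_020_000))
```

The trailing-space check is only a pointer: a few hundred sectors of slack is normal partition alignment, while tens of thousands of unallocated sectors behind the last partition on a disk that was fully partitioned at install time deserves a look with a tool that can read that region (aswMBR and TDSSKiller do exactly that). The boot-code hash is only useful against a baseline you trust, such as the MBR written by the Windows XP installer on an identical build.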

Will avast be able to cope with MBR:Alureon in the future?
TDSSKiller is good, but I would like avast to manage that too.

Please start a new topic for your question. Thanks.

And here’s the new log :slight_smile:

There we go…that looks better. :slight_smile:

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Hopefully this looks even better :stuck_out_tongue:

Hi,

Are you aware that your system is set up to run from a proxy server?

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click VirusTotal

Browse to the following and press Open (one at a time if more than one file is listed)

c:\winxp\system32\drivers\mfx.sys

Click “Scan It”, wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.

I’m not quite sure what you mean by that. However, I did follow a guide for safer web browsing which included installation of a second OS in a VM. I got stuck on this part, so I dropped it.
Could it have anything to do with the rootkit infection or is it more of an additional, yet unrelated problem?

Anyway, I did not have a file called mfx.sys. The most similarly named file was called mf.sys and it was in the same folder, so I scanned this one and hope it’s the right file after all.

Also, there seems to be no trouble with this file; here is the VirusTotal result:

SHA256: c668f419579addf37558241982b0334a93644e9c05919967c494fe9853e62d5b
SHA1: eb02adf12224a77116655ccfabd4af24f5e530c4
MD5: a7da20ab18a1bdae28b0f349e57da0d1
File size: 62.3 KB ( 63744 bytes )
File name: mf.sys
File type: Win32 EXE
Detection ratio: 0 / 42
Analysis date: 2012-05-31 15:28:06 UTC ( 1 Minute ago )
Antivirus Result Update
AhnLab-V3 - 20120531
AntiVir - 20120531
Antiy-AVL - 20120531
Avast - 20120531
AVG - 20120531
BitDefender - 20120531
ByteHero - 20120531
CAT-QuickHeal - 20120531
ClamAV - 20120531
Commtouch - 20120531
Comodo - 20120531
DrWeb - 20120531
Emsisoft - 20120531
eSafe - 20120530
F-Prot - 20120531
F-Secure - 20120531
Fortinet - 20120531
GData - 20120531
Ikarus - 20120531
Jiangmin - 20120531
K7AntiVirus - 20120530
Kaspersky - 20120531
McAfee - 20120531
McAfee-GW-Edition - 20120530
Microsoft - 20120531
NOD32 - 20120531
Norman - 20120531
nProtect - 20120531
Panda - 20120531
PCTools - 20120531
Rising - 20120531
Sophos - 20120531
SUPERAntiSpyware - 20120531
Symantec - 20120531
TheHacker - 20120531
TotalDefense - 20120531
TrendMicro - 20120531
TrendMicro-HouseCall - 20120531
VBA32 - 20120530
VIPRE - 20120531
ViRobot - 20120531
VirusBuster - 20120530
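One thing worth checking before reading too much into a result like this: the report above is for mf.sys, while mfx.sys was the file requested, and the later ComboFix script removes a driver service called MFX. A driver that is registered but cannot be found on disk can be a stale service entry, or it can be a file the rootkit is hiding. Either way, the sample that was scanned has to be tied to the file that was asked for, and hashes do that better than file names. The script below is an added example, not part of the thread and not VirusTotal’s own tooling: it parses a pasted VirusTotal result of the form shown above into hashes, detection ratio and per-engine verdicts, hashes a local file, and reports name or hash mismatches. The report excerpt is constructed from the values above with only six of the 42 engine rows kept; the function names are assumptions of this example.

```python
import hashlib
import re
import sys
from typing import Dict, List, Optional

HASH_RE = re.compile(r"^(SHA256|SHA1|MD5):\s*([0-9a-fA-F]+)$")
RATIO_RE = re.compile(r"^Detection ratio:\s*(\d+)\s*/\s*(\d+)$")
NAME_RE = re.compile(r"^File name:\s*(.+)$")
SIZE_RE = re.compile(r"^File size:.*\(\s*(\d+)\s+bytes\s*\)$")
ENGINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d{8})$")  # "<engine> <result or -> <yyyymmdd>"
EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_vt_report(text: str) -> dict:
    """Turn a pasted VirusTotal summary into hashes, ratio, name, size and engine verdicts.
    Lines that match none of the patterns (vote counts, 'More details', headers) are ignored."""
    rep = {"hashes": {}, "ratio": None, "name": None, "size": None, "engines": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_RE.match(line)
        if m:
            alg, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == EXPECTED_HEX_LEN[alg]:
                rep["hashes"][alg] = digest
            continue
        m = RATIO_RE.match(line)
        if m:
            rep["ratio"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = NAME_RE.match(line)
        if m:
            rep["name"] = m.group(1)
            continue
        m = SIZE_RE.match(line)
        if m:
            rep["size"] = int(m.group(1))
            continue
        m = ENGINE_RE.match(line)
        if m:
            engine, result = m.group(1), m.group(2)
            rep["engines"][engine] = None if result == "-" else result  # "-" means clean
    return rep


def flagged_engines(rep: dict) -> List[str]:
    """Engines that returned a detection name rather than '-'."""
    return sorted(e for e, r in rep["engines"].items() if r)


def hash_file(path: str) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of a local file, streamed so large drivers do not need to fit in memory."""
    digests = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def cross_check(rep: dict, requested_name: str, local_hashes: Optional[Dict[str, str]] = None) -> List[str]:
    """Does the report describe the file that was asked for, and the file that is on disk?"""
    issues = []
    if rep["name"] and rep["name"].lower() != requested_name.lower():
        issues.append(f"report is for {rep['name']}, not the requested {requested_name}")
    for alg, digest in (local_hashes or {}).items():
        if alg in rep["hashes"] and rep["hashes"][alg] != digest.lower():
            issues.append(f"{alg} of local file differs from the scanned sample")
    return issues


# Constructed excerpt of the result pasted above (six of the 42 engine rows kept).
SAMPLE_REPORT = """\
SHA256: c668f419579addf37558241982b0334a93644e9c05919967c494fe9853e62d5b
SHA1: eb02adf12224a77116655ccfabd4af24f5e530c4
MD5: a7da20ab18a1bdae28b0f349e57da0d1
File size: 62.3 KB ( 63744 bytes )
File name: mf.sys
File type: Win32 EXE
Detection ratio: 0 / 42
Analysis date: 2012-05-31 15:28:06 UTC ( 1 Minute ago )
More details
Antivirus Result Update
AhnLab-V3 - 20120531
Avast - 20120531
Kaspersky - 20120531
McAfee-GW-Edition - 20120530
Microsoft - 20120531
TrendMicro-HouseCall - 20120531
"""

if __name__ == "__main__":
    report = parse_vt_report(SAMPLE_REPORT)
    print("sha256:", report["hashes"].get("sha256"), "ratio:", report["ratio"])
    print("flagged:", flagged_engines(report) or "none")
    local = hash_file(sys.argv[1]) if len(sys.argv) > 1 else None  # e.g. path to the local mf.sys
    print("issues:", cross_check(report, "mfx.sys", local) or "none")
```

A 0/42 ratio on a file that a rootkit is known to drop is not proof of anything on its own; the hash is what lets the next person search for the same sample, and a name mismatch like mf.sys versus mfx.sys is exactly the kind of detail the helper needs to know before deciding that the requested driver does not exist.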

Hi,

Thanks for letting me know about the proxy settings. :slight_smile: We can fix that up.

I will return as quickly as I can.

Take your time :slight_smile:

Hi,

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


```
ClearJavaCache::

DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: Free YouTube to MP3 Converter - c:\dokumente und einstellungen\Rafael\Anwendungsdaten\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

Firefox::
FF - ProfilePath - c:\dokumente und einstellungen\Rafael\Anwendungsdaten\Mozilla\Firefox\Profiles\590b5pxk.default\
FF - prefs.js: browser.search.selectedEngine - foxsearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/firefox
FF - prefs.js: keyword.URL - hxxp://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q=
FF - prefs.js: network.proxy.http - 188.93.17.193
FF - prefs.js: network.proxy.http_port - 3128

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\Pando Networks\\Media Booster\\PMB.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56759:TCP"=-
"56759:UDP"=-
"3069:TCP"=-
"5000:UDP"=-

Driver::
MFX
```

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
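The Firefox:: section of that script is the part that answers the earlier question about the proxy: prefs.js in the profile had network.proxy.http pointing at 188.93.17.193 on port 3128, so every HTTP request from Firefox was being routed through an outside host, and keyword.URL sent address-bar searches to finduny.com instead of the real search engine. The script below is an added example for this page, not ComboFix’s code and not something posted in the thread: it parses a Firefox prefs.js (the real `user_pref("name", value);` format), and flags manual proxies that point outside loopback or private ranges, a PAC URL, an unknown keyword.URL host and an unknown default search engine. The prefs.js excerpt is constructed from the values in the script above with a proxy type added; the allowlists of trusted search hosts and engine names are assumptions to adapt to your own environment.

```python
import ipaddress
import re
import sys
from typing import Dict, List, Union
from urllib.parse import urlparse

PrefValue = Union[str, int, bool]

# prefs.js lines look like: user_pref("network.proxy.http", "188.93.17.193");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks", "network.proxy.ftp")
# Assumptions: the search hosts and engine names this user legitimately uses.
TRUSTED_SEARCH_HOSTS = {"www.google.de", "www.google.com", "www.bing.com", "search.yahoo.com"}
TRUSTED_ENGINES = {"Google", "Bing", "Yahoo", "Wikipedia (en)"}


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref() lines; values are quoted strings, integers or true/false."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def is_external_host(host: str) -> bool:
    """True for anything that is not loopback or a private address (hostnames count as external)."""
    if host.lower() == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_private)


def audit_prefs(prefs: Dict[str, PrefValue]) -> List[str]:
    """Findings for proxy and search hijacks; an empty list means nothing suspicious."""
    findings = []
    # network.proxy.type: 0 = none, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system (default)
    proxy_type = prefs.get("network.proxy.type", 5)
    for key in PROXY_HOST_KEYS:
        host = prefs.get(key)
        if isinstance(host, str) and host and is_external_host(host):
            port = prefs.get(key + "_port", "?")
            state = "active" if proxy_type == 1 else f"inactive, proxy.type={proxy_type}"
            findings.append(f"{key}: external proxy {host}:{port} ({state})")
    pac = prefs.get("network.proxy.autoconfig_url")
    if isinstance(pac, str) and pac:
        findings.append(f"network.proxy.autoconfig_url: PAC script fetched from {pac}")
    keyword_url = prefs.get("keyword.URL")
    if isinstance(keyword_url, str) and keyword_url:
        host = urlparse(keyword_url).hostname or keyword_url
        if host not in TRUSTED_SEARCH_HOSTS:
            findings.append(f"keyword.URL: address-bar searches go to {host}")
    engine = prefs.get("browser.search.selectedEngine")
    if isinstance(engine, str) and engine not in TRUSTED_ENGINES:
        findings.append(f"browser.search.selectedEngine: unknown engine '{engine}'")
    return findings


# Constructed prefs.js excerpt using the values ComboFix reported above.
SAMPLE_PREFS = """\
user_pref("browser.search.selectedEngine", "foxsearch");
user_pref("browser.startup.homepage", "http://www.google.de/firefox");
user_pref("extensions.lastAppVersion", "12.0");
user_pref("keyword.URL", "http://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q=");
user_pref("network.proxy.http", "188.93.17.193");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.type", 1);
user_pref("privacy.sanitize.timeSpan", 0);
"""

if __name__ == "__main__":
    # Pass the path to a profile's prefs.js to audit a real profile; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for finding in audit_prefs(parse_prefs(text)) or ["no findings"]:
        print(finding)
```

Firefox must be closed before editing prefs.js, since it rewrites the file on exit; the cleaner route is to remove the offending keys through about:config or let a tool such as ComboFix do it, as in the script above. The Internet Explorer half of the same hijack lives in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer, ProxyOverride), which is what the `uInternet Settings` line in the CFScript refers to.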

Here’s the log, sorry for the delay.