MBR:Alureon-K [rtk]

Viruses and worms
1

Avast detected an MBR:Alureon-K rootkit on my computer last night. Also, it’s been experiencing BSODs with ntkrnlpa.sys since mid May now, and this might be related to it. To be honest, my friend has been using this computer and I have no idea how long the rootkit has been in there for. I just installed Avast yesterday. All logs are from scans in Safe Mode, I will get BSODs otherwise.

2

Hi,

Let me look these over and I will return shortly. :slight_smile:

3

Hi,

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]when the window opens, click on Change Parameters
[*]under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)

4

Thanks Jeff!
It found a malware object (Rootkit) and a suspicious object (TDSS File System). Should I mark them both for curing?

5

Hi,

Please attach the log so I can be sure of what we are removing. :slight_smile:

6

Sure

7

Ok yes please remove those entries. :slight_smile: Thanks!

8

quarantine? or delete?

9

Quarantine will be fine. :slight_smile:

Please attach the new log that is made.

10

Here’s the new log.

11

Hi,

Download Combofix from the link below, and save it to your desktop.
Link

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.

12

Thanks Jeff! The ComboFix log.

13

I had a look at my partitions on drive 0 on diskmgmt and there seems to be 9mb of unallocated space that I can’t delete. How do I find out whether or not it is legit? I ran an aswMBR scan and that didn’t show anything in red. Log and diskmgmt screenshot attached.

14

jeff is offline and will return my today night or evening…check back later :wink:

15

Hi,

Please run ComboFix again and attach a new log. I want to see if those File Replicators entries are still there.

16

Hi. Here’s the latest ComboFix log.

17

Thanks. Please run a new scan with TDSSKiller and post the newly made log while I am looking over the ComboFix log. :slight_smile:

18

Thanks! :slight_smile: TDSSKiller found the same TDSS File System that I had it quarantine yesterday. Do you think deleting it would make a difference?

19

Hi,

Yes please delete that entry that TDSSKiller is finding and then attach the new log.

20

Here you go.