MBR: \\.\PHYSICALDRIVE0\Partition3 / MBR:Alureon-K Please Help!

Last night my computer detected an MBR:Alureon-K rootkit, I told it to delete the virus immediately and set it to run a boot-time scan. The next morning I checked the scan logs and it said that it successfully removed three Alureon-K’s to the chest. It detected no other viruses.

To be sure, I ran a full-computer scan and it detected: MBR: “\.\PHYSICALDRIVE0\Partition3” with the status: “Threat: MBR:Alureon-K [RTK]”.

I tried to repair the file, delete it and move it to the chest. Nothing worked.

What’s my next step to remove this thing?

Next step would be to read the sticky posted here: http://forum.avast.com/index.php?topic=53253.0 Logs produced after scans will make it possible for one of our expert malware removal (killer) experts to help you clean your system. You will need to run Malwarebytes, OTL, and aswMBR.exe. Each will produce a log for review. You will be asked to run additional programs if needed, but at the discretion of the expert helping you. I suggest you do not make any changes to your system or clean it unless told to do so.

Use the “Attachment and other options” link below the text box you are writing in to attach the logs produced. You will also see a tick box to “Notify me of replies” to help you get along a little faster.

A malware expert has been notified.

Also, could you take a screenshot of Disk Management showing all partitions?

Go Start > Run :
Type :
diskmgmt.msc

Is this the kind of thing you wanted?

http://i.imgur.com/iAOmM.jpg

I had to put it in an Imgur image because it wouldn’t let me attach the file the easy way. Copying the above link will give you the screenshot.

(SFW, nothing bad. Just the screenshot, I swear!)

Yep, that looks OK. Could you now run aswMBR and OTL please?

aswMBR is not running. If I try to run it, it asks for Admin permission, I give it, and then nothing happens. >:(

And as for OTL, I left it on default settings and just clicked Run Scan. I’ve attached the log file.

You have both Avast and AVG on your system. One of them must go.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKCU..\Run: [hhYdAGSGtMTv.exe] C:\ProgramData\hhYdAGSGtMTv.exe File not found
[2012/04/08 20:25:14 | 000,302,592 | ---- | M] () -- C:\Users\Ellis\Desktop\bisj4ixt.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


* Then click the Run Fix button at the top
* Let the program run unhindered, and reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

* Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

* Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

* Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

* Click the Start Scan button.

* If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

* If malicious objects are found, they will show in the Scan results and offer three (3) options.
* Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

* Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

* Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

AVG is gone.

MBAM’s “protection” tab looks like this: http://i.imgur.com/o9kp1.png

I’m unsure how to proceed.

According to your image you have the free version of MBAM, so you don’t have any resident protection to stop.

So you should be able to proceed with the remainder of essexboy’s instructions in that post.

Thank you. I will :)

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hhYdAGSGtMTv.exe deleted successfully.
C:\Users\Ellis\Desktop\bisj4ixt.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ellis\Desktop\cmd.bat deleted successfully.
C:\Users\Ellis\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ellis
->Temp folder emptied: 278012 bytes
->Temporary Internet Files folder emptied: 20760591 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 7020429 bytes
->Flash cache emptied: 7742 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 54511278 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 7709740 bytes

Total Files Cleaned = 86.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.42.3 log created on 05132012_114124

Files\Folders moved on Reboot…
C:\Users\Ellis\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUBQ1CXS\fw-nonplayer-banner[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUBQ1CXS\pixel[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5TZY3LN\channels[1].htm not found!
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5TZY3LN\login_account[1].htm moved successfully.
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5TZY3LN\login_status[2].htm moved successfully.
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8JFDK9HA\emily[1].htm moved successfully.
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8JFDK9HA\xd_receiver[1].htm moved successfully.
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\data_sync[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\fw-nonplayer-banner[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\fw-nonplayer-banner[2].htm not found!
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\pixel[1].htm moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

TDSSKiller is NOT running. Same problem as aswMBR.

OK, we have a new variant of the stealth TDL4. I would like to test one more programme to see if it detects it.

* Download RogueKiller and save it on your desktop.
* Quit all programs
* Start RogueKiller.exe.
* Wait until Prescan has finished …
* Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

* Wait for the end of the scan.
* The report has been created on the desktop.
* Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

* The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Now we will prepare for deletion once I have determined where it is hiding.

Download the following three programmes to your desktop :

  1. Wintoboot
  2. Windows 7 64bit RC
  3. Farbar Recovery Scan Tool x64

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

To ensure that AVG is completely removed, download and run the AVG uninstall tool from the following link after essexboy and you have successfully cleaned your system of the Alureon-K infection: http://kb.eset.com/esetkb/index?page=content&id=SOLN146 Any remnants left over can cause anomalies and strange behaviour; this tool will help to prevent that.

Reason I say that is because I would not run this tool until after essexboy has told me to.

There is a first time for everything here; essexboy is able to help you because he knows many people in the industry, and will find a solution for you. He knows what he is doing. Logs are what is important here.

RogueKiller DID work. I’ve attached the reports and followed your instructions.

Wintoboot link is a bad link. I’m not sure how to proceed.

Aye, the site has gone down… However, I do have a copy on my SkyDrive ;D

If you could click the Globe under my avatar, that will take you there; then locate and download WiNTBootic and proceed as directed.

As it stands, none of the tools are detecting this in normal mode, so we will see if working outside of Windows will reveal it.

I followed your instructions until I reached this point:

“In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.”

I typed in the FRST64.exe path and everything, but instead of a tool running or a disclaimer, my notepad just filled up with a massive amount of code.
Please advise on how to proceed.

The use of Notepad is just to tell you where FRST is.

Change directory to the drive that has FRST and run it from there by typing FRST64.exe.

Ah. I see. I can’t believe I didn’t think of that.

Everything ran smoothly, log is attached.

Here is the culprit:

Disk: 0 Partition 3 Type : 17 (Suspicious Type) Hidden: Yes Active: Yes

There is no volume associated with this partition.

What we need to do now is set the proper partition to active.

Another disc to make, I am afraid.

Download and burn to disc:
gparted-live-0.11.0-7.iso (115.1 MB)

Create a bootable CD from the GParted ISO image. You can use ImgBurn to do this.

Now boot off the newly created GParted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here…
Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted. Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 1Mb.
Click the trash can icon to delete it and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your 100Mb system drive?

If “boot” is not next to your system drive under “Flags”, right-click the system drive while in GParted and select Manage Flags.

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the button shown here:
http://img822.imageshack.us/img822/641/gpartedexit.png

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.

If the system should fail to boot, then boot the Windows recovery console USB and execute the following commands:

bootrec /FixMbr
bootrec /FixBoot
exit

Once back in Windows, retry aswMBR.
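For readers wanting to see what the FRST finding quoted above (“Type : 17 (Suspicious Type) Hidden: Yes Active: Yes”) corresponds to on disk, the Python below walks the four 16-byte entries of an MBR partition table and flags the same combination: a hidden partition type that also carries the active (boot) flag. This is an added example, not code from the thread or from FRST, aswMBR or any other tool named here; the MBR sector is constructed to resemble the layout described (two NTFS partitions plus a 1 MiB type 0x17 partition marked active), and the list of hidden type IDs is an assumption.

```python
import struct

# Partition type IDs that mean "hidden" (assumed list; 0x17 is hidden
# IFS/NTFS, the type FRST reported for Disk 0 Partition 3 in this thread).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SECTOR = 512

def make_entry(active, ptype, start_lba, sectors):
    """Pack one 16-byte MBR partition entry; CHS fields are left zeroed."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0" * 3,
                       ptype, b"\0" * 3, start_lba, sectors)

def sample_mbr():
    """Constructed 512-byte MBR resembling the infected layout in the thread."""
    table = (make_entry(False, 0x07, 2048, 204800)        # 100 MB system partition, boot flag gone
             + make_entry(False, 0x07, 206848, 976564224)  # Windows volume
             + make_entry(True, 0x17, 976771072, 2048)     # 1 MiB hidden partition marked active
             + bytes(16))                                   # unused fourth slot
    return bytes(446) + table + b"\x55\xAA"                # boot code placeholder + table + signature

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            entries.append({"index": i + 1, "active": status == 0x80,
                            "type": ptype, "start_lba": start, "sectors": count})
    return entries

def suspicious_partitions(entries):
    """Flag entries showing the pattern FRST reported: hidden type AND active flag set."""
    findings = []
    for e in entries:
        if e["type"] in HIDDEN_TYPES and e["active"]:
            findings.append(dict(e, reason="hidden type 0x%02X marked active, %d KiB"
                                 % (e["type"], e["sectors"] * SECTOR // 1024)))
    return findings

if __name__ == "__main__":
    for f in suspicious_partitions(parse_mbr(sample_mbr())):
        print("Partition %d: %s" % (f["index"], f["reason"]))
```

On a real system the same parser can be fed the first 512 bytes read from the physical disk, which is exactly the region the Avast detection name (\\.\PHYSICALDRIVE0) points at.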