Need help getting rid of MBR:Alureon-K rootkit virus

Hello,

May I have some help with getting rid of the Alureon-K virus? Nasty little bugger. I’ve read a lot about it. Some of the tools seem to work, but only partially. Avast Free full & quick scan see it, but can’t get rid of it. Avast indicates that it will delete upon reboot, but doesn’t. aswMBR sees it in its own partition along with a couple of other problems, but I don’t even get the fix option after setting it up for the right partition (2).

TDSSkiller won’t run … even if I rename it.

I even tried to get rid of the 10MB partition where it resides, but diskmgmt.msc can’t delete it.

I’ve attached the MBAM, OTL & aswMBR logs.

Please advise.

Thanks, Eda

Hi, we will try aswMBR as a first removal option. If that fails we will need to work outside of Windows.

Go Start > Run (or press the Windows and R key together)
Copy/paste the following command into the box and press OK

aswMBR.exe -ap 1

Once aswMBR has finished then reboot and rerun, press the scan button posting the resultant log

Thanks essexboy.

Done. Here’s the update log file. I had to paste below because the upload server is currently full.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-20 19:13:46

19:13:46.718 OS Version: Windows 5.1.2600 Service Pack 3
19:13:46.718 Number of processors: 1 586 0x401
19:13:46.718 ComputerName: PC-MIKE1 UserName: Michael
19:17:25.765 Initialize success
19:17:35.625 AVAST engine defs: 12032001
19:29:26.265 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
19:29:26.265 Disk 0 Vendor: Hitachi_HDP725050GLAT80 GM4OA4CA Size: 476940MB BusType: 3
19:29:26.296 Disk 0 MBR read successfully
19:29:26.296 Disk 0 MBR scan
19:29:26.296 Disk 0 Windows XP default MBR code
19:29:26.296 Disk 0 MBR hidden
19:29:26.296 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 476929 MB offset 63
19:29:26.328 Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS 10 MB offset 976752000
19:29:26.328 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
19:29:26.343 Disk 0 scanning sectors +976773152
19:29:26.421 Disk 0 scanning C:\WINDOWS\system32\drivers
19:29:47.218 Service scanning
19:30:33.765 Modules scanning
19:30:59.796 Disk 0 trace - called modules:
19:30:59.812 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89b8bfa9]<<
19:30:59.812 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x89bbfab8]
19:30:59.812 3 CLASSPNP.SYS[f7637fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x89baab00]
19:30:59.812 \Driver\atapi[0x89ba28a8] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x89b8bfa9
19:31:07.625 AVAST engine scan C:\WINDOWS
19:31:36.265 AVAST engine scan C:\WINDOWS\system32
19:39:50.484 AVAST engine scan C:\WINDOWS\system32\drivers
19:40:16.937 AVAST engine scan C:\Documents and Settings\Michael
20:21:31.937 AVAST engine scan C:\Documents and Settings\All Users
20:22:42.968 Scan finished successfully
20:23:47.265 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Michael\Desktop\MBR.dat”
20:23:47.265 The log file has been saved successfully to “C:\Documents and Settings\Michael\Desktop\aswMBR - 120320.txt”

Please advise.

Thanks, Eda
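The aswMBR log above shows the trace this rootkit family leaves in the partition table: a second entry carrying the active flag (80) and the hidden-NTFS type id (17), only 10 MB in size, placed just past the end of the real NTFS partition. The following is an added example, not part of this thread or of aswMBR, that parses a raw 512-byte MBR and flags entries matching that pattern; the MBR bytes and the 64 MB size threshold are constructed here from the values in the log.

```python
import struct

SECTOR = 512
MB_SECTORS = (1024 * 1024) // SECTOR          # 2048 sectors per MB
NTFS, HIDDEN_NTFS = 0x07, 0x17                # type ids seen in the aswMBR log

def build_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte MBR partition entry; CHS fields are zeroed (constructed data)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def parse_mbr(mbr):
    """Return the non-empty entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 55AA signature)")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            entries.append({"index": i + 1, "active": status == 0x80,
                            "type": ptype, "lba": lba, "sectors": count})
    return entries

def suspicious_partitions(mbr, disk_sectors):
    """Flag entries showing the log's pattern: hidden type, active, tiny, at the disk end."""
    flagged = []
    for e in parse_mbr(mbr):
        reasons = []
        if e["type"] == HIDDEN_NTFS:
            reasons.append("hidden NTFS type 0x17")
        if e["active"] and e["type"] == HIDDEN_NTFS:
            reasons.append("active (bootable) flag on a hidden partition")
        if e["sectors"] <= 64 * MB_SECTORS:             # threshold is an assumption
            reasons.append("tiny (<= 64 MB)")
        if e["lba"] + e["sectors"] >= disk_sectors - MB_SECTORS:
            reasons.append("ends within 1 MB of the disk end")
        if len(reasons) >= 2:                           # one trait alone is not enough
            flagged.append((e["index"], reasons))
    return flagged

# Constructed MBR mirroring the log: 476940 MB disk, 476929 MB NTFS at offset 63,
# then an active hidden 10 MB NTFS entry at offset 976752000.
DISK_SECTORS = 476940 * MB_SECTORS
SAMPLE_MBR = (b"\0" * 446
              + build_entry(0x00, NTFS, 63, 476929 * MB_SECTORS)
              + build_entry(0x80, HIDDEN_NTFS, 976752000, 10 * MB_SECTORS)
              + b"\0" * 32 + b"\x55\xaa")

if __name__ == "__main__":
    for index, reasons in suspicious_partitions(SAMPLE_MBR, DISK_SECTORS):
        print(f"Partition {index}: " + "; ".join(reasons))
```

On a real machine the 512 bytes would come from reading sector 0 of the physical disk with an offline tool; a clean XP disk yields no flagged entries here, the log's layout yields partition 2 with all four reasons.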

OK that command did not appear to work - One final run till we revert to working from a CD

  • Download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

  • Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

Thanks Essexboy,

TDSSkiller ran fine this time. Unfortunately the log file is > 45,000 characters but the maximum allowed here is 10,000.

I had to upload it to my 4Shared account. You can find it here:

http://www.4shared.com/office/4K2x9IEC/file.html

Please advise. Thanks, Eda

Could you re-run TDSSKiller again please and delete the two following elements :

\Device\Harddisk0\DR0 ( TDSS File System )
\Device\Harddisk1\DR3 ( Rootkit.Win32.BackBoot.gen )

Then let me know how the computer is behaving

I re-ran TDSSkiller but I didn’t get:

\Device\Harddisk0\DR0 ( TDSS File System )

and for \Device\Harddisk1\DR3 ( Rootkit.Win32.BackBoot.gen ), I only got the options to Skip, Copy to Quarantine or Restore - no Delete option is provided.

Also, diskmgmt.msc indicates that the Alureon-K partition is gone, Google won’t let me access my iGoogle page (it detected “unusual traffic” from me) and aswMBR comes back clean. The computer is fairly sluggish: stuttering audio, jerky mouse movement, etc.

Is there anything else I should do?

Thanks.

Might have to run TDSSKiller multiple times till you get the cure option?
http://forums.malwarebytes.org/index.php?s=2ec7b998993be368df6b808d2f7b774c&showtopic=106571&st=20

It looks like TDSSKiller removed the partition - must be a late update

OK onwards now to see what miscreants remain

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thank you, Essexboy!

Here’s the ComboFix.txt file.

The computer is still sluggish. I’m still getting a Rootkit.Win32.Backboot.gen virus detected from TDSSkiller. TDSSkiller is still only giving me the options to Skip, Copy to Quarantine & Restore.

Please advise. Thanks.

Could you attach the latest TDSSKiller so that I can look at it

Sure. Please see attached. Thank you!

Could you give TDSSKiller one more shot at deleting this

\Device\Harddisk1\DR2 ( Rootkit.Win32.BackBoot.gen )

Then once done could you re-run OTL selecting all users and I will see if I can detect what is causing the sluggishness

Sorry… TDSSkiller still won’t provide the delete option.

Should I run OTL anyway?

Thanks, Eda

Yes please and is it sluggish at start or during general use ?

Please see attached.

It’s sluggish both at start and general use.

Thank you.

OK let’s remove my stuff and go for a little TLC

Subject to no further problems

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe

ONCE that has been done then run a defragmenter on your computer. If that fails to give any noticeable gain we will then look at the startup elements

I ran OTL, but when I ran ComboFix /Uninstall AVAST went crazy reporting a number of threats prompting to terminate some and sandboxing others. Am I supposed to turn Avast off when I run the Uninstall?

Thanks.

I’m having the same exact problem. TDSSKiller didn’t work either. Can someone help me?

Hi thisiseasycash.

You will need to create a new topic in the Virus & Worms Forum (this one). Include a brief description of the problem, symptoms and it usually helps if you can follow the initial instructions provided to someone else with similar problems. After you post, one of the experts will respond and help you work through a solution.

Good Luck!