I am working on my brother-in-law's computer and after installing Avast on his computer I got a pop-up saying that the computer is infected with the Alureon-K rootkit. I have been searching the internet for help in removing it and I haven't been able to get anywhere. From the posts I have read on here I saw that most people were told to download and run aswMBR and then post the log. I have done that and attached the log. Any and all help is greatly appreciated.
We also need the Malwarebytes and OTL logs.
When trying to run OTL I keep getting a pop-up that says, "List index out of bounds (19)." I am not getting the logs to come up after the scan as described in the "Logs to assist in malware" sticky. Not sure what I need to do to complete the scan.
Here is my Malwarebytes scan:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.24.07
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: TIM [administrator]
8/24/2012 4:19:15 PM
mbam-log-2012-08-24 (16-19-15).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201291
Time elapsed: 50 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Ok, I have found an OTL log but can’t find an Extras log.
The Extras.txt log is not important.
Hi, could you go to Start > Run and type in the following command:
aswMBR.exe -ap 1
Once it has rebooted, re-run aswMBR and post the new log.
When I type in the command I am getting a pop-up that says, "Windows cannot find 'aswMBR.exe'." I tried restarting the computer and then typing the command in again, but it still didn't work. I then uninstalled aswMBR and reinstalled it, but that didn't help either.
Thought that was a bit easy.
OK, I need the Recovery Console installed, and the easiest way to do that is to run ComboFix… It is imperative that you let ComboFix install the Recovery Console.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop.
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
- Double click on ComboFix.exe and follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programs being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.
Ok, I tried running ComboFix. The first time it locked up the computer before it even started running. I then restarted the computer and started ComboFix again. This time it started running, got to 9% and said 1 of 11 files saved. It then locked up again. Not sure what to do now.
OK, let's use Linux instead.
I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)
Create a bootable CD for GParted from the ISO image.
You can use ImgBurn to do this.
Now boot off the newly created GParted CD.
You should be here… Press ENTER
https://dl.dropbox.com/u/73555776/Gpart-Start.GIF
By default, “do not touch keymap” is highlighted.
https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF
Leave this setting alone and just press ENTER.
https://dl.dropbox.com/u/73555776/Gpart-continue.GIF
Choose your language and press ENTER. English is the default [33].
At the mode prompt, enter 0 and press ENTER.
You will now be taken to the main GUI screen below.
https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF
According to your logs, the partition that you want to delete is 7 MB.
Right click this partition and select Delete.
https://dl.dropbox.com/u/73555776/GPart-delete.GIF
The partition has gone.
Now select Apply.
Now you should be here:
https://dl.dropbox.com/u/73555776/Areyousure.GIF
Select Apply after double-checking that the right partition was deleted.
Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-click the OS drive while in GParted and select Manage Flags.
https://dl.dropbox.com/u/73555776/GPart-flags.GIF
In the menu that pops up, place a checkmark in boot like the picture below, then close:
https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF
Under File, select Quit.
https://dl.dropbox.com/u/73555776/Gpart-quit.GIF
You will see this small pop-up:
https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF
Choose Reboot and then press OK.
Then run aswMBR once more.
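As an added illustration, not part of this thread and not code from GParted, aswMBR or any other tool named here, the following Python script reads a raw 512-byte MBR and reports each partition's size and active (boot) flag, flagging the two things the GParted steps above fix by hand: a tiny extra partition and an active flag that sits somewhere other than the OS partition. The sample MBR is constructed inline; its partition type values are arbitrary, and "largest partition is the OS partition" is a heuristic assumed for the example.

```python
import struct

SECTOR = 512  # bytes per sector on a classic MBR disk


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "size_mb": sectors * SECTOR / (1024 * 1024)})
    return parts


def find_suspicious(parts: list, small_mb: float = 16.0) -> list:
    """Flag tiny partitions and an active flag that is not on the (largest) OS partition."""
    findings = []
    largest = max(parts, key=lambda p: p["sectors"]) if parts else None  # heuristic
    for p in parts:
        if p["size_mb"] <= small_mb:
            findings.append(f"partition {p['index']}: only {p['size_mb']:.1f} MB")
        if p["active"] and p is not largest:
            findings.append(f"partition {p['index']}: active flag set, but it is not the largest (OS) partition")
    if parts and not any(p["active"] for p in parts):
        findings.append("no partition carries the active (boot) flag")
    return findings


def _entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba_start, sectors)


def sample_mbr() -> bytes:
    """Constructed sample: a 40 GB OS partition followed by a 7 MB partition at the
    end of the disk that holds the active flag (type values are arbitrary)."""
    os_sectors = 40 * 1024 * 1024 * 1024 // SECTOR
    small_sectors = 7 * 1024 * 1024 // SECTOR
    table = (_entry(False, 0x07, 63, os_sectors)
             + _entry(True, 0x07, 63 + os_sectors, small_sectors)
             + b"\x00" * 32)  # two unused slots
    return b"\x00" * 446 + table + b"\x55\xaa"
```

On a real disk, pass the first 512 bytes of the raw device to parse_mbr(); the report then shows the same layout the GParted screen does, without needing to boot a live CD.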
Ok, did all of that and here is the new aswMBR log.
OK, that bad boy is now history. Could you retry ComboFix now, please?
Here is the Combofix log.
Looks good… Any outstanding problems?