Problem with Alureon-K, I can't get rid of it.

I have tried to follow the advice on here and elsewhere to no avail. Be gentle with me, I am an end user and need your help.

Running Windows XP service pack 3, on a Pentium R

I lost all programs, file structure, wallpaper and internet
I tried to quarantine but it can’t. I tried delete and it says it will delay delete until next start-up. On start-up it is still there.

I have done an avast start-up scan - no change.

I ran Windows defender on re-boot which brought back my programs

I have also run Malwarebytes, OTL, RogueKiller, aswMBR, Spybot and FSS.

I now have my wallpaper back but still no file structure or internet. I can see my files by searching on hidden files so I know they are there.

I’ll try to attach my OTL log

Please help.

MBAM log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.13.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
DOUST :: DOUST-118C81DC4 [administrator]

21/03/2012 11:59:24
mbam-log-2012-03-21 (11-59-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 174108
Time elapsed: 18 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\DOUST\Bureau\winlogon.exe (Heuristics.Reserved.Word.Exploit) → Quarantined and deleted successfully.

(end)

This needs further analysis by a malware removal specialist and the use of additional analysis tools:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the other logs here, not in the LOGS topic.

You should also have gotten an extras.txt from your first running of OTL.

More than one log can be attached per post so long as they don’t exceed the limits for single file or cumulative total of up to 4 files attached.

OTL extras attached.

RogueKiller report

RogueKiller V7.3.2 [20/03/2012] par Tigzy
mail: tigzyRKgmailcom
Remontees: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Blog: http://tigzyrk.blogspot.com

Systeme d’exploitation: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Demarrage : Mode normal
Utilisateur: DOUST [Droits d’admin]
Mode: Recherche – Date: 21/03/2012 10:37:15

¤¤¤ Processus malicieux: 0 ¤¤¤

¤¤¤ Entrees de registre: 7 ¤¤¤
[SUSP PATH] HKLM[…]\Run : ldmtqETJLYi.exe (C:\Documents and Settings\All Users\Application Data\ldmtqETJLYi.exe) → FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @All Users : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe → FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @All Users : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe → FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @Common : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe → FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @Common : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe → FOUND
[WallPP] HKCU[…]\Desktop : Wallpaper () → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver: [CHARGE] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600AAJS-00L7A0 +++++
— User —
[MBR] 711e9888d04d359b46e295c2aa4adf4e
[BSP] fa0fa98db694d6892a5f1462dfd3e535 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
User = LL1 … OK!
User != LL2 … KO!
— LL2 —
[MBR] 8a45da90882fcd1b49f27f8717295a7a
[BSP] fa0fa98db694d6892a5f1462dfd3e535 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312560640 | Size: 10 Mo

Termine : << RKreport[1].txt >>
RKreport[1].txt

Hopefully it won’t be long before a malware removal specialist can analyse the logs. Essexboy who deals with most of them may be at work (almost 3pm UK time) and is normally on-line from about 7pm UK time.

Hi,

Please download [URL=http://public.avast.com/~gmerek/aswMBR.exe]aswMBR[/URL] to your desktop.

[*]Right click and Run as Administrator the aswMBR icon to run it.
[*]Click the Scan button to start scan.
[*]When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

[URL=http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png]http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png[/URL]
Click the image to enlarge it

I’ve already run aswMBR sorry I should have attached the log first time.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-22 11:23:35

11:23:35.906 OS Version: Windows 5.1.2600 Service Pack 3
11:23:35.906 Number of processors: 2 586 0x604
11:23:35.906 ComputerName: DOUST-118C81DC4 UserName: DOUST
11:23:39.781 Initialize success
11:23:49.453 AVAST engine defs: 12032000
11:23:59.328 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-7
11:23:59.328 Disk 0 Vendor: WDC_WD1600AAJS-00L7A0 01.03E01 Size: 152627MB BusType: 3
11:23:59.343 Disk 0 MBR read successfully
11:23:59.343 Disk 0 MBR scan
11:23:59.343 Disk 0 Windows XP default MBR code
11:23:59.359 Disk 0 MBR hidden
11:23:59.359 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 152617 MB offset 63
11:23:59.390 Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS 10 MB offset 312560640
11:23:59.390 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
11:23:59.390 Disk 0 scanning sectors +312581792
11:23:59.484 Disk 0 scanning C:\WINDOWS\system32\drivers
11:24:16.500 Service scanning
11:24:32.312 Modules scanning
11:24:42.046 Disk 0 trace - called modules:
11:24:42.062 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8636ffa9]<<
11:24:42.062 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86360438]
11:24:42.062 3 CLASSPNP.SYS[f76eefd7] → nt!IofCallDriver → \Device\00000064[0x863893b8]
11:24:42.062 5 ACPI.sys[f7664620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-7[0x8635cd98]
11:24:42.062 \Driver\atapi[0x8637eac0] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x8636ffa9
11:24:42.593 AVAST engine scan C:
12:55:23.578 File: C:\Program Files\Real\realplayer\Update\realsched.exe INFECTED Win32:Malware-gen
14:16:23.640 Scan finished successfully
14:32:27.062 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\DOUST\Bureau\MBR.dat”
14:32:27.062 The log file has been saved successfully to “C:\Documents and Settings\DOUST\Bureau\aswMBR.txt”
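The RogueKiller "MBR Verif" block and the aswMBR partition lines above both describe the same finding: a second, hidden (type 0x17) partition marked active and parked in the last few MB of the disk, which only appears when sector 0 is read below the filtered disk stack (RogueKiller's "User != LL2 … KO!"). As an added illustration, not code from either tool or from this thread, the following Python check parses a 512-byte MBR, flags that partition pattern, and compares two reads of the sector the way the User/LL2 comparison does. The total sector count, the partition byte layouts and both sample sectors are constructed for the example, not taken from the poster's drive.

```python
import hashlib
import struct

SECTOR = 512
DISK_SECTORS = 312581808          # assumed sector count of a 160 GB drive (constructed)
HIDDEN_TYPES = {0x16, 0x17, 0x1B, 0x1C}  # partition type IDs the OS treats as hidden

def parse_partition_table(mbr):
    """Return the non-empty entries of the four-slot partition table in a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack("<B3xB3xII", mbr[446 + 16 * i:462 + 16 * i])
        if ptype:  # type 0 means an unused slot
            entries.append({"index": i, "active": boot == 0x80,
                            "type": ptype, "start": start, "sectors": count})
    return entries

def find_suspicious(entries, disk_sectors):
    """Flag entries matching the bootkit pattern: hidden type, active, tiny, parked at disk tail."""
    flagged = []
    for e in entries:
        reasons = []
        if e["type"] in HIDDEN_TYPES:
            reasons.append("hidden type 0x%02x" % e["type"])
        if e["active"] and e["index"] != 0:
            reasons.append("active flag moved off partition 0")
        if e["sectors"] * SECTOR <= 16 * 1024 * 1024:
            reasons.append("tiny partition")
        if e["start"] + e["sectors"] >= disk_sectors - 2048:
            reasons.append("at end of disk")
        if len(reasons) >= 2:  # one oddity alone is common on OEM disks
            flagged.append((e, reasons))
    return flagged

def build_sample_mbr(entries):
    """Construct a synthetic MBR from (boot, type, start, count) tuples: test data, not a real disk."""
    mbr = bytearray(SECTOR)
    for i, fields in enumerate(entries):
        mbr[446 + 16 * i:462 + 16 * i] = struct.pack("<B3xB3xII", *fields)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def views_differ(a, b):  # RogueKiller's User/LL2 idea: two reads of sector 0 should hash identically
    return hashlib.md5(a).hexdigest() != hashlib.md5(b).hexdigest()

USER_VIEW = build_sample_mbr([(0x80, 0x07, 63, 312560577)])  # constructed: what a filtered read returns
LOW_LEVEL_VIEW = build_sample_mbr([(0x00, 0x07, 63, 312560577), (0x80, 0x17, 312560640, 20480)])  # constructed: raw sector
```

On a live system the two inputs would be the sector returned through the normal disk path and the one read by a driver-level or offline tool; a mismatch is the signal, and the partition-table check explains what was hidden.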

Hi frenchfancy,

Let’s start here…

Go Start > Run (or press the windows and R key together)
Copy/paste the following command into the box and press OK

aswMBR.exe -ap 1

Once aswMBR has finished, reboot and rerun aswMBR, press the scan button and post the resultant log

No luck - when I do that it says that windows can’t find the file.

If it makes any difference the aswMBR.exe is saved on my desktop as it is the only part of the file structure that I can see.

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]when the window opens, click on Change Parameters
[*]under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Copy and paste the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)

It didn’t find anything.

Log attached

Hi,

Run a new scan with aswMBR.

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

In your next reply please post the logs created by aswMBR and ComboFix.

aswMBR ran ok, but combofix tried to install windows recovery console via the internet - so as I’ve lost internet connection this didn’t work.

combofix finished running however and my file structure is now back - hooray!

Still no internet, but I’ve yet to re-boot.

logs attached

Thank you for your help - it really is appreciated.

Hi,

Go ahead and reboot and see if your internet connection is back.

No, still no internet. The PC is connected by ethernet to the router. It can see the local network but not the internet. Laptop uses same router by wifi and is working fine.

Hi,

Let’s try and get that internet back.

Please download Farbar Service Scanner and run it on the computer with the issue.
[*]Make sure the following options are checked:
[*]Internet Services
[*]Windows Firewall
[*]System Restore

[*]Press “Scan”.
[*]It will create a log (FSS.txt) in the same directory the tool is run.
[*]Please copy and paste the log to your reply.

Done. log attached. Still no internet.

Hi frenchfancy,

Click Start > Run > type CMD
At cmd prompt C:>
type
netsh -c diag

then when that loads
type
show test

Copy/paste the results into your next reply.

Done, log attached.

My pc runs in French. Hopefully it should be obvious but let me know if you need me to translate anything.

I note that it says outlook express is my default mail server. I don’t use it I use Outlook.

Hi,

Thanks for getting me this log. I ran it through a translator so I was able to manage, but thank you for the offer. :)

In the meantime…

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*]Disable any script blocking protection
[*]Right-click and Run as Administrator dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

Done, logs attached