Author Topic: MBR:Alureon-K [Rtk]  (Read 11118 times)


Hawkness

  • Guest
MBR:Alureon-K [Rtk]
« on: May 30, 2012, 11:11:15 PM »
Good evening,

I decided to check my system for viruses today and avast! pretty soon found a rootkit infection named MBR:Alureon-K [Rtk].

I've been googling about this rootkit for quite some time, but I really don't understand that much about technology to really be able to deal with this problem on my own.
And due to this lack of technological knowledge I'm sort of unable to know what kind of information you guys need to help me out (if possible) or where exactly to find it.

I'd be very thankful if someone could take his or her time and help me out a bit on this one. Kind of like a step-by-step instruction.
Of course I understand that you will be unable to accomplish this without my help in the form of information about my system, and I do not expect you to perform wonders.
What I mean by step-by-step instructions is rather "We need information XY which you will find out with program YX, in order to be able to help you."

I may not know or understand that much about technology as of now, but I'm willing to learn and will gladly offer as much help as possible so that you might be able to help me.

Thank you in advance,
Hawkness

P.S. What I CAN tell you, is that I'm using Windows XP, Service Pack 3. I hope this helps.

Offline Pondus

Re: MBR:Alureon-K [Rtk]
« Reply #1 on: May 30, 2012, 11:22:28 PM »
follow this guide and attach (not copy and paste) malwarebytes / OTL / aswMBR logs
http://forum.avast.com/index.php?topic=53253.0


a removal specialist will be notified when done

Hawkness

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #2 on: May 30, 2012, 11:57:59 PM »
I'm doing the scans at the moment. I noticed that the malwarebytes log is in German (although I've chosen English as the installation language).

Any way to change this so you can actually work with the logs? :/

EDIT: Nvm, I found out! Doing the scan again.
« Last Edit: May 31, 2012, 12:05:18 AM by Hawkness »

jeffce

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #3 on: May 31, 2012, 12:58:52 AM »
Monitoring... :)

Hawkness

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #4 on: May 31, 2012, 01:11:39 AM »
So, scans are done :) Hopefully you can find something.
Logs are attached.

jeffce

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #5 on: May 31, 2012, 02:32:48 AM »
Hi,

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
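The detection name in this thread, MBR:Alureon, refers to a bootkit that replaces the boot code in the Master Boot Record (the first 512 bytes of the disk) while leaving the partition table intact, so the machine still boots. The tools above look for exactly that kind of change. As an added illustration of what such a check involves (this is not code from avast, TDSSKiller or anyone in the thread), the Python below parses a 512-byte MBR image, validates the 0x55AA boot signature, extracts the partition table, and compares a hash of the boot-code area against a known-good baseline. The sample MBR bytes are constructed here for the example, not captured from a real system; the baseline hash is whatever you recorded from a clean machine.

```python
import hashlib
import struct

# MBR layout constants (standard DOS-style MBR).
MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16      # four entries of 16 bytes each
SIGNATURE_OFFSET = 510         # 0x55 0xAA at bytes 510..511

# One 16-byte partition entry: status, CHS start, type, CHS end, LBA start, sector count.
PARTITION_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR image around the given boot-code bytes.

    The partition table holds a single active NTFS (type 0x07) partition
    starting at LBA 63. All values are constructed for this example.
    """
    boot_area = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    entry = struct.pack(PARTITION_ENTRY_FMT,
                        0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)   # three empty entries
    return boot_area + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Validate the MBR signature and return boot-code hash plus partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")

    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, mbr[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:          # unused entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })

    return {
        # Hash only the boot-code area: the partition table legitimately changes
        # when partitions are created or resized, the boot code should not.
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(mbr)
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootkit or non-standard boot manager)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one active partition, found {len(bootable)}")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the real boot code; record its hash as the baseline.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean MBR findings:", check_against_baseline(clean, baseline))

    # Same partition table, different boot code: the pattern a bootkit leaves behind.
    tampered = build_sample_mbr(b"\xeb\x00" + b"\x90" * 10)
    print("tampered MBR findings:", check_against_baseline(tampered, baseline))
```

On a live system the 512 bytes would come from raw device access (reading the first sector of `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, which needs administrator or root rights), and the baseline hash should be taken from a machine known to be clean or from the boot code written by the operating system's own installer. Note that a mismatch is a lead, not a verdict: third-party boot managers and some disk-encryption products also replace the MBR boot code legitimately.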

Hawkness

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #6 on: May 31, 2012, 02:43:30 AM »
Followed the instructions. However, when the scan finished, there was no "reboot" button (nor any malicious files; there were two files with a level of "medium" though).

TDSSKiller log attached.

Hawkness

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #7 on: May 31, 2012, 02:47:32 AM »
This second logfile (attached) is an earlier scan of TDSSKiller I made today (I had already read about this program in connection with Alureon, so I had given it a shot already). This scan included a malicious file which I used the cure option on.
There was no "reboot" option either.

jeffce

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #8 on: May 31, 2012, 03:44:48 AM »
Hi,

Run TDSSKiller again.  When you get to the entry here >> \Device\Harddisk0\DR0 ( TDSS File System ) remove/delete it and then attach that new log.  :)

Offline military

Re: MBR:Alureon-K [Rtk]
« Reply #9 on: May 31, 2012, 09:10:00 AM »
Will avast be able to cope with MBR:Alureon in the future?
TDSSKiller is good, but I would like avast to manage it as well.

Offline Asyn

Re: MBR:Alureon-K [Rtk]
« Reply #10 on: May 31, 2012, 09:38:49 AM »
Quote from: military on May 31, 2012, 09:10:00 AM
Will avast be able to cope with MBR:Alureon in the future?
TDSSKiller is good, but I would like avast to manage it as well.

Please start a new topic for your question. Thanks.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Hawkness

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #11 on: May 31, 2012, 11:16:50 AM »
And here's the new log :)

jeffce

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #12 on: May 31, 2012, 01:52:30 PM »
There we go...that looks better.  :)

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

Hawkness

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #13 on: May 31, 2012, 02:55:46 PM »
Quote from: jeffce on May 31, 2012, 01:52:30 PM
There we go...that looks better.  :)
Hopefully this looks even better :P

jeffce

  • Guest
Re: MBR:Alureon-K [Rtk]
« Reply #14 on: May 31, 2012, 05:06:05 PM »
Hi,

Are you aware that your system is set up to run from a proxy server?

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click VirusTotal

Browse to the following and press Open (one at a time if more than one file is listed)

c:\winxp\system32\drivers\mfx.sys


Click "Scan It", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.