Avast WEBforum
Other => Viruses and worms => Topic started by: ThatHaydenGuy on May 12, 2012, 04:50:36 AM
-
Last night my computer detected an MBR:Alureon-K rootkit, I told it to delete the virus immediately and set it to run a boot-time scan. The next morning I checked the scan logs and it said that it successfully removed three Alureon-K's to the chest. It detected no other viruses.
To be sure, I ran a full-computer scan and detected: MBR: "\\.\PHYSICALDRIVE0\Partition3" with a status: "Threat: MBR:Alureon-K [RTK]".
I tried to repair the file, delete it and move it to the chest. Nothing worked.
What's my next step to remove this thing?
-
Next step would be to read the sticky posted here: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) Logs produced after scans will make it possible for one of our malware removal (killer) experts to help you clean your system. You will need to run Malwarebytes, OTL, and aswMBR.exe. Each will produce a log for review. You will be asked to run additional programs if needed, but at the discretion of the expert helping you. I suggest not making any changes to your system or cleaning it unless told to do so.
Use the "Attachment and other options" link below the text box you are writing in to attach the logs produced. You will also see a tick box to "Notify me of replies" to help you get along a little faster.
A malware expert has been notified.
-
Also could you take a screenshot of Disk Management showing all partitions
Go Start > Run :
Type :
diskmgmt.msc
-
Is this the kind of thing you wanted?
http://i.imgur.com/iAOmM.jpg
I had to put it in an Imgur image because it wouldn't let me attach the file the easy way. Copying the above link will give you the screenshot.
(SFW, nothing bad. Just the screenshot, I swear!)
-
Yep that looks OK - could you now run aswMBR and OTL please
-
aswMBR is not running. If I try to run it, it asks for Admin permission, I give it, and then nothing happens. >:(
And as for OTL, I left it on default settings and just clicked Run Scan. I've attached the log file.
-
You have both Avast and AVG on your system. One of them must go
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
(http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg)
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKCU..\Run: [hhYdAGSGtMTv.exe] C:\ProgramData\hhYdAGSGtMTv.exe File not found
[2012/04/08 20:25:14 | 000,302,592 | ---- | M] () -- C:\Users\Ellis\Desktop\bisj4ixt.exe
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application
(http://dl.dropbox.com/u/73555776/TDSSFront.JPG)
- Then click on Change parameters.
(http://dl.dropbox.com/u/73555776/TDSSConfig.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://dl.dropbox.com/u/73555776/TDSSFound.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(http://dl.dropbox.com/u/73555776/TDSSEnd.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
-
AVG is gone.
MBAM's "protection" tab looks like this: http://i.imgur.com/o9kp1.png
I'm unsure how to proceed.
-
According to your image you have the free version of MBAM, so you don't have any resident protection to stop.
So you should be able to proceed with the remainder of essexboy's instructions in that post.
-
Thank you. I will :)
-
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\hhYdAGSGtMTv.exe deleted successfully.
C:\Users\Ellis\Desktop\bisj4ixt.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ellis\Desktop\cmd.bat deleted successfully.
C:\Users\Ellis\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Ellis
->Temp folder emptied: 278012 bytes
->Temporary Internet Files folder emptied: 20760591 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 7020429 bytes
->Flash cache emptied: 7742 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 54511278 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 7709740 bytes
Total Files Cleaned = 86.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.42.3 log created on 05132012_114124
Files\Folders moved on Reboot...
C:\Users\Ellis\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUBQ1CXS\fw-nonplayer-banner[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUBQ1CXS\pixel[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5TZY3LN\channels[1].htm not found!
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5TZY3LN\login_account[1].htm moved successfully.
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5TZY3LN\login_status[2].htm moved successfully.
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8JFDK9HA\emily[1].htm moved successfully.
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8JFDK9HA\xd_receiver[1].htm moved successfully.
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\data_sync[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\fw-nonplayer-banner[1].htm not found!
File\Folder C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\fw-nonplayer-banner[2].htm not found!
C:\Users\Ellis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4M0WE2T2\pixel[1].htm moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
-
TDSSKiller is NOT running. Same problem as aswMBR.
-
OK we have a new variant of the stealth TDL4. I would like to test one more programme to see if it detects it
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
Now we will prepare for deletion once I have determined where it is hiding
Download the following three programmes to your desktop :
1. Wintoboot (http://www.wintobootic.com/#)
2. Windows 7 64bit RC (http://www.forum.probz.net/index.php?/files/file/19-windows-7-recovery-environment-iso/)
3. Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe)
Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot
(http://dl.dropbox.com/u/73555776/wintoboot.JPG)
Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
(http://dl.dropbox.com/u/73555776/usb%20progress.JPG)
It will let you know when it is done
Then copy FRST to the same USB
(http://dl.dropbox.com/u/73555776/frstwintoboot.JPG)
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here (http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange.htm)
When you reboot you will see this, although yours will say Windows 7. Click Repair my computer
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg)
Select your operating system
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg)
Select Command prompt
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg)
At the command prompt type the following :
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
To ensure that AVG is completely removed, use the following link, download and run AVG uninstall after essexboy and you have successfully cleaned your system of Alureon-K infection here: http://kb.eset.com/esetkb/index?page=content&id=SOLN146 (http://kb.eset.com/esetkb/index?page=content&id=SOLN146) Any remnants left over can cause anomalies and strange behavior; this tool will help to prevent that.
Reason I say that is because I would not run this tool until after essexboy has told me to.
There is a first time for everything here; essexboy is able to help you because he knows many people in the industry, and will find a solution for you. He knows what he is doing. Logs are what is important here.
-
RogueKiller DID work. I've attached the reports and followed your instructions.
Wintoboot link is a bad link. I'm not sure how to proceed.
-
Aye the site has gone down... However, I do have a copy on my skydrive ;D
If you could click the Globe under my Avatar that will take you there, then locate and download WiNTBootic and proceed as directed
As it stands none of the tools are detecting this in normal mode, so we will see if working outside of Windows will reveal it
-
I followed your instructions until I reached this point:
"In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
"
I typed in the FRST64.exe path and everything, but instead of a tool running or a disclaimer, my notepad just filled up with a massive amount of code.
Please advise on how to proceed.
-
The use of notepad is just to tell you where FRST is
Change directory to the drive that has FRST and run from there by typing FRST64.exe
-
Ah. I see. I can't believe I didn't think of that.
Everything ran smoothly, log is attached.
-
Here is the culprit
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
There is no volume associated with this partition.
What we need to do now is set the proper partition to active
Another disc to make I am afraid
Download and burn to disc
gparted-live-0.11.0-7.iso (http://sourceforge.net/projects/gparted/files/latest/download?source=files) (115.1 MB)
Create a bootable CD for the Gparted ISO image. You can use ImgBurn (http://download.imgburn.com/SetupImgBurn_2.5.6.0.exe) to do this.
Now boot off of the newly created Gparted CD.
(http://img829.imageshack.us/img829/5772/gpartedsplash.th.png)
You should be here...
Press ENTER
(http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png)
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
(http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png)
Choose your language and press ENTER. English is default [33]
(http://img140.imageshack.us/img140/7958/gpartedgui.th.png)
Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
(http://img32.imageshack.us/img32/1122/gpartedo.th.png)
According to your logs, the partition that you want to delete is 1 MB
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
(http://img233.imageshack.us/img233/1533/gpartedsteps.th.png)
Now you should be here:
(http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png)
(http://img194.imageshack.us/img194/7753/gpartedboot.th.png)
Is "boot" next to your 100 MB system drive?
If "boot" is not next to your system drive under "Flags", right-mouse click the system drive while in Gparted and select Manage Flags
In the menu that pops up, place a checkmark in boot like the picture below:
(http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png)
Now double-click the (http://img822.imageshack.us/img822/641/gpartedexit.png) button.
You should receive a small pop up like this:
(http://img88.imageshack.us/img88/8986/gpartedexitreboot.png)
Choose reboot and then press OK.
If the system should fail to boot then run the Windows recovery console USB and execute the following commands:
bootrec /FixMbr
bootrec /FixBoot
exit
Once back in Windows.
Retry aswMBR
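Added example (not a tool from the thread or from Avast): a small Python script that reads sector 0 and parses the MBR partition table, flagging the indicators FRST reported above: a partition of a hidden filesystem type (0x17 is hidden NTFS/HPFS), marked active, about 1 MB in size. It also implements the check behind the GParted step, namely that exactly one partition is active and it is not a hidden type. The sample MBR is constructed to mirror the layout in the log, not real disk data; the 16 MiB "tiny" threshold and the device paths in the usage note are assumptions.

```python
import struct
import sys

SECTOR_SIZE = 512
TABLE_OFFSET = 446              # four 16-byte entries at bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count

# "Hidden" flavours of the DOS/Windows filesystem types (bit 4 of the type set).
# 0x17 is hidden NTFS/HPFS, the type FRST reported for partition 3.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
TINY_PARTITION_BYTES = 16 * 1024 * 1024   # assumption: real system partitions are larger


def make_entry(active, ptype, lba_start, sector_count):
    """Pack one partition table entry; CHS fields zeroed, LBA is authoritative."""
    status = 0x80 if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sector_count)


def make_mbr(entries):
    """Build a 512-byte MBR: zeroed boot code, up to four entries, 0x55AA signature."""
    table = b"".join(entries).ljust(4 * 16, b"\0")
    return b"\0" * TABLE_OFFSET + table + BOOT_SIGNATURE


# Constructed sample mirroring the thread's FRST finding (not real disk data).
SAMPLE_MBR = make_mbr([
    make_entry(False, 0x07, 2048, 204800),          # 100 MiB System Reserved, boot flag stolen
    make_entry(False, 0x07, 206848, 60_000_000),    # Windows volume
    make_entry(True, 0x17, 60_206_848, 2048),       # 1 MiB hidden NTFS, active: the rootkit's home
])

# Constructed clean layout after the rogue entry is deleted and the flag restored.
CLEAN_MBR = make_mbr([
    make_entry(True, 0x07, 2048, 204800),
    make_entry(False, 0x07, 206848, 60_000_000),
])


def parse_partition_table(mbr):
    """Return a dict per non-empty entry, numbered 1..4 as Disk Management/FRST do."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 does not carry a 0x55AA MBR signature")
    parts = []
    for index in range(4):
        off = TABLE_OFFSET + 16 * index
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                    # unused slot
        parts.append({"index": index + 1, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "bytes": count * SECTOR_SIZE})
    return parts


def suspicious_partitions(mbr):
    """Return [(index, [reasons])] for entries of a hidden type.

    Active flag and tiny size are recorded as extra reasons: a legitimate hidden
    partition (e.g. a vendor recovery area) is normally neither.
    """
    findings = []
    for p in parse_partition_table(mbr):
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append("hidden filesystem type 0x%02X" % p["type"])
            if p["active"]:
                reasons.append("marked active (boot flag)")
            if p["bytes"] <= TINY_PARTITION_BYTES:
                reasons.append("tiny: %d KiB" % (p["bytes"] // 1024))
        if reasons:
            findings.append((p["index"], reasons))
    return findings


def active_partition_ok(mbr):
    """True when exactly one partition is active and it is not a hidden type."""
    active = [p for p in parse_partition_table(mbr) if p["active"]]
    return len(active) == 1 and active[0]["type"] not in HIDDEN_TYPES


def read_sector0(path):
    """Read the first 512 bytes of a raw device or disk image.

    Caveat: a running kernel-mode rootkit can hook disk I/O and hand every
    reader a clean MBR, which is why the thread only saw the partition from an
    offline boot. Run this from a live CD/USB or against an image, not from the
    infected Windows session.
    """
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    mbr = read_sector0(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MBR
    for p in parse_partition_table(mbr):
        print("partition %d: type 0x%02X active=%s start=%d size=%d MiB"
              % (p["index"], p["type"], p["active"], p["lba_start"], p["bytes"] >> 20))
    for index, reasons in suspicious_partitions(mbr):
        print("SUSPICIOUS partition %d: %s" % (index, "; ".join(reasons)))
    print("active partition sane:", active_partition_ok(mbr))
```

Run it with no arguments to analyse the constructed sample, or pass a device path (an assumption about your environment: `\\.\PhysicalDrive0` as an administrator on Windows, `/dev/sda` as root from the GParted live USB) to read the real sector 0. On the sample it reports partition 3 as hidden type 0x17, active and 1024 KiB, and reports the active flag as not sane; after the GParted steps above the same checks on the clean layout should come back empty and sane.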
-
I don't have any spare CDs lying around.
Instead of using a CD, could I somehow use my trusty USB (15 GB)?
-
Yes if you could go to my site (Link is the Globe under my Avatar )
Download WiNTBootic.exe
(http://dl.dropbox.com/u/73555776/wintoboot.JPG)
Drag and drop the GParted ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
(http://dl.dropbox.com/u/73555776/usb%20progress.JPG)
It will let you know when it is done
Then boot from the USB and follow the destructions as previous ;D
-
Followed your instructions, it seems to have worked. This is my first reboot after removing the bad partition, and so far no sign of infection.
I'm going to run another full-system Avast! scan to see if it's all gone.
-
Detected three MBR: Alureon type viruses. The kind that were in my first post that I could easily remove. (This kind has a specified file name in an easy to access place)
Am I free to move them to the chest?
Also. Is there anything else you want me to do?
-
Yes could you do one further aswMBR run please, followed by an OTL quick scan
-
I did the aswMBR scan. The program worked this time, so I'm going to take that as a good sign. Anyway, it's 2:45 AM here. I'm going to bed. I'll do the OTL tomorrow.
Log attached if you want to see it.
-
That looks good - sleep tight ;D
-
And here's the OTL log.
Anything else you want me to do, or am I free and clean?
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go Start > All programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: