Author Topic: help geting rid of Alureon K and Trojans  (Read 11227 times)


bobjcpa

  • Guest
help geting rid of Alureon K and Trojans
« on: September 05, 2012, 05:53:17 AM »

Posts: 1

Alureon-K
When I scanned I got the following message: MBR:\\.\PHYSICAL DRIVE0\Partiition4 Threat: MBR Alureon-K
When I tried to fix I got Error: The request is not supported Threat MBR Alurion-K

I ran a full boot scan and got the following messages:

File C:\Documents and Settings\Allsusers\Application Data\Avast Software\Avast\log\unp194787593.tmp.mdmp is infected by MBR:Alureon-K
When I delete it and do another full boot scan, the message keeps coming back.

File C:\hiberfil.sys is infected by win32:Hupigon-ONX [TRJ]
When I try to delete it I get Delete: error 0xC0000043 a file cannot be opened because the share access flags are incompatible

File C:\Documents and Settings\Bob Jones\Local Settings\Temporary Internet Files\content.IE5\E2FXZWN\xtr_new[2].htm is infected by JS:ScriptIP-inf[Trj]
When I try to delete it I get An invalid parameter was passed to a service or function

Attached are the logs after running MBAM, RogueKiller and OTL:

RogueKiller V7.6.6 [08/10/2012]  by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Bob Jones [Admin rights]
Mode: Scan -- Date: 08/23/2012 19:45:07

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHW2060BH +++++
--- User ---
[MBR] dcb594b8d25db6ca7be124d2af2ec37f
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 77e11ff8a8c13f3bde4346dea81a2f33
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 117194175 | Size: 7 Mo

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



RogueKiller V7.6.6 [08/10/2012]  by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Bob Jones [Admin rights]
Mode: Scan -- Date: 08/23/2012 19:46:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHW2060BH +++++
--- User ---
[MBR] dcb594b8d25db6ca7be124d2af2ec37f
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 77e11ff8a8c13f3bde4346dea81a2f33
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54070 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110896695 | Size: 3074 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 117194175 | Size: 7 Mo

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37552
  • Not a avast user
Re: help geting rid of Alureon K and Trojans
« Reply #1 on: September 05, 2012, 06:35:04 AM »
Also attach the AdwCleaner and aswMBR logs: http://forum.avast.com/index.php?topic=53253.0

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: help geting rid of Alureon K and Trojans
« Reply #2 on: September 05, 2012, 07:15:53 AM »
Hi bobjcpa, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
  • Do not attach any logs/reports, etc.. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, Please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.
We'll use a CD that we will make bootable. We also need a USB flash drive that has some space on it. We will not be changing any of the data on the USB device, just using it for a file.

You will also need to use Firefox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but it's fairly straightforward and for the most part automated.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe by double clicking it.
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD
Using Firefox, please download and save dumpit to your USB device.

You may want to print out this part as you will not be able to view these instructions.

  • Leave the USB device attached to the computer
  • Boot the infected computer with the CD you just burned
    • With the CD in the computer, restart the computer
    • The computer must be set to boot from the CD; depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
    • Once you have the computer set to boot from the CD, allow it to boot
    • A Welcome to xPUD screen will appear
    • Click on File
    • Expand mnt
    • sda1,2... usually corresponds to your HDD
    • sdb1 is likely your USB
    • Click on the folder that represents your USB drive (sdb1 ?)
      (you will be able to tell if it is the right one as the screen will populate with your files)
    • Locate the file you downloaded and saved earlier, dumpit
    • Double click it to run it
    • A black window will open; follow the instructions to close the window when it's finished
    • A file called MBR.zip should now be placed in the right hand panel
    • Click the Home icon at top
    • Remove the CD and click Power off
    • Click restart
  Once the computer has rebooted, open the USB device and locate MBR.zip
    • Right click it and click Extract All
    • There will be a file named sda0.bin
    • Please rename it to sda0.txt
  Please attach sda0.txt and sda0info.txt to your next reply.
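Once a raw sector dump like sda0.bin is in hand, the useful check is the one RogueKiller's "User != LL2 ... KO!" lines in the first post already hint at: decode the partition table and compare the MBR the running OS reports with the one read straight from the disk. The script below is an added example for this thread, not code from any of the tools mentioned; its two sample sectors are constructed from the LBA offsets in the RogueKiller output (sector counts derived from the gaps between them), and the boot-code bytes are placeholders.

```python
import hashlib
import struct

SECTOR_SIZE = 512
SECTORS_PER_MIB = 2048
# Partition type ids for the "hidden" FAT/NTFS variants; 0x17 (hidden NTFS) is the one in the log above
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def parse_mbr(sector: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446 of a raw MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in the 0x55AA signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", raw)  # skip the two CHS triples
        entries.append({"active": boot == 0x80, "type": ptype, "hidden": ptype in HIDDEN_TYPES,
                        "lba": lba, "size_mib": count // SECTORS_PER_MIB})
    return entries

def compare_views(user_view: bytes, raw_view: bytes) -> list:
    """Flag disagreements between the MBR as read through the running OS and the MBR read
    from the disk itself, the pattern RogueKiller prints as 'User != LL2 ... KO!'."""
    findings = []
    if hashlib.md5(user_view[:446]).hexdigest() != hashlib.md5(raw_view[:446]).hexdigest():
        findings.append("boot code differs: OS-level read does not match the on-disk sector")
    for i, (u, r) in enumerate(zip(parse_mbr(user_view), parse_mbr(raw_view))):
        if u != r:
            findings.append(f"partition entry {i} differs: os={u} disk={r}")
        if r["hidden"]:
            findings.append(f"entry {i}: hidden type 0x{r['type']:02X}, active={r['active']}, "
                            f"LBA {r['lba']}, {r['size_mib']} MiB")
    return findings

def build_mbr(boot_code: bytes, table) -> bytes:
    """Assemble a sector from boot code plus (active, type, lba, sectors) tuples. Only used to
    construct the sample views below; real input is the 512 bytes of sda0.bin."""
    entries = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, lba, n) for a, t, lba, n in table)
    return boot_code.ljust(446, b"\x00") + entries.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed sample data: LBA offsets are those in the RogueKiller log, sector counts are derived
# from the gaps between them, and the boot-code bytes are placeholders.
USER_TABLE = [(False, 0xDE, 63, 160587), (True, 0x07, 160650, 110736045),
              (False, 0xDB, 110896695, 6297480)]
RAW_TABLE = [USER_TABLE[0], (False,) + USER_TABLE[1][1:], USER_TABLE[2],
             (True, 0x17, 117194175, 14336)]  # hidden, active 7 MiB partition appended
USER_VIEW = build_mbr(b"\x33\xc0\x8e\xd0", USER_TABLE)
RAW_VIEW = build_mbr(b"\xeb\x58\x90\x00", RAW_TABLE)

if __name__ == "__main__":
    for line in compare_views(USER_VIEW, RAW_VIEW):
        print(line)
```

Feed the 512 bytes of a real sda0.bin in place of the constructed views to inspect an actual dump; the sizes it prints match the "Mo" column RogueKiller reports.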

    bobjcpa

    • Guest
    Re: help geting rid of Alureon K and Trojans
    « Reply #3 on: September 05, 2012, 03:40:48 PM »
    I was able to burn the CD but when I click on dumpit to copy or save to the USB, it appears to be a txt file with a lot of nondescript characters. Should I save this to the USB? I opened up Firefox and tried to find a site to download dumpit but am not sure if I have the correct file or software. Can you give me a little more detail on dumpit and how to get the correct file?

    Offline oldman

    • Avast Evangelist
    • Massive Poster
    • ***
    • Posts: 4142
    • Some days..... MOS...this bug's for you
    Re: help geting rid of Alureon K and Trojans
    « Reply #4 on: September 05, 2012, 09:51:25 PM »
    Hi bobjcpa,

    It sounds like you are downloading it with Internet Explorer. Use Firefox and you should get the correct file.

    bobjcpa

    • Guest
    Re: help geting rid of Alureon K and Trojans
    « Reply #5 on: September 06, 2012, 03:34:43 AM »
    I guess I'm not very smart, but I am using Firefox as the web browser and have made it my default browser. When I try to open the link http://noahdfear.net/downloads/dumpit using Firefox, it doesn't ask me if I want to download dumpit; here's a portion of what I get:

    #!/bin/sh -e
    sed -e '1,/^exit$/d' "$0" | tar xzf - && `xterm -e bash mbrdump.sh`
    exit

    Any other suggestions?

    Offline oldman

    • Avast Evangelist
    • Massive Poster
    • ***
    • Posts: 4142
    • Some days..... MOS...this bug's for you
    Re: help geting rid of Alureon K and Trojans
    « Reply #6 on: September 06, 2012, 04:31:40 AM »
    Hi bobjcpa,

    It's not you, seems FF is doing the same thing as IE. I got it to work once. I'll attach it.

    I had to rename it to dumpit.log. Once you have downloaded it to your flash drive, rename it to dumpit.

    To download the file, right click it and click "save link as".
    « Last Edit: September 06, 2012, 04:34:15 AM by oldman »

    bobjcpa

    • Guest
    Re: help geting rid of Alureon K and Trojans
    « Reply #7 on: September 07, 2012, 12:48:11 AM »
    I saved the file to my flash drive and renamed it but it appears to be a .txt file with the same type of nondescript characters as previously and not a .exe executable file, which is what I think I need. Is there another program that does the same thing as dumpit that I could use? I'm not sure I can get this to work.

    bobjcpa

    • Guest
    Re: help geting rid of Alureon K and Trojans
    « Reply #8 on: September 07, 2012, 02:36:16 AM »
    I found this blog post searching the internet about DumpIt. Is this the same thing? I may be able to save the executable file from this blog post if it is the same file you are suggesting I need to save to my flash drive:
    One-Click Windows Memory Acquisition with DumpIt

    Memory forensics is becoming an essential aspect of digital forensics and incident response. When a system is believed to have been compromised or infected, the investigator needs a convenient way to take a memory snapshot of the host. DumpIt, a new tool from MoonSols, makes this very easy, even if the person in front of the affected computer isn’t technical.

    DumpIt is a fusion of two trusted tools, win32dd and win64dd, combined into one executable. DumpIt is designed to be provided to a non-technical user using a removable USB drive. The person needs to simply double-click the DumpIt executable and allow the tool to run. DumpIt will then take the snapshot of the host's physical memory and save it to the folder where the DumpIt executable was located.

    The user can then provide the investigator with the USB key, which will contain the memory snapshot file. The administrator can use free memory forensics tools such as The Volatility Framework, Mandiant Redline and HB Gary Responder Community Edition to examine the memory file’s contents for malicious artifacts.

    DumpIt provides an easy way of obtaining a memory image of a Windows system even if the investigator is not physically sitting in front of the target computer. It’s so easy to use, even a naive user can do it. It’s not appropriate for all scenarios, but it will definitely make memory acquisition easier in many situations.


    bobjcpa

    • Guest
    Re: help geting rid of Alureon K and Trojans
    « Reply #9 on: September 07, 2012, 03:25:47 AM »
    I downloaded what I think is the correct executable file, DumpIt.exe. I saved it to my USB flash drive and tested it on my clean computer. The black window opened up as described earlier, so I know it works.

    I proceeded with the additional steps. I got to the point where I clicked on sdb1, which was the USB flash drive. When I clicked on the file DumpIt.exe nothing happened. Any thoughts on why it's not executing or what I should do next?

    Offline oldman

    • Avast Evangelist
    • Massive Poster
    • ***
    • Posts: 4142
    • Some days..... MOS...this bug's for you
    Re: help geting rid of Alureon K and Trojans
    « Reply #10 on: September 07, 2012, 06:54:10 AM »
    Hi bobjcpa,

    No that is something different. The one for xpUD is the one I attached. Remember to rename it as instructed.

    bobjcpa

    • Guest
    Re: help geting rid of Alureon K and Trojans
    « Reply #11 on: September 07, 2012, 02:53:03 PM »
    I saved the file you attached to my flash drive and renamed it, but it appears to be a .txt file with the same type of nondescript characters as previously described and not a .exe executable file, which is what I think I need. Is there another program that does the same thing as dumpit that I could use? I'm not sure how I can get this to work.

    Offline oldman

    • Avast Evangelist
    • Massive Poster
    • ***
    • Posts: 4142
    • Some days..... MOS...this bug's for you
    Re: help geting rid of Alureon K and Trojans
    « Reply #12 on: September 08, 2012, 08:01:55 AM »
    Hi bobjcpa,


    The dumpit you need is the one that I posted. It's an extensionless script file written for Linux. If you try opening it in Windows it won't make sense. I had to add the .log as the forum wouldn't let me upload it without an extension.

    Did you try running it from xpUD?

    I just now downloaded it with Firefox by right clicking the link and clicking "save link as". Make sure it's set to "all files".
    « Last Edit: September 08, 2012, 08:05:29 AM by oldman »

    bobjcpa

    • Guest
    Re: help geting rid of Alureon K and Trojans
    « Reply #13 on: September 08, 2012, 08:18:58 PM »
    I think I got it to work. I rebooted and located MBR.zip. I then clicked on Extract All. I then highlighted sda0.bin, right clicked, clicked on rename and renamed it sda0.txt. When I click on properties, it indicates it's a bin file and I can't attach it to my reply.
    When I try, the file name I'm trying to attach is \mbr\sda0.txt.bin and I guess avast won't let me attach a bin file. How do I rename it so it doesn't stay a bin file?

    Also, I'm not sure where I find the sda0info.txt file?

    Offline oldman

    • Avast Evangelist
    • Massive Poster
    • ***
    • Posts: 4142
    • Some days..... MOS...this bug's for you
    Re: help geting rid of Alureon K and Trojans
    « Reply #14 on: September 08, 2012, 08:56:38 PM »
    Hi bobjcpa,

    Do it this way. Open Windows Explorer
    • uncheck hide extension for known file types
    • at the top of screen click tools
    • click folder options
    • click the view tab
    • click apply, click ok
    You will now be able to rename the file correctly.

    The sda0info.txt should have been in the MBR.zip file.