Author Topic: Infected with MBR:Alureon-K [Rtk] Help needed asap!  (Read 14382 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #15 on: March 14, 2012, 04:50:26 PM »
Hi

Did you type the command or click on tdl_fix.sh?

sofie99

  • Guest
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #16 on: March 14, 2012, 04:59:16 PM »
I didn't click the tdl_fix.sh, only went to tools-> open terminal and typed as you said bash tdl_fix.sh -delete, with spaces on both sides of tdl_fix.sh and pressed enter. What now?

Offline oldman
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #17 on: March 14, 2012, 05:11:48 PM »
Hi

After you type the command, hit enter, type y when prompted.

sofie99

  • Guest
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #18 on: March 14, 2012, 05:23:18 PM »
Okay, worked... the "deleting of hidden partition" was after that. hehe.
I'll go on with the next step then. But here's the tdl_delete.txt file...
Was this hidden partition something that this MBR rootkit created?
Avast MBR warning is still yet to come? Well, it did pop up after all last time, even though it took a bit longer than usual.
... to be continued.

Offline oldman
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #19 on: March 14, 2012, 05:26:31 PM »
Hi sofie99,

Yes, the hidden partition was the infection. Avast may be alerting you to the presence of the partition or its associated files. The next tool you use should show the file if present.
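
What the "hidden partition" step was looking for can be made visible with a small partition-table reader. This is an added example, not code from the thread and not part of the tdl_fix.sh tool: it parses a raw 512-byte MBR, lists the four partition entries, and flags the things a responder would want to review, namely a missing boot signature, entries that run past the end of the disk, overlapping entries, an unexpected number of bootable entries, and a small partition parked at the very end of the disk where nothing normally lives. The sample MBR, its disk size and the 8192-sector "tail window" are constructed here for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # boot code occupies bytes 0..445; four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR


def parse_mbr(mbr):
    """Return (signature_ok, entries) for a raw 512-byte master boot record."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    entries = []
    for slot in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * slot)
        if ptype == 0 and count == 0:
            continue              # unused slot
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "start": lba, "sectors": count, "end": lba + count - 1})
    return signature_ok, entries


def audit_mbr(mbr, disk_sectors, tail_window=8192):
    """Return (entries, findings); findings are plain-text items worth a second look."""
    signature_ok, entries = parse_mbr(mbr)
    findings = []
    if not signature_ok:
        findings.append("boot signature 0x55AA missing or corrupt")
    for e in entries:
        if e["end"] >= disk_sectors:
            findings.append(f"slot {e['slot']}: extends past the end of the disk")
        elif e["sectors"] <= tail_window and e["end"] >= disk_sectors - tail_window:
            findings.append(f"slot {e['slot']}: small partition ({e['sectors']} sectors, "
                            f"type 0x{e['type']:02x}) at the tail of the disk; review it")
    for a in entries:
        for b in entries:
            if a["slot"] < b["slot"] and a["start"] <= b["end"] and b["start"] <= a["end"]:
                findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    bootable = sum(1 for e in entries if e["bootable"])
    if bootable != 1:
        findings.append(f"{bootable} entries flagged bootable (expected exactly 1)")
    return entries, findings


def _entry(status, ptype, start, count):
    """Pack one 16-byte partition entry (CHS fields zeroed; LBA is what matters)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)


# Constructed sample: a 1,000,000-sector disk with one bootable NTFS-type (0x07)
# system partition and a second, tiny partition squeezed in just before the end.
SAMPLE_DISK_SECTORS = 1_000_000
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + _entry(0x80, 0x07, 63, 999_000)
              + _entry(0x00, 0x07, 999_100, 800)
              + bytes(32)            # two empty slots
              + BOOT_SIGNATURE)

if __name__ == "__main__":
    found, notes = audit_mbr(SAMPLE_MBR, SAMPLE_DISK_SECTORS)
    for e in found:
        print(f"slot {e['slot']}: type 0x{e['type']:02x} start {e['start']} "
              f"sectors {e['sectors']} bootable={e['bootable']}")
    for note in notes:
        print("FINDING:", note)
```

To run it against a real disk, read the first 512 bytes of the raw device (for example /dev/sda on Linux as root, or \\.\PhysicalDrive0 on Windows as Administrator) and pass the disk's total sector count. The caveat the thread itself illustrates: a rootkit that filters disk I/O can hand a clean sector to anything running on the infected system, which is why the fix was run from the xPUD boot CD rather than from Windows.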

sofie99

  • Guest
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #20 on: March 14, 2012, 05:36:38 PM »
Okay, looks good?

Here's the TDSSKiller log; it found 2 suspicious files and I skipped them, no need to delete those etc. They seemed like files that are meant to be there (unless they're infected in some way?)...
No malicious files, so I guess we did it? No alerts either, yet..... nice.

Oh yes... the log. It's too long to copy & paste so I'll attach the .txt file.

edit// ... but that other MSN Messenger icon is still just a black box. What's up with it, did the program get damaged somehow?
« Last Edit: March 14, 2012, 05:39:56 PM by sofie99 »

Offline oldman
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #21 on: March 14, 2012, 05:43:35 PM »
Hi sofie99,
 
The TDSSKiller log is clean, so that part is clean. These infections usually bring buddies, so we may as well have a look.

uTorrent
You have uTorrent, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. It's not the program that is the problem but what can be downloaded with it, usually from an unknown source. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm

I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

sofie99

  • Guest
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #22 on: March 14, 2012, 06:20:09 PM »
Hello~
Completed combofix as you instructed...
And also removed uTorrent, since I don't really use it myself that much. Tho I'm aware of its risks.
As I uninstalled it, some DLL attempted to access the internet with uTorrent, but I denied the access. That might've been something malicious?
Hope you understand Finnish haha, or the pattern of this report, since it's in fact in Finnish.
Thanks!
Here's the report...

edit// Oh, and is there a way to find out that my external drive isn't infected, or should I be worried about it? I removed it from the computer as quick as I noticed the infection.

I've restarted computer now after the ComboFix scan and everything seems to be fine. Weird blackbox-icons have disappeared, pop up alerts about MBR have no longer been seen, and there's been no messages like "Generic Host Process Win32" crashing. And no sudden directing to suspicious sites (that avast always blocked).
Tho I'm still not going to use any programs / go to sites with sensitive information, until I get confirmed by you that the threat is most likely gone.
« Last Edit: March 14, 2012, 07:20:12 PM by sofie99 »

Offline oldman
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #23 on: March 14, 2012, 11:50:31 PM »
Hi sofie99,
 
Looks good so far. Let's do a couple more scans with the external harddrive attached.

When attaching the harddrive hold down the shift key. This will keep the harddrive from autorunning.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • Make sure the external harddrive is also selected and click scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

You should be able to add the external harddrive to the scan area when setting up the scanner.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Go here to run an online scanner from
ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is  Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats
  • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply
Note - when ESET doesn't find any threats, no report will be created.

  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.
Please post back with
  • MBAM log
  • ESET log if there is one.
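
Holding Shift while attaching the drive stops AutoRun from firing, but it also helps to know what the drive's autorun.inf would have launched had it fired. The following is an added example, not code from the thread or from any of the tools it uses: it parses an autorun.inf (the sample text is constructed, not taken from the poster's drive), reports every key that would start a program (open, shellexecute, and shell\<verb>\command), and exposes the label and icon the file would present, which is how a malicious autorun.inf disguises itself as the drive. A drive whose autorun.inf launches an executable that is not part of the drive's own software deserves a closer look before it is trusted again.

```python
import configparser
import os

# Keys whose value is run directly when AutoRun fires.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys, or {} if absent."""
    # interpolation=None: '%SystemRoot%' must survive; strict=False: tolerate duplicate keys;
    # delimiters=("=",): a ':' inside a Windows path must not be taken as a separator.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    merged = {}
    for name in cp.sections():
        if name.lower() == "autorun":      # section names are case-sensitive in configparser
            merged.update(cp.items(name))  # option names are already lower-cased
    return merged


def inspect_autorun(text):
    """Summarise what an autorun.inf would do: launch targets plus the cosmetics it sets."""
    entries = parse_autorun(text)
    launches = [(key, value) for key, value in entries.items()
                if key in LAUNCH_KEYS
                or (key.startswith("shell\\") and key.endswith("\\command"))]
    return {"launches": launches,
            "label": entries.get("label"),
            "icon": entries.get("icon"),
            "useautoplay": entries.get("useautoplay")}


def check_drive_root(root):
    """Inspect <root>/autorun.inf if present; None means the drive has no such file."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return inspect_autorun(fh.read())


# Constructed sample: a drive that calls itself "Backup Drive", borrows a stock Windows
# icon, and would launch backup\update.exe both on insertion and on double-click.
SAMPLE_AUTORUN = r"""
; constructed sample autorun.inf, not from the thread
[AutoRun]
label=Backup Drive
icon=%SystemRoot%\system32\shell32.dll,4
open=backup\update.exe
shell\open\command=backup\update.exe -silent
UseAutoPlay=1
"""

if __name__ == "__main__":
    report = inspect_autorun(SAMPLE_AUTORUN)
    print("label:", report["label"], "| icon:", report["icon"])
    for key, target in report["launches"]:
        print(f"would launch via {key}: {target}")
```

Point check_drive_root at the mount point or drive letter of the external disk (for example "E:\\" on Windows). The file itself is harmless to read; the risk is only in letting Windows act on it, so inspect it from a system with AutoRun disabled, as the Shift-key step above does for a single insertion.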

sofie99

  • Guest
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #24 on: March 15, 2012, 03:44:11 AM »
Hi!
Good thing you made me do some more scans.
While MBAM was up to date and scanning, avast! blocked a process "map.exe" from "C:\Program Files\Nokia\Nokia 73 Highlights\map.exe (|[Embedded_I#0028e64])" by "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe".
Then almost right after, it blocked the others from "C:\System Volume Information\_restore{9CBB2215-ABD3-4EF5-B3E4-CEC5E584FDF3}\RP95\A0041563.exe" and the same but "C:\S..\_rest...\RP99\A0042346.exe".
So far MBAM had only found one suspicious file; avast quarantined all 3 of those.
So MBAM brought them up and avast! blocked??
MBAM only found one of those, a004141563.exe, which it stated to be a fake trojan alert. I also still found those old "founds" from the very first MBAM scan in the quarantine; should I try to delete those? Seems they weren't deleted in the first place.

Then after the MBAM scan, I started to try out ESET; first I couldn't get it to work with either Firefox (my default browser) or IE. Then the internet quit working. I had to restart to get it working, and then ESET started working too.
It also found one file from that same "System Volume Information" folder, which avast! or MBAM didn't spot.
And two others.
I've been wondering, do these bugs in the "System Volume Information" folder have something to do with the error message I got during start-up from Realtek Audio: "Invalid Stream Format"? It's been popping up a lot. ??
Then after the ESET scan, I couldn't connect to the internet with FF/IE, again. And had to restart again to get here. Sigh!
So.... Really, thanks for putting me through yet another scan.
What's next? Since I didn't remove any files with ESET, they're still there....
And what to do with those files in avast! quarantine?

Since it didn't find anything from the external drive, it's clean?

Here's the logs...
again.

I'm really grateful for your help with this!!
« Last Edit: March 15, 2012, 03:50:40 AM by Sofie »

Offline oldman
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #25 on: March 15, 2012, 05:21:32 PM »
Hi sofie,

Things are not as bad as they seem. Avast just took exception to MBAM nosing around. This can happen when one scanner opens a file to read and the other one is "looking over its shoulder" and sees something it doesn't like. The C:\System Volume Information detections are no problem. They are infected Restore Points which won't reinfect you unless you restore the computer to that point. These will be removed when the tools are removed.

Quote
I got during the start up from Realtek Audio: "Invalid Stream Format". It's been popping up a lot. ??
You may need to update the Realtek drivers.

Quote
C:\Program Files\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll   Win32/OpenCandy application
C:\Program Files\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe   a variant of Win32/Toolbar.Zugo application
Eset is warning you of a potentially unwanted program and that it comes bundled with a toolbar.

How is the computer running?

sofie99

  • Guest
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #26 on: March 15, 2012, 05:56:28 PM »
Quote
How is the computer running?
Actually nicely, no problems appeared during the few hours that I've spent here today.
Made one full scan with MBAM when I started, and it found nothing. Neither did avast!, tho I didn't scan with it.

So that Veoh thing isn't really infected, and I don't have to worry about the C:\System Volume Information detections.
So can I little by little start returning to the normal usage?
Is there something I should do?

I've been fixing up relatives'/friends' computers for like 10 years, learning new things about computers on the road. But this was my first time dealing with a rootkit on my own computer.
Or avast did give a false rootkit alarm after updating, that was months ago. I read about it on the forums (probably here). Since many have had the same problem, and symptoms disappeared after a while, I kinda ignored it then.
I don't even remember what its name was, probably have it written down somewhere.
But anyways, would be cool to learn more about these really. But at least now I know where/who to turn to in case of troubles like this!!

edit// Oh, how about that "map.exe" which was previously found from "C:\Program Files\Nokia\Nokia 73 Highlights\map.exe", was now in

 C:\WINDOWS\Downloaded Installations\{DEC3E00E-6373-461B-AFFC-85B069BC3539}\Nokia N73 highlights.msi|>Data1.cab|>map.exe|>[Embedded:I#0028e64]

avast! found it again and says it's "high risk" malicious "Win32 Malware-gen". But seems unable to quarantine or even delete it. ?
 
« Last Edit: March 15, 2012, 08:58:14 PM by Sofie »

Offline oldman
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #27 on: March 16, 2012, 12:05:58 AM »
Hi sofie,

I think that may be a false positive on Avast's part.

You can submit it to VirusTotal for analysis.

To submit a file to virustotal, please click on this link

VirusTotal

copy and paste the following into the upload a file box  (or use the "choose file" button )

C:\Program Files\Nokia\Nokia 73 Highlights\map.exe
scroll down a bit and click "Scan it", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete.

sofie99

  • Guest
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #28 on: March 16, 2012, 12:33:48 AM »
Hi!

I think I agree now...

SHA256:    f6d8d3d7cf3f64a36384fd7525304fc6f46e0ff26713034d693aacc81053c80f
SHA1:    5f5a5bec70179007fe8e182bd24a25b3c3c5f6ee
MD5:    9d60ec4bb31cbf2507791096cace0aaa
File size:    18.2 MB ( 19032576 bytes )
File name:    Nokia N73 highlights.msi
File type:    FlashPix
Tags:    upx
Detection ratio:    3 / 43
Analysis date:    2012-03-15 23:19:57 UTC ( 7 minutes ago )
Antivirus    Result    Update
AhnLab-V3    -    20120315
AntiVir    -    20120315
Antiy-AVL    -    20120315
Avast    Win32:Malware-gen    20120314
AVG    -    20120315
BitDefender    -    20120315
ByteHero    -    20120315
CAT-QuickHeal    -    20120315
ClamAV    PUA.Packed.Thinstall2425    20120315
Commtouch    -    20120315
Comodo    -    20120314
DrWeb    -    20120315
Emsisoft    -    20120315
eSafe    -    20120315
eTrust-Vet    -    20120315
F-Prot    -    20120315
F-Secure    -    20120315
Fortinet    -    20120315
GData    Win32:Malware-gen    20120315
Ikarus    -    20120315
Jiangmin    -    20120301
K7AntiVirus    -    20120314
Kaspersky    -    20120315
McAfee    -    20120314
McAfee-GW-Edition    -    20120315
Microsoft    -    20120315
NOD32    -    20120315
Norman    -    20120315
nProtect    -    20120314
Panda    -    20120315
PCTools    -    20120314
Prevx    -    20120316
Rising    -    20120315
Sophos    -    20120315
SUPERAntiSpyware    -    20120315
Symantec    -    20120315
TheHacker    -    20120313
TrendMicro    -    20120315
TrendMicro-HouseCall    -    20120315
VBA32    -    20120315
VIPRE    -    20120315
ViRobot    -    20120315
VirusBuster    -    20120315

Doesn't seem like anything that might bite that easily...
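
A 3/43 result made up of names like "Malware-gen" and "PUA.Packed" is the kind of report a practitioner reads differently from a 3/43 where one engine names a specific family. The following is an added example, not code from the thread or any VirusTotal tooling: it parses a pasted VirusTotal table (an excerpt of the rows posted above is embedded as sample input), computes the detection ratio, separates generic or heuristic verdicts from named-family ones, notes engines whose signature date lagged the others, and checks that a locally hashed file matches the SHA-256 in the report. The list of "generic" markers and the verdict wording are this example's own choices. Note that the report above is for "Nokia N73 highlights.msi" (19 MB) rather than the map.exe inside it, which the hash check is meant to catch.

```python
import hashlib
import re

# Verdict fragments that indicate a heuristic or generic signature rather than a
# named family; such hits carry less weight on their own (example's own list).
GENERIC_MARKERS = ("malware-gen", "generic", "heur", "pua.", "packed", "suspicious", "unwanted")

# Excerpt of the VirusTotal table pasted above: engine, verdict ("-" = nothing), signature date.
SAMPLE_VT_TABLE = """\
Antivirus    Result    Update
Avast    Win32:Malware-gen    20120314
ClamAV    PUA.Packed.Thinstall2425    20120315
GData    Win32:Malware-gen    20120315
Kaspersky    -    20120315
Microsoft    -    20120315
NOD32    -    20120315
Symantec    -    20120315
"""


def parse_vt_table(text):
    """Parse 'engine  verdict  yyyymmdd' rows separated by tabs or runs of spaces."""
    rows = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}|\t", line.strip())
        if len(parts) != 3 or parts[0].lower() == "antivirus":   # skip header / junk
            continue
        engine, verdict, update = parts
        rows[engine] = {"verdict": None if verdict == "-" else verdict, "update": update}
    return rows


def assess(rows):
    """Turn the parsed rows into a ratio, generic/specific split, stale engines and a summary."""
    hits = {e: r for e, r in rows.items() if r["verdict"]}
    generic = {e for e, r in hits.items()
               if any(m in r["verdict"].lower() for m in GENERIC_MARKERS)}
    specific = set(hits) - generic
    latest = max(r["update"] for r in rows.values()) if rows else None
    stale = {e for e, r in hits.items() if r["update"] < latest}   # yyyymmdd sorts as text
    if not hits:
        summary = "no detections"
    elif specific:
        summary = "named family reported; treat as likely malicious"
    else:
        summary = "only generic/heuristic names; low confidence, consider a false positive"
    return {"ratio": f"{len(hits)}/{len(rows)}", "generic": generic,
            "specific": specific, "stale": stale, "summary": summary}


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of a file's bytes, in the form VirusTotal displays them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data, reported_sha256):
    """True if the local bytes are the same object the VirusTotal report describes."""
    return file_hashes(data)["sha256"] == reported_sha256.strip().lower()


if __name__ == "__main__":
    result = assess(parse_vt_table(SAMPLE_VT_TABLE))
    print(result["ratio"], "|", result["summary"])
    print("generic:", sorted(result["generic"]), "stale:", sorted(result["stale"]))
    # Hash a file before trusting a report about it (path is a placeholder):
    # with open(r"C:\path\to\file.exe", "rb") as fh: print(matches_report(fh.read(), "<sha256 from report>"))
```

The hash check is the part worth keeping in the habit: a verdict only applies to the bytes that were scanned, so confirm the SHA-256 of the file on disk matches the one in the report before acting on either a clean or a malicious result.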

Offline oldman
Re: Infected with MBR:Alureon-K [Rtk] Help needed asap!
« Reply #29 on: March 16, 2012, 01:09:05 AM »
Hi sofie,

You can submit the file to Avast. These are for Avast6, I think they are all similar.
  • Open the Avast user interface
  • click Maintenance
  • click Virus Chest
  • right click in the chest window
  • click add
  • browse to the file and click open
  • a copy of the file will be placed in the chest
  • right click the file and click submit to virus lab
  • use the dropdown menu for type to select false positive
  • fill in the program info
  • add a link to the VirusTotal results or this topic
  • check the I know what I'm doing box
  • click submit
Quote
So that Veoh thing isn't really infected,
No, not really. OpenCandy is a form of adware bundled with certain software.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Adware%3AWin32%2FOpenCandy
Quote
C:\Program Files\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe   a variant of Win32/Toolbar.Zugo application
It also comes with a toolbar.

The old infected Restore points will be removed and a new clean one created when these steps are followed for removing the tools.

We can clean up the tools now.

From your desktop, please delete, if present
  • any notepads/logs that we created
  • mbr.zip
  • mbr.dat
  • aswMBR.exe
  • TDSSKiller
You can also delete  from the C:\ drive  the file called TDSSKiller_* (* denotes version & date)

You can delete the files we saved on your flashdrive. Keep the xPUD cd it may come in handy one day.

Next

Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK
Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have those.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis

- Make sure you have reset Automatic Updates to your chosen option. Click your Start button > Control Panel > System > Automatic Updates tab

- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care