Topic: Problem with Alureon-K, I can't get rid of it.


Offline frenchfancy

  • Jr. Member
  • **
  • Posts: 26
Problem with Alureon-K, I can't get rid of it.
« on: March 23, 2012, 03:00:16 PM »
I have tried to follow the advice on here and elsewhere to no avail.  Be gentle with me, I am an end user and need your help.

Running Windows XP service pack 3, on a Pentium R

I lost all programs, file structure, wallpaper and internet
I tried to quarantine but it can't.  I tried delete and it says it will delay delete until next start-up.  On start-up it is still there.

I have done an avast start-up scan - no change.

I ran Windows defender on re-boot which brought back my programs

I have also run Malwarebytes, OTL, RogueKiller, aswMBR, Spybot and FSS.

I now have my wallpaper back but still no file structure or internet.  I can see my files by searching on hidden files so I know they are there.

I'll try to attach my OTL log

Please help.

MBAM log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.13.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
DOUST :: DOUST-118C81DC4 [administrator]

21/03/2012 11:59:24
mbam-log-2012-03-21 (11-59-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 174108
Time elapsed: 18 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\DOUST\Bureau\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89266
  • No support PMs thanks
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #1 on: March 23, 2012, 03:35:48 PM »
This needs further analysis by a malware removal specialist and the use of additional analysis tools:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the other logs here, not in the LOGS topic.

You should also have gotten an extras.txt from your first running of OTL.

More than one log can be attached per post so long as they don't exceed the limits for single file or cumulative total of up to 4 files attached.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline frenchfancy

  • Jr. Member
  • **
  • Posts: 26
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #2 on: March 23, 2012, 03:44:08 PM »
OTL extras attached.

RogueKiller report

RogueKiller V7.3.2 [20/03/2012] par Tigzy
mail: tigzyRK<at>gmail<dot>com
Remontees: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Blog: http://tigzyrk.blogspot.com

Systeme d'exploitation: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Demarrage : Mode normal
Utilisateur: DOUST [Droits d'admin]
Mode: Recherche -- Date: 21/03/2012 10:37:15

¤¤¤ Processus malicieux: 0 ¤¤¤

¤¤¤ Entrees de registre: 7 ¤¤¤
[SUSP PATH] HKLM\[...]\Run : ldmtqETJLYi.exe (C:\Documents and Settings\All Users\Application Data\ldmtqETJLYi.exe) -> FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @All Users : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe -> FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @All Users : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe -> FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @Common : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe -> FOUND
[SUSP PATH] Wireless Configuration Utility HW.51.lnk @Common : C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver: [CHARGE] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
127.0.0.1       localhost


¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600AAJS-00L7A0 +++++
--- User ---
[MBR] 711e9888d04d359b46e295c2aa4adf4e
[BSP] fa0fa98db694d6892a5f1462dfd3e535 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 8a45da90882fcd1b49f27f8717295a7a
[BSP] fa0fa98db694d6892a5f1462dfd3e535 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312560640 | Size: 10 Mo

Termine : << RKreport[1].txt >>
Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89266
  • No support PMs thanks
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #3 on: March 23, 2012, 03:56:23 PM »
Hopefully it won't be long before a malware removal specialist can analyse the logs. Essexboy who deals with most of them may be at work (almost 3pm UK time) and is normally on-line from about 7pm UK time.

jeffce

  • Guest
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #4 on: March 23, 2012, 04:02:37 PM »
Hi,

Please download aswMBR to your desktop.

  • Right click and Run as Administrator the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------

Offline frenchfancy

  • Jr. Member
  • **
  • Posts: 26
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #5 on: March 23, 2012, 07:26:09 PM »
I've already run aswMBR, sorry I should have attached the log the first time.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-22 11:23:35
-----------------------------
11:23:35.906    OS Version: Windows 5.1.2600 Service Pack 3
11:23:35.906    Number of processors: 2 586 0x604
11:23:35.906    ComputerName: DOUST-118C81DC4  UserName: DOUST
11:23:39.781    Initialize success
11:23:49.453    AVAST engine defs: 12032000
11:23:59.328    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
11:23:59.328    Disk 0 Vendor: WDC_WD1600AAJS-00L7A0 01.03E01 Size: 152627MB BusType: 3
11:23:59.343    Disk 0 MBR read successfully
11:23:59.343    Disk 0 MBR scan
11:23:59.343    Disk 0 Windows XP default MBR code
11:23:59.359    Disk 0 MBR hidden
11:23:59.359    Disk 0 Partition 1 00     07    HPFS/NTFS NTFS       152617 MB offset 63
11:23:59.390    Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS           10 MB offset 312560640
11:23:59.390    Disk 0 Partition 2  **INFECTED** MBR:Alureon-K [Rtk]
11:23:59.390    Disk 0 scanning sectors +312581792
11:23:59.484    Disk 0 scanning C:\WINDOWS\system32\drivers
11:24:16.500    Service scanning
11:24:32.312    Modules scanning
11:24:42.046    Disk 0 trace - called modules:
11:24:42.062    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8636ffa9]<<
11:24:42.062    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86360438]
11:24:42.062    3 CLASSPNP.SYS[f76eefd7] -> nt!IofCallDriver -> \Device\00000064[0x863893b8]
11:24:42.062    5 ACPI.sys[f7664620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8635cd98]
11:24:42.062    \Driver\atapi[0x8637eac0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8636ffa9
11:24:42.593    AVAST engine scan C:\
12:55:23.578    File: C:\Program Files\Real\realplayer\Update\realsched.exe  **INFECTED** Win32:Malware-gen
14:16:23.640    Scan finished successfully
14:32:27.062    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\DOUST\Bureau\MBR.dat"
14:32:27.062    The log file has been saved successfully to "C:\Documents and Settings\DOUST\Bureau\aswMBR.txt"
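As an added illustration (not code from this thread, from RogueKiller or from aswMBR), the script below reads the two MBR views from the RogueKiller report posted above and reports what makes them a rootkit indicator: the user-mode and low-level reads of the same sector hash differently, and only the low-level view exposes a hidden, active 10 MB partition at the end of the disk (the partition aswMBR labels MBR:Alureon-K). The report excerpt is constructed from the lines quoted in the thread; the function names are assumptions of this example.

```python
import re
# Constructed excerpt of the RogueKiller "MBR Verif" section quoted in this thread: "User" is the
# MBR read via the normal Windows disk API, "LL2" a low-level read bypassing the driver stack.
RK_REPORT = """\
--- User ---
[MBR] 711e9888d04d359b46e295c2aa4adf4e
[BSP] fa0fa98db694d6892a5f1462dfd3e535 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
--- LL2 ---
[MBR] 8a45da90882fcd1b49f27f8717295a7a
[BSP] fa0fa98db694d6892a5f1462dfd3e535 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312560640 | Size: 10 Mo
"""

VIEW_RE = re.compile(r"^--- (\w+) ---$")
HASH_RE = re.compile(r"^\[MBR\] ([0-9a-f]{32})$")
PART_RE = re.compile(r"^(\d+) - \[(\w+)\] \S+ \((0x[0-9a-f]{2})\) \[([A-Z!]+)\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")

def parse_views(report):
    # Map each "--- X ---" block to its MBR hash and decoded partition table.
    views, current = {}, None
    for line in report.splitlines():
        if m := VIEW_RE.match(line):
            current = m.group(1)
            views[current] = {"mbr": None, "partitions": []}
        elif current and (m := HASH_RE.match(line)):
            views[current]["mbr"] = m.group(1)
        elif current and (m := PART_RE.match(line)):
            idx, flag, ptype, vis, offset, size = m.groups()
            views[current]["partitions"].append({"active": flag == "ACTIVE", "type": ptype,
                "hidden": vis == "HIDDEN!", "offset": int(offset), "size_mb": int(size)})
    return views

def assess(views):
    """Indicators of MBR tampering across the views; an empty list means none seen."""
    findings = set()
    user, low = views.get("User"), views.get("LL2")
    # Same sector, different hash via the two read paths: something in the driver stack is
    # rewriting reads on the fly (this is what RogueKiller's "User != LL2 ... KO!" reports).
    if user and low and user["mbr"] != low["mbr"]:
        findings.add("mbr-hash-mismatch")
    for p in (p for v in views.values() for p in v["partitions"]):
        if p["hidden"]:
            findings.add("hidden-partition@%d" % p["offset"])
        if p["hidden"] and p["active"]:  # hidden yet bootable: boot control goes there first
            findings.add("hidden-active-partition")
    return sorted(findings)
```

On a clean disk both views return the same hash and the same visible partitions, so `assess()` returns an empty list.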



jeffce

  • Guest
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #6 on: March 23, 2012, 08:01:05 PM »
Hi frenchfancy,

Let's start here...

Go Start > Run (or press the windows and R key together)
Copy/paste the following command into the box and press OK

aswMBR.exe -ap 1

Once aswMBR has finished, reboot and rerun aswMBR, press the Scan button and post the resulting log.

Offline frenchfancy

  • Jr. Member
  • **
  • Posts: 26
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #7 on: March 23, 2012, 09:06:54 PM »
No luck - when I do that it says that Windows can't find the file.

If it makes any difference the aswMBR.exe is saved on my desktop as it is the only part of the file structure that I can see.

jeffce

  • Guest
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #8 on: March 23, 2012, 09:42:50 PM »
Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Offline frenchfancy

  • Jr. Member
  • **
  • Posts: 26
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #9 on: March 24, 2012, 07:33:53 AM »
It didn't find anything.

Log attached

jeffce

  • Guest
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #10 on: March 24, 2012, 01:18:20 PM »
Hi,

Run a new scan with aswMBR. 
-----------

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

In your next reply please post the logs created by aswMBR and ComboFix. 

Offline frenchfancy

  • Jr. Member
  • **
  • Posts: 26
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #11 on: March 24, 2012, 09:30:39 PM »
aswMBR ran ok, but ComboFix tried to install the Windows Recovery Console via the internet - so as I've lost my internet connection this didn't work.

ComboFix finished running however and my file structure is now back - hooray!

Still no internet, but I've yet to re-boot.

logs attached

Thank you for your help - it really is appreciated.

jeffce

  • Guest
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #12 on: March 24, 2012, 09:45:55 PM »
Hi,

Go ahead and reboot and see if your internet connection is back. 

Offline frenchfancy

  • Jr. Member
  • **
  • Posts: 26
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #13 on: March 25, 2012, 08:37:55 AM »
No, still no internet.  The PC is connected by ethernet to the router.  It can see the local network but not the internet.  The laptop uses the same router by wifi and is working fine.

jeffce

  • Guest
Re: Problem with Alureon-K, I can't get rid of it.
« Reply #14 on: March 25, 2012, 02:59:38 PM »
Hi,

Let's try and get that internet back.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.