Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

MBR: Alureon-k {RTK} rootkit infection - Please help!


  • Please log in to reply

#1
Engravist

Engravist

    New Member

  • Member
  • Pip
  • 1 posts
G'day

Came to work today to find there is a some kind of rootkit infection on one of a computers, this poses a huge problem for us since it controls a machine nessicary for the running of the business. Symptoms include, very slow running performance, 90% of programs refuseing to open or giving "XXXX experienced a problem and had to close" occasional loss of interface (toolbar etc disappearing temporarily.

I ran a Avast Virus scan and detected MBR:\\.\physicalDrive0\partition2, Rootkit: hidden Boot_Sector. I attempted to delete this and it gave the message deletion delayed till reboot. I then i attempted rebooting, no change. I then ran a boot scan and it detected 3 corrupt files and what I believe was the rookit which appeared to originate from a file named "Fedex Invoice" which i suspect one of my colleges opened in an email. I then had the option to "Delete all, delete, chest, chest all etc" I attempted to delete them twice but received the message "0XC0000035 {Object name already exists}" then n the third attempt it confirmed that they files had been deleted.
It then continued the scan as usual and proceeded to start up. However no change at all, still not able to open programs and still extremely slow. I did another scan and this time Avast detected "MBR: Aluron-K P [RTK]" obviously, not good. I downloaded aswMBR in an attempt to get more info and delete the bloody thing. However once download it will not run, no error message or crash file, simply does not run. I then downloaded tdsskiller in hope this may run, downloaded, unzipped but same thing, will not run.

Specs are as follows:
Machine name: ENGRAVING-FRONT
Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 3 (2600.xpsp_sp3_gdr.111025-1629)
Language: English (Regional Setting: English)
System Manufacturer: INTEL_
System Model: D945GNT_
BIOS: Default System BIOS
Processor: Intel® Pentium® 4 CPU 3.40GHz (2 CPUs)
Memory: 1022MB RAM
Page File: 542MB used, 1917MB available
Windows Dir: C:\WINDOWS
DirectX Version: DirectX 9.0c (4.09.0000.0904)
DX Setup Parameters: Not found
DxDiag Version: 5.03.2600.5512 32bit Unicode

Display Devices
---------------
Card name: NVIDIA GeForce 6600
Manufacturer: NVIDIA
Chip type: GeForce 6600
DAC type: Integrated RAMDAC
Device Key: Enum\PCI\VEN_10DE&DEV_0141&SUBSYS_00000000&REV_A2
Display Memory: 256.0 MB
Current Mode: 1440 x 900 (32 bit) (60Hz)
Monitor: Plug and Play Monitor
Monitor Max Res: 1600,1200
Driver Name: nv4_disp.dll
Driver Version: 6.14.0011.8618 (English)
DDI Version: 9 (or higher)
Driver Attributes: Final Retail
Driver Date/Size: 6/10/2009 07:03:00, 5908608 bytes
WHQL Logo'd: n/a
WHQL Date Stamp: n/a
VDD: n/a
Mini VDD: nv4_mini.sys
Mini VDD Date: 6/10/2009 07:03:00, 8087712 bytes
Device Identifier: {D7B71E3E-4201-11CF-1A42-0B2003C2CB35}
Vendor ID: 0x10DE
Device ID: 0x0141
SubSys ID: 0x00000000
Revision ID: 0x00A2
Revision ID: 0x00A2
Video Accel: ModeMPEG2_C ModeMPEG2_D ModeWMV9_B ModeWMV9_A
Deinterlace Caps: {6CB69578-7617-4637-91E5-1C02DB810285}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_PixelAdaptive
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_BOBVerticalStretch
{6CB69578-7617-4637-91E5-1C02DB810285}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_PixelAdaptive
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_BOBVerticalStretch
{6CB69578-7617-4637-91E5-1C02DB810285}: Format(In/Out)=(YV12,0x3231564e) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_PixelAdaptive
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YV12,0x3231564e) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_BOBVerticalStretch
{6CB69578-7617-4637-91E5-1C02DB810285}: Format(In/Out)=(NV12,0x3231564e) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_PixelAdaptive
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(NV12,0x3231564e) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY DeinterlaceTech_BOBVerticalStretch
Registry: OK
DDraw Status: Enabled
D3D Status: Enabled
AGP Status: Enabled
DDraw Test Result: Not run
D3D7 Test Result: Not run
D3D8 Test Result: Not run
D3D9 Test Result: Not run

Really, i'm at a complete loss of what to try next, I'm now getting semi regular alerts of avast blocking internet explorer opening a page (Assumeing it's some kind of popup) also a message saying avast has detected a rootkit "MBR: Alurec" allows me to delete it, then suggests i restart and do a bootscan however once again this does nothing.

Please help, need it ASAP!
Thank you in advance.
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,012 posts
  • MVP
Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK

Microsoft finally has a tool that will (supposedly) remove TDSS and friends. It's called Windows Defender Offline.

http://windows.micro...efender-offline

Download save and run it.

There is a separate program for 32 and 64 bit systems. (You need to choose the 32 bit option) Then you have a choice of blank CD or a USB drive or .iso file. You should create a CD as older systems won't always boot from a USB. You boot off the cd or USB (you may need to go into BIOS/CMOS Setup or the Boot Menu to get it to boot and it gives you some choices (Quick Scan and Full Scan if I remember correctly - may be other choices - I'd do the Full Scan.). Then it scans your system and fixes anything it knows how to fix but I think it asks permission so you can't just let it run overnight.
The tool creates a log in "c:\windows\windows defender offline\summit\mssWrapper.log" It doesn't seem to tell you what it removed but at least I can see if it ran OK so copy and paste it into your reply.


IF that doesn't make Avast happy then:
Can you run OTL and get us a log?
http://www.geekstogo...ldtimer-listit/
If you get an Extras log please post it too.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it. This will allow me to see what the hidden partition looks like.


Judging by what you've seen so far we need to run Combofix:

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP