BleepingComputer.com: The delightful world of alureon

EDIT: Is this in the wrong forum?! Sorry! I had several tabs open and must have gotten confused

Hello,

I have (quite recently) managed to infect my computer with a rootkit called Alureon, which on further investigation seems to be fairly notorious piece of malware. It was first brought to my attention by Avast (oddly during a Superantispyware scan). When I looked it up, there seemed to be a general sense in the avast and malwarebytes forums that it could be tackled directly with ComboFix, which I (perhaps unwisely) proceeded to install and run. ComboFix did indeed seem to do something, replacing files at WINDOWS\system32\drivers\atapi.sys and generally seeming quite productive (I am not an advanced computer user; I was just glad it made it through without crashing). I wasn't sure how to proceed after that. I decided to do a quick malwarebytes scan, which pleasingly turned up nothing, and then to run ComboFix again just to be on the safe side.

It was much quicker than before and didn't report any actions being taken. All clear, I thought. Now, as I said before, I'm no expert at computer security, and so my decision to poke about in the second log that CFix generated was only out of amateur interest. That said, I found a particular part of it made for worrying reading, under the heading 'Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer':

"Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net


detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7673f28
\Driver\ACPI -> ACPI.sys @ 0xf75c0cb8
\Driver\atapi -> 0x86db5e90
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Belkin 802.11g Network Adapter #2 -> SendCompleteHandler -> NDIS.sys @ 0xf746cbb0
PacketIndicateHandler -> NDIS.sys @ 0xf745ba0d
SendHandler -> NDIS.sys @ 0xf746fb40
Warning: possible MBR rootkit infection !"

Incidentally, I earlier also downloaded the seperate GMER anti-rootkit tool, which I was unable to run without crashing either before or after using ComboFix. From my (limited) understanding of things, this could also indicate that there is still a malware/rootkit presence on my PC.

Can anyone help me determine whether my system needs further cleaning? I would be tremendously grateful! The OS seems to have retained all working functionality, no browser redirects or anything like that, but sooner or later I'm going to have to reboot and that's usually where the real fun begins with trojans . I can post the full ComboFix log if necessary? I am using Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.533, Service Pack 3.

Thank you for taking the time to read this topic!

VC

This post has been edited by viciouscircle: 04 February 2010 - 03:17 PM

ARK tools (anti-rootkit) are very powerfull and could leave a machine unbootable or formated - please only use them if you have a qualified professional on the phone or with you.
try running dkschk to scan for hard-drive anomalys.
(type cmd into 'run' then type in 'chkdsk c: /f /r')
c: being the hard-drive.
then reboot and it'll run.
if problems persist you might have more malware/rootkits.

This is true ,you have run 2 tools that could wipe you out the mbr and ComboFix.

You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Include thar mbr log.
Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK

Hi guys,

Thanks for getting back to me. Yeah, I don't know why I went straight to ComboFix; I think it was panic more than anything. Hopefully I didn't do any serious damage.

I did as you suggested and posted those logs in the relevant forum. The topic is here:

http://www.bleepingcomputer.com/forums/topic293305.html

I don't know if you have the time to go and check it out, but thanks all the same. This site seems to be full of really helpful people. And all volunteers? Really makes you feel good about humanity

Thanks again

VC

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.