
Rootkit kbdclass.sys and win32:alureon-FZ infections?


40 replies to this topic

#1 mrblond (Members, 32 posts)

Posted 31 January 2011 - 06:48 AM

Hello, I hope to find some help for the problem I have.

Technical info: PC - Intel Celeron CPU 2.40GHz / Windows XP Professional Version 2002 Service Pack 2 / HDDs: 1. internal - C: 16GB + D: 64GB; 2. internal - F: 150GB; 3. external - G: 40GB + H: 200GB; 4. external - I: 500GB (all external discs are always plugged into the PC)

I'm starting with the common usual trouble - during the last 5 or 6 months my PC has started working slower. Messages constantly appear like - C:\ drive is out of memory. I place all my files on other HDDs - internal and external. I put almost nothing in C:\ except the software I've worked with for years. I constantly use CCleaner to free up the disk's space, and the options in Google Chrome (delete history) and Google Earth (delete cache). Despite this, in a day or two the message appears again. Sometimes even two or three hours after cleaning and seeing 1.2GB free on C:\, the above message appears, and when I open C: after that the free space is not more than 200MB. Several times I searched C:\ folder by folder for where the memory has gone. Its size is 16 GB, but when I try to calculate the used size by summing up the folder sizes I cannot find more than 10 or 12 GB used.

The antivirus software I've used is Avira AntiVir Personal and during the last months it caught some Trojans several times. And now the first point of attention - about three or four months ago I noticed that some of my external disks were renamed. G: became H: and H: became J:, and I have no idea how it happened. Second point of attention - two weeks ago when I started one of my programmes this message appeared - This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem. Horrified, I found the same message when starting some of the other programmes too. Affected applications were Adobe Reader, Photoshop and Google Earth. Reinstalling helped only for Adobe Reader. The other two cannot be started at all, even though I reinstalled them too. The same message appears again.

This time I started searching for solutions. First I downloaded some software for repairing the registry, diagnostics and the like - Window Registry Repair 2.5, Advanced System Care 3.7.3 and others. I ran them and they showed many errors in the system and fixed them. But nothing changed as a whole. Then I installed one more antivirus program - Avast!. It scanned the system and announced an infection and a warning about a rootkit. Avast suggested restarting and started scanning before loading Windows. Then it found a file infected with win32:alureon-FZ and one more error. It stated that the file cannot be repaired and I chose the option to delete it. I did this scan three times and always the same thing happened. I also ran AVG, which didn't find anything. But Avast constantly started to open messages about the presence of a rootkit. Then I ran GMER and it showed the same as in Avast's message - C:\Windows\system32\drivers\kbdclass.sys - high risk! Then I ran another tool - RootRepeal, but it couldn't start and blocked the system. I came across the info about ComboFix - downloaded it and moved it to the Desktop, disabled all tools and antivirus programs and started ComboFix.exe from the desktop, but it didn't start... nothing happened.

Could someone please give advice what to do?

tcpview.txt file is attached below...

Edited by mrblond, 31 January 2011 - 08:42 AM.




#2 mrblond (Topic Starter, Members, 32 posts)

Posted 31 January 2011 - 08:41 AM

I attach the tcpview.txt file, following the instructions in "How to receive help in the Am I Hacked? forum".




#3 Orange Blossom (OBleepin Investigator, Moderator, 36,801 posts, Location: Bloomington, IN)

Posted 02 February 2011 - 03:04 PM

Hello,

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 mrblond (Topic Starter, Members, 32 posts)

Posted 04 February 2011 - 09:14 AM

Disaster!!! Yesterday I started to follow the suggested guide and managed to back up half of my images to another computer. Today when I turned my PC on to continue the steps this message appeared:

Windows could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair.


Can something be done to get the computer running again?

#5 Orange Blossom (OBleepin Investigator, Moderator, 36,801 posts, Location: Bloomington, IN)

Posted 06 February 2011 - 11:04 AM

Hello,

I've contacted those more knowledgeable than I to assist you.

Orange Blossom :cherry:

#6 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,815 posts, Location: Romania)

Posted 06 February 2011 - 11:20 AM

Hi, do you have an XP CD at hand?

Please start your computer and tap the F8 key. When the Advanced Boot Options menu comes up, select Last Known Good Configuration and let me know if that loads.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 mrblond (Topic Starter, Members, 32 posts)

Posted 07 February 2011 - 04:09 AM

Well, in the Advanced Boot Options menu I selected Last Known Good Configuration, pressed Enter, and it opened this:

Please select the operating system to start:

Microsoft Windows XP Professional
(this line is highlighted)

Use the up and down keys to move the highlight to your choice.
Press ENTER to choose.


at the bottom of the screen:

For troubleshooting and advanced startup options for Windows, press F8.
Last Known Good Configuration (your most recent settings that worked)
- (the text in this line is colored in blue)

Since only the Enter key works here, I pressed it and the same message appears as in my previous post.


PS: Meanwhile, is it safe to use my external disks with my laptop?
And no, I don't have an XP CD at hand.

Thanks for helping!

Edited by mrblond, 07 February 2011 - 04:14 AM.


#8 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,815 posts, Location: Romania)

Posted 07 February 2011 - 04:45 AM

Sorry, I forgot to mention that: at that screen just press Enter. Please let me know if Windows loads after that.

regards, Elise




#9 mrblond (Topic Starter, Members, 32 posts)

Posted 07 February 2011 - 05:06 AM

No, Windows doesn't start after that.

this message appears again:
Windows could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair.


#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,815 posts, Location: Romania)

Posted 07 February 2011 - 06:05 AM

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

regards, Elise


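The procedure above boots the unbootable PC from a live Linux CD and runs a script against the mounted Windows volume. The script below is an added example for this thread, not the driver.sh the post links to (whose contents are not shown here) and not code from BleepingComputer or xPUD: from a live-CD terminal it inventories the kernel drivers under the Windows volume's system32\drivers and records each file's size and SHA-256 hash in a report, so a driver the thread names as flagged (kbdclass.sys, which Alureon-family rootkits are known to patch) can be compared offline against a known-good copy from the same Windows version. The mount points /mnt/sda1 and /mnt/sdb1 follow the post above; the function names, the report format and the known-good hash in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: inventory Windows kernel drivers from a live-CD environment.
# Assumptions: the sick machine's Windows volume is mounted (ideally read-only)
# at the first argument, e.g. /mnt/sda1, and the report goes to the second,
# e.g. /mnt/sdb1/report.txt on the USB stick. Not the thread's driver.sh.
set -u

# Print the SHA-256 of one file using whichever tool the live CD provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Locate system32/drivers however the NTFS volume was mounted: Windows paths
# are case-insensitive, Linux mounts are not, so match case-insensitively.
find_drivers_dir() {
    find "$1" -maxdepth 3 -type d -ipath '*/system32/drivers' 2>/dev/null | head -n 1
}

# Write one line per .sys file: "<size> <sha256> <filename>".
# Returns 1 if no drivers directory exists under the given volume.
driver_report() {
    vol="$1"; out="$2"
    dir=$(find_drivers_dir "$vol")
    [ -n "$dir" ] || { echo "no system32/drivers under $vol" >&2; return 1; }
    : > "$out"
    for f in "$dir"/*.[sS][yY][sS]; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$size" "$(hash_file "$f")" "$(basename "$f")" >> "$out"
    done
    return 0
}

# Compare one driver's recorded hash with a known-good value taken from a
# clean installation of the same Windows version and service pack.
# Exit status: 0 = matches, 1 = differs (suspect), 2 = driver absent from report.
check_driver() {
    report="$1"; name="$2"; expected="$3"
    actual=$(awk -v n="$name" 'tolower($3)==tolower(n){print $2; exit}' "$report")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ]
}

# Usage from the xPUD terminal (assumed paths):
#   sh driver_report.sh /mnt/sda1 /mnt/sdb1/report.txt
#   check_driver /mnt/sdb1/report.txt kbdclass.sys <known-good sha256 placeholder>
if [ $# -eq 2 ]; then
    driver_report "$1" "$2"
fi
```

A hash mismatch on a driver such as kbdclass.sys is a signal to investigate, not proof by itself: the file legitimately changes with each service pack and hotfix, so the comparison value must come from a clean system at exactly the same patch level. Reading the volume from a live CD matters because a kernel-mode rootkit running on the sick machine can hide or alter what tools see; the offline copy shows what is actually on disk.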


#11 mrblond (Topic Starter, Members, 32 posts)

Posted 07 February 2011 - 06:57 AM

OK, I'm ready with the burnt CD and the USB with driver.sh.
I turned the sick PC on and inserted the CD and the USB. I rebooted it but cannot see how to set it to boot from the CD. When should I tap the F12 key? I tried it when rebooting, as with F8, but nothing happened. I opened the Windows Advanced Options Menu but there is no option there to boot from the CD?

#12 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,815 posts, Location: Romania)

Posted 07 February 2011 - 08:16 AM

When booting your computer, on the first screen, do you see any information on how to bring up the boot menu, or to change boot order? You can also try to tap F11 or Del.

regards, Elise




#13 mrblond (Topic Starter, Members, 32 posts)

Posted 07 February 2011 - 10:12 AM

OK, by tapping Del I opened some Setup menu: Phoenix - AwardBIOS CMOS Setup Utility

There, in the second sub-menu tab (Advanced), are the options:

>Removable Device Priority
>Hard Disk Boot Priority
>CD-ROM Boot Priority
First Boot Device [Hard Disk]
Second Boot Device [CDROM]
Third Boot Device [Removable]
Boot Other Device [Disabled]

>Advanced BIOS Features
>Advanced Chipset Features
>PnP/PCI Configurations
>Frequency/Voltage Control


I can move up and down to select each of them. Should I select >CD-ROM Boot Priority or Second Boot Device [CDROM], or is this not the menu we are searching for?

What if the CDROM is not working?

#14 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,815 posts, Location: Romania)

Posted 07 February 2011 - 11:38 AM

First Boot Device needs to become CD-ROM, and Second Boot Device hard disk.

regards, Elise




#15 mrblond (Topic Starter, Members, 32 posts)

Posted 07 February 2011 - 12:21 PM

Done. First boot device is CDROM now. When I reboot, the screen below appears for 5 seconds.

Sec. Master Disk: CD-RW, ATA 33
Sec. Slave Disk: None

USB Storage Device: Seagate Free Agent 102D
USB Storage Device: USB2.0 Mobile Disk

PCI Device Listing...
Bus No. Device No. Func No. Vendor/Device Class Device Class IRQ
========================================================================


..... lines with numbers and text in this table........




Verifying DMI Pool Data................
Boot from CD:_



...and after seconds this message again:

Windows could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair.


Thanks for the help, I'll try again tomorrow. Maybe the CDROM couldn't read the CD.



