Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with DOS\Alureon.A on Windows Home Server


  • This topic is locked This topic is locked
27 replies to this topic

#1 Jaypeg85

Jaypeg85

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 16 February 2011 - 01:12 PM

Hi there,

My StorageWorks x510 (running Windows Home Server, power pack 3) has been infected by DOS\Alureon.A according to my Microsoft Security Essentials (which couldn't remove it). I'm no longer able to boot the server (I have tried booting the disks on my desktop). I've scanned the disk with the boot partition with Microsoft Security Essentials on my desktop, which is how I discovered the infection, but I'm not sure if it's safe to use it on my desktop? I've tried using the server recovery/reinstallation tool which came with the server also without luck.

At this point I'm sure what I should do? Is it safe to attach the drive to my desktop once more in order to run DDS, create a GMER log and backup data, as described in your posting guide? I'll be very thankful for any guidance you can give me!

Thanks in advance
Jeppe

Edited by Jaypeg85, 16 February 2011 - 01:12 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:12 PM

Posted 23 February 2011 - 08:51 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note - if you get the following warning, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Click on Cancel, then Accept.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 11:04 AM

Hi,

Thanks for taking your time to look at my problems :-).

Now as for the logs, is it safe and sufficient to just reattach my harddrive to my desktop computer?

Kind regards
Jaypeg

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:12 PM

Posted 23 February 2011 - 12:23 PM

No, that will not work; the tools we use scan active processes, so it won't be very usefull to slave the drive and then run the scans.

What happens when you put the disk in the computer? How far does it boot and what error do you see (if any)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 01:01 PM

Bios posts and loads fine. After that I just get a blinking cursor and nothing happens.

I can see the hard drive in bios setup.

When I discovered the rootkit (at least that's what Microsoft Security Essentials told me), while the drive was attached as slave to my desktop it found it on something like this boot://something/something.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:12 PM

Posted 23 February 2011 - 01:22 PM

Try this please. You will need a USB drive.
Please do NOT continue if you use drive encryption or if you have a multi-boot setup!

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
The first screen will present log options - press Enter to continue.

Posted Image

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Posted Image

Select [Intel] partiton and press Enter to continue.

Posted Image

Select [MBR Code] and press Enter to continue.

Posted Image

Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.

Posted Image

Press Q repeatedly until TestDisk exits then reboot.

Edited by elise025, 23 February 2011 - 01:22 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 01:35 PM

I have no cd for the iso, so I'll go buy one tomorrow (unfortunately stores have closed for today in Denmark). Thanks for your help thus far, much appreciated!

#8 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 01:41 PM

Is it necessary to backup data on the hard drive before attempting this rutine? Then I backup those data tonight.

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:12 PM

Posted 23 February 2011 - 02:39 PM

No, that is not necessary; the only thing we do is overwrite the MBR, which is already infected and as such corrupted. Rewriting that will not touch any data.

As said before things are more complicated if you use drive encryption or a dual boot.

Here's the USB alternative. :)

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 03:10 PM

I have done that now.

After reboot and I have select the hard drive for boot, it waits a couple of secs (after trying to load something?) and reboots. Now it should be told that it might be leftovers from the server recovery I tried before I found out about the rootkit.

Any ideas of what to do next?

Edited by Jaypeg85, 23 February 2011 - 03:12 PM.


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:12 PM

Posted 23 February 2011 - 03:34 PM

Can you slave the drive again and see if MSSE still detects the threat?

Can you retry the recovery? Probably something went wrong first time due to the infection.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 03:54 PM

I'll try scannning the hard drive while slaved. If clean I'll just backup my data and install the new Windows Home Server 2.

#13 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 04:19 PM

Damn, I broke my sata connector on my one of my raid 0 disks (and boot drive) on my desktop... one more computer problem to solve :-(. MSSE fails to install on my old dekstop for some reason, is there any other scan tool you can recommend?

Edited by Jaypeg85, 23 February 2011 - 04:19 PM.


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:12 PM

Posted 23 February 2011 - 04:27 PM

Any antivirus ought to detect it (you can try for example Avira).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Jaypeg85

Jaypeg85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 February 2011 - 04:43 PM

Ok thank will try that!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users