MBR infected with Alureon-K Rootkit



Heartborne
11-17-2011, 08:59 PM
Hello all!

I have a friend whose Windows 7 laptop is badly infected with the Alureon-k rootkit, a very nasty virus that uses advanced stealth techniques to avoid detection while nestling itself in the MBR. Hooray.

So I reckon the only way to completely eliminate the virus is to wipe out the MBR and do a fresh install of windows. I have run into a couple of caveats with this.

The pc in question is a Compaq Presario C62 laptop. The first hurdle is actually getting a windows cd, which apparently has to be sent in the mail. This will take 5-7 days. Does anyone have a link to an iso that is compatible with Compaq Windows 7 laptops?

My other issue is that wiping out the MBR will also eliminate the recovery partition. Is it safe to recover this machine to the factory defaults without using the recovery partition? I'm sure you all know how these manufacturers try to prevent the user from doing wipes.

Finally, does anyone have access to a utility that will completely delete the MBR and with it the nasty bug that is causing all the problems?

classicsoftware
11-17-2011, 10:10 PM
If you have a restore CD from Compaq, it will probably re-create the restore partition. You have to ask them what it does to the MBR. There are various utilities that allow you to recreate the MBR.

Read this (http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller) if you would like to try to remove it yourself.

Paul Komski
11-17-2011, 11:28 PM
The safest way to rewrite a compatible MBR and one that should retain all existing partition table information is from the recovery environment of a Win 7 installation DVD.

To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps (http://support.microsoft.com/kb/927392):

1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.

Now entering bootrec should show you its options but the option you should use is:
bootrec /fixmbr

To be doubly secure you could make a copy of the current (possibly infected) MBR. The relevance of this is that if a boot sector virus has modified the boot sector signature then running bootrec /fixmbr or the dos command fdisk /mbr can erase all the partition tables. Should this happen by any chance there are utilities that can rebuild them for you.

If you want to ensure that the recovery partition is safe then it is possible to make an image file of it.
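Paul's advice to copy the current (possibly infected) MBR and check its boot-sector signature before running bootrec /fixmbr, as an added Python example that is not code from this thread: it saves the first 512 bytes of a disk, verifies the 0x55AA signature, lists the partition-table entries, and reports which region (boot code, partition table, signature) differs between a saved copy and the current sector. The device path and the constructed sample sector are assumptions.

```python
import hashlib
import struct

MBR_SIZE = 512
PT_OFFSET = 446          # partition table: 4 entries x 16 bytes at 446..509
BOOT_SIG = b'\x55\xAA'   # boot-sector signature at bytes 510..511


def parse_partition_table(mbr):
    """Return the non-empty entries of the classic MBR partition table."""
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack('<B3sB3sII', raw)
        if ptype == 0:            # type 0x00 means unused slot
            continue
        entries.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                        'lba_start': lba_start, 'sectors': sectors})
    return entries


def check_mbr(mbr):
    """Signature check plus a hash of the boot code, so a saved copy can be compared later."""
    if len(mbr) != MBR_SIZE:
        raise ValueError('expected %d bytes, got %d' % (MBR_SIZE, len(mbr)))
    return {'signature_ok': mbr[510:512] == BOOT_SIG,
            'partitions': parse_partition_table(mbr),
            'boot_code_sha256': hashlib.sha256(mbr[:PT_OFFSET]).hexdigest()}


def backup_mbr(device_path, backup_path):
    """Copy sector 0 of a raw device (e.g. r'\\\\.\\PhysicalDrive0' as admin, assumed path) to a file."""
    with open(device_path, 'rb') as dev:
        mbr = dev.read(MBR_SIZE)
    with open(backup_path, 'wb') as out:
        out.write(mbr)
    return check_mbr(mbr)


def diff_mbr(saved, current):
    """Which region changed between a saved copy and the sector read now."""
    return {'boot_code_changed': saved[:PT_OFFSET] != current[:PT_OFFSET],
            'partition_table_changed': saved[PT_OFFSET:510] != current[PT_OFFSET:510],
            'signature_changed': saved[510:512] != current[510:512]}


def build_sample_mbr():
    """Constructed 512-byte sector: a bootable NTFS partition, a second NTFS partition, valid signature."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b'\x00' * (PT_OFFSET - 3)
    pt = struct.pack('<B3sB3sII', 0x80, b'\x00' * 3, 0x07, b'\x00' * 3, 2048, 204800)
    pt += struct.pack('<B3sB3sII', 0x00, b'\x00' * 3, 0x07, b'\x00' * 3, 206848, 20971520)
    return boot_code + pt + b'\x00' * 32 + BOOT_SIG
```

A copy whose signature check fails, or whose boot code hash differs from the copy taken at installation time, is the case Paul warns about: rewrite the MBR from the recovery environment rather than from the running Windows, and keep the saved partition table so it can be restored if the rewrite clears it.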

classicsoftware
11-17-2011, 11:39 PM
Paul:

The only problem is as soon as he boots Windows, the virus will reinfect the MBR. This would be the last step after removing the infection.

Paul Komski
11-18-2011, 12:01 AM
Is it not a Catch 22? If the MBR is truly infected (I think this can only happen with 64bit Windows 7) then it is likely to reinfect the OS as soon as the PC is rebooted after having been cleaned.

If the MBR is rewritten (by whatever method) and windows not rebooted then either running a factory reinstallation (if available from startup repair) or doing a clean installation from the installation DVD should result in a clean system.

PS
I only bothered to respond because of the inherent danger of losing the partition tables if the MBR is rewritten from within Windows and because it was intimated that losing access to the restore partition was of importance. If it were me I would back up data, wipe the drive and clean reinstall.

Heartborne
11-20-2011, 01:56 PM
Thanks, guys! I have absolutely no problem doing a clean wipe and reinstall. My concern is that because I've never worked with a compaq prefab before I'm not sure just how locked out of making changes the user actually is. For example, will the disc I get from compaq ALLOW me to reinstall windows without using the recovery partition? If so, I will happily wipe out the mbr entirely. I don't care about the recovery or utility partitions being there.
I'm used to having my own machines and just installing windows on a blank Hard drive with a retail windows disc. I really dislike the way these manufacturers do business.
According to an AVAST! Antivirus pre-boot scan, the MBR is definitely infected and yes, the virus is reinstalled every time windows boots.

In any case, how can I be sure that the MBR is completely clean? I used to have this great utility that a professor of mine used from DOS. You typed "clean" at the command prompt and it wiped out the MBR. It was awesome.

classicsoftware
11-20-2011, 03:24 PM
You may be locked out of changes with the installation. Once installed, you can do what you want. The main advantage to the restore disk or restore from the recovery partition is that the drivers are all installed. If you use just a Windows CD, you need to make sure you have already downloaded the drivers and have them handy. Pick your poison.

Paul Komski
11-20-2011, 10:11 PM
For example, will the disc I get from compaq ALLOW me to reinstall windows without using the recovery partition?
That is the normal scenario, and such disks are most commonly needed when a hard drive has failed, thus losing everything (including any restore partition) on the drive, and a new drive has been obtained.

There are many ways of wiping the MBR or part of or all of the current hard drive.

DBAN (http://www.dban.org/) or CopyWipe (http://www.terabyteunlimited.com/copywipe.php) or the Diagnostic Utility from the maker of the hard drive should all be capable utilities.

Heartborne
12-01-2011, 10:27 AM
Thanks guys! Sorry for letting this sit a while, I just came back from vacation and started troubleshooting the laptop again. I got the disc from Compaq and decided to give it a run. Unfortunately, as I expected it was a self-guided restore disc which does not give the user any control over the details of the reinstall. It runs a multi-part restore which formats the windows partition, reinstalls the OS files and verifies the installation.
More unfortunately, even this isn't working as it is stuck at 31% and I keep receiving an error message telling me that a file could not be copied. I can't imagine why, since I ran diagnostics on the hard drive and they came back clean.
So, here are my questions at this point:
1) If I wipe out the MBR will this disc still work?
2) Can I use my own Windows 7 OEM disc to get into the recovery console?
3) What is causing the error message I keep receiving?

I have no choice but to move forward, so if worse comes to worst I can always have my friend buy a brand new Windows CD, but I'm hoping that won't be necessary.

classicsoftware
12-01-2011, 12:44 PM
Using DBAN, wipe the drive and then reinstall.

FTT
12-01-2011, 07:12 PM
You may be locked out of changes with the installation. Once installed, you can do what you want. The main advantage to the restore disk or restore from the recovery partition is that the drivers are all installed. If you use just a Windows CD, you need to make sure you have already downloaded the drivers and have them handy. Pick your poison.

If Heartborne has a Windows disk and recovery disk for this notebook, he should be able to do a wipe and fresh install with his Windows disk, then using the recovery one from Compaq, cancel the auto install, then 'Explore' for the needed drivers for that laptop. Perhaps the drivers would be somewhat outdated, but at least he would not have to risk going online and searching for the drivers with a vulnerable system in its infancy. I prefer out of date drivers to get yourself up and going, then go online and update e-v-e-r-y-t-h-i-n-g-! :cool:

No surfing until all security softs are installed and up to date. PERIOD

Heartborne
12-01-2011, 11:08 PM
Thanks for following up and helping me out on this, everyone.

I went ahead and wiped the drive using DBAN and I have attempted to reinstall using the restore discs.

Sadly, I keep receiving error messages while copying files from the disc to the pc. I suspect that the disc is defective. I am going to try making a copy of the disc to see if that works.

mjc
12-02-2011, 01:17 AM
Way back in the day...W98, to be exact...I tried using my HP supplied restore disk. Needless to say, it didn't work. Called HP and they sent me a new disk.

After I got the machine back up and running I took a good look at the original disk. There was a misspelled word in one of the batch files to run the restore.

Now...what does that have to do with your problem...HP and Compaq are the same company. I wouldn't be surprised if it's not something similar...so call them back and tell them that the disk they sent is a bird chaser and that you would like them to send one that actually works.

At this point, though, I wouldn't wait on Compaq. There should be a keycode attached to the machine, somewhere. Just use your 'full install' disk and the machine's code. (that is assuming the versions of Windows match...)

Heartborne
12-02-2011, 05:22 PM
mjc, thanks for the advice - I'm going to go ahead and give my own windows disc a shot, using the code on the machine's sticker. I'll hope and pray that it works!

In any case, it looks like the compaq disc successfully rebuilt the partition table so there's that. I'm trying to get windows installed off my own disc even as we speak.

I've been fighting with this machine for a couple of weeks now, not wanting to wipe it unless it was absolutely necessary. I think when my friend gets her pc back she's getting a list of safe browsing tips and a new antivirus!