MBR:Alureon-K [rtk] partion 3

[s.grundy]

I found I was infected with MBR:Alureon-K[RTK]  through Avast Antivirus.  It gave me the option of deleting it, but it but it didn't work.  I also used the program  aswMBR, because I read it in one of your forums.  It found the virus but I was afraid to use it to fix it as it warned me that it would change everything.  I did save the log though.   I have also used Malwarebyte Anti-Malware, but it didn't find it.

So far this virus hasn't really done much, at least that I know of, but I am afraid it will.  Can someone please help me.

S.Grundy

[DavidR]

Well avast is keeping it from spreading, but you will need help of a specialist to remove it completely.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

[s.grundy]

Here are the logs you requested.

S.Grundy

[s.grundy]

More logs!!!

S.Grundy

[s.grundy]

Last log!!!  Sorry, but it said the files were to big to send all at once.

S.Grundy

[essexboy]

While I look at OTL could you do the following

Go start > Run

Type in the following command and press enter

diskmgmt.msc

In the disc management that opens locate partition 3
Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS            2 MB offset 976769024

Right click the partition and select delete
Re-run aswMBR

[essexboy]

OK the fix is easy

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  [2011/12/26 16:34:10 | 000,008,366 | -HS- | C] () -- C:\Users\Joe\AppData\Local\1ybu3or54qr570kjb4y
  [2011/12/26 16:34:10 | 000,008,366 | -HS- | C] () -- C:\ProgramData\1ybu3or54qr570kjb4y
  [2011/06/04 18:31:12 | 000,011,470 | -HS- | C] () -- C:\Users\Joe\AppData\Local\0vyjnrk111j80em8nn
  [2011/06/04 18:31:12 | 000,011,470 | -HS- | C] () -- C:\ProgramData\0vyjnrk111j80em8nn
  [2011/03/09 20:52:07 | 000,000,457 | ---- | C] () -- C:\Program Files\0309201119520762.bat
  [2011/03/09 20:48:45 | 000,000,453 | ---- | C] () -- C:\Program Files\0309201119484476.bat
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[s.grundy]

Do you still want me to use the diskmgmt.msc

[Pondus]

quote essexboy

While I look at OTL could you do the following..............

[s.grundy]

I tried the diskmgmt.msc command, but cannot find the line you want me to delete.  Sorry!!!

I'm not doing something right, because I don't see anywhere I can even see partion 3.  Help!!!

[s.grundy]

Should I use the fix without the diskmgmt.msc command???

[s.grundy]

I ran the fix you wrote up although I never figured out the Disk Managment program, so I could not locate

partition 3,       and I could not delete
Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS            2 MB offset 976769024

The log that came up after the fix said that all the processes were killed successfully.
I also ran the OTL scan after the fix and I am attaching it as you requested. 

S.Grundy

[s.grundy]

I also ran a scan with aswMBR to see if the virus was deleted.  According to the scan, the virus is still there.
I have attached it.  Anything else I can do.

Have to go for awhile.

[DavidR]

The mbr detection will still be there until you remove the bogus partition 3 using the Disk Managment function.

I ran the fix you wrote up although I never figured out the Disk Managment program, so I could not locate

partition 3,       and I could not delete
Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS            2 MB offset 976769024

The log that came up after the fix said that all the processes were killed successfully.
I also ran the OTL scan after the fix and I am attaching it as you requested. 
<snip>

So why couldn't you delete that partition 3, e.g. what errors did you get ?
Or is it that you don't know how to use the Disk Management function ?

If the latter then press the Windows Key+R together this opens up the Run window, type diskmgmt.msc and click OK. That will open up a window like my example image (click to expand), this shows you all of the Drives/Disks and Partitions you have.

Find the Disk 0, Partition 3 one that is only 2MB in size:
b]Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS            2 MB offset 976769024[/b]

Now right click on that Partition and you should see a list displayed, it may differ sightly from my example (I'm using windows XP), but should look very much the same. From that list select Delete.

Exercise extreme caution and select the correct partition Disk 0 - Partition 3 - 2MB in size or you could delete an important partition, with serious consequences.

If you aren't sure don't proceed - ask for more help.

[s.grundy]

My grid looks different.  I found Disk 0 but there is no way to delete anything.  I right clicked and all I get is a drop down that lists offline (not accessible), properties, or help.  I am running
Vista, and I have tried every way possible to find partion 3.  I am not doing something right.  Is there any way you could look at a Disk Management grid from a Vista operating machine?
Because I am lost.

Or, is there another way to delete this bogus partition other than by using Disk Management?