Author Topic: HELP: Alureon@mbr Rootkit infection


none

  • Guest
HELP: Alureon@mbr Rootkit infection
« on: February 10, 2012, 06:43:35 PM »
Hi Avast forum,

Avast has detected the following rootkit infection on my computer: MBR\\.\PHYSICALDRIVE0\Partition4

Like many others that have had similar infections, even after deleting it, avast still picks it up after rebooting.

I downloaded the aswMBR.exe program available on the "aswMBR 0.9.9" web page (http://public.avast.com/~gmerek/aswMBR.htm) and scanned my computer. The log showed my computer has an Alureon infection. Here is the log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-10 11:58:28
-----------------------------
11:58:28.681    OS Version: Windows 6.1.7601 Service Pack 1
11:58:28.681    Number of processors: 2 586 0x170A
11:58:28.684    ComputerName: JOHANNE-PC  UserName: Johanne
11:58:29.389    Initialize success
11:58:29.481    AVAST engine defs: 12021000
11:58:35.036    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:58:35.039    Disk 0 Vendor: SAMSUNG_HM251HI 2AJ10001 Size: 238475MB BusType: 11
11:58:35.074    Disk 0 MBR read successfully
11:58:35.077    Disk 0 MBR scan
11:58:35.081    Disk 0 Windows 7 default MBR code
11:58:35.088    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
11:58:35.102    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        15000 MB offset 80325
11:58:35.124    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       223434 MB offset 30800325
11:58:35.162    Disk 0 Partition 4 00     17 Hidd HPFS/NTFS NTFS            0 MB offset 488395120
11:58:35.167    Disk 0 Partition 4  **INFECTED** MBR:Alureon-K [Rtk]
11:58:35.184    Disk 0 scanning sectors +488397152
11:58:35.345    Disk 0 scanning C:\Windows\system32\drivers
11:58:45.726    Service scanning
11:58:47.386    Modules scanning
11:58:57.315    Disk 0 trace - called modules:
11:58:57.350    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
11:58:57.356    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8563f540]
11:58:57.362    3 CLASSPNP.SYS[88baa59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85559030]
11:58:58.195    AVAST engine scan C:\Windows
11:59:08.785    AVAST engine scan C:\Windows\system32
12:02:04.782    AVAST engine scan C:\Windows\system32\drivers
12:02:29.421    AVAST engine scan C:\Users\Johanne
12:05:20.816    AVAST engine scan C:\ProgramData
12:05:30.933    Scan finished successfully


I then followed the instruction "How to change active partition" at the bottom of the "aswMBR 0.9.9" web page which says: "in case of Alureon infection that creates its own partition use command: aswMBR.exe -ap 1 to activate proper partition." So I ran aswMBR.exe -ap 1, but it doesn't seem to have worked properly. Here is the log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-10 11:55:32
-----------------------------
11:55:32.919    OS Version: Windows 6.1.7601 Service Pack 1
11:55:32.919    Number of processors: 2 586 0x170A
11:55:32.921    ComputerName: JOHANNE-PC  UserName: Johanne
11:55:33.928    Initialze error C000010E - driver not loaded
11:55:33.956    Scan error: Incorrect function.


I am NOT a computer expert. I feel discouraged and am hoping that I don't have to reformat my entire computer. Please let me know if there is one last option I can use to get rid of this damn rootkit infection. Thanks!
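The aswMBR log above is the whole story of this detection: a fourth partition of hidden NTFS type (0x17), reported as 0 MB, parked in the slack after the real system partition. As an added example that is not part of the post or of aswMBR, the following parses an MBR partition table and flags entries with those traits; the layout is constructed from the log's offsets, the disk size comes from the log, and the 1024-sector length of partition 4 is an assumption since the log only shows "0 MB".

```python
import struct

SECTOR = 512
DISK_MB = 238475                                 # "Disk 0 ... Size: 238475MB" in the log
DISK_SECTORS = DISK_MB * 1024 * 1024 // SECTOR   # 488,396,800 sectors
ENTRY_FMT = '<B3sB3sII'                          # status, CHS start, type, CHS end, LBA start, sectors
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}   # standard "hidden" MBR type IDs

# Constructed layout mirroring the log: (status, type, lba_start, sectors).
# Partition 4's sector count is assumed; aswMBR only reported it as 0 MB.
SAMPLE_LAYOUT = [
    (0x00, 0xDE, 63,        80262),      # Dell Utility, 39 MB
    (0x00, 0x07, 80325,     30720000),   # NTFS, 15000 MB
    (0x80, 0x07, 30800325,  457592832),  # NTFS, 223434 MB, active (80 (A) in the log)
    (0x00, 0x17, 488395120, 1024),       # hidden NTFS, "0 MB", flagged MBR:Alureon-K
]

def build_mbr(entries):
    """Assemble a 512-byte MBR from (status, type, lba_start, sectors) tuples; CHS fields zeroed."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, count) in enumerate(entries):
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack(ENTRY_FMT, status, b'\0\0\0', ptype, b'\0\0\0', start, count)
    mbr[510:512] = b'\x55\xAA'                   # boot signature
    return bytes(mbr)

def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b'\x55\xAA':
        raise ValueError('not a valid MBR sector')
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append({'index': i + 1, 'active': status == 0x80, 'type': ptype, 'start': start, 'sectors': count})
    return parts

def suspicious_entries(parts, disk_sectors):
    """Flag entries showing at least two of the traits the log shows for the Alureon partition."""
    findings = []
    for p in parts:
        reasons = []
        if p['type'] in HIDDEN_TYPES:
            reasons.append('hidden partition type 0x%02X' % p['type'])
        if p['sectors'] * SECTOR < 1024 * 1024:
            reasons.append('size under 1 MB')
        if p['start'] + p['sectors'] > disk_sectors:
            reasons.append('extends past end of disk')
        if len(reasons) >= 2:
            findings.append((p['index'], reasons))
    return findings

if __name__ == '__main__':
    for idx, why in suspicious_entries(parse_partitions(build_mbr(SAMPLE_LAYOUT)), DISK_SECTORS):
        print('Partition %d suspicious: %s' % (idx, ', '.join(why)))
```

A real disk would be read with a raw device handle rather than built in memory; the parsing and the checks are unchanged.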