Win32-Alureon-OF [Rtk] caught, but can't boot

[GaryGo]

On 2011-01-05, I was at trustworthy web site, but one with lots of ads. Avast reported Win32-Alureon-OF [Rtk], but claimed that it stopped the virus from doing damage. But, Avast recommended that I allow it to reboot my PC and run a boot time scan. I clicked yes, and started to reboot. But, the system was not able to boot past the point where it selects the boot drive. The PC tried to boot off the hard drive, and then hung, so the virus scan never started.

At some level, Avast failed. Either Avast did not successfully protect my PC (even though it said it did), or Avast corrupted my boot sector. Maybe an ad inserted a virus.

In any case, I booted off my XP CD, started repair mode, and at the prompt, I ran fixmbr and fixboot. I will be verbose to help future victims.

Fixmbr and fixboot do not affect partitioning (if you have two hard drives), and do not affect any data on the hard drive(s). When your PC can't boot into Windows, there is not much to lose. If your hard drive is physically damaged, these will not work. In that case, try chkdsk. If these commands all fail, you'll need to reformat your hard drive and reinstall your operating system, if your drive works at all.

FIXMBR grabs the original master boot record code from the drive's EEPROM chip and restores it, effectively wiping out anything that might be in there, be it LILO, GRUB, a Windows bootloader, and any possible traces of a virus, etc. When that command is finished, the MBR is as good as it was the moment the drive passed QA testing at the factory.

FIXBOOT restores the native ability for Windows to boot with the NTLDR file and bootloader, simply put.  Run FIXMBR first, then FIXBOOT right after that, then type exit and press Enter to reboot.

CHKDSK attempts to find and repair physical disk errors. You might lose a file or two, depending on the extent of the damage. If the bootup simply hangs, not even a blue screen, try fixmbr and ßfixboot first, although it is safe to run chkdsk occasionally.

I popped out the XP CD and rebooted. My PC proceeded to boot, Avast ran the boot time scan (took a couple hours, no viruses detected), and Windows then started. I have not seen any trouble since then. I am now up and running. Avast probably saved me from "something", but not from MBR corruption that had to be repaired manually.

[CharleyO]

***

I am glad that you got it all sorted out and back running again.  

One thing I want to mention. There are no trustworthy web sites.
All of them can be hacked in some way or another.
You should be aware of that after your recent experience.


***

[essexboy]

That is the TDL4 MBR bootkit, I wonder if Avast tried to repair the MBR but failed for some reason.  I would be intrigued to know if Avast is now taking that approach, as an MBR fix is fairly easy as you found out (the hard way)   

[Left123]

MBR fix is fairly easy)  

What if  the corruption in the MBR affects the partition table?Running
fixmbr might would not  resolve the problem.