Author Topic: support for aswMBR?  (Read 12297 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: support for aswMBR?
« Reply #15 on: January 28, 2012, 07:36:32 PM »
I think that this boils down to the file system on the hard drive and the SCSI connection. A very unusual combination... If you have no problems evident, then I would suspect it may be something you will either have to get used to, or convert the drive to NTFS.

nixxy13

  • Guest
Re: support for aswMBR?
« Reply #16 on: March 18, 2012, 06:06:57 AM »
I have just recently installed Avast Free Antivirus and it immediately detected a Rootkit MBR: Alureon. I tried using the Delete now action but it didn't work. I did some web searches and saw it was recommended to use aswMBR. I downloaded aswMBR and did a scan and it returned this log -

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-18 13:56:22
-----------------------------
13:56:22.378    OS Version: Windows 5.1.2600 Service Pack 2
13:56:22.378    Number of processors: 1 586 0x905
13:56:22.378    ComputerName: NIX  UserName: Me
13:56:25.302    Initialize success
13:56:26.193    AVAST engine defs: 12031701
13:57:28.583    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:57:28.593    Disk 0 Vendor: FUJITSU_MHS2040AT__D 8205 Size: 35141MB BusType: 3
13:57:28.994    Disk 0 MBR read successfully
13:57:28.994    Disk 0 MBR scan
13:57:29.004    Disk 0 unknown MBR code
13:57:29.024    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        35134 MB offset 63
13:57:29.054    Disk 0 Partition 2 00     17 Hidd HPFS/NTFS NTFS            7 MB offset 71956080
13:57:29.064    Disk 0 Partition 2  **INFECTED** MBR:Alureon-K [Rtk]
13:57:29.064    Disk 0 scanning sectors +71971200
13:57:29.274    Disk 0 scanning C:\WINDOWS\system32\drivers
13:57:49.423    Service scanning
13:58:23.632    Modules scanning
13:58:42.389    Disk 0 trace - called modules:
13:58:42.860    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:58:42.860    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f24ab8]
13:58:42.870    3 CLASSPNP.SYS[f76e105b] -> nt!IofCallDriver -> \Device\00000079[0x86f3f130]
13:58:42.870    5 ACPI.sys[f7657620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f23d98]
13:58:43.360    AVAST engine scan C:\
14:36:15.960    Scan finished successfully
14:36:52.883    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Me\My Documents\MBR.dat"
14:36:52.893    The log file has been saved successfully to "C:\Documents and Settings\Me\My Documents\aswMBR.txt"


My question now is: do I just select FixMBR, or is it more complicated than that? Sorry, I'm just unsure what to do next. (Yes, I'm a noob  :-[)
   
« Last Edit: March 18, 2012, 06:08:51 AM by nixxy13 »
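The log above ends with aswMBR saving the raw boot sector to MBR.dat. A practitioner who wants to look at that file rather than trust a single scanner can decode the 64-byte partition table at offset 446 and apply the same heuristics aswMBR's output suggests: a partition with a "hidden" type code (0x17 is hidden HPFS/NTFS, exactly what the log shows) and a tiny size tucked in after the main volume is the classic footprint of an MBR rootkit's private storage. The following is an added example, not aswMBR's code and not part of the original post; the 512-byte MBR it parses is constructed to mirror the partition table printed in the log (boot code area zero-filled, so a real MBR.dat differs in its first 446 bytes), and the 32 MB "tiny partition" threshold is an assumption chosen for illustration.

```python
"""Decode an MBR partition table (e.g. the MBR.dat that aswMBR saves) and
flag entries that look like a rootkit's hidden partition.

Added example for the forum thread, not aswMBR's own code.
"""
import struct
import sys

SECTOR = 512
PT_OFFSET = 446                     # partition table starts after boot code
ENTRY_FMT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA, count
BOOT_SIG = b"\x55\xaa"

# Hidden variants of FAT/NTFS partition types (0x17 = hidden HPFS/NTFS,
# which is what the thread's log reports for the 7 MB partition).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# Assumption for this example: non-bootable partitions at or below this
# size are unusual enough on a single-volume desktop to deserve a look.
SMALL_MB = 32


def parse_mbr(mbr: bytes):
    """Return one dict per non-empty entry in the 4-slot partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + 16 * slot)
        if ptype == 0:              # empty slot
            continue
        entries.append({
            "index": slot + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba": lba,             # first sector, matches aswMBR's "offset"
            "sectors": count,
            "mb": count * SECTOR // (1024 * 1024),
        })
    return entries


def suspicious_partitions(entries):
    """Return (index, [reasons]) for entries matching the hidden-partition heuristics."""
    flagged = []
    for e in entries:
        reasons = []
        if e["type"] in HIDDEN_TYPES:
            reasons.append("hidden partition type 0x%02X" % e["type"])
        if not e["bootable"] and e["mb"] <= SMALL_MB:
            reasons.append("tiny non-bootable partition (%d MB)" % e["mb"])
        if reasons:
            flagged.append((e["index"], reasons))
    return flagged


def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the partition table in the thread's log
    (not a captured MBR.dat; boot code area left zeroed)."""
    mbr = bytearray(SECTOR)
    # Partition 1: bootable (0x80), type 07 NTFS, LBA 63, 35134 MB
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                     63, 35134 * 2048)
    # Partition 2: not bootable, type 17 hidden NTFS, LBA 71956080, 7 MB
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16,
                     0x00, b"\xfe\xff\xff", 0x17, b"\xfe\xff\xff",
                     71956080, 7 * 2048)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def report(mbr: bytes) -> str:
    """Human-readable summary in the spirit of aswMBR's partition lines."""
    lines = []
    entries = parse_mbr(mbr)
    for e in entries:
        lines.append("Partition %d %s type %02X %6d MB offset %d" % (
            e["index"], "80 (A)" if e["bootable"] else "00    ",
            e["type"], e["mb"], e["lba"]))
    for idx, reasons in suspicious_partitions(entries):
        lines.append("Partition %d **SUSPICIOUS**: %s" % (idx, "; ".join(reasons)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python mbr_check.py [MBR.dat]; with no argument the constructed
    # sample that mirrors the thread's log is decoded instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(report(data))
```

Two caveats a practitioner should keep in mind. First, this only inspects the partition table; the "unknown MBR code" line in the log refers to the first 446 bytes, and judging those requires comparing them against a known-good boot loader (or disassembling them), which the table parser does not do. Second, a hidden partition can be perfectly legitimate (OEM recovery or diagnostic partitions often use hidden type codes), so a flag here is a reason to investigate, not proof of infection.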

Offline essexboy

Re: support for aswMBR?
« Reply #17 on: March 18, 2012, 01:48:47 PM »
OK, this is a multiple-type infection, so we will need to remove it in parts.

First :

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"
 
Disk Management will open.
 
Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

You will see a 7 MB partition
Right click that and select delete

Then :

Download the latest version of TDSSKiller from here and save it to your Desktop.
 
 
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

nixxy13

  • Guest
Re: support for aswMBR?
« Reply #18 on: March 18, 2012, 03:02:23 PM »
Thank you for the swift reply. I deleted the partition with Disk Manager and did a scan with TDSSKiller, which detected 21 threats. There was no Cure option, so I skipped them all. Here is a link to the TDSSKiller log (I had to upload it to cloud storage as it exceeded the character limit for a post).

http://www.mediafire.com/?6v1bt5lw9ib9wxw

Offline essexboy

Re: support for aswMBR?
« Reply #19 on: March 18, 2012, 03:19:56 PM »
Any problems apparent ?

nixxy13

  • Guest
Re: support for aswMBR?
« Reply #20 on: March 19, 2012, 08:28:14 AM »
I did another scan with aswMBR and it isn't detecting Alureon anymore. From the log I provided you, do you think the threats that TDSSKiller found will be a problem going forward? All I did was skip them.

Offline essexboy

Re: support for aswMBR?
« Reply #21 on: March 19, 2012, 11:18:52 AM »
No, they were just unsigned generic drivers and should not be a problem.

Is the computer behaving itself now ?

nixxy13

  • Guest
Re: support for aswMBR?
« Reply #22 on: March 20, 2012, 10:56:23 AM »
So far so good.
Thank you so much for all of your help.

Offline essexboy

Re: support for aswMBR?
« Reply #23 on: March 20, 2012, 09:50:46 PM »
Run OTL and press the cleanup button to remove the tools  ;D