Author Topic: aswMBR  (Read 18263 times)


Nickocosmic

  • Guest
aswMBR
« on: February 02, 2012, 09:38:50 AM »
Not sure if this topic goes here, so forgive me if I'm in the wrong place. I ran this program using Quick Scan, and it detected an Alureon-K [Rtk] infection. I was following this guide:

http://public.avast.com/~gmerek/aswMBR.htm

At the very bottom, it says for Alureon infections to use the command aswMBR.exe -ap 1. I'm not sure how to do this. I've tried through the command prompt, but it just tells me that it can't find aswMBR.exe. I'm pretty new to this rootkit business, so I can post the log if need be. Thanks in advance for any help.

true indian

  • Guest
Re: aswMBR
« Reply #1 on: February 02, 2012, 09:41:25 AM »
Welcome to the forums!!! ;D Ensure that aswMBR is still on the desktop.

1. Go to Start > Run.

2. Copy/paste in the following command please: aswMBR.exe -ap 1 [notice the spaces]

3. Press Enter.

4. Once the programme has run, reboot immediately.
« Last Edit: February 02, 2012, 10:01:55 AM by true indian »

true indian

  • Guest
Re: aswMBR
« Reply #2 on: February 02, 2012, 09:44:09 AM »
Once the reboot is complete, rerun aswMBR and copy/paste the contents of the log in your next reply.
« Last Edit: February 02, 2012, 09:48:59 AM by true indian »

Nickocosmic

  • Guest
Re: aswMBR
« Reply #3 on: February 02, 2012, 10:08:07 AM »
Thanks for the welcome!

I've tried running it that way through the command prompt as well as Start > Run, but it tells me Windows can't find aswMBR.exe. I've made sure the program is on the desktop as well.

Also, here is the log from the initial scan:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-02 03:10:07
-----------------------------
03:10:07.756    OS Version: Windows x64 6.1.7601 Service Pack 1
03:10:07.756    Number of processors: 4 586 0x402
03:10:07.757    ComputerName: SINGULARITY  UserName: Nickocosmic
03:10:08.843    Initialize success
03:10:08.881    AVAST engine defs: 12020101
03:11:06.412    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-6
03:11:06.414    Disk 0 Vendor: MAXTOR_STM3500320AS MX15 Size: 476940MB BusType: 3
03:11:06.428    Disk 0 MBR read successfully
03:11:06.430    Disk 0 MBR scan
03:11:06.432    Disk 0 Windows 7 default MBR code
03:11:06.442    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       476929 MB offset 63
03:11:06.474    Disk 0 Partition 2 00     17 Hidd HPFS/NTFS NTFS           10 MB offset 976752000
03:11:06.477    Disk 0 Partition 2  **INFECTED** MBR:Alureon-K [Rtk]
03:11:06.488    Service scanning
03:11:07.837    Modules scanning
03:11:07.846    Disk 0 trace - called modules:
03:11:07.864    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
03:11:07.874    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006273060]
03:11:07.879    3 CLASSPNP.SYS[fffff8800196f43f] -> nt!IofCallDriver -> [0xfffffa8005328880]
03:11:07.883    5 ACPI.sys[fffff88000f017a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-6[0xfffffa8005c0b680]
03:11:09.378    AVAST engine scan C:\Windows
03:11:15.087    AVAST engine scan C:\Windows\system32
03:13:01.748    AVAST engine scan C:\Windows\system32\drivers
03:13:10.462    AVAST engine scan C:\Users\Nickocosmic
03:14:45.380    Disk 0 MBR has been saved successfully to "C:\Users\Nickocosmic\Documents\MBR.dat"
03:14:45.381    The log file has been saved successfully to "C:\Users\Nickocosmic\Documents\aswMBR.txt"


« Last Edit: February 02, 2012, 10:11:53 AM by Nickocosmic »

true indian

  • Guest
Re: aswMBR
« Reply #4 on: February 02, 2012, 10:14:35 AM »
Try renaming it and then running the command.

Nickocosmic

  • Guest
Re: aswMBR
« Reply #5 on: February 02, 2012, 10:26:45 AM »
Renamed it and ran the command. The command prompt popped up for a second and then closed. I rebooted the computer and ran aswMBR again. Here's the log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-02 04:23:47
-----------------------------
04:23:47.367    OS Version: Windows x64 6.1.7601 Service Pack 1
04:23:47.367    Number of processors: 4 586 0x402
04:23:47.367    ComputerName: SINGULARITY  UserName: Nickocosmic
04:23:50.221    Initialize success
04:23:50.268    AVAST engine defs: 12020200
04:23:51.735    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-6
04:23:51.735    Disk 0 Vendor: MAXTOR_STM3500320AS MX15 Size: 476940MB BusType: 3
04:23:51.750    Disk 0 MBR read successfully
04:23:51.750    Disk 0 MBR scan
04:23:51.766    Disk 0 Windows 7 default MBR code
04:23:51.766    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       476929 MB offset 63
04:23:51.781    Disk 0 Partition 2 00     17 Hidd HPFS/NTFS NTFS           10 MB offset 976752000
04:23:51.797    Disk 0 Partition 2  **INFECTED** MBR:Alureon-K [Rtk]
04:23:51.797    Service scanning
04:23:53.607    Modules scanning
04:23:53.607    Disk 0 trace - called modules:
04:23:53.622    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
04:23:53.622    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006293060]
04:23:54.153    3 CLASSPNP.SYS[fffff8800199e43f] -> nt!IofCallDriver -> [0xfffffa8005cb79b0]
04:23:54.153    5 ACPI.sys[fffff88000fa27a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-6[0xfffffa8005e8b680]
04:23:55.369    AVAST engine scan C:\Windows
04:23:57.460    AVAST engine scan C:\Windows\system32
04:26:04.696    AVAST engine scan C:\Windows\system32\drivers
04:26:12.559    AVAST engine scan C:\Users\Nickocosmic
04:26:29.017    Disk 0 MBR has been saved successfully to "C:\Users\Nickocosmic\Documents\MBR.dat"
04:26:29.048    The log file has been saved successfully to "C:\Users\Nickocosmic\Documents\aswMBR1.txt"



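Both logs in this thread show the same thing the helper is about to act on in Disk Management: a 10 MB partition of type 17 (hidden NTFS) parked in the free sectors past the end of the Windows partition, with aswMBR's engine verdict attached to it. The script below is an added example for this thread, not part of aswMBR and not from any of the posters: it parses the disk and partition lines of an aswMBR log, attaches the **INFECTED** verdicts to their partitions, and reports hidden partitions that sit behind every visible partition on the disk, which is the layout in both logs above. The regular expressions are written against the exact line format shown in those logs, the sample input is an excerpt of the first posted log, and the 512-byte sector size used to convert MB to sectors is an assumption of mine (the numbers in the log are consistent with it). Function and class names are likewise mine.

```python
import re
from dataclasses import dataclass, field

SECTORS_PER_MB = (1024 * 1024) // 512     # assumption: 512-byte sectors

# Sample input: an excerpt of the first log posted in this thread, trimmed to the
# lines the parser uses (header, MBR-code and driver-trace lines are ignored).
SAMPLE_LOG = """\
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-02 03:10:07
03:11:06.414    Disk 0 Vendor: MAXTOR_STM3500320AS MX15 Size: 476940MB BusType: 3
03:11:06.432    Disk 0 Windows 7 default MBR code
03:11:06.442    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       476929 MB offset 63
03:11:06.474    Disk 0 Partition 2 00     17 Hidd HPFS/NTFS NTFS           10 MB offset 976752000
03:11:06.477    Disk 0 Partition 2  **INFECTED** MBR:Alureon-K [Rtk]
"""

DISK_RE = re.compile(r"Disk (\d+) Vendor: .*? Size: (\d+)MB")
PART_RE = re.compile(r"Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})(?: \((A)\))?\s+"
                     r"([0-9A-Fa-f]{2})\s+(.*?)\s+(\d+) MB offset (\d+)")
INFECTED_RE = re.compile(r"Disk (\d+) Partition (\d+)\s+\*\*INFECTED\*\* (.+)")


@dataclass
class Partition:
    disk: int
    number: int
    boot_flag: int      # 0x80 = active (aswMBR prints "(A)"), 0x00 = inactive
    part_type: int      # MBR type byte: 0x07 NTFS, 0x17 hidden NTFS (printed "Hidd")
    label: str
    size_mb: int
    offset_sectors: int
    detections: list = field(default_factory=list)

    @property
    def end_sector(self) -> int:
        return self.offset_sectors + self.size_mb * SECTORS_PER_MB

    @property
    def hidden(self) -> bool:
        return self.part_type == 0x17 or self.label.startswith("Hidd")


@dataclass
class Report:
    disk_size_mb: dict = field(default_factory=dict)   # disk number -> size in MB
    partitions: list = field(default_factory=list)

    def disk_sectors(self, disk: int) -> int:
        return self.disk_size_mb[disk] * SECTORS_PER_MB


def parse_log(text: str) -> Report:
    """Pull disk sizes, partition entries and **INFECTED** verdicts out of an aswMBR log."""
    rep = Report()
    for line in text.splitlines():
        if m := DISK_RE.search(line):
            rep.disk_size_mb[int(m[1])] = int(m[2])
        elif m := PART_RE.search(line):
            rep.partitions.append(Partition(
                disk=int(m[1]), number=int(m[2]), boot_flag=int(m[3], 16),
                part_type=int(m[5], 16), label=m[6].strip(),
                size_mb=int(m[7]), offset_sectors=int(m[8])))
        elif m := INFECTED_RE.search(line):
            for p in rep.partitions:                  # verdict lines follow their partition line
                if (p.disk, p.number) == (int(m[1]), int(m[2])):
                    p.detections.append(m[3].strip())
    return rep


def tail_hidden_partitions(rep: Report) -> list:
    """Hidden partitions that start behind every visible partition on their disk and
    still fit inside it, which is where Partition 2 sits in the posted log."""
    found = []
    for p in rep.partitions:
        if not p.hidden:
            continue
        visible_end = max((q.end_sector for q in rep.partitions
                           if q.disk == p.disk and not q.hidden), default=0)
        if p.offset_sectors >= visible_end and p.end_sector <= rep.disk_sectors(p.disk):
            found.append(p)
    return found


def findings(text: str) -> list:
    """Engine detections plus partition-layout anomalies, one string each."""
    rep = parse_log(text)
    out = [f"disk {p.disk} partition {p.number}: engine detection {d}"
           for p in rep.partitions for d in p.detections]
    for p in tail_hidden_partitions(rep):
        slack = rep.disk_sectors(p.disk) - p.end_sector
        out.append(f"disk {p.disk} partition {p.number}: hidden type 0x{p.part_type:02x}, "
                   f"{p.size_mb} MB at sector {p.offset_sectors}, ending {slack} sectors "
                   f"before the end of the disk")
    out += [f"disk {p.disk} partition {p.number}: active flag set on a hidden partition"
            for p in rep.partitions if p.hidden and p.boot_flag == 0x80]
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```

Run as-is it prints two findings for the posted log. With 512-byte sectors the geometry is consistent: Partition 1 ends at sector 976,750,655, the hidden partition starts 1,345 sectors later and ends 640 sectors before the end of the disk. The active-flag check goes one step beyond these logs (neither shows it): a hidden partition carrying the 0x80 boot flag is the other layout worth flagging when reading such a log. One caveat for the step the thread takes next: deleting the volume in Disk Management removes the partition table entry, which is why a few MB of unallocated space remain afterwards; the sectors themselves are not wiped, so a fresh aswMBR run after the reboot is the right way to confirm that the entry is gone and that the MBR code still reads as the Windows default.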
true indian

  • Guest
Re: aswMBR
« Reply #6 on: February 02, 2012, 10:31:27 AM »
Maybe the bad guys have improved their protection...

Try renaming it to winlogon.exe

and then try running again.

Nickocosmic

  • Guest
Re: aswMBR
« Reply #7 on: February 02, 2012, 10:37:59 AM »
Tried winlogon.exe, and nothing happened. Renamed it back to MBR.exe, and the command prompt once again popped up for a split second. Screencapped it to catch what it said:

device: opened successfully
user: error reading MBR
error: Read  The handle is invalid
kernel: error reading MBR

true indian

  • Guest
Re: aswMBR
« Reply #8 on: February 02, 2012, 10:41:17 AM »
Open Run.

Copy/paste this in:
diskmgmt.msc

Make sure the window is big enough to see the full details given in it.

Take a screenshot and attach it on next reply.

Nickocosmic

  • Guest
Re: aswMBR
« Reply #9 on: February 02, 2012, 10:48:38 AM »
As per request.

true indian

  • Guest
Re: aswMBR
« Reply #10 on: February 02, 2012, 10:53:28 AM »
Right-click on the 10 MB partition and click Delete Volume...

Rerun aswMBR and attach a fresh log.

Nickocosmic

  • Guest
Re: aswMBR
« Reply #11 on: February 02, 2012, 11:02:44 AM »
Didn't see the infection pop up this time.

true indian

  • Guest
Re: aswMBR
« Reply #12 on: February 02, 2012, 11:03:47 AM »
Check Disk Management again. Do you still see the 10 MB partition?

Nickocosmic

  • Guest
Re: aswMBR
« Reply #13 on: February 02, 2012, 11:05:43 AM »
There's 9 MB of unallocated space where the 10 MB partition was.

true indian

  • Guest
Re: aswMBR
« Reply #14 on: February 02, 2012, 11:07:46 AM »
OK... can you take another screenshot please and attach it...

Reboot and tell me if everything is fine after the reboot.