Help with Disk 0 partition 4 Infected MBR:Alureon-K [Rtk]

[kalim1993]

Hi First time I have signed up and i am having allot of problems with my Dell Inspiron mini 1018.
I can't seem to run many programmes with an error message 'the application was unable to start correctly (0xc0000005)
Malware bytes isn't finding anything.

my aswmbr log is:
aswMBR version 0.9.9.1618 Copyright(c) 2011 AVAST Software
Run date: 2012-02-18 13:51:15
-----------------------------
13:51:15.268    OS Version: Windows 6.1.7601 Service Pack 1
13:51:15.268    Number of processors: 2 586 0x1C0A
13:51:15.284    ComputerName: JIMMYS-PC  UserName: Jimmy
13:51:17.443    Initialize success
13:51:20.878    AVAST engine defs: 12021800
13:52:18.123    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:52:18.131    Disk 0 Vendor: ST9250315AS D005DEM1 Size: 238475MB BusType: 11
13:52:18.162    Disk 0 MBR read successfully
13:52:18.171    Disk 0 MBR scan
13:52:18.750    Disk 0 Windows 7 default MBR code
13:52:18.773    Disk 0 MBR hidden
13:52:18.800    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0      100 MB offset 2048
13:52:19.633    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10000 MB offset 206848
13:52:19.876    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       228373 MB offset 20686848
13:52:19.948    Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS            0 MB offset 488395120
13:52:20.096    Disk 0 Partition 4  **INFECTED** MBR:Alureon-K [Rtk]
13:52:20.121    Disk 0 scanning sectors +488397152
13:52:20.664    Disk 0 scanning C:\Windows\system32\drivers
13:52:44.000    Service scanning
13:53:15.630    Modules scanning
13:53:26.999    Disk 0 trace - called modules:
13:53:27.031    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8495dfa9]<<
13:53:27.054    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84946ac8]
13:53:27.073    3 CLASSPNP.SYS[86d9e59e] -> nt!IofCallDriver -> [0x84945558]
13:53:27.105    \Driver\PCTCore[0x84862df8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8495dfa9
13:53:28.208    AVAST engine scan C:\Windows
13:53:31.359    AVAST engine scan C:\Windows\system32
13:56:51.816    AVAST engine scan C:\Windows\system32\drivers
13:57:09.269    AVAST engine scan C:\Users\Jimmy
14:00:37.058    AVAST engine scan C:\ProgramData
14:01:45.038    Scan finished successfully
14:02:06.928    Disk 0 MBR has been saved successfully to "C:\Users\Jimmy\Desktop\MBR.dat"
14:02:06.947    The log file has been saved successfully to "C:\Users\Jimmy\Desktop\aswMBR.txt"


Thank you for taking a look

[Pondus]

Follow the guide and attach OTL logs
http://forum.avast.com/index.php?topic=53253.0

[essexboy]

Prior to the log run lets kill this meanie first

Run an elevated command prompt :

Go start > all programmes > accessories
Right click command prompt and select run as administrator
Type in the following command


aswMBR.exe -ap 1

Ensure the spaces are in the right place

aswMBR.exe(space) -ap(space) 1

When AswMBR has finished then reboot and rerun aswMBR scan

[kalim1993]

okay thanks for the quick replys, i've tried doing the command prompt and getting a message
'aswMBR.exe' is not a recogized as internal or external command operable program or batch file'

[essexboy]

Is aswMBR on the desktop ?
Did you type the full command
If so then download a fresh copy and retry
If not then move to the desktop

[kalim1993]

aswMBR is on the desktop, and a new copy has been downloaded too and i am still recieving the save message, I typed everything correctly just as you said

[essexboy]

OK a new one - I will see if I can find the dropper when we get to the OTL logs

Download the latest version of TDSSKiller from

here and save it to your Desktop.
 
 

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
   
  
   
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
   
  
   
  
• Click the Start Scan button.
   
  
   
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
   
  
   
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
   
  
   
  
• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
[/list]

[kalim1993]

Thank you for that, But My laptop doesn't seem to TDSSkiller, I'm not getting any error messages i've tried opening as admin and nothing loads up, I've tried opening TDSSkiller in safe mode too but nothing appears?

[essexboy]

OK looks like the latest variant

Do you have a cd to create a system repair disc ?

Is the computer 64 or 32 bit

What Startup Repair is capable of can be read in this Microsoft Article.

You may need to Add The Run... Box For Windows 7 for the below...

However, you can also open the Run.. box via depressing both the Windows key and R together.

--------------

Create a Windows 7 System Repair Disc:

Note: the below can only be done if your machine has a a type of CD/R or DVD/R optical drive installed. Also depending on the exact type of OEM your machine has you may be unable to actually create a SRD.

• Click on Start(Windows 7 Orb) >> Run..., then copy/paste the following command into the box and click on OK:
  
  

Code: [Select]

recdisc.exe

• Allow the UAC(User Account Control) prompt via selecting Yes.
  
• You should now see a menu like the below:-

• Put a blank rewritable  CD/DVD in your optical(CD/DVD) drive and then click on Create disc.

A blank CD/R or DVD/R can be used also...

• Note: If a AutoPlay window pops up, just close it.
  
• When the SRD has been created you will see similar to the below:-

• Now click on Close >> OK.
  
• You now have a Windows 7 System Repair Disc.
  

Please note: The above can be created with either a 32 or 64 bit Operating System. However the disks are not interchangeable...IE a 32 bit Startup Repair Disk cannot be used on a 64 bit Operating System and vice versa otherwise damage may be caused rather than any actual repairs implemented.
 
The differences between the aforementioned can be read in this Microsoft Article:-

32-bit and 64-bit Windows: frequently asked questions

[kalim1993]

Okay the laptop is 32 bit,
It Does not have a cd drive, but i have a usb powered cd/dvd writer which i can make the repair disk, I shall do this right now and let you know onces its done, thank you for helping me.

[kalim1993]

okay the system repair disk for 32bit has now been made.

[essexboy]

OK once that has been made we will need to create a Linux disc part to enable the removal of the bad partition

I will give the instructions for that now

I need you to download:
gparted-live-0.11.0-7.iso (115.1 MB)

Create a bootable USB  for Gparted  from the ISO images.  You can use UnetBootin do this.

Create a bootable CD  You can use ImgBurn do this.


You should be here...
Press ENTER
 

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
 

Choose your language and press ENTER. English is default [33]
 

Once again, at this prompt, press ENTER
 
You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is 1MB
Click the trash can icon to delete and then click Apply.
 
You should now be here confirming your actions:

 
Now you should be here:

 

Is "boot" next to your OS drive?
 
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
 
In the menu that pops up, place a checkmark in boot like the picture below:

 
Now double-click the button.
 
You should receive a small pop up like this:

Choose reboot and then press OK.
 
Now reboot from the Windows 7 Recovery Environment CD and execute the following commands:
 

• bootrec /FixMbr
• bootrec /FixBoot
• exit

Once back in Windows.

Re-Run aswMBR and post the log