
Avast Rootkit Threat MBR Alureon-K
Hi all

I downloaded Avast last weekend and now every time I put my PC on it tells me I have something malicious, "Partition 3 MBR Alureon-K", which I can delete. I delete this and then it says to do a rootkit scan which takes forever. Everything seems fine after that but on rebooting it brings up this message every time and wants another scan. Any ideas what this is and how to clear it? Thank you.

Comments

  • Pikeyp
    Pikeyp Posts: 494 Forumite
    Part of the Furniture 100 Posts
    You could try out Malwarebytes' new Anti-Rootkit scanner; it's still in beta at the moment, but you never know your luck!

    http://www.malwarebytes.org/products/mbar/
  • Thank you. Will try that this evening.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    I would backup any important data before attempting any fix first.

    This rootkit - part of the data-stealing Alureon malware family - creates a hidden, malicious partition and alters the partition table to make it the active partition: http://blog.eset.com/2011/10/18/tdl4-rebooted

    Download aswMBR and save it to your Desktop.

    http://public.avast.com/~gmerek/aswMBR.exe

    • Double click aswMBR.exe (XP) or right click & choose "Run as Administrator" to run it (Vista, Win 7).
    • Click the Scan button.
    • Wait till the scan reports "Scan finished successfully".
    • Click Save log & save the log to your desktop.
    • Click OK
    • Two files will be created, aswMBR.txt & a file named MBR.dat
    • Click EXIT.
    • Copy & Paste the contents of aswMBR.txt into your next reply.
    Don't click to fix anything, just post the log.
  • Hi Waddler

    Thank you for helping me out with this.

    I have carried out your instructions and this is the log from aswMBR.txt.

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2013-01-26 08:06:31
    08:06:31.890 OS Version: Windows 5.1.2600 Service Pack 3
    08:06:31.890 Number of processors: 1 586 0x207
    08:06:31.906 ComputerName: ANGELA UserName: Angie
    08:06:33.437 Initialize success
    08:06:35.687 AVAST engine defs: 13012501
    08:06:48.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    08:06:48.296 Disk 0 Vendor: ST360015A 3.33 Size: 57241MB BusType: 3
    08:06:48.328 Disk 0 MBR read successfully
    08:06:48.343 Disk 0 MBR scan
    08:06:48.343 Disk 0 Windows XP default MBR code
    08:06:48.343 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
    08:06:48.359 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 57208 MB offset 64260
    08:06:48.375 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 2 MB offset 117226305
    08:06:48.375 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
    08:06:48.390 Disk 0 MBR [SST] **ROOTKIT**
    08:06:48.390 Disk 0 trace - called modules:
    08:06:48.390 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    08:06:48.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8738bab8]
    08:06:48.406 3 CLASSPNP.SYS[f76e3fd7] -> nt!IofCallDriver -> \Device\00000068[0x873732a0]
    08:06:48.406 5 ACPI.sys[f765a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8736f940]
    08:06:48.796 AVAST engine scan C:\WINDOWS
    08:07:20.312 AVAST engine scan C:\WINDOWS\system32
    08:11:58.062 AVAST engine scan C:\WINDOWS\system32\drivers
    08:12:27.125 AVAST engine scan C:\Documents and Settings\Angie
    08:18:34.921 AVAST engine scan C:\Documents and Settings\All Users
    08:26:22.812 Scan finished successfully
    08:27:51.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Angie\Desktop\MBR.dat"
    08:27:51.890 The log file has been saved successfully to "C:\Documents and Settings\Angie\Desktop\aswMBR.txt"

    Please let me know what to do next.

    Thanks again
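    The partition-table tampering waddler_8 describes is visible in the aswMBR log above: partition 3 is marked active (the 80 flag), uses a hidden NTFS type (17), is only 2 MB, and sits beyond the end of the real Windows partition. The following script is an added example (not part of this thread, nor Avast's or aswMBR's code) showing how a defender can read those same fields straight out of a raw 512-byte MBR and flag exactly that combination. The MBR bytes it parses are constructed here to mirror the layout in the log, not taken from the poster's MBR.dat; the `suspicious_partitions` heuristic and its 16 MB threshold are assumptions of the example, not a published rule.

```python
import struct

SECTOR = 512
PT_OFFSET = 446        # the four 16-byte partition entries start here
ENTRY_LEN = 16
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"

# Partition type IDs that mark a volume as "hidden" (hidden FAT/NTFS variants).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def mb_to_sectors(mb):
    return mb * 1024 * 1024 // SECTOR


def make_entry(boot, ptype, lba_start, sectors):
    # CHS fields are zeroed; the LBA fields are what modern tools rely on.
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample MBR reproducing the layout in the aswMBR log above
# (sizes are rounded to whole megabytes, so offsets differ by a few sectors).
SAMPLE_MBR = (
    b"\x00" * PT_OFFSET                                   # boot code area (irrelevant here)
    + make_entry(0x00, 0xDE, 63, mb_to_sectors(31))       # Dell utility partition
    + make_entry(0x00, 0x07, 64260, mb_to_sectors(57208)) # real Windows NTFS partition
    + make_entry(0x80, 0x17, 117226305, mb_to_sectors(2)) # tiny hidden partition, marked active
    + make_entry(0x00, 0x00, 0, 0)                        # unused slot
    + BOOT_SIG
)


def parse_partition_table(mbr):
    """Return the non-empty partition entries of a raw MBR sector as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_LEN
        boot, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_LEN])
        if ptype == 0x00:
            continue  # empty slot
        entries.append({
            "index": i + 1,
            "active": boot == 0x80,
            "type": ptype,
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return entries


def suspicious_partitions(entries, max_active_mb=16):
    """Flag entries matching the bootkit pattern: a small or hidden partition
    that has been made the active (boot) partition, or one placed past the
    end of every normal partition. Threshold is an assumption of this example."""
    normal_end = max((e["lba_start"] + e["sectors"] for e in entries if not e["hidden"]), default=0)
    findings = []
    for e in entries:
        reasons = []
        if e["active"] and e["hidden"]:
            reasons.append("active flag set on a hidden partition type 0x%02X" % e["type"])
        if e["active"] and e["size_mb"] <= max_active_mb:
            reasons.append("active partition is only %d MB" % e["size_mb"])
        if e["hidden"] and e["lba_start"] >= normal_end:
            reasons.append("hidden partition appended after all normal partitions")
        if reasons:
            findings.append((e["index"], reasons))
    return findings


if __name__ == "__main__":
    table = parse_partition_table(SAMPLE_MBR)
    for e in table:
        print("Partition %d %s %02X %s %d MB offset %d" % (
            e["index"], "80 (A)" if e["active"] else "00", e["type"],
            "Hidden" if e["hidden"] else "", e["size_mb"], e["lba_start"]))
    for idx, reasons in suspicious_partitions(table):
        print("Partition %d SUSPECT: %s" % (idx, "; ".join(reasons)))
```

    Run against a real disk you would read the first 512 bytes of the physical drive (on Windows, `\\.\PhysicalDrive0`) instead of `SAMPLE_MBR`; note that a bootkit which also hooks the disk driver, as the `**ROOTKIT**` line in the log indicates, can hand back a clean sector to user-mode readers, which is why aswMBR traces the driver chain as well as parsing the table.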
  • hybernia
    hybernia Posts: 390 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    We ran Avast's aswMBR last week on this computer because we were certain that a corruption of our Master Boot Record had occurred. Our computer is protected by three tiers of active defense in the form of Malwarebytes PRO, WinPatrol PRO, and PandaCloud A/V. We also have Tiny firewall in place instead of Windows' firewall. We use CCleaner at the end of every online session, too, so as to clear caches.

    But the computer's performance has deteriorated so much in recent weeks that our suspicions remained, despite Malwarebytes and Panda repeatedly failing to find anything wrong. Nor were they the only failures: an online scan undertaken by Kaspersky likewise failed to report anything -- which was why we realised, if there was an infection here, it had to be outside Windows, otherwise Windows-based scanners and Windows-based A/V and anti-malware software would have found it.

    Avast's aswMBR instantly located the rootkit. Unlike the report you have, which shows "Windows XP Default MBR code", our report contained no mention of the existence of our own Windows Vista Default MBR because the rootkit had corrupted it beyond recognition.

    (The rootkit was TLD4, renowned, apparently, for sneaking in under the radar of A/V and anti-malware defences.)

    We backed up the files and folders we most use / need and then hit "Fix MBR" because aswMBR is, I think, the only one to offer this kind of facility quickly and automatically. The rootkit was killed and numerous cross-infections killed with it, because we re-ran aswMBR afterwards and everything was fine. We also downloaded Sophos's scanner and reviewed the entire Windows system -- it found two threats and dealt with them.

    The computer seemed perfect until we opened our email box to check for incoming mail and there discovered that fixing the MBR rootkit had resulted in the erasure of every file, folder, computer program, image, sound, video, document and email since August 30, 2012.

    It seemed the fix had, perhaps, gone to the last "good" restore point and rolled everything back to that. Certainly that was the only restore point showing up when we re-checked.

    Five months' work was therefore wiped out. As for emails, Windows Mail was on-screen with every email received in July/August, every email sent in July/August, and every email still in the delete folder but not emptied in July/August. (Of course, all those emails had long since been deleted from inbox, sent and dustbin -- or rather, they hadn't, because Windows Mail caches everything even if you think you've dumped it.)

    Moral of this tale:

    A fix of an MBR rootkit can result in your entire hard drive being rendered unusable. In our case, we have lost nearly 5 months' data, but we could as easily have lost absolutely everything. Please don't attempt any fix or any repair UNLESS you have first backed up either (a) everything on your hard drive or (b) at the very least, the files, folders, documents, emails etc. you think you'll need.

    Good luck, Angie!
  • closed
    closed Posts: 10,886 Forumite
    edited 26 January 2013 at 11:46AM
    cause and symptoms don't add up

    the moral is backup before you're infected.
    !!
    > . !!!! ----> .
  • Wikikenkey
    Wikikenkey Posts: 268 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    edited 26 January 2013 at 12:21PM
    Thanks hybernia and closed. I am running another backup on Western Digital in readiness for any suggestions that Waddler will come back to me with on my log.
  • Bump for help?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Sorry for the late reply, I was out at the football all day yesterday.

    This assumes aswMBR is saved to your desktop. If it isn't, let me know.

    Go to Start > Run and copy/paste the following command into the run box:

    "%userprofile%\desktop\aswmbr.exe" -ap 2

    Click OK

    aswMBR will run. Click Yes to the prompt & REBOOT.

    After reboot, re-run aswMBR - post the log.
  • Wikikenkey
    Wikikenkey Posts: 268 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    edited 27 January 2013 at 11:56AM
    Thanks for your reply Waddler. Hope you had a good match.

    Yes, I have saved aswMBR to my desktop. I will carry out your instructions and get back to you. Do I copy the text with the quote marks?

    Thank you.
This discussion has been closed.