Avast Rootkit Threat MBR Alureon-K

waddler_8

Thanks, I got the file. We now need to delete the partition.

Download ListParts from the link below & save it to your Desktop.

LINK

• Double click ListParts.exe to run it
• Press the Scan button.
• After a short scan, a log will open. Result.txt will also be on your Desktop.
• Post the contents of the log.

Wikikenkey

Deleted as not all info was copied. Waddler, please see next post #44

Wikikenkey

Sorry please ignore previous post 43 - dont think I got it all the first time.

This is it:


ListParts by Farbar Version: 16-01-2013
Ran by Angie (administrator) on 27-01-2013 at 19:15:18
Windows XP (X86)
Running From: C:\Documents and Settings\Angie\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 73%
Total physical RAM: 1022.48 MB
Available physical RAM: 270.77 MB
Total Pagefile: 1694.59 MB
Available Pagefile: 1062.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.02 MB
======================= Partitions =========================
2 Drive c: () (Fixed) (Total:55.87 GB) (Free:34.47 GB) NTFS ==>[Drive with boot components (Windows XP)]
4 Drive e: (My Book) (Fixed) (Total:931.48 GB) (Free:910.46 GB) NTFS
Disk ### Status Size Free Dyn Gpt

---

---

---

---

--- ---
Disk 0 Online 56 GB 0 B
Disk 1 Online 931 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset

---

---

---

---

Partition 1 OEM 31 MB 32 KB
Partition 2 Primary 56 GB 31 MB
Partition 3 Unknown 2544 KB 56 GB
======================================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info

---

---

---

---

---

---

---

---

* Volume 1 C NTFS Partition 56 GB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset

---

---

---

---

Partition 1 Primary 931 GB 1024 KB
======================================================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info

---

---

---

---

---

---

---

---

* Volume 2 E My Book NTFS Partition 931 GB Healthy
======================================================================================================
****** End Of Log ******

waddler_8

• Open Notepad
• Copy and paste the contents of the quote box below into Notepad. Do not include code:
  

  Disk=0 Partition=3 delete
  

• Click Format and ensure Wordwrap is unchecked.
• Save as Fix.txt & save to your desktop

Then,

• Double click ListParts.exe to run it.
• Press the Fix button.
• ListParts will process the script in Fix.txt
• When finished, press the Scan button.
• A log Result.txt will open on your Desktop.
• Post me the contents of the log.

Wikikenkey

Waddler, new log

ListParts by Farbar Version: 16-01-2013
Ran by Angie (administrator) on 27-01-2013 at 19:42:11
Windows XP (X86)
Running From: C:\Documents and Settings\Angie\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 45%
Total physical RAM: 1022.48 MB
Available physical RAM: 561.1 MB
Total Pagefile: 1694.59 MB
Available Pagefile: 1363.94 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.89 MB
======================= Partitions =========================
2 Drive c: () (Fixed) (Total:55.87 GB) (Free:34.49 GB) NTFS ==>[Drive with boot components (Windows XP)]
4 Drive e: (My Book) (Fixed) (Total:931.48 GB) (Free:910.46 GB) NTFS
Disk ### Status Size Free Dyn Gpt

---

---

---

---

--- ---
Disk 0 Online 56 GB 0 B
Disk 1 Online 931 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset

---

---

---

---

Partition 1 OEM 31 MB 32 KB
Partition 2 Primary 56 GB 31 MB
======================================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info

---

---

---

---

---

---

---

---

* Volume 1 C NTFS Partition 56 GB Healthy System (partition with boot components)
======================================================================================================
Partitions of Disk 1:
===============
The disk management services could not complete the operation.
======================================================================================================
****** End Of Log ******

waddler_8

Reboot and run aswMBR again. Choose (None) from the AV scan menu.

Wikikenkey

Waddler, log file below

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-27 19:55:24

---

19:55:24.593 OS Version: Windows 5.1.2600 Service Pack 3
19:55:24.593 Number of processors: 1 586 0x207
19:55:24.593 ComputerName: ANGELA UserName: Angie
19:55:28.000 Initialize success
19:55:28.218 AVAST engine defs: 13012700
19:55:38.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:55:38.968 Disk 0 Vendor: ST360015A 3.33 Size: 57241MB BusType: 3
19:55:38.984 Disk 0 MBR read successfully
19:55:38.984 Disk 0 MBR scan
19:55:39.000 Disk 0 Windows XP default MBR code
19:55:39.015 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
19:55:39.031 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57208 MB offset 64260
19:55:39.031 Disk 0 scanning sectors +117226305
19:55:39.125 Disk 0 scanning C:\WINDOWS\system32\drivers
19:56:02.781 Service scanning
19:56:45.015 Modules scanning
19:57:00.828 Disk 0 trace - called modules:
19:57:00.843 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:57:00.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8738bab8]
19:57:00.859 3 CLASSPNP.SYS[f76e3fd7] -> nt!IofCallDriver -> \Device\00000068[0x873732a0]
19:57:00.859 5 ACPI.sys[f765a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8736f940]
19:57:00.875 Scan finished successfully
19:59:24.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Angie\Desktop\MBR.dat"
19:59:24.859 The log file has been saved successfully to "C:\Documents and Settings\Angie\Desktop\aswMBR.txt"

waddler_8

That's better - all gone.

If you don't already have it, download and install Malwarebytes free.

http://helpdesk.malwarebytes.org/entries/20839693-where-can-i-download-the-latest-version-of-malwarebytes-anti-malware
http://helpdesk.malwarebytes.org/entries/20839693-where-can-i-download-the-latest-version-of-malwarebytes-anti-malware

When you install it, uncheck the box at the end where it says: Enable free trial of Malwarebytes Anti-malware PRO
Do however ensure the boxes Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware are checked

Run a quick scan.

http://helpdesk.malwarebytes.org/entries/20863072-how-to-run-a-quick-scan

Post the resulting log file, should it detect anything..

Wikikenkey

Thank you so much for your help, Waddler. After seeing the log, I didn't want to get too excited, just in case.

I have Malwarebytes installed. I actually did a quick scan this morning which didn't bring anything up but will run it again and send you the log file if anything does come up.

Thanks once again. Apologies for taking up most of your Sunday. Have a good week.

waddler_8

No problem.

You can delete aswMBR, Listparts & TDSSKiller etc now.