Alureon K Strikes Again, Help!

So one day my computer reboots, and all my icons are missing, the background is black, and it’s shouting about hard disk failures (from a rogue program called Smart H.D.D). I managed to get all my icons back and scrub MOST of the viruses off, but I couldn’t help but notice things were still fishy, so I installed Avast and wouldn’t you know it, I have a 1 MB partition infected with Alureon-K. I also had that virus which changes winsrv to consrv, and fixed that manually through the registry-- so far it hasn’t reverted, so all’s well.

I tried to delete the partition using the disk manager interface (in Vista), but it gave me an I/O error. Presumably because the partition is marked as Active?

I tried to run TDSSKiller and aswMBR but neither does anything at all, i.e. the programs don’t even open.

No idea where to go from here. Computer is running fine, but I’d like to scrub this off ASAP before it becomes a problem, even if Avast can keep it under control for now.

I’ve gone ahead and done the usual scans, to try and speed the process up a bit.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.30.05

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Simon :: DRIUM [administrator]

Protection: Enabled

3/30/2012 2:56:58 PM
mbam-log-2012-03-30 (14-56-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213771
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Simon [Admin rights]
Mode: Scan – Date: 03/30/2012 14:44:11

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 103 ¤¤¤
[SUSP PATH] At17.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At16.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At15.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At14.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At13.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At12.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At11.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At10.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At1.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At26.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At25.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At24.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At23.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At22.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At21.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At20.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At2.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At19.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At18.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At35.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At34.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At33.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At32.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At31.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At30.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At3.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At29.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At28.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At27.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At44.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At43.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At42.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At41.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At40.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At4.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At39.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At38.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At37.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At36.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At5.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At48.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At47.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At46.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At45.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At6.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At7.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At8.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At9.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At1.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At10.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At11.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At12.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At13.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At14.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At15.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At16.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At17.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At18.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At19.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At2.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At20.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At21.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At22.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At23.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At24.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At25.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At26.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At27.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At28.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At29.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At3.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At30.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At31.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At32.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At33.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At34.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At35.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At36.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At37.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At38.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At39.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At4.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At40.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At41.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At42.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At43.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At44.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At45.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At46.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At47.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At48.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At5.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At6.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At7.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At8.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At9.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] RunAsStdUser Task.job @ : C:\Users\Simon\AppData\Local\appkikxSA\bin\1.0.5.0\AppKikxSA.exe → FOUND
[HJ] HKLM[…]\System : EnableLUA (0) → FOUND
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[…]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000340AS ATA Device +++++
— User —
[MBR] 9cb5697a764ca84490ad240c1efb2678
[BSP] 69a577cfd462274758ec500c84e5c42e : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 2048 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 4356096 | Size: 951741 Mo
User = LL1 … OK!
User != LL2 … KO!
— LL2 —
[MBR] 6285a483483ebff48286c439ec8dbff4
[BSP] 69a577cfd462274758ec500c84e5c42e : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 2048 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 4356096 | Size: 951741 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953521664 | Size: 1 Mo

+++++ PhysicalDrive1: Lexar JumpDrive USB Device +++++
— User —
[MBR] 83f9433fc46e5c888fcafaf90aa182de
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 2208 | Size: 15294 Mo
User = LL1 … OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: DELL USB HS-CF Card USB Device +++++
Error reading User MBR!
User = LL1 … OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: DELL USB HS-MS Card USB Device +++++
Error reading User MBR!
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

http://i44.tinypic.com/k4w7ic.jpg

As you can see the partition seems to have disappeared??? It was there this morning! It even shows up in the scan results, so why can’t I see it anymore? However, trying to delete it from this interface gave me an I/O error and refused to do anything.

Extras!

And here’s the OTL file.

I -do- have access to a CD burner to make a boot CD if it’s needed, however if that solution would mean losing my Windows settings, installed programs, drivers, or that kind of stuff, I would prefer an alternate solution that won’t make me have to reinstall tons of stuff.

I’m sorry for bumping my own thread, I just wanted to make sure it was at least looked at. I’m worried leaving the virus alone for too long might cause damage to the hard drive or somesuch, even though it seems content enough doing absolutely nothing right now.

I’m also a bit worried by the fact that the 1 MB partition that was created is marked as my ‘active’ partition. Shouldn’t my main one with the OS on it be the active one?
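The RogueKiller MBR check above reads sector 0 twice, once through the normal user-mode path and once at a lower level, and reports "User != LL2 … KO!" when the two copies differ; the low-level copy is where the 1 MB partition of type 0x17 (hidden NTFS) appears with the active flag moved onto it. What follows is an added example, not code from the thread or from RogueKiller, that parses a 512-byte MBR, renders the table in the same style as the log, and flags that pattern. The two sample sectors are constructed from the partition offsets and sizes in the log with the boot code zeroed, and the drive's total sector count is an assumed value for the 1 TB ST31000340AS.

```python
"""
Added example (not from the thread, not RogueKiller's code): parse an MBR,
list its partition table, and compare a user-mode read of sector 0 with a
low-level read. Sample sectors are constructed from the RogueKiller log.
"""
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = '<B3sB3sII'  # status, CHS start, type, CHS end, LBA start, sector count
# Partition types with the 0x10 "hidden" bit set; 0x17 is hidden NTFS/HPFS (the LL2 entry in the log)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1b, 0x1c, 0x1e}
DISK_SECTORS = 1953525168  # assumed LBA count of a 1 TB ST31000340AS


def build_mbr(entries):
    """Constructed MBR: one (active, type, lba_start, sectors) per slot; boot code left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, lba, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x80 if active else 0x00, b'\0\0\0', ptype, b'\0\0\0', lba, sectors)
    mbr[510:512] = b'\x55\xaa'
    return bytes(mbr)


def parse_mbr(data):
    """Return the populated partition entries of an MBR sector as dicts."""
    if len(data) != SECTOR or data[510:512] != b'\x55\xaa':
        raise ValueError('not an MBR sector')
    table = []
    for i in range(4):
        status, _, ptype, _, lba, sectors = struct.unpack_from(ENTRY_FMT, data, 446 + 16 * i)
        if ptype == 0:
            continue
        table.append({'index': i, 'active': status == 0x80, 'type': ptype,
                      'hidden': ptype in HIDDEN_TYPES, 'lba': lba, 'sectors': sectors,
                      'size_mb': sectors * SECTOR // (1024 * 1024)})
    return table


def describe(p):
    """One table line in the style of RogueKiller's MBR Check output."""
    flags = '[ACTIVE]' if p['active'] else '[XXXXXX]'
    vis = '[HIDDEN!]' if p['hidden'] else '[VISIBLE]'
    return f"{p['index']} - {flags} type 0x{p['type']:02x} {vis} Offset (sectors): {p['lba']} | Size: {p['size_mb']} Mo"


def mbr_fingerprint(data):
    """MD5 of the whole sector, the value shown on the log's [MBR] line."""
    return hashlib.md5(data).hexdigest()


def audit(user_read, lowlevel_read, disk_sectors=DISK_SECTORS, tiny_mb=16, tail_sectors=4096):
    """Flag a bootkit-style table: reads disagree, or the active entry is hidden/tiny at the end of disk."""
    findings = []
    if user_read != lowlevel_read:
        findings.append('TABLE_MISMATCH')  # something between the caller and the disk rewrites sector 0
    for p in parse_mbr(lowlevel_read):     # trust the low-level copy, not the filtered one
        if not p['active']:
            continue
        if p['hidden']:
            findings.append('ACTIVE_HIDDEN_TYPE')
        if p['size_mb'] <= tiny_mb and disk_sectors - (p['lba'] + p['sectors']) <= tail_sectors:
            findings.append('ACTIVE_TINY_TRAILING')
    return findings


# Constructed from the log: user-mode view (3 entries, system volume active)
USER_TABLE = [
    (False, 0xde, 63, 161729),            # DELL-UTIL, 78 Mo
    (False, 0x07, 161792, 4194304),       # NTFS, 2048 Mo
    (True,  0x07, 4356096, 1949165568),   # NTFS, 951741 Mo, Windows
]
# Constructed from the log: low-level (LL2) view, active flag moved to a hidden 1 Mo entry
LL2_TABLE = USER_TABLE[:2] + [
    (False, 0x07, 4356096, 1949165568),
    (True,  0x17, 1953521664, 2048),      # hidden NTFS, 1 Mo, last sectors of the disk
]
USER_MBR = build_mbr(USER_TABLE)
LL2_MBR = build_mbr(LL2_TABLE)

if __name__ == '__main__':
    for label, sector in (('User', USER_MBR), ('LL2', LL2_MBR)):
        print(f'--- {label} --- [MBR] {mbr_fingerprint(sector)}')
        for p in parse_mbr(sector):
            print(describe(p))
    print('Findings:', audit(USER_MBR, LL2_MBR))
```

Run stand-alone it prints both tables and three findings. The decisive signal is the disagreement between the two reads rather than the size of the entry: a table that looks clean to user-mode callers but carries a different active partition at the sector level matches what the thread reports, with Disk Management showing no such partition while the scanner still does.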

Essexboy is notified… he usually arrives here late UK time :wink:

Hi there, on the screenshot and according to aswMBR that partition is not active.
So right-click it and select delete.

You do not appear to have run RogueKiller with the shortcuts hijack setting; could you do that now please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2012/03/30 01:38:25 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/03/29 15:21:19 | 000,000,112 | ---- | M] () -- C:\ProgramData\2D64367U.dat
[2012/03/29 13:42:33 | 000,099,328 | ---- | M] () -- C:\Users\Simon\AppData\Roaming\3C7FC64A.exe

:Files
ipconfig /flushdns /c
C:\Windows\tasks\At*.job
C:\ProgramData\hIg5w28k.exe_
C:\ProgramData\hIg5w28k.exe
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
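The fix above deletes every At*.job in C:\Windows\tasks together with the two copies of the dropper in C:\ProgramData. As an added example, not part of the thread or of RogueKiller or OTL, the script below triages the Registry Entries section of a RogueKiller report to arrive at that list automatically: it clusters [SUSP PATH] tasks by the binary they launch, treats x.exe_ as the same dropper as x.exe, flags a burst of At<N>.job tasks that all point at one target, and reads the [HJ] lines for EnableLUA=0 and the Explorer CLSIDs (Computer, Recycle Bin, user folder) that the rogue hid from the desktop. The sample log is a constructed subset in the report's own line format; the burst threshold of three is an assumption.

```python
"""
Added example (not from the thread or from RogueKiller/OTL): triage the
"Registry Entries" section of a RogueKiller report and derive a cleanup list.
SAMPLE_LOG is a constructed subset in the report's own line format.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
[SUSP PATH] At17.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] At26.job @ : C:\ProgramData\hIg5w28k.exe_ → FOUND
[SUSP PATH] At3.job @ : C:\ProgramData\hIg5w28k.exe → FOUND
[SUSP PATH] RunAsStdUser Task.job @ : C:\Users\Simon\AppData\Local\appkikxSA\bin\1.0.5.0\AppKikxSA.exe → FOUND
[HJ] HKLM[…]\System : EnableLUA (0) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) → FOUND
"""

SUSP_RE = re.compile(r'^\[SUSP PATH\] (?P<task>.+?) @ : (?P<path>.+?) → FOUND$')
HJ_RE = re.compile(r'^\[HJ\] (?P<hive>HK\w+)\[…\]\\(?P<key>[^ ]+) : (?P<value>.+?) \((?P<data>[^)]*)\) → FOUND$')
AT_JOB_RE = re.compile(r'^At\d+\.job$', re.IGNORECASE)
AT_BURST = 3  # assumed: this many At<N>.job tasks on one binary is treated as a dropper burst

# HideDesktopIcons CLSIDs; data 1 means the icon is hidden (the "everything vanished" effect)
DESKTOP_CLSIDS = {
    '{20D04FE0-3AEA-1069-A2D8-08002B30309D}': 'Computer',
    '{645FF040-5081-101B-9F08-00AA002F954E}': 'Recycle Bin',
    '{59031A47-3F72-44A7-89C5-5595FE6B30EE}': 'User files folder',
}


def parse_entries(text):
    """Split a report into (task, path) pairs and [HJ] registry hijack dicts."""
    tasks, hijacks = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SUSP_RE.match(line)
        if m:
            tasks.append((m['task'], m['path']))
            continue
        m = HJ_RE.match(line)
        if m:
            hijacks.append(m.groupdict())
    return tasks, hijacks


def cluster_tasks(tasks):
    """Group tasks by launched binary; a trailing '_' is the same dropper renamed."""
    by_target = defaultdict(set)
    for task, path in tasks:
        by_target[path.rstrip('_')].add(task)
    return by_target


def triage(text):
    tasks, hijacks = parse_entries(text)
    findings = {'at_job_droppers': [], 'other_tasks': [], 'uac_disabled': False, 'hidden_icons': []}
    for target, names in cluster_tasks(tasks).items():
        at_jobs = [n for n in names if AT_JOB_RE.match(n)]
        if len(at_jobs) >= AT_BURST:
            findings['at_job_droppers'].append(target)
        findings['other_tasks'] += [(n, target) for n in sorted(names) if not AT_JOB_RE.match(n)]
    for h in hijacks:
        if h['value'] == 'EnableLUA' and h['data'] == '0':
            findings['uac_disabled'] = True  # UAC switched off: elevation prompts are gone
        name = DESKTOP_CLSIDS.get(h['value'].upper())
        if name and h['data'] == '1':
            findings['hidden_icons'].append((h['hive'], h['key'], name))
    return findings


def cleanup_targets(findings):
    """Paths to remove for each At-job dropper, in the form the thread's fix script uses."""
    out = []
    if findings['at_job_droppers']:
        out.append(r'C:\Windows\Tasks\At*.job')
    for target in findings['at_job_droppers']:
        out += [target, target + '_']
    return out


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for k, v in result.items():
        print(f'{k}: {v}')
    print('remove:', cleanup_targets(result))
```

The cluster step is what makes the At*.job wildcard safe to use: only when dozens of numbered tasks resolve to the same binary is the whole set treated as one persistence mechanism, while a single task with an odd path (the RunAsStdUser entry here) is reported separately for a human decision.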

The partition no longer appears in that interface. I didn’t delete it, though-- according to the logs, it’s marked as ‘HIDDEN!’ now, which I guess is why I can’t see it to delete it anymore?

Here’s the OTL log from running the shortcut fix, and attached to the post is the RogueKiller log. Please note that while OTL was running, Avast picked up on a threat called Crypt-MEQ; meanwhile, RogueKiller gave me a bunch of ‘no disk in drive!’ errors and then opened a URL in Chrome (http://tigzyrk.blogspot.ca/2011/11/rogue-system-restore.html):

========== OTL ==========
File move failed. C:\Windows\SysNative\dds_trash_log.cmd scheduled to be moved on reboot.
C:\ProgramData\2D64367U.dat moved successfully.
C:\Users\Simon\AppData\Roaming\3C7FC64A.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Users\Simon\Desktop\cmd.bat deleted successfully.
C:\Users\Simon\Desktop\cmd.txt deleted successfully.
C:\Windows\tasks\At49.job moved successfully.
C:\Windows\tasks\At50.job moved successfully.
C:\Windows\tasks\At51.job moved successfully.
C:\Windows\tasks\At52.job moved successfully.
C:\Windows\tasks\At53.job moved successfully.
C:\Windows\tasks\At54.job moved successfully.
C:\Windows\tasks\At55.job moved successfully.
C:\Windows\tasks\At56.job moved successfully.
C:\Windows\tasks\At57.job moved successfully.
C:\Windows\tasks\At58.job moved successfully.
C:\Windows\tasks\At59.job moved successfully.
C:\Windows\tasks\At60.job moved successfully.
C:\Windows\tasks\At61.job moved successfully.
C:\Windows\tasks\At62.job moved successfully.
C:\Windows\tasks\At63.job moved successfully.
C:\Windows\tasks\At64.job moved successfully.
C:\Windows\tasks\At65.job moved successfully.
C:\Windows\tasks\At66.job moved successfully.
C:\Windows\tasks\At67.job moved successfully.
C:\Windows\tasks\At68.job moved successfully.
C:\Windows\tasks\At69.job moved successfully.
C:\Windows\tasks\At70.job moved successfully.
C:\Windows\tasks\At71.job moved successfully.
C:\Windows\tasks\At72.job moved successfully.
C:\Windows\tasks\At73.job moved successfully.
C:\Windows\tasks\At74.job moved successfully.
C:\Windows\tasks\At75.job moved successfully.
C:\Windows\tasks\At76.job moved successfully.
C:\Windows\tasks\At77.job moved successfully.
C:\Windows\tasks\At78.job moved successfully.
C:\Windows\tasks\At79.job moved successfully.
C:\Windows\tasks\At80.job moved successfully.
C:\Windows\tasks\At81.job moved successfully.
C:\Windows\tasks\At82.job moved successfully.
C:\Windows\tasks\At83.job moved successfully.
C:\Windows\tasks\At84.job moved successfully.
C:\Windows\tasks\At85.job moved successfully.
C:\Windows\tasks\At86.job moved successfully.
C:\Windows\tasks\At87.job moved successfully.
C:\Windows\tasks\At88.job moved successfully.
C:\Windows\tasks\At89.job moved successfully.
C:\Windows\tasks\At90.job moved successfully.
C:\Windows\tasks\At91.job moved successfully.
C:\Windows\tasks\At92.job moved successfully.
C:\Windows\tasks\At93.job moved successfully.
C:\Windows\tasks\At94.job moved successfully.
C:\Windows\tasks\At95.job moved successfully.
C:\Windows\tasks\At96.job moved successfully.
File\Folder C:\ProgramData\hIg5w28k.exe_ not found.
File\Folder C:\ProgramData\hIg5w28k.exe not found.
< xcopy %Temp%\smtmp\1 “%AllUsersProfile%\Start Menu” /H /I /S /Y /C >
0 File(s) copied
C:\Users\Simon\Desktop\cmd.bat deleted successfully.
C:\Users\Simon\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 “%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch” /H /I /S /Y /C >
C:\Users\Simon\AppData\Local\Temp\smtmp\2\AIM.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\desktop.ini
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Frozen Throne.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Google Chrome.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Internet Explorer.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\League of Legends.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Mozilla Firefox.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\MUSHClient.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\NCLauncher.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Shows Desktop.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Spybot - Search & Destroy.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Steam.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\SWTOR.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\Teamspeak.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\The Last Remnant.lnk
C:\Users\Simon\AppData\Local\Temp\smtmp\2\μTorrent.lnk
16 File(s) copied
C:\Users\Simon\Desktop\cmd.bat deleted successfully.
C:\Users\Simon\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 “%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar” /H /I /S /Y /C >
0 File(s) copied
C:\Users\Simon\Desktop\cmd.bat deleted successfully.
C:\Users\Simon\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 “%AllUsersProfile%\Desktop” /H /I /S /Y /C >
0 File(s) copied
C:\Users\Simon\Desktop\cmd.bat deleted successfully.
C:\Users\Simon\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Error creating restore point.

OTL by OldTimer - Version 3.2.39.2 log created on 04022012_043021

Here’s the post-reboot OTL scan, and a post-reboot RogueKiller scan, as you can see the hidden partition is still there:

Let’s try TDSSKiller, which sometimes sees it; otherwise we will need to create a GParted disc and work outside of Windows.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

TDSSKiller finally started and ran normally. It detected Alureon, rebooted, and now my system appears (keyword: appears) to be clean again. Here is the log it produced; I also took the liberty to run RogueKiller, which no longer detects the rogue partition.

The log was too long to attach to the post, so I put it here: http://pastebin.com/FS0rewCn

I’m currently in the process of letting Avast do a full system scan, since it’s at least able to detect Alureon. I’ll post again once that’s done. Also going to run TDSSKiller again; can never be too safe.

Yep, that killed it.

Run TDSSKiller again and delete the following element

\Device\Harddisk0\DR0 ( TDSS File System )

Avast reports a clean system. TDSSKiller and RogueKiller as well. Unfortunately TDSSKiller did not find that threat you told me to get rid of-- I guess it might have been removed along with the partition even though I selected skip as instructed.

In light of this I want to give you my most sincere thanks for your help. I’m going to purchase Avast’s full version, first because this level of customer service is just amazing, and second because without Avast I might have never found out what was wrong with my system.

Thank you again!

Before I remove my rubbish, are there any outstanding problems?