aswMBR

Not sure if this topic goes here, so forgive me if I'm in the wrong place. I ran this program using Quick Scan, and it detected an Alureon-K [Rtk] infection. I was following this guide:

http://public.avast.com/~gmerek/aswMBR.htm

At the very bottom, it says for Alureon infections to use the command aswMBR.exe -ap 1. I'm not sure how to do this. I've tried through the Command Prompt, but it just tells me that it can't find aswmbr.exe. I'm pretty new to this rootkit business, so I can post the log if need be. Thanks in advance for any help.

Welcome to the forums!!! ;D Ensure that aswMBR is still on the desktop.

1. Go to Start > Run.

2. Copy/paste in the following command please: aswMBR.exe -ap 1 [Notice the spaces]

3. Press Enter.

4. Once the programme has run, reboot immediately.

Once the reboot has completed, rerun aswMBR and copy/paste the contents of the log in your next reply.
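The same steps as an added example (not part of the thread, and not AVAST's code), written as a PowerShell script to be run from an elevated PowerShell prompt. The "Windows cannot find aswmbr.exe" message comes from the Run box and a freshly opened Command Prompt searching only the PATH directories and the current directory, never the Desktop; launching the tool by its full path avoids that. The script assumes the executable is on the current user's Desktop under the name in $exeName (change it if you renamed the file) and that, as the log above shows, aswMBR writes its text log to the Documents folder.

```powershell
# Added example, not from the original thread or from AVAST.
# Run from an elevated PowerShell prompt (aswMBR needs administrator rights).

$exeName = 'aswMBR.exe'          # assumption: change to e.g. 'MBR.exe' if you renamed it
$desktop = [Environment]::GetFolderPath('Desktop')
$exe     = Join-Path $desktop $exeName

if (-not (Test-Path -LiteralPath $exe)) {
    # The Run box does not search the Desktop, which is why a bare
    # "aswMBR.exe -ap 1" fails; the full path is what matters.
    throw "Not found: $exe  (is the file on the Desktop under this exact name?)"
}

# Launch with the -ap 1 switch from the guide and wait for it to finish.
# Start-Process quotes the path for us, so a Desktop path with spaces is fine.
$proc = Start-Process -FilePath $exe -ArgumentList '-ap', '1' -Wait -PassThru
"aswMBR exited with code $($proc.ExitCode)"

# Show the newest aswMBR log (aswMBR.txt, aswMBR1.txt, ...) from Documents,
# which is the file the helper asks to have pasted into the reply.
$docs = [Environment]::GetFolderPath('MyDocuments')
Get-ChildItem -LiteralPath $docs -Filter 'aswMBR*.txt' |
    Sort-Object LastWriteTime |
    Select-Object -Last 1 |
    Get-Content
```

If you would rather stay in the Command Prompt, the equivalent is `cd /d %USERPROFILE%\Desktop` followed by `aswMBR.exe -ap 1`; the reboot after the run is still done by hand. Renaming the executable, as suggested further down the thread, does not change any of this except the value of $exeName.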

Thanks for the welcome!

I've tried running it that way through the Command Prompt as well as Start > Run, but it tells me Windows can't find aswmbr.exe. I've made sure the program is on the desktop as well.

Also, here is the log from the initial scan:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-02 03:10:07

03:10:07.756 OS Version: Windows x64 6.1.7601 Service Pack 1
03:10:07.756 Number of processors: 4 586 0x402
03:10:07.757 ComputerName: SINGULARITY UserName: Nickocosmic
03:10:08.843 Initialize success
03:10:08.881 AVAST engine defs: 12020101
03:11:06.412 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T1L0-6
03:11:06.414 Disk 0 Vendor: MAXTOR_STM3500320AS MX15 Size: 476940MB BusType: 3
03:11:06.428 Disk 0 MBR read successfully
03:11:06.430 Disk 0 MBR scan
03:11:06.432 Disk 0 Windows 7 default MBR code
03:11:06.442 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
03:11:06.474 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 976752000
03:11:06.477 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
03:11:06.488 Service scanning
03:11:07.837 Modules scanning
03:11:07.846 Disk 0 trace - called modules:
03:11:07.864 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
03:11:07.874 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8006273060]
03:11:07.879 3 CLASSPNP.SYS[fffff8800196f43f] → nt!IofCallDriver → [0xfffffa8005328880]
03:11:07.883 5 ACPI.sys[fffff88000f017a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T1L0-6[0xfffffa8005c0b680]
03:11:09.378 AVAST engine scan C:\Windows
03:11:15.087 AVAST engine scan C:\Windows\system32
03:13:01.748 AVAST engine scan C:\Windows\system32\drivers
03:13:10.462 AVAST engine scan C:\Users\Nickocosmic
03:14:45.380 Disk 0 MBR has been saved successfully to “C:\Users\Nickocosmic\Documents\MBR.dat”
03:14:45.381 The log file has been saved successfully to “C:\Users\Nickocosmic\Documents\aswMBR.txt”

Try renaming it and then running the command.

Renamed it and ran the command. The Command Prompt popped up for a second and then closed. I rebooted the computer and ran aswMBR again. Here's the log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-02 04:23:47

04:23:47.367 OS Version: Windows x64 6.1.7601 Service Pack 1
04:23:47.367 Number of processors: 4 586 0x402
04:23:47.367 ComputerName: SINGULARITY UserName: Nickocosmic
04:23:50.221 Initialize success
04:23:50.268 AVAST engine defs: 12020200
04:23:51.735 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T1L0-6
04:23:51.735 Disk 0 Vendor: MAXTOR_STM3500320AS MX15 Size: 476940MB BusType: 3
04:23:51.750 Disk 0 MBR read successfully
04:23:51.750 Disk 0 MBR scan
04:23:51.766 Disk 0 Windows 7 default MBR code
04:23:51.766 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
04:23:51.781 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 976752000
04:23:51.797 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
04:23:51.797 Service scanning
04:23:53.607 Modules scanning
04:23:53.607 Disk 0 trace - called modules:
04:23:53.622 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
04:23:53.622 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8006293060]
04:23:54.153 3 CLASSPNP.SYS[fffff8800199e43f] → nt!IofCallDriver → [0xfffffa8005cb79b0]
04:23:54.153 5 ACPI.sys[fffff88000fa27a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T1L0-6[0xfffffa8005e8b680]
04:23:55.369 AVAST engine scan C:\Windows
04:23:57.460 AVAST engine scan C:\Windows\system32
04:26:04.696 AVAST engine scan C:\Windows\system32\drivers
04:26:12.559 AVAST engine scan C:\Users\Nickocosmic
04:26:29.017 Disk 0 MBR has been saved successfully to “C:\Users\Nickocosmic\Documents\MBR.dat”
04:26:29.048 The log file has been saved successfully to “C:\Users\Nickocosmic\Documents\aswMBR1.txt”

Maybe the bad guys have improved their protection...

Try renaming it to winlogon.exe and then try running it again.

Tried winlogon.exe, and nothing happened. Renamed it back to MBR.exe and the Command Prompt once again popped up for a split second. Screencapped it to catch what it said:

device: opened successfully
user: error reading MBR
error: Read The handle is invalid
kernel: error reading MBR

Open Run.

Copy/paste this in:
diskmgmt.msc

Make sure the window is a little bigger so you can see the full details given in the window.

Take a screenshot and attach it in your next reply.

As per request.

Right-click on the 10 MB partition and click Delete Volume...

Rerun aswMBR and attach a fresh log.

Didn't see the infection pop up this time.

Check Disk Management again. Do you still see the 10 MB partition?

There's 9 MB of unallocated space where the 10 MB partition was.

OK... can you take another screenshot please and attach it?

Reboot and tell me if everything is fine after the reboot.

Rebooting now.

Tell me if everything is fine during the reboot, and I will give you some tips.

Everything seems to be all gravy according to aswMBR. Thanks so much for your help!

No problem! ;D

In your topic subject put in a big old RESOLVED :)

Hi, I have the same infection and also use aswMBR.

When I try to 'run' it, I get that Windows doesn't recognize 'aswMBR.exe -ap 1' as an internal command. Please tell me how to run a program; it's been quite a long time since I used this prompt.