Not sure if this topic goes here, so forgive me if I'm in the wrong place. I ran this program using quick scan, and it detected an Alureon-K [Rtk] infection. I was following this guide:
At the very bottom, it says for Alureon infections to use the command aswmbr.exe -ap 1. I'm not sure how to do this. I've tried through the command prompt, but it just tells me that it can't find aswmbr.exe. I'm pretty new to this rootkit business, so I can post the log if need be. Thanks in advance for any help.
I've tried running it that way through the command prompt as well as Start > Run, but it tells me Windows can't find aswmbr.exe. I've made sure the program is on the desktop as well.
Also, here is the log from the initial scan:
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-02 03:10:07
03:10:07.756 OS Version: Windows x64 6.1.7601 Service Pack 1
03:10:07.756 Number of processors: 4 586 0x402
03:10:07.757 ComputerName: SINGULARITY UserName: Nickocosmic
03:10:08.843 Initialize success
03:10:08.881 AVAST engine defs: 12020101
03:11:06.412 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T1L0-6
03:11:06.414 Disk 0 Vendor: MAXTOR_STM3500320AS MX15 Size: 476940MB BusType: 3
03:11:06.428 Disk 0 MBR read successfully
03:11:06.430 Disk 0 MBR scan
03:11:06.432 Disk 0 Windows 7 default MBR code
03:11:06.442 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
03:11:06.474 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 976752000
03:11:06.477 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
03:11:06.488 Service scanning
03:11:07.837 Modules scanning
03:11:07.846 Disk 0 trace - called modules:
03:11:07.864 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
03:11:07.874 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8006273060]
03:11:07.879 3 CLASSPNP.SYS[fffff8800196f43f] → nt!IofCallDriver → [0xfffffa8005328880]
03:11:07.883 5 ACPI.sys[fffff88000f017a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T1L0-6[0xfffffa8005c0b680]
03:11:09.378 AVAST engine scan C:\Windows
03:11:15.087 AVAST engine scan C:\Windows\system32
03:13:01.748 AVAST engine scan C:\Windows\system32\drivers
03:13:10.462 AVAST engine scan C:\Users\Nickocosmic
03:14:45.380 Disk 0 MBR has been saved successfully to “C:\Users\Nickocosmic\Documents\MBR.dat”
03:14:45.381 The log file has been saved successfully to “C:\Users\Nickocosmic\Documents\aswMBR.txt”
Renamed it and ran the command. The command prompt popped up for a second and then closed. I rebooted the computer and ran aswMBR again. Here's the log:
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-02 04:23:47
04:23:47.367 OS Version: Windows x64 6.1.7601 Service Pack 1
04:23:47.367 Number of processors: 4 586 0x402
04:23:47.367 ComputerName: SINGULARITY UserName: Nickocosmic
04:23:50.221 Initialize success
04:23:50.268 AVAST engine defs: 12020200
04:23:51.735 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T1L0-6
04:23:51.735 Disk 0 Vendor: MAXTOR_STM3500320AS MX15 Size: 476940MB BusType: 3
04:23:51.750 Disk 0 MBR read successfully
04:23:51.750 Disk 0 MBR scan
04:23:51.766 Disk 0 Windows 7 default MBR code
04:23:51.766 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
04:23:51.781 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 976752000
04:23:51.797 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
04:23:51.797 Service scanning
04:23:53.607 Modules scanning
04:23:53.607 Disk 0 trace - called modules:
04:23:53.622 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
04:23:53.622 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8006293060]
04:23:54.153 3 CLASSPNP.SYS[fffff8800199e43f] → nt!IofCallDriver → [0xfffffa8005cb79b0]
04:23:54.153 5 ACPI.sys[fffff88000fa27a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T1L0-6[0xfffffa8005e8b680]
04:23:55.369 AVAST engine scan C:\Windows
04:23:57.460 AVAST engine scan C:\Windows\system32
04:26:04.696 AVAST engine scan C:\Windows\system32\drivers
04:26:12.559 AVAST engine scan C:\Users\Nickocosmic
04:26:29.017 Disk 0 MBR has been saved successfully to “C:\Users\Nickocosmic\Documents\MBR.dat”
04:26:29.048 The log file has been saved successfully to “C:\Users\Nickocosmic\Documents\aswMBR1.txt”
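As an added example (not part of this thread, and not code from AVAST or the aswMBR tool), here is a small Python parser for the partition and detection lines in the aswMBR logs above. It pulls the MBR code description, the partition table and any INFECTED entries out of a run, flags small hidden partitions, and diffs two runs, which is the check you want after a cleaning attempt: the two logs posted above both report Partition 2 as INFECTED MBR:Alureon-K [Rtk], so the diff shows the detection persisting. The regexes are fitted to the line layout in these particular logs, the sample input below is excerpted from them, and the "small hidden partition" flag is a heuristic added here (a hidden, non-bootable partition of a few MB deserves a second look), not an aswMBR feature.

```python
import re
from dataclasses import dataclass

# Sample input: the MBR/partition lines from the two aswMBR runs quoted in this
# thread (the other log lines dropped), embedded so the script runs offline.
SCAN_BEFORE = """\
03:11:06.432 Disk 0 Windows 7 default MBR code
03:11:06.442 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
03:11:06.474 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 976752000
03:11:06.477 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
"""

SCAN_AFTER = """\
04:23:51.766 Disk 0 Windows 7 default MBR code
04:23:51.766 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
04:23:51.781 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 976752000
04:23:51.797 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
"""

# Regexes fitted to the line layout seen in this thread's logs (an assumption:
# other aswMBR versions may format these lines differently).
PARTITION_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<part>\d+) "
    r"(?P<boot>[0-9A-Fa-f]{2}) (?:\(A\) )?(?P<type>[0-9A-Fa-f]{2}) "
    r"(?P<label>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$"
)
INFECTED_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<part>\d+) INFECTED (?P<detection>.+)$"
)
MBR_CODE_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) (?P<code>.+ MBR code)$")


@dataclass(frozen=True)
class Partition:
    disk: int
    index: int
    bootable: bool        # boot indicator byte 0x80
    type_id: int          # partition type byte, e.g. 0x07 NTFS, 0x17 hidden NTFS
    label: str
    size_mb: int
    offset_sectors: int


def parse_scan(text):
    """Return (mbr_code_by_disk, partitions, detections) from an aswMBR log excerpt.

    detections maps (disk, partition) -> detection string, e.g. 'MBR:Alureon-K [Rtk]'.
    """
    mbr_code, partitions, detections = {}, [], {}
    for line in text.splitlines():
        line = line.strip()
        m = PARTITION_RE.match(line)
        if m:
            partitions.append(Partition(
                disk=int(m["disk"]), index=int(m["part"]),
                bootable=m["boot"].lower() == "80",
                type_id=int(m["type"], 16), label=m["label"],
                size_mb=int(m["size"]), offset_sectors=int(m["offset"])))
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections[(int(m["disk"]), int(m["part"]))] = m["detection"]
            continue
        m = MBR_CODE_RE.match(line)
        if m:
            mbr_code[int(m["disk"])] = m["code"]
    return mbr_code, partitions, detections


def suspicious_partitions(partitions, max_size_mb=16):
    """Heuristic (added here, not an aswMBR check): hidden, non-bootable partitions
    of only a few MB are unusual on a normal single-OS disk and worth inspecting."""
    return [p for p in partitions
            if not p.bootable and p.size_mb <= max_size_mb
            and (p.type_id == 0x17 or p.label.startswith("Hidd"))]


def compare_scans(before_text, after_text):
    """Diff INFECTED entries between two runs, e.g. before and after a cleaning attempt."""
    _, _, before = parse_scan(before_text)
    _, _, after = parse_scan(after_text)
    return {
        "persisting": sorted(k for k in before if k in after),
        "cleared": sorted(k for k in before if k not in after),
        "new": sorted(k for k in after if k not in before),
    }


if __name__ == "__main__":
    mbr, parts, det = parse_scan(SCAN_BEFORE)
    print("MBR code:", mbr)
    for p in parts:
        print(f"  disk {p.disk} part {p.index}: type 0x{p.type_id:02x} {p.label} "
              f"{p.size_mb} MB at sector {p.offset_sectors} bootable={p.bootable}")
    print("Detections:", det)
    print("Suspicious:", [(p.disk, p.index) for p in suspicious_partitions(parts)])
    print("Before/after diff:", compare_scans(SCAN_BEFORE, SCAN_AFTER))
```

Run it as-is to see the two posted scans summarised; to use it on a fresh run, paste the partition and INFECTED lines from the saved aswMBR.txt into the two string constants. A detection that is still listed under "persisting" after a cleaning attempt means the log gives no evidence the attempt changed anything, which is exactly what the two logs in this thread show.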
Tried winlogon.exe, and nothing happened. Renamed it back to MBR.exe, and the command prompt once again popped up for a split second. Screencapped it to catch what it said:
device: opened successfully
user: error reading MBR
error: Read The handle is invalid
kernel: error reading MBR
Hi, I have the same infection and also use aswMBR.
When I try to 'run' it, I get that Windows doesn't recognize 'aswMBR.exe -ap 1' as an internal command. Please tell me how to run a program; it's been quite a long time since I used this prompt.