Can't get rid of MBR Alureon

What else should I post?

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 7.0.6002.18005
dreamcatcher :: DREAMCATCHER-PC [administrator]

3/24/2012 5:31:24 PM
mbam-log-2012-03-24 (17-31-24).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 353301
Time elapsed: 1 hour(s), 22 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) → Data: rundll32.exe “C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\yvfpemrj.dll”,DllRegisterServer → Quarantined and deleted successfully.
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) → Data: rundll32.exe “C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\yvfpemrj.dll”,DllRegisterServer → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Adobe\Adobe\yvfpemrj.dll (Trojan.Agent.GMAGen) → Quarantined and deleted successfully.

(end)

What else should I post?
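As an added example that is not part of this thread or of either scanning tool: a small triage check for the kind of Run-key entry Malwarebytes reported in the log above. It parses the rundll32 command out of log lines (copied from the Malwarebytes and RogueKiller logs in this thread, with the arrow normalised, plus one constructed benign entry for contrast) and states why such an entry deserves attention: the DLL lives in a user-writable AppData path inside the SYSTEM account's profile, and the autorun calls DllRegisterServer at every logon, which is an install-time action rather than something a legitimate startup item does. The path markers and the reasons are this example's own heuristics.

```python
import re

# Lines copied from the Malwarebytes and RogueKiller logs in this thread (arrow normalised),
# plus one constructed benign Run entry (ExampleUpdater) for contrast.
AUTORUN_LINES = [
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|Update (Trojan.Agent.GMAGen) -> Data: "
    "rundll32.exe “C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Adobe\\Adobe\\yvfpemrj.dll”,DllRegisterServer "
    "-> Quarantined and deleted successfully.",
    "[BLACKLIST DLL] HKUS\\S-1-5-19[...]\\Run : Update (rundll32.exe "
    "“C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Adobe\\Adobe\\yvfpemrj.dll”,DllRegisterServer) -> FOUND",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|ExampleUpdater -> Data: "
    "\"C:\\Program Files\\Example\\updater.exe\" /background",
]

# rundll32 <dll>,<export>; accepts straight or typographic quotes, as forum-pasted logs carry both
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+[\"“]?(?P<dll>[^\"”,]+?)[\"”]?\s*,\s*(?P<export>[A-Za-z_]\w*)",
    re.IGNORECASE,
)
# Locations an installer does not normally use for a DLL that must load at every logon (assumption)
WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def assess_autorun(line):
    """Return the reasons a Run-key entry deserves attention; an empty list means nothing stood out."""
    m = RUNDLL_RE.search(line)
    if not m:
        return []
    dll, export = m["dll"].strip(), m["export"]
    low = dll.lower()
    reasons = []
    if any(marker in low for marker in WRITABLE_MARKERS):
        reasons.append(f"DLL is in a user-writable location: {dll}")
    if "\\config\\systemprofile\\" in low:
        reasons.append("DLL sits inside the SYSTEM account's profile, which interactive software does not use")
    if export.lower() == "dllregisterserver":
        reasons.append("autorun calls DllRegisterServer at every logon; COM registration is an install-time action")
    return reasons


def triage(lines):
    """Map each flagged log line to the reasons it was flagged."""
    return {line: r for line in lines if (r := assess_autorun(line))}


if __name__ == "__main__":
    for line, reasons in triage(AUTORUN_LINES).items():
        print(line[:60] + "...")
        for reason in reasons:
            print("   -", reason)
```

The benign ExampleUpdater line is not flagged because it does not go through rundll32 at all; the same check would stay quiet for a rundll32 entry that loads a DLL from Program Files with an ordinary export, which is why the reasons are reported individually rather than as a single verdict.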
follow the guide here and [b]attach[/b] the logs from OTL / aswMBR http://forum.avast.com/index.php?topic=53253.0

;D

too slow again ;D

Grrrrrrr

Not sure what is going on. When I tried to do the OTL scan it disappeared and I waited 10 minutes and nothing came up.

Then try aswMBR

Essexboy is in bed now... just midnight in the UK now... but will be back tomorrow

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-24 20:19:03

20:19:03.022 OS Version: Windows 6.0.6002 Service Pack 2
20:19:03.022 Number of processors: 2 586 0xF0D
20:19:03.024 ComputerName: DREAMCATCHER-PC UserName: dreamcatcher
20:19:16.325 Initialize success
20:19:16.778 AVAST engine defs: 12032401
20:19:27.044 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
20:19:27.047 Disk 0 Vendor: SAMSUNG_ HS10 Size: 238475MB BusType: 3
20:19:27.056 Disk 0 MBR read successfully
20:19:27.062 Disk 0 MBR scan
20:19:27.066 Disk 0 unknown MBR code
20:19:27.070 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229985 MB offset 63
20:19:27.106 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8487 MB offset 471009735
20:19:27.120 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 488392065
20:19:27.125 Disk 0 Partition 3 INFECTED MBR:Alureon-K [Rtk]
20:19:27.132 Disk 0 scanning sectors +488397152
20:19:27.179 Disk 0 scanning C:\Windows\system32\drivers
20:19:52.552 Service scanning
20:19:56.083 Service .smb * LOCKED 123
20:20:25.748 Service TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe HIDDEN
20:20:37.162 Modules scanning
20:20:45.845 Disk 0 trace - called modules:
20:20:45.903 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
20:20:45.910 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85bb0170]
20:20:45.920 3 CLASSPNP.SYS[885a08b3] → nt!IofCallDriver → [0x8466f310]
20:20:45.926 5 acpi.sys[826966bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x85060028]
20:20:48.564 AVAST engine scan C:\Windows
20:20:55.355 AVAST engine scan C:\Windows\system32
20:23:48.970 AVAST engine scan C:\Windows\system32\drivers
20:24:12.893 AVAST engine scan C:\Users\dreamcatcher
20:29:12.785 Disk 0 MBR has been saved successfully to “C:\Users\dreamcatcher\Documents\MBR.dat”
20:29:12.797 The log file has been saved successfully to “C:\Users\dreamcatcher\Documents\aswMBR.txt”

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: dreamcatcher [Admin rights]
Mode: Scan – Date: 03/25/2012 01:20:14

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[BLACKLIST DLL] HKUS\S-1-5-19[…]\Run : Update (rundll32.exe “C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\yvfpemrj.dll”,DllRegisterServer) → FOUND
[BLACKLIST DLL] HKUS\S-1-5-20[…]\Run : Update (rundll32.exe “C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\yvfpemrj.dll”,DllRegisterServer) → FOUND
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HM250JI +++++
— User —
[MBR] 06e36294547fc5d19bc009fd8a79f9e5
[BSP] 74f57324e4dc5ad9a725bf116130038a : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 229985 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 471009735 | Size: 8487 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 488392065 | Size: 2 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: dreamcatcher [Admin rights]
Mode: Remove – Date: 03/25/2012 01:22:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[BLACKLIST DLL] HKUS\S-1-5-19[…]\Run : Update (rundll32.exe “C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\yvfpemrj.dll”,DllRegisterServer) → DELETED
[BLACKLIST DLL] HKUS\S-1-5-20[…]\Run : Update (rundll32.exe “C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\yvfpemrj.dll”,DllRegisterServer) → DELETED
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HM250JI +++++
— User —
[MBR] 06e36294547fc5d19bc009fd8a79f9e5
[BSP] 74f57324e4dc5ad9a725bf116130038a : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 229985 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 471009735 | Size: 8487 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 488392065 | Size: 2 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: dreamcatcher [Admin rights]
Mode: Shortcuts HJfix – Date: 03/25/2012 01:27:53

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 20 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 105 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 317 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 – 0x3 → Restored
[D:] \Device\HarddiskVolume2 – 0x3 → Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
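A way to triage an aswMBR log automatically, as an added example that is not part of this thread or of the aswMBR tool. It parses the disk, partition, signature and service lines from the log posted above (plus a constructed clean log for comparison) and flags what a responder looks for in an MBR rootkit case: boot code the scanner does not recognise, a hidden partition of type 0x17, a tiny partition at the very end of the disk, partitions that overlap, and services reported as locked or hidden. The severity labels, the 1% end-of-disk threshold and the 16 MB "tiny" cutoff are this example's own assumptions.

```python
import re

SECTORS_PER_MB = 2048  # 1 MiB of 512-byte sectors

# Lines copied from the aswMBR log posted in this thread.
SAMPLE_LOG = """\
20:19:27.047 Disk 0 Vendor: SAMSUNG_ HS10 Size: 238475MB BusType: 3
20:19:27.056 Disk 0 MBR read successfully
20:19:27.062 Disk 0 MBR scan
20:19:27.066 Disk 0 unknown MBR code
20:19:27.070 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229985 MB offset 63
20:19:27.106 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8487 MB offset 471009735
20:19:27.120 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 488392065
20:19:27.125 Disk 0 Partition 3 INFECTED MBR:Alureon-K [Rtk]
20:19:56.083 Service .smb * LOCKED 123
20:20:25.748 Service TrustedInstaller C:\\Windows\\servicing\\TrustedInstaller.exe HIDDEN
"""

# Constructed clean log with the same geometry but no hidden partition, for comparison.
CLEAN_LOG = """\
10:00:00.000 Disk 0 Vendor: EXAMPLE_ DISK Size: 238475MB BusType: 3
10:00:00.001 Disk 0 MBR read successfully
10:00:00.002 Disk 0 MBR scan
10:00:00.003 Disk 0 Windows 7 default MBR code
10:00:00.004 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229985 MB offset 63
10:00:00.005 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8487 MB offset 471009735
"""

DISK_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) Vendor: .* Size: (?P<size>\d+)MB")
PART_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<num>\d+) "
    r"(?P<boot>[0-9A-Fa-f]{2}) (?:\(A\) )?(?P<type>[0-9A-Fa-f]{2}) "
    r"(?P<desc>.*?) (?P<size>\d+) MB offset (?P<offset>\d+)$"
)
INFECTED_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) Partition (?P<num>\d+) INFECTED (?P<name>.+)$")
UNKNOWN_MBR_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) unknown MBR code$")
SERVICE_RE = re.compile(r"^\S+ Service (?P<name>\S+) .*\b(?P<flag>LOCKED|HIDDEN)\b")


def parse_aswmbr(text):
    """Split a log into disk sizes (sectors), partitions, signature hits, unknown-MBR disks and flagged services."""
    disks, parts, infected, unknown, services = {}, [], [], set(), []
    for line in text.splitlines():
        if m := DISK_RE.match(line):
            disks[int(m["disk"])] = int(m["size"]) * SECTORS_PER_MB
        elif m := PART_RE.match(line):
            parts.append({
                "disk": int(m["disk"]), "num": int(m["num"]),
                "active": m["boot"].upper() == "80",
                "type": int(m["type"], 16), "desc": m["desc"],
                "size_mb": int(m["size"]), "offset": int(m["offset"]),
            })
        elif m := INFECTED_RE.match(line):
            infected.append((int(m["disk"]), int(m["num"]), m["name"]))
        elif m := UNKNOWN_MBR_RE.match(line):
            unknown.add(int(m["disk"]))
        elif m := SERVICE_RE.match(line):
            services.append((m["name"], m["flag"]))
    return disks, parts, infected, unknown, services


def assess(text, tail_fraction=0.01, small_mb=16):
    """Return (severity, message) findings; the thresholds are this example's assumptions."""
    disks, parts, infected, unknown, services = parse_aswmbr(text)
    findings = []
    for d in sorted(unknown):
        findings.append(("review", f"Disk {d}: MBR boot code not recognised; compare it with a known-good copy (OEM code is also reported this way)"))
    for d, n, name in infected:
        findings.append(("critical", f"Disk {d} partition {n}: signature match {name}"))
    for p in parts:
        tag = f"Disk {p['disk']} partition {p['num']}"
        if p["type"] == 0x17 or "Hidd" in p["desc"]:
            findings.append(("suspicious", f"{tag}: hidden NTFS partition (type 0x{p['type']:02X}), {p['size_mb']} MB"))
        disk_sectors = disks.get(p["disk"])
        if disk_sectors and p["size_mb"] <= small_mb and p["offset"] >= disk_sectors * (1 - tail_fraction):
            findings.append(("suspicious", f"{tag}: tiny partition at the very end of the disk, where bootkits keep their hidden file system"))
    by_disk = {}
    for p in parts:
        by_disk.setdefault(p["disk"], []).append(p)
    for d, ps in by_disk.items():
        ps.sort(key=lambda p: p["offset"])
        for a, b in zip(ps, ps[1:]):
            # sizes are rounded to whole MB in the log, so allow 1 MB of slack before calling it an overlap
            if b["offset"] < a["offset"] + (a["size_mb"] - 1) * SECTORS_PER_MB:
                findings.append(("suspicious", f"Disk {d}: partitions {a['num']} and {b['num']} overlap"))
    for name, flag in services:
        findings.append(("review", f"Service {name}: {flag}; confirm whether it is a legitimately protected service"))
    return findings


if __name__ == "__main__":
    for sev, msg in assess(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```

Findings are split into three buckets on purpose: the unrecognised MBR and the two service lines land in "review" because both have benign explanations (RogueKiller later identifies the same boot code as HP's OEM MBR, and TrustedInstaller is a protected Windows service), whereas the hidden 2 MB partition at the end of the disk is the structural evidence that survives even if no signature had matched.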

OK, let's get rid of the bad partition first

20:19:27.120 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 488392065

Go to Start > Run and type in:

Diskmgmt.msc

Once it has opened, locate this partition:

Number 3
Size 2MB

Right click the partition and select delete

THEN

Could you run OTL as per the logs thread and post that

Did the above but still can’t run OTL. Get popups saying avast finds the file suspicious and terminates it.

When Avast opens the sandbox dialogue, select "run as normal" in the drop-down.

OTL

On completion of this run, can you let me know what problems remain?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKU\.DEFAULT..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe File not found
O4 - HKU\S-1-5-18..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe File not found
[2011/12/20 14:54:30 | 000,009,384 | --S- | C] () -- C:\Users\dreamcatcher\AppData\Local\046738v2s422e038a187d8ewi6i8
[2011/12/20 14:54:30 | 000,009,384 | --S- | C] () -- C:\ProgramData\046738v2s422e038a187d8ewi6i8
[2011/12/04 01:16:23 | 000,010,082 | --S- | C] () -- C:\Users\dreamcatcher\AppData\Local\143231q1e656l461c525j5gkq2q2
[2011/12/04 01:16:23 | 000,010,082 | --S- | C] () -- C:\ProgramData\143231q1e656l461c525j5gkq2q2
[2011/11/21 13:13:44 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\1C329
[2011/11/21 13:13:44 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\29AE8
[2011/11/25 03:19:59 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\ACekIBrzOyAu
[2011/11/17 01:50:15 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\BccSS1iibD3nGam
[2011/11/16 14:02:23 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\CGG44HsJE8TqYwV
[2011/11/25 03:04:39 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\DnnFF4ammHsWJdL
[2011/11/17 02:02:32 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\eRRRLL9hTXqjCeI
[2011/11/25 03:05:24 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\GNyyccA1uvD2b
[2011/11/25 03:19:55 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\hmG5aQJ6dKfLhXj
[2011/11/16 14:02:16 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\i9ggTTXqjYCeIVz
[2011/08/04 02:36:37 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\ICAClient
[2011/11/25 03:22:14 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\j1ivDD3n4mH5W7E
[2011/11/16 14:11:13 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\K2ibD3pnGaHsKfL
[2011/11/17 01:50:07 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\KBPP0yycA1iv2
[2011/09/05 23:17:59 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\MSNInstaller
[2011/11/25 03:05:25 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\n444pmmG5sQ6dK8
[2011/11/25 03:22:35 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\oJJ66dEEK8f
[2011/12/04 20:00:10 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\PeellOBBtzPyc1i
[2011/11/16 14:11:16 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\pqjYCwkIVlNx0c1
[2011/11/17 01:50:15 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\QlllONNtxP0
[2011/11/16 15:30:07 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\qnnGG4aaQ
[2011/11/25 03:22:34 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\R11uuvD22oF4pGs
[2011/11/16 14:02:40 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\sTTTXqqjUCeIrNx
[2011/11/16 14:02:41 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\SuuuvSS2ibFpnGa
[2011/11/25 03:05:04 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\v77ddEKK8gR9hXw
[2011/11/17 01:50:03 | 000,000,000 | ---D | M] -- C:\Users\dreamcatcher\AppData\Roaming\xyyyxAA1uvS2bFp

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

New OTL scan

I did a full scan and it appears to be gone. Thanks for your help. :smiley:

Oops, missed one. How is the system behaving now?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (.smb)

:Files
ipconfig /flushdns /c

:Commands
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

========== OTL ==========
Error: No service named .smb was found to stop!
Service\Driver key .smb not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\dreamcatcher\Downloads\cmd.bat deleted successfully.
C:\Users\dreamcatcher\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.39.2 log created on 03282012_182345

Any further problems before I remove my tools?

No. Thank you, everything is working fine now.