help with MBR:Alureon-K [Rtk]

Hey,
I need help with MBR:Alureon-K [Rtk].

Computer - HP Pavilion dv6 - laptop.
Can't run Win7; booted from Mini-XP from Hiren's tools.
Malwarebytes cleaned 10 infections.
OTL does not load.

How do I proceed?

Thanks in advance,
Rafi.

aswMBR log:
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 23:11:58

23:11:58.375 OS Version: Windows 5.1.2600
23:11:58.375 Number of processors: 1 586 0x170A
23:11:58.375 ComputerName: MiniXP-819 UserName: SYSTEM
23:11:58.375 Initialze error 1 Incorrect function.
23:11:58.531 AVAST engine defs: 11112801
23:12:00.468 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
23:12:00.468 Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 3
23:12:00.468 Disk 0 MBR read successfully
23:12:00.484 Disk 0 MBR scan
23:12:00.484 Disk 0 Windows XP default MBR code
23:12:00.765 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 199 MB offset 2048
23:12:00.765 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 225701 MB offset 409600
23:12:00.781 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12573 MB offset 462645248
23:12:00.796 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 488394752
23:12:00.796 Disk 0 Partition 4 INFECTED MBR:Alureon-K [Rtk]
23:12:00.812 Disk 0 scanning sectors +488397152
23:12:01.093 Disk 0 scanning X:\i386\system32\drivers
23:12:01.093 Service scanning
23:12:01.609 Modules scanning
23:12:01.921 Disk 0 trace - called modules:
23:12:01.953 NTKRNLMP.EXE CLASSPNP.SYS disk.sys IASTOR8.SYS HALAACPI.DLL
23:12:01.953 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x897ae030]
23:12:01.953 3 CLASSPNP.SYS[f7647fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8a7b1028]
23:12:01.968 AVAST engine scan X:\i386
23:12:01.968 AVAST engine scan X:\i386\system32
23:12:01.968 AVAST engine scan X:\i386\system32\drivers
23:12:01.968 AVAST engine scan X:\Documents and Settings\Default User
23:12:01.984 AVAST engine scan X:\Documents and Settings\All Users
23:12:01.984 Scan finished successfully
23:12:10.328 Disk 0 MBR has been saved successfully to “X:\Documents and Settings\Default User\Desktop\MBR.dat”
23:12:10.328 The log file has been saved successfully to “X:\Documents and Settings\Default User\Desktop\aswMBR.txt”

Wait for Essexboy to help you.

Here’s a read on what’s involved to nail this bugger. Do not use it as a removal guide; just as a read while waiting for Essexboy to respond.
http://www.geekstogo.com/forum/topic/310647-mbr-0-infected-by-mbralureon-k-rtk/

23:12:00.796 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 488394752
This is the problem one.

First we will try aswMBR

Click Start > Run
Type in Cmd and enter
In the box that opens type in the following

aswMBR.exe -ap 1

There is a space between "exe" and "-", and between "ap" and "1":

aswMBR.exe(space) -ap(space) 1

Once aswMBR has finished, reboot unless it does it for you.
Then re-run aswMBR, please.
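As an added example (not from the thread, from aswMBR or from Avast), here is how the partition lines in the log above can be read straight from a 512-byte MBR, with a defender-side check for the pattern Essexboy pointed at: a 1 MB hidden-type (0x17) partition at the very end of the disk carrying the active flag. The MBR bytes are constructed from the sizes and offsets in the log, the 16 MB threshold is my own heuristic, and the outcome of `-ap 1` is modelled as the active flag moving back to partition 1.

```python
"""Parse the four-entry partition table of a 512-byte MBR and flag a tiny,
hidden-type partition at the end of the disk that carries the active flag.
Added example; the MBR bytes are constructed from the values in the log."""
import struct

SECTOR = 512
MB = 2048                    # sectors per MB (aswMBR reports sizes in MB)
ACTIVE = 0x80                # boot indicator, shown as "80 (A)" in the log
HIDDEN_NTFS = 0x17           # type byte shown as "17 Hidd HPFS/NTFS" in the log
DISK_SECTORS = 238475 * MB   # 238475 MB disk from the log

def parse_partitions(mbr):
    """Return the non-empty primary entries (16 bytes each, table at offset 446)."""
    if len(mbr) != SECTOR or struct.unpack_from("<H", mbr, 510)[0] != 0xAA55:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype:
            parts.append({"index": i + 1, "active": status == ACTIVE, "type": ptype,
                          "lba": lba, "sectors": count, "mb": count // MB})
    return parts

def suspicious_active_partition(parts, disk_sectors, max_mb=16):
    """Heuristic: the active partition is hidden NTFS, tiny, and ends at the last
    sector of the disk. A normal 100-200 MB system partition is not flagged."""
    for p in parts:
        at_end = p["lba"] + p["sectors"] >= disk_sectors - MB
        if p["active"] and p["type"] == HIDDEN_NTFS and p["mb"] <= max_mb and at_end:
            return p
    return None

def build_mbr(entries):
    """Constructed MBR from (status, type, start_lba, sectors); CHS fields zeroed."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0" * 3, t, b"\0" * 3, lba, n)
                     for s, t, lba, n in entries)
    return b"\0" * 446 + table + struct.pack("<H", 0xAA55)

LAYOUT = [(0x07, 2048, 199 * MB), (0x07, 409600, 225701 * MB),
          (0x07, 462645248, 12573 * MB), (0x17, 488394752, 1 * MB)]
# Active flag on the 1 MB hidden partition, as in the log above.
INFECTED = build_mbr([(ACTIVE if i == 3 else 0, *e) for i, e in enumerate(LAYOUT)])
# What "aswMBR.exe -ap 1" is meant to leave behind: the flag back on partition 1.
REPAIRED = build_mbr([(ACTIVE if i == 0 else 0, *e) for i, e in enumerate(LAYOUT)])

if __name__ == "__main__":
    for label, mbr in (("before", INFECTED), ("after -ap 1", REPAIRED)):
        hit = suspicious_active_partition(parse_partitions(mbr), DISK_SECTORS)
        print(label, "->", f"partition {hit['index']} flagged" if hit else "clean")
```

Note that the hidden partition's end, 488394752 + 2048 sectors, coincides exactly with the 238475 MB disk size reported in the log, which is why the end-of-disk test is part of the heuristic.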

DonZ63 - Thank you for your quick reply.

Essexboy - Thank you very much for your reply.
It worked - the active partition has moved to the 200 MB system partition.
The Avast definitions have errors, so I am putting the log without them.

How do we proceed?

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-16 00:33:55

00:33:55.859 OS Version: Windows 5.1.2600
00:33:55.859 Number of processors: 1 586 0x170A
00:33:55.859 ComputerName: MiniXP-929 UserName: SYSTEM
00:33:55.859 Initialze error 1 Incorrect function.
00:33:59.625 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
00:33:59.625 Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 3
00:33:59.671 Disk 0 MBR read successfully
00:33:59.671 Disk 0 MBR scan
00:33:59.671 Disk 0 Windows XP default MBR code
00:33:59.671 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
00:33:59.671 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 225701 MB offset 409600
00:33:59.703 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12573 MB offset 462645248
00:33:59.718 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 488394752
00:33:59.718 Disk 0 scanning sectors +488397152
00:34:00.015 Disk 0 scanning X:\i386\system32\drivers
00:34:00.015 Service scanning
00:34:00.515 Modules scanning
00:34:00.765 Disk 0 trace - called modules:
00:34:00.812 NTKRNLMP.EXE CLASSPNP.SYS disk.sys IASTOR8.SYS HALAACPI.DLL
00:34:00.812 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x897a5468]
00:34:00.812 3 CLASSPNP.SYS[f7647fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8a7b1028]
00:34:00.812 Scan finished successfully
00:34:11.984 Disk 0 MBR has been saved successfully to “X:\Documents and Settings\Default User\Desktop\MBR.dat”
00:34:11.984 The log file has been saved successfully to “X:\Documents and Settings\Default User\Desktop\aswMBR.txt”

OK, go to Disk Management and delete the 1 MB partition.

Then run the OTL logs as per the thread.

When you post them, could you let me know whether or not you removed the 1 MB partition and what problems you have.

Hey,
The partition was deleted successfully in Mini-XP.
Now I'm back in Win7. OTL logs are attached.
The system is OK. Malwarebytes didn't find anything. Avast is still scanning.
Should I perform any more steps?

Only one problem with Windows Update: 80070005. Do you think it's related to the rootkit?

Thank you very much for your kind help,
Rafi.

Essexboy has logged out… but will be back late tomorrow, UK time.

Log looks OK, so let's check out the Windows Update services.

Run Farbar Service Scanner:

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Hey Essexboy,
The Windows Update service was OK after a couple of restarts.
Thank you very much for your help.
Rafi.

Glad to hear that.

Run OTL and hit the Cleanup button to remove it.