MBR/Alureon Infection

My Avast Internet Security keeps alerting me that I have the MBR/Alureon infection. I have read and followed topic 53253.0, running Malwarebytes’ Anti-Malware and removing the files it encountered. Log follows:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.11.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
(Name Deleted):: CHRISDELL [administrator]

Protection: Enabled

7/11/2012 8:42:34 AM
mbam-log-2012-07-11 (08-42-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 277664
Time elapsed: 13 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2012/07/11 08:42:16 -0700 CHRISDELL (Name Deleted) MESSAGE Starting protection
2012/07/11 08:42:25 -0700 CHRISDELL (Name Deleted) MESSAGE Protection started successfully
2012/07/11 08:42:28 -0700 CHRISDELL (Name Deleted) MESSAGE Starting IP protection
2012/07/11 08:42:39 -0700 CHRISDELL (Name Deleted) MESSAGE IP Protection started successfully

I then downloaded and ran the OTL - as directed - Logs attached.

Welcome to the forum. The malware expert also recommends you run aswMBR. Please do so. Then one of our experts here will help you from there.

http://forum.avast.com/index.php?topic=53253.0

I have run the aswMBR.exe file. Attached is the log from it. I did not do a fix MBR. Should I run it again and do the fix even though it gives me a warning?

No fix yet... wait for essexboy.

OK go Start > Run and copy/paste in the following command

%UserProfile%\desktop\aswMBR.exe -ap 2

Then press Enter

Reboot when asked and then re-run aswMBR

It tells me it cannot find “c:/documents”

OK just use this part of the command

aswMBR.exe -ap 2

It now tells me it can't find the file, the aswMBR.exe file, even though I can browse right to it. If I browse to the file, select it and attempt to add the -ap 2, it still tells me it can't find aswMBR.exe.

OK, if this fails, are you able to burn a CD? I will then need to kill it outside of Windows.

Download the latest version of TDSSKiller from here and save it to your Desktop.

1. Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

2. Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

3. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

4. Click the Start Scan button.

5. If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

6. If malicious objects are found, they will show in the Scan results and offer three (3) options. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

7. Get the report by selecting Reports.

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents in your next reply.

Did that. Report was too large to include in post. Am attaching text file of it.

Rebooted the computer. Now it will not come up at all! It keeps flashing, trying to load and turning off. NOW WHAT?

I notice from the log that you did not select Cure for the MBR problem, which would suggest that nothing was changed.

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here… Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted.
Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 2 MB.

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the exit button (shown below):

http://img822.imageshack.us/img822/641/gpartedexit.png

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.
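The TDSSKiller "Cure" step and the GParted steps above both come down to editing the four-entry partition table at the end of the MBR: the hidden 2 MB partition seen in the logs occupies one of the primary slots, and the real system partition must carry the active (boot) flag or the machine will not start. The script below is an added example, not part of the original thread and not the code of TDSSKiller, aswMBR or GParted. It builds a constructed sample MBR (not a real capture), parses the table, flags the tiny partition, and applies the two edits: zero that slot and set the boot flag on the system partition, leaving the 446 bytes of boot code untouched. The function names, the 8 MB "tiny" threshold and the partition layout are the example's own choices. Note what it does not do: it does not repair the boot code itself, which is what an MBR rootkit patches; that is a separate step (the original poster ended up restoring an earlier MBR backup).

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # partition table: 4 entries of 16 bytes at the end of the sector
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS first (3 bytes), type, CHS last (3 bytes), LBA first, sector count
ENTRY_FMT = "<B3sB3sII"


def parse_partition_table(mbr):
    """Return the four primary partition slots as dicts; empty slots have type 0."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        entries.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR_SIZE / (1024 * 1024),
        })
    return entries


def find_tiny_partitions(entries, max_mb=8):
    """In-use partitions no larger than max_mb; a 2 MB slot next to a ~40 GB volume is the pattern from the log."""
    return [e for e in entries if e["type"] != 0 and e["size_mb"] <= max_mb]


def bootable_slots(entries):
    """Slots carrying the 0x80 active flag (a healthy disk has exactly one)."""
    return [e["slot"] for e in entries if e["type"] != 0 and e["bootable"]]


def clear_partition_and_set_boot(mbr, remove_slot, boot_slot):
    """Return a new MBR with remove_slot zeroed and the active flag on boot_slot only.
    Bytes 0..445 (boot code) and the 0x55AA signature are copied unchanged."""
    buf = bytearray(mbr)
    off = TABLE_OFFSET + remove_slot * ENTRY_SIZE
    buf[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        if buf[off + 4] == 0:          # type byte 0 means an empty slot
            continue
        buf[off] = 0x80 if i == boot_slot else 0x00
    return bytes(buf)


def build_sample_mbr():
    """Constructed sample, not a real capture: one ~40 GB NTFS system partition with the
    active flag missing, plus a 2 MB partition squeezed in at the end of the disk."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:TABLE_OFFSET] = b"\x90" * TABLE_OFFSET          # placeholder boot code
    disk_sectors = 80_000_000
    hidden_sectors = (2 * 1024 * 1024) // SECTOR_SIZE    # 4096 sectors == 2 MB
    system_start = 63
    system_sectors = disk_sectors - system_start - hidden_sectors
    entries = [
        (0x00, 0x07, system_start, system_sectors),                   # slot 0: NTFS, no boot flag
        (0x00, 0x07, system_start + system_sectors, hidden_sectors),  # slot 1: the 2 MB partition
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off:off + ENTRY_SIZE] = struct.pack(
            ENTRY_FMT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    table = parse_partition_table(mbr)
    for e in table:
        if e["type"]:
            print(f"slot {e['slot']}: type 0x{e['type']:02x} {e['size_mb']:.1f} MB "
                  f"bootable={e['bootable']}")
    tiny = find_tiny_partitions(table)
    print("tiny partitions:", [e["slot"] for e in tiny], "bootable:", bootable_slots(table))
    fixed = clear_partition_and_set_boot(mbr, tiny[0]["slot"], boot_slot=0)
    print("after fix, bootable:", bootable_slots(parse_partition_table(fixed)))
```

To use it on a real disk image you would read the first 512 bytes of the device (for example `dd if=/dev/sda bs=512 count=1` from the GParted live CD) and feed them to parse_partition_table; the write-back is deliberately left to the operator, since zeroing the wrong slot destroys the volume it describes.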

Only problem is, TDSSKiller "killed" my boot drive completely. The computer didn't even recognize it was there. Problem has been solved. We took the drive out completely, reformatted it (using another computer), then restored the last Acronis backup onto the drive and an earlier MBR backup. Computer functioning now.

Thank the powers that be for Acronis!

Thanks for your help.

Did you reset the boot flag on the system drive?

Yep, a backup is always the best result.