MBR:Alureon-K [rtk] partition 3

I found I was infected with MBR:Alureon-K[RTK] through Avast Antivirus. It gave me the option of deleting it, but it didn’t work. I also used the program aswMBR, because I read about it in one of your forums. It found the virus, but I was afraid to use it to fix it, as it warned me that it would change everything. I did save the log though. I have also used Malwarebytes Anti-Malware, but it didn’t find it.

So far this virus hasn’t really done much, at least that I know of, but I am afraid it will. Can someone please help me?

S.Grundy

Well, avast is keeping it from spreading, but you will need the help of a specialist to remove it completely.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Here are the logs you requested.

S.Grundy

More logs!!!

S.Grundy

Last log!!! Sorry, but it said the files were too big to send all at once.

S.Grundy

While I look at OTL, could you do the following:

Go start > Run

Type in the following command and press enter

diskmgmt.msc

In the Disk Management window that opens, locate partition 3:
Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 976769024

Right click the partition and select delete
Re-run aswMBR

OK the fix is easy

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2011/12/26 16:34:10 | 000,008,366 | -HS- | C] () -- C:\Users\Joe\AppData\Local\1ybu3or54qr570kjb4y
[2011/12/26 16:34:10 | 000,008,366 | -HS- | C] () -- C:\ProgramData\1ybu3or54qr570kjb4y
[2011/06/04 18:31:12 | 000,011,470 | -HS- | C] () -- C:\Users\Joe\AppData\Local\0vyjnrk111j80em8nn
[2011/06/04 18:31:12 | 000,011,470 | -HS- | C] () -- C:\ProgramData\0vyjnrk111j80em8nn
[2011/03/09 20:52:07 | 000,000,457 | ---- | C] () -- C:\Program Files\0309201119520762.bat
[2011/03/09 20:48:45 | 000,000,453 | ---- | C] () -- C:\Program Files\0309201119484476.bat

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


Then click the Run Fix button at the top.
Let the program run unhindered, and reboot the PC when it is done.
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Do you still want me to use the diskmgmt.msc command?

Quote from essexboy:

While I look at OTL could you do the following..............

I tried the diskmgmt.msc command, but cannot find the line you want me to delete. Sorry!!!

I’m not doing something right, because I don’t see anywhere I can even see partition 3. Help!!!

Should I use the fix without the diskmgmt.msc command???

I ran the fix you wrote up, although I never figured out the Disk Management program, so I could not locate partition 3, and I could not delete:
Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 976769024

The log that came up after the fix said that all the processes were killed successfully.
I also ran the OTL scan after the fix and I am attaching it as you requested.

S.Grundy

I also ran a scan with aswMBR to see if the virus was deleted. According to the scan, the virus is still there.
I have attached it. Anything else I can do?

Have to go for awhile.

The MBR detection will still be there until you remove the bogus partition 3 using the Disk Management function.

So why couldn’t you delete that partition 3, e.g. what errors did you get?
Or is it that you don’t know how to use the Disk Management function?

If the latter, then press the Windows Key+R together; this opens up the Run window. Type diskmgmt.msc and click OK. That will open up a window like my example image; this shows you all of the Drives/Disks and Partitions you have.

Find the Disk 0, Partition 3 one that is only 2MB in size:
Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 976769024

Now right click on that Partition and you should see a list displayed; it may differ slightly from my example (I’m using Windows XP), but should look very much the same. From that list select Delete.

Exercise extreme caution and select the correct partition (Disk 0 - Partition 3 - 2MB in size), or you could delete an important partition, with serious consequences.

If you aren’t sure, don’t proceed; ask for more help.
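To show what the aswMBR line quoted in this post actually encodes, here is an added Python example (not part of the thread, and not aswMBR's own code) that parses the four 16-byte entries of an MBR partition table and flags a small partition of the hidden type 0x17: the "00" and "17" in the quoted line are the boot flag and the partition type byte, "2 MB" is the sector count times 512, and the offset is the start sector. The 512-byte sample MBR is constructed here; the first two partitions' sizes and start sectors are assumptions, the third entry is chosen to match the quoted 2 MB partition at sector offset 976769024 (treating that offset as an LBA sector number is itself an assumption), and aswMBR's extra filesystem column is omitted.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446      # partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16         # four 16-byte entries
SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

# Small subset of MBR partition type names; 0x17 is "Hidden HPFS/NTFS"
TYPE_NAMES = {0x00: "Empty", 0x07: "HPFS/NTFS", 0x17: "Hidd HPFS/NTFS", 0x27: "Windows RE"}
HIDDEN_TYPES = {0x17}


def build_entry(boot, ptype, lba, sectors):
    """Pack one partition entry; CHS fields are filled with the usual 0xFEFFFF marker."""
    return struct.pack(ENTRY_FMT, boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, sectors)


def build_sample_mbr():
    """Constructed sample MBR (assumed layout, not a real disk image)."""
    entries = [
        build_entry(0x80, 0x07, 2048, 409600),        # C: (bootable), 200 MB, assumed
        build_entry(0x00, 0x07, 411648, 20971520),    # D: recovery, 10 GB, assumed
        build_entry(0x00, 0x17, 976769024, 4096),     # hidden 2 MB partition from the thread
        b"\x00" * ENTRY_SIZE,                         # unused fourth slot
    ]
    mbr = bytearray(MBR_SIZE)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE] = b"".join(entries)
    mbr[510:512] = b"\x55\xaa"                        # boot signature
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue
        parts.append({
            "index": i + 1,
            "boot": boot,
            "type": ptype,
            "lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def suspicious_partitions(parts, max_mb=16):
    """Flag hidden-type partitions that are tiny; a few MB is enough to stash a bootkit."""
    return [p for p in parts if p["type"] in HIDDEN_TYPES and p["size_mb"] <= max_mb]


def format_line(p, disk=0):
    """Render an entry in the same column order as the quoted aswMBR line."""
    name = TYPE_NAMES.get(p["type"], "Unknown")
    return (f"Disk {disk} Partition {p['index']} {p['boot']:02X} {p['type']:02X} "
            f"{name} {p['size_mb']} MB offset {p['lba']}")


if __name__ == "__main__":
    table = parse_partitions(build_sample_mbr())
    for p in table:
        print(format_line(p))
    for p in suspicious_partitions(table):
        print("suspicious:", format_line(p))
```

On a real system the same parse would be run over the first 512 bytes read from the physical disk (with administrator rights), and the flagged entry should be compared against the partitions Disk Management shows before anything is deleted.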

My grid looks different. I found Disk 0 but there is no way to delete anything. I right clicked and all I get is a drop down that lists offline (not accessible), properties, or help. I am running Vista, and I have tried every way possible to find partition 3. I am not doing something right. Is there any way you could look at a Disk Management grid from a Vista operating machine? Because I am lost.

Or, is there another way to delete this bogus partition other than by using Disk Management?

You aren’t trying to delete Disk 0, and it would most likely not let you do that. There should be a graphical representation of Disk 0, and it would have three partitions (they may not be numbered 1, 2, 3), and they should show the partition size.

Start looking for it in the way mentioned: look for a partition that is only 2MB in size.

If you can, attach an image of what your diskmgmt.msc window looks like.

I think I found the partition and deleted it. I couldn’t find any lines, but the partition grid said it was 2MB, so I right clicked on it and used the delete volume command. I am running a scan now to see. Let you know.

Thanks so much for all your help.

S.Grundy

You’re welcome.

I didn’t delete the disk. There were 3 grids next to disk 0, C: drive, D: recovery, and another that was 2MB. I right clicked and there was an option to delete volume. That was what I used. It must have worked because the virus is gone and so is the partition. I ran aswMBR just to make sure. I am attaching it.

I’m sorry about all the confusion, but I am not familiar with Disk Management and I didn’t see anything like you described, but I figured it out.

Is there anything else I need to do?

I would run OTL again and attach the log (it doesn’t produce the extras.txt file, only on the first run), and wait for essexboy to get back to the topic now that you have deleted that 2MB volume/partition.