MBR: Alureon-K

It started with a red avast! popup about MBR:\.\PHYSICALDRIVE0\Partition2 (rootkit).
I followed the instructions in the popup; then Windows restarted, but first did a scan I could follow on a blue screen.

After that, when it restarted, the red popup was there again.
A quick scan gave one serious infection, a trojan, which I let it clean up.
But after restarting, the red avast! popup was there again.

I downloaded aswMBR.exe, which I found on Google while searching for a solution.
A scan found Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk].
After fixing and restarting, the red avast! popup came back, always about the same issue.

I don’t know if it would help in the end to keep scanning and fixing all over again, which is why I’m looking for help on this forum.

Also find the log attached.

Follow this guide and attach all logs, then Essexboy will help you tomorrow:
http://forum.avast.com/index.php?topic=53253.0

As it is on the second, non-active partition, Avast cannot yet remove it.

To determine whether it is an old TDL4 stealth rootkit:

Do the following:
Start → Run
type diskmgmt.msc
Click “OK”

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management Window and attach the screenshot to your reply.

Here are the files. Everything is back to the same after an additional trojan was cleaned.

More files

Screenshot

OK, the partition with the rootkit in it is inactive.

Do the following:
Start → Run
type diskmgmt.msc
Click “OK”

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Then right-click the 5 MB partition and select Delete.
That should stop the aswMBR alerts.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
FF - prefs.js..browser.search.selectedEngine: "My Web Search"
FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/406"
FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\1.bin\NPMyWebS.dll File not found
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin
[2011/11/27 16:15:33 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Documents and Settings\Van Hooreweder\Application Data\Mozilla\Firefox\Profiles\m24644zv.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2012/02/08 10:03:23 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Van Hooreweder\Application Data\Mozilla\Firefox\Profiles\m24644zv.default\searchplugins\mywebsearch.xml
[2012/02/03 20:12:04 | 000,001,339 | ---- | M] () -- C:\Documents and Settings\Van Hooreweder\Application Data\Mozilla\Firefox\Profiles\m24644zv.default\searchplugins\search-the-web.xml
[2011/11/27 16:15:17 | 000,002,519 | ---- | M] () -- C:\Documents and Settings\Van Hooreweder\Application Data\Mozilla\Firefox\Profiles\m24644zv.default\searchplugins\Search_Results.xml
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O20 - AppInit_DLLs: (C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)

:Files
ipconfig /flushdns /c
C:\Program Files\Windows iLivid Toolbar
C:\Program Files\MyWebSearch

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
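The check Essexboy describes above (look in Disk Management for a small partition that is not the active one, since aswMBR reported the rootkit on the second, non-active partition) can also be done by reading the partition table itself. The following is an added example and is not code from this thread, from avast! or from aswMBR: a Python parser for the four 16-byte entries of the MBR partition table that flags non-active partitions of only a few MB. The MBR bytes are constructed inline for illustration (one large active partition plus a 5 MB non-active one; the partition type codes and sizes are assumptions). Reading the real sector 0 from \\.\PhysicalDrive0 requires administrator rights and is shown but not run; treat a hit as something to confirm with Disk Management and a rootkit scanner, not as proof on its own, because small recovery or boot partitions are also legitimate.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446          # the partition table starts at byte 446 of sector 0
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE_FLAG = 0x80


def build_mbr(entries):
    """Assemble a 512-byte MBR from (status, type, lba_start, sectors) tuples.
    Used only to construct sample input here; a real MBR is read from the disk."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries[:4]):
        # CHS fields are left zeroed: modern tools rely on the LBA fields.
        struct.pack_into(ENTRY_FMT, mbr, MBR_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return a list of dicts describing the non-empty primary partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, MBR_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                     # unused slot
        parts.append({
            "index": i + 1,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR / (1024 * 1024),
        })
    return parts


def suspicious_partitions(parts, max_mb=16):
    """Heuristic: non-active partitions of at most max_mb MB, i.e. the kind of
    small extra partition the helper asks to look for in Disk Management."""
    return [p for p in parts if not p["active"] and p["size_mb"] <= max_mb]


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical disk (Windows path shown; needs admin rights)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed sample: partition 1 is the active Windows volume (~74 GB, type 0x07),
# partition 2 is a 5 MB non-active partition right after it (type code assumed).
SAMPLE_MBR = build_mbr([
    (ACTIVE_FLAG, 0x07, 63, 156_000_000),
    (0x00, 0x07, 156_000_063, 10_240),     # 10240 * 512 bytes = 5 MB
])


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print("Partition {index}: active={active} type=0x{type:02x} "
              "start={lba_start} size={size_mb:.1f} MB".format(**p))
    for p in suspicious_partitions(parts):
        print("Small non-active partition to check in Disk Management: #%d" % p["index"])
```

The output of the sample shows partition 2 as a 5 MB non-active partition, which is the entry Disk Management would show as the small partition to delete. The size threshold is a parameter because the thread gives only one data point (5 MB); raise or lower it to taste, and never delete a partition on the strength of this heuristic alone.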

It seems to be cleaned at first sight; I haven’t seen the red popup come back yet.

Looks good. When you are happy, run OTL and hit the Cleanup button to remove OTL and its associated files and folders.

Thanks for the help, although I think it’s normal to get support from the vendor when you arrive at a point where your anti-virus program fails. I have the impression my connection hasn’t improved much, but my provider is coming by today, so I’ll see.

What problems do you have at the moment?

I have reinstalled Windows and see that there are still hidden folders, something that must come from a kind of previous infection. I would like to format the C drive, which I don’t succeed in doing. I also went to a provider who promised me that my internet would be activated in the evening of the installation; well, I’m still without internet. I also experience the problem that it goes very slowly when I open folders in My Computer now. At the moment I’m not at home, but in a cyber cafe. I have no internet at home; the wifi does not work anymore. There are 4-5 Foneros in the ether; I wonder if it is they who started the virus. Don’t you know the location of others who have the same virus? Excuse me, I do not want to falsely accuse anybody.

(I wonder if I know the writer from earlier.)

What was the problem when you tried to format your C drive?

Hidden folders are generally Windows system files.

All right.

Certain sites are so slow, e.g. meetup.com here. I changed my location in town; I came from a cyber bar in Elsene, where I live. Here it goes a little bit better, I thought, but I am not certain.

In any case there is something with my standby button at startup. I neither ca

I don’t know; I should be able to surf on my own computer. Well, it just doesn’t work. There are two popups. In that other cyber bar near my house I didn’t get onto this forum; it was too slow. Maybe tomorrow morning you’ll get what exactly it was.

(Nor can I exclude the wifis; that textarea doesn’t fill, and that must be them because they want to make money.)

When I right-click on the C drive icon and then on ‘Format’ I get a popup warning me that I will lose all my data. When I then click ‘OK’ I get a popup saying that it can’t format.

I’m back online on my own computer. With wifi. Did I help a bit with my information?