Ok Essex...I can only imagine how sick you are of the same old questions....

But…after you helped me out last time, I deleted the one file you told me to from the TDSSkiller log you reviewed, and for quite some time, the avast rootkit warning disappeared.

Now, I received this warning : MBR:.…\Par MBR: Alureor

Anyway, I ran TDSSkiller, and the old 3 medium threats were found, nothing of course matching this description, though hell if know if it would come up that way anyway.

I have attached the log from today if that assists in anyway…Again, I really appreciate your time if you can respond.

Thanks, MJ

Doesn’t look as though it ran properly

Download aswMBR.exe ( 4.1mb ) to your desktop.
Double click the aswMBR.exe to run it Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

Thanks, here you go. As you can tell, I accidentally saved the log before scanning, so it includes that, plus the proper scan whereby I can see the infected file but will wait for further instructions.

Thanks man, mike

Edit: Doesn’t look like I let the scan run all the way Essex, so I’m running it again and will attach it to my next post once it says completed. MJ

Ok Essex…here is the completed log…thanks. MJ

bump

There is no need to bump…essexboy keeps an eye on threads he is working on. He just has not been online since you posted the logs.

19:22:05.984 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 234436545 19:22:06.921 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
Ok easy peasy this one

Type the following in the run box

diskmgmt.msc

This will open the disc management console
Ensure that are drives are in view
Then locate and by right clicking delete the 2MB partition

A suspect service was also reported so could you run OTL for me and I will remove it

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
[b]netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*

C:\commands.txt echo list vol /raw /hide /c
/wait
C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT[/b]
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Well…no problem with the disk management partition delete.

I have downloaded OTL a few times, opened…and then copied what you wanted in the custom scan space. When I hit quick scan, it starts running and then disappears.

Will keep trying and report back.

MJ

Could you ensure that Avast is not sandboxing it please as that is a usual symptom of that

Could you set behaviour shield and autosandbox to ask