pleasehelp: Avast detects Alureon-c@mbr [Rtk] attached to mbr 0 & can't delete it

I run Windows XP and use Avast free edition as virus scanner. I did a system restore yesterday due to the fact that I believe I had a browser hijacker and hoped to eliminate it. After I did a system restore, browser searching no longer redirected me to other spam/ad sites. However, when I ran a boot and quick scan on Avast, it detected Alureon-c@mbr [Rtk], which appeared to infect the file MBR 0. It appears that I cannot delete it or move it to the virus chest (no action could be applied from the results of the scan log).

I am quite technologically challenged and have no clue what to do.

I would be grateful for any help and thank you for all of that and time (hopefully I won’t eventually have to get my laptop reformatted for the matter).

You should download and run aswMBR.exe.

Look here in reply #4 for how to: http://forum.avast.com/index.php?topic=73447.msg610838#msg610838

Then post / attach the log here.

Please download TDSSKiller from http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.

  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply

Hi, Pondus,
Here it is…

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-11 16:50:32

16:50:32.763 OS Version: Windows 5.1.2600 Service Pack 2
16:50:32.763 Number of processors: 1 586 0xA00
16:50:32.783 ComputerName: KEN-LLKCZ7AYHG5 UserName: Ken
16:50:33.284 Initialize success
16:50:41.646 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
16:50:41.656 Disk 0 Vendor: ST94813A 3.04 Size: 38154MB BusType: 3
16:50:43.669 Disk 0 MBR read successfully
16:50:43.669 Disk 0 MBR scan
16:50:43.669 Disk 0 TDL4@MBR code has been found
16:50:43.679 Disk 0 MBR [TDL4] ROOTKIT
16:50:43.679 Disk 0 scanning C:\WINDOWS\system32\drivers
16:50:49.217 Service scanning
16:50:50.609 Disk 0 trace - called modules:
16:50:50.629 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys aliide.sys PCIIDEX.SYS
16:50:50.669 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84380ab8]
16:50:50.669 3 CLASSPNP.SYS[f759005b] → nt!IofCallDriver → \Device\0000006f[0x843d1f18]
16:50:50.669 5 ACPI.sys[f7506620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x843d1940]
16:50:50.669 Scan finished successfully

thanks!

Hi Pondus,

So I tried to cure it when I scanned this again. This is the second time I’m scanning. The results look different. Does this mean that I don’t have the malware anymore?

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-11 17:06:33

17:06:33.807 OS Version: Windows 5.1.2600 Service Pack 2
17:06:33.807 Number of processors: 1 586 0xA00
17:06:33.837 ComputerName: KEN-LLKCZ7AYHG5 UserName: Ken
17:06:34.298 Initialize success
17:06:35.840 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
17:06:35.850 Disk 0 Vendor: ST94813A 3.04 Size: 38154MB BusType: 3
17:06:37.913 Disk 0 MBR read successfully
17:06:37.923 Disk 0 MBR scan
17:06:39.926 Disk 0 scanning sectors +78124095
17:06:39.966 Disk 0 scanning C:\WINDOWS\system32\drivers
17:06:44.843 Service scanning
17:06:46.365 Disk 0 trace - called modules:
17:06:46.375 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys aliide.sys PCIIDEX.SYS
17:06:46.385 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84397ab8]
17:06:46.385 3 CLASSPNP.SYS[f759005b] → nt!IofCallDriver → \Device\0000006f[0x8436cf18]
17:06:46.395 5 ACPI.sys[f7506620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8436c940]
17:06:46.395 Scan finished successfully

As I can see, it found a TDL4 rootkit and removed it:

Disk 0 TDL4@MBR code has been found

Anyway, I have sent a PM to Essexboy to have a look at this;
he is the removal expert here, so you should check back here for his advice…he may be in bed now but will be back tomorrow.

Also do a scan with this:

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
Always update the program so you have the latest database before you scan.
Click the "Remove Selected" button to quarantine anything found.

Please post the scan log here.
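Added here as an illustration (not part of the thread and not part of aswMBR itself), a small Python parser that applies the reading given above to the two aswMBR logs posted in this thread: a disk counts as infected when the log carries an "...@MBR code has been found" or "MBR [...] ROOTKIT" line, and as clean when the MBR was read without one. The field names and the interpretation of the "scanning sectors +N" line are my assumptions.

```python
import re

# Excerpts of the two aswMBR logs posted in this thread (before and after the "cure").
LOG_BEFORE = """\
16:50:43.669 Disk 0 MBR read successfully
16:50:43.669 Disk 0 MBR scan
16:50:43.669 Disk 0 TDL4@MBR code has been found
16:50:43.679 Disk 0 MBR [TDL4] ROOTKIT
16:50:50.669 Scan finished successfully
"""
LOG_AFTER = """\
17:06:37.913 Disk 0 MBR read successfully
17:06:37.923 Disk 0 MBR scan
17:06:39.926 Disk 0 scanning sectors +78124095
17:06:46.395 Scan finished successfully
"""

# "<time> Disk <n> <message>" lines; anything else (e.g. the call trace) is skipped.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} Disk (\d+) (.*)$")
# The two markers aswMBR printed for the infected MBR in the first log above.
ROOTKIT_RE = re.compile(r"^(\S+)@MBR code has been found$|^MBR \[(\S+)\] ROOTKIT$")
SECTORS_RE = re.compile(r"^scanning sectors \+(\d+)$")

def parse_aswmbr(text):
    """Summarise an aswMBR log per disk number (the field names are my own)."""
    disks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        disk, msg = int(m.group(1)), m.group(2)
        d = disks.setdefault(disk, {"mbr_read": False, "rootkit": None,
                                    "extra_scan_sector": None})
        if msg == "MBR read successfully":
            d["mbr_read"] = True
        elif r := ROOTKIT_RE.match(msg):
            d["rootkit"] = r.group(1) or r.group(2)  # family name, e.g. TDL4
        elif s := SECTORS_RE.match(msg):
            # Assumed: sector offset from which aswMBR scanned past the partitions.
            d["extra_scan_sector"] = int(s.group(1))
    return disks

def verdict(text, disk=0):
    """'infected' if a rootkit marker was logged for the disk, 'clean' if its
    MBR was read without one, 'unknown' if the log has no MBR result at all."""
    d = parse_aswmbr(text).get(disk)
    if d is None or not d["mbr_read"]:
        return "unknown"
    return "infected" if d["rootkit"] else "clean"
```

Run against a full aswMBR log it ignores the trace and service lines, so only the per-disk MBR result drives the verdict.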

Hey Left123,

So I tried to cure the TDSS thing, and before I scanned it with TDSSKiller, I rebooted my computer again. Attached is the scan log; can you tell me whether the virus is still here or gone? Thanks!

Thank you so much, Pondus! I’ll wait for Essexboy’s reply too.
Here is the copy of the mbam log.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6027

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/11/2011 5:33:21 PM
mbam-log-2011-03-11 (17-33-21).txt

Scan type: Quick scan
Objects scanned: 135007
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The TDSSKiller log is saved in Unicode, so it looks like Chinese gibbely gobbel ;D
You need to save it as ANSI.

'Tis OK, showed no sign; aswMBR killed it ;D

Any other problems?

I just modified my earlier post of the mbam log! I guess no more viruses, it seems? lol
Please let me know if everything looks alright now…
If it’s fine, that means no more viruses, right?

anyways, THANK YOU SO MUCH! YOU GUYS ARE ALL EXPERTS ;D

I wouldn’t have solved this without any of your help.

Nope, thank GMER; he made the programme that removed it ;D

Is your system running OK?

LOL yes…my system seems to be running fine now. Haha, and yes, thank GMER and thank you all!