threat:MBR: Alureon-K

Hello,

I have been overwhelmed with attempting to fix this computer. I recently downloaded Avast free version and after running the Boot scan program several times along with MBAM software, I have been able to remove several viruses except for these pop ups that continuously keep alerting me that a threat has been detected and blocked. The first one is MBR partition 4 issue and the second one seems to be MBR:Alureon-K rtk.

You forgot to run aswmbr and attach the log: http://forum.avast.com/index.php?topic=53253.0

I tried running it both in regular mode and in safe mode with networking and nothing happens.

Malware removers are notified. It may take hours before one arrives, so be patient.

Hi BARRIOSWJ, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

We’ll need a flashdrive and if possible your Windows 7 disk. I included both sets of instructions for running FRST, with and without the disk. Some machines have the System Recovery Options installed while others don’t. Either way will work though.

Download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

OR

To enter System Recovery Options by using Windows installation disc:

[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

Once you have entered the System Recovery Options screen:

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64 and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

I can’t seem to attach the log file and I can’t paste here because it is over 1000 characters. Please help!

here is the log file

Hi BARRIOSWJ,

We’ll do this in a couple of posts and from the System Recovery Options screen. We are also going to use the same flash drive we used before.

Download ListParts64 and save it to the flashdrive.

With the flash drive attached to the computer boot to the System Recovery Options screen as you did before.
[*]Select the command prompt
[*]Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
[*]Listparts will start to run
[*]Check the box beside List BCD
[*]Press the Scan button

When finished scanning it will make a log Result.txt on the flash drive. Please copy and paste it to your reply.

Here are the results

Hi BARRIOSWJ,

From your flashdrive please delete Results.txt.

Next, download and save to your flashdrive the attached file Fix.txt

Next, with the flash drive attached to the computer, boot to the System Recovery Options screen as you did before.
[*]Select the command prompt
[*]Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
[*]Listparts will start to run
[*]Press the Fix button
[*]ListParts will process the script in Fix.txt
[*]When finished please press the Scan button.

When finished scanning it will make a log Result.txt on the flash drive. Please copy and paste it to your reply.

here is the new result

Hi BARRIOSWJ,

Download ComboFix from :

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. If you receive a message after running combofix similar to “Illegal operation attempted on a registry marked for deletion” simply reboot the computer to resolve it.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Here is the Combofix.txt

Hi BARRIOSWJ,

Please download and save to your flashdrive the attached file fixlist.txt

Please enter System Recovery Options as you did before and select Command Prompt.

[*]In the command window type e:\frst64 and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]Press the Fix button just once and wait
[*]The tool will make a log on the flashdrive, Fixlog.txt, please post it to your reply.

How’s the computer?

I have to admit. I don’t know what you are doing but it seems to be functioning better. The only thing I am still noticing is that after a while I will get an error message from MBAM with error code 2? I was also experiencing voice commercials without a screen appearing or anything. Just until now, am I seeing the Windows 7 when I do Repair my computer whereas before I couldn’t even get that. Let me know when I am in the clear.

Here is the latest report.

The exact error code for Malwarebytes Anti-Malware is:

[OpenEvent] Failed to perform desired action. Error Code: 2

That error code seems to disable my Malware program previously mentioned.

Hi BARRIOSWJ,

Basically we removed a rogue partition in the MBR and set the correct one to active. It was the rogue that was responsible for the ads you heard.

That was the wrong log you posted. It should be named Fixlog.txt

We’ll look at the MBAM problem later.
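The check described in the post above (which MBR partition entry is marked active), as an added example that is not part of the original thread and is not the code of ListParts or FRST. The sample sectors are constructed, and the "tiny active partition at the end of the disk" rule is an illustrative heuristic assumed here, not something the posters stated.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE = 446, 16  # standard MBR partition table layout

def parse_mbr(sector: bytes) -> list[dict]:
    """Decode the four primary partition entries of a 512-byte MBR sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector (bad length or boot signature)")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + ENTRY_SIZE])
        entries.append({"index": i + 1, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def review(entries: list[dict]) -> list[str]:
    """Return human-readable findings about the active (boot) flag."""
    used = [e for e in entries if e["type"] != 0]
    active = [e for e in used if e["status"] == 0x80]
    findings = [f"entry {e['index']}: invalid status byte {e['status']:#04x}"
                for e in entries if e["status"] not in (0x00, 0x80)]
    if len(active) != 1:
        findings.append(f"{len(active)} active entries, expected exactly 1")
    if len(used) > 1:
        last = max(used, key=lambda e: e["lba_start"])
        largest = max(e["sectors"] for e in used)
        # Assumed heuristic: the boot flag sits on a partition that is last on
        # the disk and under 1% of the largest one, so it deserves a closer look.
        if last in active and last["sectors"] * 100 < largest:
            findings.append(f"entry {last['index']}: active, but a tiny "
                            "partition at the end of the disk")
    return findings

def build_mbr(rows) -> bytes:
    """Constructed test input: rows of (status, type, lba_start, sectors)."""
    table = b"".join(struct.pack("<B3xB3xII", *r) for r in rows)
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"

EMPTY = (0, 0, 0, 0)
SUSPECT = build_mbr([(0x00, 0x07, 2048, 204800), (0x00, 0x07, 206848, 976562176),
                     EMPTY, (0x80, 0x17, 976769024, 4096)])
REPAIRED = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 976562176),
                      EMPTY, EMPTY])

if __name__ == "__main__":
    for name, image in (("suspect", SUSPECT), ("repaired", REPAIRED)):
        print(name, review(parse_mbr(image)) or "no findings")
```
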

Sorry. Here is the correct log.

Hi BARRIOSWJ,

Almost done.

This infection is known to corrupt some of Windows services. We’ll have a look.

Next

Please download Farbar Service Scanner and save it to your desktop.
[*]Check all the boxes and click scan
[*]Please copy and paste the log to your reply.

One more scan to check our handiwork.

As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[*]Do not use this instance of your browser for anything besides doing this scan
[*]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Go here to run an online scanner from ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

[list]
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
[*]Click Start
[*]Make sure that the option “Remove found threats” is Unchecked, and the option “Scan unwanted applications” is Checked.
[*]Click Scan.
[*]Wait for the scan to finish.
[*]When the scan completes, click List of found threats
[*]Click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
[*]Include the contents of this report in your next reply

Note - when ESET doesn’t find any threats, no report will be created.

[*]Push the back button.
[*]Push Finish
[*]Re-enable your Antivirus software.

Please post back with
[*]FSS log
[*]ESET log if there is one

Everything still ok?[/list]