
infected by MBR:Alureon-G [Rtk]


#1
DebKyle (Member, 13 posts)
Ran boot scan. Got message: "C:\Documents and Settings\All Users\Application Data\AVAST software\AVAST\arpot\169fea7-e48-0.dat is infected by MBR:Alureon-G [Rtk]"
How do I safely get rid of this infection without losing any of my stored data?
  • 0

#2
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi, C:\Documents and Settings\All Users\Application Data\AVAST software\AVAST\arpot\169fea7-e48-0.dat is the area where Avast unpacks the definitions for the anti-rootkit scan, so Avast is actually detecting itself.

We can confirm this for you.

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.
  • 0

#3
DebKyle (Topic Starter, Member, 13 posts)
I ran the scan & saved to desktop. I chose the saved file to attach, but I got an error message that says I'm not permitted to upload this kind of file. What next?
  • 0

#4
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
There should be a file called aswMBR.TXT on the desktop if you pressed Save log. I believe you tried to upload a copy of the MBR.dat, which is banned from uploading here.
  • 0

#5
DebKyle (Topic Starter, Member, 13 posts)
I did choose the wrong one. So now attached is the scan you wanted me to post. Next step?

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-22 20:13:25
-----------------------------
20:13:25.453 OS Version: Windows 5.1.2600 Service Pack 3
20:13:25.453 Number of processors: 1 586 0x209
20:13:25.453 ComputerName: BOBNDEB-D81BC89 UserName: Deb
20:13:26.890 Initialize success
20:13:28.234 AVAST engine defs: 11062201
20:14:07.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:14:07.578 Disk 0 Vendor: WDC_WD400EB-75CPF0 06.04G06 Size: 38166MB BusType: 3
20:14:07.578 Device \Driver\atapi -> DriverStartIo 8233931b
20:14:09.578 Disk 0 MBR read successfully
20:14:09.578 Disk 0 MBR scan
20:14:09.593 Disk 0 MBR:Alureon-G [Rtk]
20:14:09.593 Disk 0 TDL4@MBR code has been found
20:14:09.593 Disk 0 Windows XP default MBR code found via API
20:14:09.593 Disk 0 MBR hidden
20:14:09.593 Disk 0 MBR [TDL4] **ROOTKIT**
20:14:09.593 Disk 0 trace - called modules:
20:14:09.593 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x823394d0]<<
20:14:09.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8239aab8]
20:14:09.593 3 CLASSPNP.SYS[f8578fd7] -> nt!IofCallDriver -> [0x823e1148]
20:14:09.593 \Driver\atapi[0x8238cb60] -> IRP_MJ_CREATE -> 0x823394d0
20:14:09.859 AVAST engine scan C:\WINDOWS
20:23:31.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Deb\Desktop\MBR.dat"
20:23:31.812 The log file has been saved successfully to "C:\Documents and Settings\Deb\Desktop\aswMBR.txt"

  • 0
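The aswMBR log above is what settles the question from post #1: the arpot .dat path is where Avast stages its anti-rootkit definitions, but the sector-level scan reports MBR:Alureon-G, tags the disk [TDL4] **ROOTKIT**, reports the MBR as hidden (the API-level read returns stock Windows XP boot code while the raw scan finds Alureon), and the call trace for \Driver\atapi ends at an address that belongs to no loaded module. Pulling those indicators out of a log is a triage task, so here is a small parser for them. This is an added example written for this edit, not code from the thread or from AVAST; it embeds the MBR-scan section of the log posted above plus a constructed clean log for comparison, and the field names and verdict strings are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# MBR-scan section of the aswMBR log posted earlier in this thread (post #5),
# reproduced inline so the example runs offline.
SAMPLE_LOG = """\
20:13:26.890 Initialize success
20:14:09.578 Disk 0 MBR read successfully
20:14:09.578 Disk 0 MBR scan
20:14:09.593 Disk 0 MBR:Alureon-G [Rtk]
20:14:09.593 Disk 0 Windows XP default MBR code found via API
20:14:09.593 Disk 0 MBR hidden
20:14:09.593 Disk 0 MBR [TDL4] **ROOTKIT**
20:14:09.593 Disk 0 trace - called modules:
20:14:09.593 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x823394d0]<<
20:14:09.593 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8239aab8]
20:14:09.593 \\Driver\\atapi[0x8238cb60] -> IRP_MJ_CREATE -> 0x823394d0
"""

# Constructed clean log for comparison (not from the thread): no detection,
# no hidden MBR, and the default boot code is seen without any API caveat.
CLEAN_LOG = """\
20:14:09.578 Disk 0 MBR read successfully
20:14:09.578 Disk 0 MBR scan
20:14:09.593 Disk 0 Windows XP default MBR code found
20:14:09.593 Disk 0 scanning sectors +78140160
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
DETECTION_RE = re.compile(r"MBR:(\S+) \[Rtk\]")               # MBR:Alureon-G [Rtk]
ROOTKIT_TAG_RE = re.compile(r"MBR \[(\w+)\] \*\*ROOTKIT\*\*")  # MBR [TDL4] **ROOTKIT**
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")   # code outside every known module
HOOK_RE = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (\w+) -> (0x[0-9a-fA-F]+)")


@dataclass
class MbrFindings:
    detection: Optional[str] = None        # signature name, e.g. Alureon-G
    family: Optional[str] = None           # rootkit tag, e.g. TDL4
    mbr_hidden: bool = False               # raw sector scan disagrees with the API read
    api_reports_default_mbr: bool = False  # OS-level read returned stock boot code
    unknown_code: Optional[str] = None     # trace address with no owning module
    hooked_driver: Optional[str] = None    # driver whose dispatch entry was redirected
    hooked_irp: Optional[str] = None       # which IRP major function was redirected
    hook_target: Optional[str] = None      # where the redirected dispatch now points

    @property
    def hook_confirmed(self) -> bool:
        """True when the redirected dispatch lands exactly on the unowned code."""
        return self.unknown_code is not None and self.unknown_code == self.hook_target

    @property
    def verdict(self) -> str:
        if self.family or (self.detection and self.mbr_hidden):
            return "active MBR rootkit: infected boot code hidden from OS-level reads"
        if self.detection:
            return "MBR infection detected (not hidden)"
        return "no MBR rootkit indicators"


def parse_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (timestamp, message) for every timestamped line; skip the header."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def analyse(text: str) -> MbrFindings:
    """Collect the rootkit indicators from an aswMBR log into one record."""
    f = MbrFindings()
    for _ts, msg in parse_lines(text):
        if m := DETECTION_RE.search(msg):
            f.detection = m.group(1)
        elif m := ROOTKIT_TAG_RE.search(msg):
            f.family = m.group(1)
        elif "MBR hidden" in msg:
            f.mbr_hidden = True
        elif "default MBR code found via API" in msg:
            f.api_reports_default_mbr = True
        elif m := UNKNOWN_RE.search(msg):
            f.unknown_code = m.group(1)
        elif m := HOOK_RE.search(msg):
            f.hooked_driver, f.hooked_irp, f.hook_target = m.groups()
    return f


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("clean log", CLEAN_LOG)):
        r = analyse(log)
        print(f"{name}: {r.verdict}")
        if r.hook_confirmed:
            print(f"  \\Driver\\{r.hooked_driver} {r.hooked_irp} -> {r.hook_target} (no owning module)")
```

Run it directly to print both verdicts. The cross-check between the >>UNKNOWN<< address and the IRP_MJ_CREATE target is the part worth keeping in a triage script: when they match, the disk driver's dispatch has been redirected to code that no loaded module owns, which is the mechanism that makes the infected MBR look like stock boot code to ordinary reads.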

#6
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Looks like Avast did detect it

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  • 0

#7
DebKyle (Topic Starter, Member, 13 posts)
Results of TDSSKiller attached. How can I tell if it worked?

  • 0

#8
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
TDSSKiller did not work, so let's use aswMBR instead. Once done, can you let me know if you are still getting the alert?

Re-run aswMBR.

Click Scan.

On completion of the scan, click the Fix button.

Save the log as before and post it in your next reply.
  • 0

#9
DebKyle (Topic Starter, Member, 13 posts)
It did not give me a "fix" option. I can FixMBR, Save Log, or Exit.

Edited by DebKyle, 25 June 2011 - 05:58 PM.

  • 0

#10
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Select Exit, as there is something not quite right about that report... What problems do you have at the moment? Is Avast still alerting?
  • 0

#11
DebKyle (Topic Starter, Member, 13 posts)
Haven't noticed the alert as often. But no sound on internet. Check of sound and audio devices says each is working fine, but says "No audio device" when I go through Control Panel & check on them.
  • 0

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
There is something not quite right here but I cannot put my finger on it yet

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
  • 0

#13
DebKyle (Topic Starter, Member, 13 posts)
Before I follow your instructions, early in those instructions you say to disable my antivirus software. At what point in the process should I turn that back on?
  • 0

#14
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Right click the orange blob and select Shield control, then set it to disable for 1 hour. Once ComboFix has done its thing, restart the shields.
  • 0

#15
DebKyle (Topic Starter, Member, 13 posts)
Attached is log. I just ran this scan, so I don't yet know if it's changed my computer at all.

Attached file: log.txt (10.44KB, 126 downloads)
  • 0
