Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Windows 7 rig infected MBR:Alureon-K [Rtk]

  • Please log in to reply



    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
OK. We have canned instructions for this situations:Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
Windows Vista 32-Bit (x86) Recovery Environment (If you have the Windows DVD then you can skip this second download and use it instead.

Create a bootable CD, 1 for Gparted and 1 for the Windows Vista Recovery Enviroment, from the ISO images. You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.

Posted Image
You should be here...

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image
According to your logs, the partition that you want to delete is 1 MB
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
Posted Image

Now you should be here:
Posted Image

Posted Image
Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:
Posted Image

Now double-click the Posted Image button.

You should receive a small pop up like this:
Posted Image
Choose reboot and then press OK.

Now reboot from the Windows Vista Recovery Environment CD and execute the following commands:

  • bootrec /FixMbr
  • bootrec /FixBoot
  • exit

Once back in Windows.

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Confirm the UAC prompt)
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Attach that file.

  • 0





  • Topic Starter
  • Member
  • PipPip
  • 11 posts
MBRCheck, version 1.2.3
© 2010, AD

Windows Version: Windows 7 Ultimate Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Gigabyte Technology Co., Ltd.
BIOS Manufacturer: Award Software International, Inc.
System Manufacturer: Gigabyte Technology Co., Ltd.
System Product Name: EP45-UD3L
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 190):
0x0304B000 \SystemRoot\system32\ntoskrnl.exe
0x03002000 \SystemRoot\system32\hal.dll
0x00BCA000 \SystemRoot\system32\kdcom.dll
0x00C91000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CE0000 \SystemRoot\system32\PSHED.dll
0x00CF4000 \SystemRoot\system32\CLFS.SYS
0x00E34000 \SystemRoot\system32\CI.dll
0x00EF4000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F98000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00FA7000 \SystemRoot\system32\drivers\ACPI.sys
0x00E00000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00E09000 \SystemRoot\system32\drivers\msisadrv.sys
0x00E13000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00D52000 \SystemRoot\system32\drivers\pci.sys
0x00D85000 \SystemRoot\System32\drivers\partmgr.sys
0x00D9A000 \SystemRoot\system32\drivers\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E20000 \SystemRoot\system32\drivers\pciide.sys
0x00C5C000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x00C6C000 \SystemRoot\System32\drivers\mountmgr.sys
0x00DAF000 \SystemRoot\system32\drivers\vmbus.sys
0x00DEB000 \SystemRoot\system32\drivers\winhv.sys
0x00E27000 \SystemRoot\system32\drivers\atapi.sys
0x010DF000 \SystemRoot\system32\drivers\ataport.SYS
0x01109000 \SystemRoot\system32\drivers\amdxata.sys
0x01114000 \SystemRoot\system32\drivers\fltmgr.sys
0x01160000 \SystemRoot\system32\drivers\fileinfo.sys
0x0125A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01174000 \SystemRoot\System32\Drivers\msrpc.sys
0x01200000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01000000 \SystemRoot\System32\Drivers\cng.sys
0x0121B000 \SystemRoot\System32\drivers\pcw.sys
0x0122C000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0149A000 \SystemRoot\system32\drivers\ndis.sys
0x0158D000 \SystemRoot\system32\drivers\NETIO.SYS
0x01400000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x016AA000 \SystemRoot\System32\drivers\tcpip.sys
0x018AE000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x018F8000 \SystemRoot\system32\drivers\vmstorfl.sys
0x01908000 \SystemRoot\system32\drivers\volsnap.sys
0x01954000 \SystemRoot\System32\Drivers\spldr.sys
0x0195C000 \SystemRoot\System32\drivers\rdyboost.sys
0x01996000 \SystemRoot\System32\Drivers\mup.sys
0x019A8000 \SystemRoot\System32\drivers\hwpolicy.sys
0x019B1000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01600000 \SystemRoot\system32\DRIVERS\disk.sys
0x01616000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x0167C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x02C0F000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x02CDC000 \SystemRoot\System32\Drivers\Null.SYS
0x02CE5000 \SystemRoot\System32\Drivers\Beep.SYS
0x02CEC000 \SystemRoot\System32\drivers\vga.sys
0x02CFA000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02D1F000 \SystemRoot\System32\drivers\watchdog.sys
0x02D2F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02D38000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02D41000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02D4A000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02D55000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02D66000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02D88000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02D95000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x03E9D000 \SystemRoot\system32\drivers\afd.sys
0x03F26000 \SystemRoot\System32\Drivers\aswrdr2.sys
0x03F36000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03F7B000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x03F86000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03F8F000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03FB5000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03FC4000 \SystemRoot\system32\DRIVERS\serial.sys
0x03FE1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03E00000 \SystemRoot\system32\drivers\termdd.sys
0x03E14000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03E65000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03E71000 \SystemRoot\system32\drivers\mssmbios.sys
0x03E7C000 \SystemRoot\System32\drivers\discache.sys
0x040A4000 \SystemRoot\system32\drivers\csc.sys
0x04127000 \SystemRoot\System32\Drivers\dfsc.sys
0x04145000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x04156000 \SystemRoot\System32\Drivers\aswSP.SYS
0x041AE000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x041D4000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x04000000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x048AB000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x03A1F000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x03B13000 \SystemRoot\System32\drivers\dxgmms1.sys
0x03B59000 \SystemRoot\system32\drivers\HDAudBus.sys
0x03B7D000 \SystemRoot\system32\drivers\usbuhci.sys
0x03B8A000 \SystemRoot\system32\drivers\USBPORT.SYS
0x03BE0000 \SystemRoot\system32\drivers\usbehci.sys
0x05336000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x03BF1000 \SystemRoot\system32\DRIVERS\fdc.sys
0x03A00000 \SystemRoot\system32\DRIVERS\serenum.sys
0x0539D000 \SystemRoot\system32\DRIVERS\parport.sys
0x03A0C000 \SystemRoot\system32\drivers\CompositeBus.sys
0x053BA000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x053D0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x053F4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04800000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0482F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0484A000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0486B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x04885000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x04890000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x04055000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x03A1C000 \SystemRoot\system32\drivers\swenum.sys
0x02DA7000 \SystemRoot\system32\drivers\ks.sys
0x04064000 \SystemRoot\system32\DRIVERS\umbus.sys
0x0142B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0489F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0x04076000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x01236000 \SystemRoot\system32\drivers\AtihdW76.sys
0x01072000 \SystemRoot\system32\drivers\portcls.sys
0x010AF000 \SystemRoot\system32\drivers\drmk.sys
0x0408B000 \SystemRoot\system32\drivers\ksthunk.sys
0x06A61000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x06BCB000 \SystemRoot\System32\Drivers\crashdmp.sys
0x06BD9000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x06BE5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x06A00000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x06A13000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06A30000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x06A32000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x06A40000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x06BEE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x04091000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x00000000 \SystemRoot\System32\win32k.sys
0x041EA000 \SystemRoot\System32\drivers\Dxapi.sys
0x03E8B000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x02DEA000 \SystemRoot\system32\DRIVERS\monitor.sys
0x005F0000 \SystemRoot\System32\TSDDD.dll
0x00700000 \SystemRoot\System32\cdd.dll
0x01646000 \SystemRoot\system32\drivers\luafv.sys
0x02AE0000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x02B17000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x02B20000 \SystemRoot\system32\drivers\WudfPf.sys
0x02B41000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x02B56000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x02A00000 \SystemRoot\system32\drivers\HTTP.sys
0x02B6E000 \SystemRoot\system32\DRIVERS\bowser.sys
0x02B8C000 \SystemRoot\System32\drivers\mpsdrv.sys
0x02BA4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x07222000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x07270000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x07294000 \SystemRoot\system32\drivers\peauth.sys
0x0733A000 \SystemRoot\System32\Drivers\secdrv.SYS
0x07345000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x07376000 \SystemRoot\System32\drivers\tcpipreg.sys
0x07388000 \SystemRoot\System32\DRIVERS\srv2.sys
0x092B2000 \SystemRoot\System32\DRIVERS\srv.sys
0x0934A000 \??\C:\Windows\gdrv.sys
0x09353000 \SystemRoot\system32\drivers\spsys.sys
0x093C4000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x778B0000 \Windows\System32\ntdll.dll
0x475C0000 \Windows\System32\smss.exe
0xFFBD0000 \Windows\System32\apisetschema.dll
0xFF170000 \Windows\System32\autochk.exe
0x77760000 \Windows\System32\urlmon.dll
0x77640000 \Windows\System32\kernel32.dll
0xFFB70000 \Windows\System32\ws2_32.dll
0xFFAD0000 \Windows\System32\msvcrt.dll
0xFFA30000 \Windows\System32\comdlg32.dll
0xFFA00000 \Windows\System32\imm32.dll
0xFF9E0000 \Windows\System32\imagehlp.dll
0xFF900000 \Windows\System32\oleaut32.dll
0xFF720000 \Windows\System32\setupapi.dll
0xFF650000 \Windows\System32\usp10.dll
0xFF640000 \Windows\System32\nsi.dll
0xFF5D0000 \Windows\System32\gdi32.dll
0xFF4F0000 \Windows\System32\advapi32.dll
0xFF3C0000 \Windows\System32\rpcrt4.dll
0xFF360000 \Windows\System32\Wldap32.dll
0xFF340000 \Windows\System32\sechost.dll
0xFE5B0000 \Windows\System32\shell32.dll
0x77A80000 \Windows\System32\psapi.dll
0x77430000 \Windows\System32\iertutil.dll
0x772D0000 \Windows\System32\wininet.dll
0xFE3A0000 \Windows\System32\ole32.dll
0xFE290000 \Windows\System32\msctf.dll
0xFE210000 \Windows\System32\difxapi.dll
0x77A70000 \Windows\System32\normaliz.dll
0xFE190000 \Windows\System32\shlwapi.dll
0x771D0000 \Windows\System32\user32.dll
0xFE0F0000 \Windows\System32\clbcatq.dll
0xFE0E0000 \Windows\System32\lpk.dll
0xFE0A0000 \Windows\System32\wintrust.dll
0xFE080000 \Windows\System32\devobj.dll
0xFDF10000 \Windows\System32\crypt32.dll
0xFDE70000 \Windows\System32\comctl32.dll
0xFDE00000 \Windows\System32\KernelBase.dll

Processes (total 56):
0 System Idle Process
4 System
276 C:\Windows\System32\smss.exe
396 csrss.exe
472 C:\Windows\System32\wininit.exe
488 csrss.exe
524 C:\Windows\System32\services.exe
540 C:\Windows\System32\lsass.exe
548 C:\Windows\System32\lsm.exe
664 C:\Windows\System32\winlogon.exe
684 C:\Windows\System32\svchost.exe
788 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\atiesrxx.exe
912 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
300 C:\Windows\System32\audiodg.exe
288 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1232 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1272 C:\Windows\System32\atieclxx.exe
1392 C:\Windows\System32\spoolsv.exe
1428 C:\Windows\System32\svchost.exe
1628 C:\Windows\System32\svchost.exe
1676 C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
1264 C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe
1852 C:\Windows\System32\taskhost.exe
1836 C:\Windows\System32\dwm.exe
2028 C:\Windows\explorer.exe
2124 C:\Windows\System32\taskeng.exe
2180 C:\Windows\SysWOW64\PnkBstrA.exe
2268 C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
2308 postgres.exe
2316 conhost.exe
2448 C:\Windows\RAVCpl64.exe
2544 C:\Program Files\Windows Sidebar\sidebar.exe
2648 postgres.exe
2912 postgres.exe
2920 postgres.exe
2928 postgres.exe
2936 postgres.exe
2900 C:\Windows\System32\SearchIndexer.exe
2816 C:\Windows\System32\svchost.exe
3324 C:\Program Files\Windows Media Player\wmpnetwk.exe
3788 C:\Windows\System32\svchost.exe
3992 WmiPrvSE.exe
3172 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
3444 C:\Users\Jordan\AppData\Local\Google\Chrome\Application\chrome.exe
1876 C:\Users\Jordan\AppData\Local\Google\Chrome\Application\chrome.exe
1908 C:\Users\Jordan\AppData\Local\Google\Chrome\Application\chrome.exe
592 C:\Users\Jordan\AppData\Local\Google\Chrome\Application\chrome.exe
3424 C:\Windows\System32\sppsvc.exe
3472 C:\Users\Jordan\Contacts\Desktop\MBRCheck.exe
3828 C:\Windows\System32\conhost.exe
3840 C:\Windows\System32\dllhost.exe
3916 taskhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD6400AAKS-75A7B0, Rev: 01.03B01

Size Device Name MBR Status
596 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Edited by Jpsgroi, 13 March 2012 - 08:24 PM.

  • 0



    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
Looks like you may have fixed it. MBRCheck used to say:

596 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Now it says:

596 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

What does aswMBR say now?

(How did you get it to run?)
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 11 posts
It looks good. I made another admin account and it fired up. Thank you very much for the help.
  • 0



    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
Cleanup time then:

We need to cleanup System Restore:

Copy the following:


Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP