How do I safely get rid of this infection without losing any of my stored data?
infected by MBR:Alureon-G [Rtk]
Started by DebKyle, Jun 21 2011 01:04 PM
#1
Posted 21 June 2011 - 01:04 PM
How do I safely get rid of this infection without losing any of my stored data?
#2
Posted 21 June 2011 - 02:55 PM
Hi, C:\Documents and Settings\All Users\Application Data\AVAST software\AVAST\arpot\169fea7-e48-0.dat is the area where Avast unpacks the definitions for the anti-rootkit scan, so Avast is actually detecting itself.
We can confirm this for you
Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
#3
Posted 22 June 2011 - 06:34 PM
I ran the scan & saved to desktop. I chose the saved file to attach, but I got an error message that says I'm not permitted to upload this kind of file. What next?
#4
Posted 23 June 2011 - 10:25 AM
There should be a file called aswMBR.TXT on the desktop if you pressed save log, I believe you tried to upload a copy of the MBR.dat which is banned from uploading here
#5
Posted 24 June 2011 - 02:11 PM
I did choose the wrong one. So now attached is the scan you wanted me to post. Next step?
aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-22 20:13:25
-----------------------------
20:13:25.453 OS Version: Windows 5.1.2600 Service Pack 3
20:13:25.453 Number of processors: 1 586 0x209
20:13:25.453 ComputerName: BOBNDEB-D81BC89 UserName: Deb
20:13:26.890 Initialize success
20:13:28.234 AVAST engine defs: 11062201
20:14:07.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:14:07.578 Disk 0 Vendor: WDC_WD400EB-75CPF0 06.04G06 Size: 38166MB BusType: 3
20:14:07.578 Device \Driver\atapi -> DriverStartIo 8233931b
20:14:09.578 Disk 0 MBR read successfully
20:14:09.578 Disk 0 MBR scan
20:14:09.593 Disk 0 MBR:Alureon-G [Rtk]
20:14:09.593 Disk 0 TDL4@MBR code has been found
20:14:09.593 Disk 0 Windows XP default MBR code found via API
20:14:09.593 Disk 0 MBR hidden
20:14:09.593 Disk 0 MBR [TDL4] **ROOTKIT**
20:14:09.593 Disk 0 trace - called modules:
20:14:09.593 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x823394d0]<<
20:14:09.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8239aab8]
20:14:09.593 3 CLASSPNP.SYS[f8578fd7] -> nt!IofCallDriver -> [0x823e1148]
20:14:09.593 \Driver\atapi[0x8238cb60] -> IRP_MJ_CREATE -> 0x823394d0
20:14:09.859 AVAST engine scan C:\WINDOWS
20:23:31.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Deb\Desktop\MBR.dat"
20:23:31.812 The log file has been saved successfully to "C:\Documents and Settings\Deb\Desktop\aswMBR.txt"
Attached Files
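The log above reports "Windows XP default MBR code found via API" and, in the same breath, "MBR hidden" and "TDL4@MBR code has been found": the scanner read the boot sector two ways, through the normal Windows API and directly through the disk driver, and the two reads disagreed. The following Python script is an added example, not code from this thread or from aswMBR, that shows that comparison on two constructed 512-byte MBR images. The boot-code byte strings, the disk signature and the partition geometry are all placeholders invented for the example; the sector layout (440 bytes of boot code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA) is the standard classic MBR layout.

```python
"""Added example (not the thread's or aswMBR's code): compare two views of
one MBR sector and report the indicators seen in the aswMBR log above.

Both 512-byte images are constructed here. One stands in for the sector
the Windows API hands back, the other for the sector the scanner reads
through the disk driver; when the two disagree, the boot code is being
hidden from the API, which is what the log's "MBR hidden" line reports.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code, then 4-byte disk signature and 2 reserved bytes
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"


def build_mbr(boot_code, partitions):
    """Assemble an MBR image from boot code and (bootable, type, start_lba, sectors) tuples."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    sector += b"\x12\x34\x56\x78"    # constructed NT disk signature
    sector += b"\x00\x00"            # reserved
    for bootable, ptype, start, count in partitions:
        # CHS fields are zeroed; loaders use the LBA start and sector count.
        sector += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                              b"\x00\x00\x00", ptype, b"\x00\x00\x00", start, count)
    sector += b"\x00" * (PART_ENTRY_LEN * (4 - len(partitions)))
    sector += MBR_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code hash and the used partition entries of an MBR image."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:
            partitions.append({"index": i, "bootable": flag == 0x80,
                               "type": ptype, "start_lba": start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_views(api_view, raw_view):
    """Indicators, worded like the scanner's log lines, for two views of one sector."""
    api, raw = parse_mbr(api_view), parse_mbr(raw_view)
    findings = []
    if api["boot_code_sha256"] != raw["boot_code_sha256"]:
        findings.append("MBR hidden: boot code seen via API differs from the raw disk read")
    if api["partitions"] != raw["partitions"]:
        findings.append("partition table differs between API view and raw disk read")
    return findings


def demo():
    """Constructed sample: same partition table, different boot code in the raw read."""
    table = [(True, 0x07, 63, 78140097)]   # one NTFS partition; numbers are constructed
    api_view = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", table)   # placeholder boot code
    raw_view = build_mbr(b"\xeb\x1e\x90\x90\x90\x90\x90", table)   # placeholder altered code
    return compare_views(api_view, raw_view)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as-is to see the single "MBR hidden" finding; feed `compare_views` the same image twice and it returns nothing, which is the clean-disk case. The partition-table comparison is there because a bootkit that only rewrites boot code leaves the table intact, so a clean table on its own says nothing: the boot-code hash is the check that matters, and a saved MBR.dat like the one the scanner wrote to the desktop is the file you would hand to `parse_mbr` on a real disk.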
#6
Posted 24 June 2011 - 02:16 PM
Looks like Avast did detect it
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
#7
Posted 24 June 2011 - 05:20 PM
Results of TDSSKiller attached. How can I tell if it worked?
Attached Files
#8
Posted 25 June 2011 - 07:32 AM
TDSSKiller did not work - so let's use aswMBR instead. Once done, can you let me know if you are still getting the alert?
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix Button
Save the log as before and post in your next reply
#9
Posted 25 June 2011 - 05:57 PM
It did not give me a "fix" option. I can FixMBR, Save Log, or Exit.
Edited by DebKyle, 25 June 2011 - 05:58 PM.
#10
Posted 26 June 2011 - 04:04 AM
Select exit as there is something not quite right about that report... What problems do you have at the moment, is Avast still alerting?
#11
Posted 27 June 2011 - 02:36 AM
Haven't noticed the alert as often. But no sound on internet. Check of sound and audio devices says each is working fine, but says "No audio device" when I go through Control Panel & check on them.
#12
Posted 27 June 2011 - 10:15 AM
There is something not quite right here but I cannot put my finger on it yet
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
#13
Posted 27 June 2011 - 11:45 AM
Before I follow your instructions, early in those instructions you say to disable my antivirus software. At what point in the process should I turn that back on?
#14
Posted 27 June 2011 - 12:42 PM
Right click the orange blob and select shield control - set to disable for 1 hour. Once combofix has done its thing, then restart the shields.
#15
Posted 28 June 2011 - 06:17 AM
Attached is log. I just ran this scan, so I don't yet know if it's changed my computer at all.
Attached Files