Trojan:DOS/Alureon.A Master Boot Record Virus!!

[boulder38]

Hi Guys....


I've been given a computer to fix from a mate.

The problem as was given to me was that the screen would just stay black after the boot up sequence. No windows loading screen. Sure enough that was how it was when i got it.

Took the hard drive out and put it into my computer as an external drive and as soon as the computer picked it up the Microsoft Security Essentials picks up that its got this TrojanOS/Alureon.A Virus which infects the Master Boot Record. As soon as it picks up the virus, the virus kicks in and then makes the Harddrive unreadable by the computer. I can watch it pop-up in my computer, then watch microsoft security essentials pop-up and then the drives dissapear.

Because it makes the drive dissapear it cant get rid of it quick enough and then i also cant run any other programs on it as in malwarebytes or AVG through a different computer.

Ive even tried running a chkdsk through a XP recovery console but it just says that the disk is corrupted and unreadable and says the same when trying through a BartPE Disk as well.


Sometimes it will come up with do you want to format the drive and then dissapears, a couple of times its actually shown the content sizes of the drive and then dissapeared.


Anybody know how to get rid of this Virus from the BootSector?!?


Thanks
Luke

 

[johnb35]

Have you tried booting to safe mode?

 

[boulder38]

The computer the harddrive came from doesnt get that far to go into safe mode. It doesnt even get to think about loading windows because the virus renders it unreadable.

I could try My computer in safe mode i suppose but dont think that would make much of a difference except not having my anti-virus running so it could infect my machine which i Dont want!! lol

 

[Okedokey]

Connected to your computer it shouldnt read the MBR.

 

[boulder38]

Correct it shouldnt BUT the virus is activating from there and so the Microsoft Security Essentials is picking it up.

The address of the item that Microsoft Security Essentials gives is this:-

boot:\Device\Harddisk1\DR8\(MBR)



The 'DR8' changes between numbers of 1-8

 

[Okedokey]

I would connect it to a USB external drive or similar, boot in safe mode, extract your data and then you dban to format that drive.

 

[boulder38]

Its connected through USB drive at the mo.

If i boot into safe mode and turn the external drive on, will i not risk infecting my own computer without virus protection in safe mode?

 

[Okedokey]

Yes there is a risk. Although I would think it would be quite small.

What OS do you have?

I would install a virtual 'sandbox' environment such as VM ware or MS's version. You can then sandbox an OS and work on it from there with no risk.

 

[boulder38]

Mmmmm ok, Ive got vista running on my machine but ive got a laptop with a spare install of 7 on a harddrive which ill try safe mode with that as i dont mind if that gets infected!

I havent got any VMware software installed and havent used it before so that would be new to me.

Ill try the safe mode option and report back from there.

Thanks for help

 

[Method9]

You could plug only that hard drive into you mobo, boot from a Linux live CD, then move the important data to an external hard drive. Then DBAN away.

 

[boulder38]

Ive tried the safe mode root but it just says that the disk is either corrupted or unreadable.

Ive tried a BartPE Live disk but that gave the same indication of either corrupted or unreadable.....would a linux live cd give the same result?

I havent got a linux live cd and havent used one before either

 

[Okedokey]

Its screwed mate. Start again imho.

 

[johnb35]

Agreed. Hopefully you didn't have too many important files on there. This is one of the reasons why you always want to backup your important data as disaster can strike at any time.

 

[boulder38]

It does sound it doesnt it

Do you know of any MBR programs so i could try and rebuild it?


And yes both myself and my mate have told him to keep a backup but he didnt! Apparently theres lots and lots of phoos and work docs on there.....Doh!

 

[johnb35]

Well, you could fix it through recovery console but you said it told you disk was corrupted. If the data is really important, he'll have to send the drive off to get the data professionally taken off. You'll have to find a drive recovery company.

 

[boulder38]

Yeh true!

Bugger....will have to give him the bad news!

Thanks for your help guys and consider this virus as a Nasty Bugger!!!

 

[lubolat]

Try using a live Linux cd (Ubuntu). Run it on startup (have the computer boot from cd drive) and extract all data needed to a USB drive. Then use the disk utility in Ubuntu and reformat the hard drive from there, don't forget to create an active partition. This will basically wipe out everything on it, incl the virus. Then re-install the Windows and (after carefully scanning all the files you backed up for viruses) transfer them back to the drive.
Do a search on Ubuntu and download the ISO file to your computer, then create a live cd with image burning software. There are instructions online. You will need that handy disc more times than you know it.

 

[boulder38]

It wouldnt work, Id tried it and also a live version of BartPE and Mini Windows XP from the Hirens Boot disk.

Nothing would get me access to the drive but what i could do using the mini windows XP on hirens bootdisk is use diskgenius (something like that) and recover the partition so i was then able to get the docs back (mainly photos) and then wipe it and reinstall.

So all back up and running now but ill tell ya that virus is a bugger!!!