MBR:whistler-C [rtk]

[fraise]

Hello there I have been having this alert for the past 2 weeks, I reformatted my C drive and it is still there. It seems that it is on my other drive E, I think, but it doesn't say anywhere where its located exactly though.

Disk 0 Masterboot Record MBR:whistler-C [rtk]

What should do?

thank you.

[Pondus]

* download aswMBR and save to desktop  http://public.avast.com/~gmerek/aswMBR.exe
* click the aswMBR icon to run
* click scan...On completion of the scan click "save log" post here in next reply

[fraise]

ok attached

[Pondus]

does not show as whistler there.....maybe a new version ?


follow the guide here and attach the logs, then essexboy will have a look tomorrow
http://forum.avast.com/index.php?topic=53253.0


he is usually in here around 08:00pm - 11:59pm UK time....

[fraise]

Hi ok here is a screen shot , I will attach those other logs after I finish with the malwarebytes log

[fraise]

Ok here are the other logs

[essexboy]

08:43:08.063    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4
08:43:08.065    Disk 0 Vendor: WDC_WD1001FALS-00K1B0 05.00K05 Size: 953869MB BusType: 3
08:43:08.072    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-5
08:43:08.075    Disk 1 Vendor: Patriot_Pyro 319ABBF0 Size: 57241MB BusType: 3
08:43:10.082    Disk 1 MBR read successfully
08:43:10.086    Disk 1 MBR scan
08:43:10.090    Disk 1 Windows 7 default MBR code

This is where the problem resides .. Disc 0 is not configured as a boot drive but it has an MBR and that is what is being detected.
It in itself is not a problem but to clear the alert you will need to reformat that disc (I believe that will be the E drive )  Or I can place an inert MBR on there for you

[fraise]

08:43:08.063    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4
08:43:08.065    Disk 0 Vendor: WDC_WD1001FALS-00K1B0 05.00K05 Size: 953869MB BusType: 3
08:43:08.072    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-5
08:43:08.075    Disk 1 Vendor: Patriot_Pyro 319ABBF0 Size: 57241MB BusType: 3
08:43:10.082    Disk 1 MBR read successfully
08:43:10.086    Disk 1 MBR scan
08:43:10.090    Disk 1 Windows 7 default MBR code

This is where the problem resides .. Disc 0 is not configured as a boot drive but it has an MBR and that is what is being detected.
It in itself is not a problem but to clear the alert you will need to reformat that disc (I believe that will be the E drive )  Or I can place an inert MBR on there for you

Hi sorry I don't quite understand , is the  MBR:whistler-C [rtk] a problem? This drive is my storage drive so if I reformat it , it would clear all my data.

What should I do?

Thank you for your help I really appreciate it.

[essexboy]

If you wish I can replace that MBR with a replacement

Please download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 

Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

[fraise]

Hi ok here it is attached , I don't know much about these viruses so I will go with what you say maybe a replacement is best?

[essexboy]

Lets put a windows 7 MBR there

Run MBRCheck.exe once again.
 
You will be presented with the following dialog:
 

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 
Enter Y and press Enter.
 
The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
 
Enter your choice:

 
Enter 2 and press Enter
 
The following dialog will be presented:
 

Enter the physical disk number to fix (0-99, -1 to cancel):

 
Enter >>0<< and press Enter
 
The following dialog will be presented:

Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
 
Please select the MBR code to write to this drive:

 
Enter >>5<<  and press Enter
 
The following dialog will be presented:

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:

 
Type YES and press Enter (Must type the full word, YES). You will be inform if successfully wrote a new MBR code!
 
And last the following dialog will be presented:
 

Done! Press ENTER to exit...

 
Press Enter. A report will be produced on the desktop. Post that report in your next reply.

[fraise]

ok did it attached

[essexboy]

Could you confirm the alerts have now ceased

[fraise]

ok let me do a scan

[fraise]

it still says its there, here is screen shot