Avast WEBforum

Other => Viruses and worms => Topic started by: marwa on September 12, 2013, 07:28:51 AM

Title: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 12, 2013, 07:28:51 AM

Hi
I have got a virus named MBR:\\.\PHYSICALDRIVE0 - high- threat:hurri
I tried to move to chest in Avast I got the message: Error: The request is not supported when I tried to deleted "postpone to the next reboot after rebooted it I got the message: error "it is not implement"
I read some other similar posts about this and downloaded aswMBR and ran it on safemode
This is what came up
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-09-11 16:38:16
-----------------------------
16:38:16.531    OS Version: Windows 5.1.2600 Service Pack 2
16:38:16.531    Number of processors: 1 586 0x605
16:38:16.546    ComputerName: FASTER  UserName: Faster
16:38:17.046    Initialize success
16:38:18.312    AVAST engine defs: 13091100
16:38:24.640    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
16:38:24.656    Disk 0 Vendor: WDC_WD5000AAKX-00ERMA0 15.01H15 Size: 476938MB BusType: 3
16:38:24.750    Disk 0 MBR read successfully
16:38:24.765    Disk 0 MBR scan
16:38:25.203    Disk 0 Hurri
16:38:25.218    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        29996 MB offset 63
16:38:25.562    Disk 0 Partition - 00     0F Extended LBA            446933 MB offset 61432560
16:38:25.593    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       149997 MB offset 61432623
16:38:25.625    Disk 0 Partition - 00     05     Extended            149997 MB offset 368627490
16:38:25.671    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       149997 MB offset 368627553
16:38:25.718    Disk 0 Partition - 00     05     Extended   

when I pressed (the only choose available) fixMBR I got the massage
warning
writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible
this application writes standard windows MBR code
are you sour you want to fix the MBR ?

I ran tdsskiller.exe, the log it returned  " no threats found"
I ran mbam-setup-1.75.0.1300.exe, it did not delete the virus


I would be really glad if you could help me
thanks in advance

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: Pondus on September 12, 2013, 07:31:17 AM

follow instructions here and attach logs ...not copy and paste.   http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR

when done malware specialists will be notified and check the logs
when finish, all tools used will be removed

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 12, 2013, 08:56:02 AM

thanks alot for your fast replay

ADwcleaner  says "pending. please uncheck elements you don not want to remove"

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: Pondus on September 12, 2013, 09:22:25 AM

if you are unsure, just save log and the removal experts will take care of it

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 12, 2013, 10:26:54 AM

Monitoring

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 12, 2013, 10:32:41 AM

thank you for your help 

Here is the logo from adwcleaner

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 12, 2013, 10:47:32 AM

@marwa

Follow instructions precisely. Nowhere was told to run an adwcleaner four times.
Attach here AdwCleaner[R0].txt log.

I'll need logs from Malwarebytes ( only one scan ) , aswMBR and OTL. Attach it here.

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 12, 2013, 11:30:10 AM

I am sorry for that
attached 3 logos

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 12, 2013, 11:44:19 AM

Ok. Your rootkit based malware works at level of master boot records that it loads before Windows.

aswMBR is lightware AntiRootkit tool, therefor I would like to use much more powerful AntiRootkit tool in order to obtain more information abaut your MBR based rootkit.
When I had the whole view, then we will carry on with full malware removal.





Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link (http://www2.gmer.net/download.php)
Note: file will be random named



Double-clicking to run GMER.

• Wait for initial scan to finish - if there is any query, click No;
  
• Click Scan button and wait until the full scan is complete;
  
• Click Save ... - save the report to the Desktop (named Gmer1 );
  
  
• Right-click wherever in the GMER's window and select Options > 3rd party - click the Scan button;
  
• Please wait until the full scan is complete;
• Click Save ... button and save report to Desktop (named Gmer2 );
  note: time scan for Gmer2 log may take some time
  
  
• Click the >>> and select Autostart card;
  
• After quick scan, click Copy button;
  
• Open notepad and Paste text. Save report to the Desktop (named Gmer3 )
  

> Attach here all Gmer logreports. (Gmer1; Gmer2 and Gmer3)

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 12, 2013, 05:24:54 PM

Here comes the logs from GMER

the third step ( auto star),

the picture had frozen for about an hour without any progress
 
so I copied and pasted it and I didn't exit the program yet


Thank you for all the help

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 12, 2013, 06:03:50 PM

Here you have multiple infections. Your system is seriously infected.
Let's start cleansing operation.






1. Please download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.

Instructions how to disable avast:

• Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  
• In the window that opens on the top right corner, click Settings.
  
• In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  
• => Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
  

Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
 Attach log reports ( ComboFix.txt) back to topic.

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 12, 2013, 07:02:47 PM

here is it

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 12, 2013, 10:16:47 PM

1. Disable your AntiVirus!

2. Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

KillAll::
Mbr::
Reboot::
Folder::
c:\program files\GUM8B.tmp
DirLook::
C:\sh4ldr
c:\documents and settings\Faster\Local Settings\Application Data\cald3
c:\documents and settings\Faster\Application Data\cald3
ClearJavaCache::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run.
Don't tach your PC while ComboFix is working...
When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


----- next -----


Please re-run aswMBR and post me fresh created aswMBR.txt logreport.

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 13, 2013, 12:44:20 AM

I follow all the steps unfortunately Combofix it is unable to run scan just frozen window without any progress
I attached the logo from aswMBR

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 13, 2013, 12:01:18 PM

On your Desktop you should have MBR dump file:
C:\Documents and Settings\Faster\Desktop\MBR.dat
If is not there, then re-run aswMBR and it will be created.

Please zip/rar with password "virus" and upload file here:
http://www.wikisend.com
Post me please download link.

----- next -----




Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

----- Rootkit Removal -----


Step#1

Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe)  and save it to your desktop

    Execute TDSSKiller.exe by doubleclicking on it.

•     Press Start Scan
  
   
•   If Suspicious object is detected, the default action will be Skip, click on Continue.
   
•   If Malicious objects are found, select Cure.
  

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


----------


Step#2




Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
    Please note: This is a beta version so please be sure to read the disclaimer and note of it.

• Unzip/unrar MBAR in a folder to your Desktop
• Open the folder where the contents were unzipped to run mbar.exe
  
  
• Click on Next > then on Update button to download fresh definitions.
  
• When database updates click Next
  
• In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"
  
  
• If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
  Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
  
  
• The Clean up procedure will be Scheduled for process.
• When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
  

>> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.



----- next -----


> In your next reply please attach here:

- MBR.dat download link
- FRST and Attach reports
- TDSSKiller log
- system and mbar logs

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 13, 2013, 09:03:18 PM

THANKS FOR ALL THE HELP

MBR.dat download link without password
http://wikisend.com/download/379620/aswMBR.rar

FRST and reports Attached

TDSSKiller said no threats found

system and mbar logs attached

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 13, 2013, 10:48:33 PM

@ marwa

You have been attach aswMBR.txt logreport, not MBR.dat file.

Please re-try upload that file to me again? I need to examine that file becouse your MBR might be new kind of malware.


When you upload MBR.dat and post here download link, then just re-run Combofix. If CF wants to be updated or to install Recovery Console, allow it.

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 13, 2013, 10:50:39 PM

Do you understand this?

"عبد الرحمن & محمود"
"مروة"

What is say?

edit:
You do not have to answer, it's legit.  :)
---------

Just please attach fresh created Combofix.txt and MBR.dat to analyze that file.

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 14, 2013, 02:49:03 AM

sorry I didn't notice the extension

marwa = مروة 
عبد الرحمن & محمود my son's names


http://wikisend.com/download/251258/MBR.rar
Here comes the log from CF

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 14, 2013, 11:51:36 AM

Ok, I got it. You may edit your post and remove download link if you will.
This is just bump of MBR, not malware by itself but hey...just in case. :)

The thing is that master boot records (MBR) does not belong to the Windows operating system.
Somewhat hase been made ​​changes to it. That somewhat may be legit software but in your case some malicius software.

avast flag this as "Hurri" but this is rootkit known as "MBR.Malmo" and it's malicious. So we will fix your MBR and set it to default Windows settings.
If some malware using MBR as shield from me and my tools to hide it's loading point or MBR by itself make malicius payload to system then fixMBR will to the trick.
======================================


FixMBR from Recovery Console

When we run ComboFix earlier, CF has been installed the Windows Recovery Console. We are going to use that now.

1. Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

(http://fotkica.com/thumbs3/1_tmb_153239505_RC_BootMenu.jpg) (http://fotkica.com/slike.php?slika=1_153239505_RC_BootMenu.jpg)


(http://fotkica.com/thumbs3/1_tmb_459718526_2RConsole_A.jpg) (http://fotkica.com/slike.php?slika=1_459718526_2RConsole_A.jpg)


2. When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter

(http://fotkica.com/thumbs3/1_tmb_62688892_3RConsole_Fixmbr.jpg) (http://fotkica.com/slike.php?slika=1_62688892_3RConsole_Fixmbr.jpg)


4. Next type FIXMBR

(http://fotkica.com/thumbs3/1_tmb_72587141_4RConsole_FixmbrB.jpg) (http://fotkica.com/slike.php?slika=1_72587141_4RConsole_FixmbrB.jpg)


It will ask you "if you're sure you want to write a new MBR" answer 'Y'

Then type EXIT to reboot the machine.

And that's it.  :)



----- next -----

Re-check:

> Re-run aswMBR tool and post me here fresh created aswMBR.txt logreport.


----- next -----


> CFScript for Combofix


Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

Folder::
c:\windows\865537E164904193A4B6669C62711852.TMP
c:\program files\GUM8B.tmp

DirLook::
c:\documents and settings\Faster\Local Settings\Application Data\cald3
c:\documents and settings\Faster\Application Data\cald3
c:\documents and settings\Faster\Local Settings\Application Data\Temp
c:\program files\Common Files\xing shared

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

DDS::
uStart Page = about:blank

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{51d565ca-4dbd-499a-9118-fed2a54f7558}]

Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 16, 2013, 02:46:34 PM

hi
I had to reinstall Windows because it wasn't able to restart
it also has been crashing randomly i don't know if it's related to the virus or not so, I' II do these steps
thanks

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 16, 2013, 02:59:58 PM

is it OK to do those steps,  I don't have any of the software you've told me to downloaded
or any of the reports and the new operation system is windows 7

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 16, 2013, 06:54:05 PM

Hi,

If you had re-install windows then I'll need to see fresh Combofix and aswMBR logreports.

Re-run Combofix, afterwards aswMBR and post me fresh created logs if you wish to check are you malware free.

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: marwa on September 16, 2013, 08:37:27 PM

here are the two reports and I' II attach the results of the scan I ran after re-install windows

Title: Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
Post by: magna86 on September 16, 2013, 08:59:04 PM

Ok, your PC is malware free.



It is necessary to uninstall ComboFix :

• Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between "  ComboFix  " and "  /Uninstall  " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.


----- next -----


Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

• Click on the Scan button.
  
• After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  
• Post logfile will also be saved in the C:\AdwCleaner folder.

I don't need to see AdwCleaner logreport.


----- and -----


I can see you are using "USB Disk Security" for USB protections. I recommend to non-free USB Disk Security software replace with free (and I dare to say much better) MCShield.

Unlike competitive software relies on a database and removes malware only if it is in its definition (antivirus works at the same way) MCShield relies on it's own powerfull heuristic.
Analyzes the all known behavior and control all known methods of spreading malware from USB to the PC and thus made the detection.

You may download MCShield from one of the following links:

MyCity -  Official download link (http://www.mcshield.net)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.