Unable to move virus to chest or delete it

[Geoffers1]

I have a virus
File name MBR:\\.\PHYSICALDRIVE0
Severity High
Status Threat:Rootkit:hidden boot-sector
When attempting to move it to chest I get Error message The request is not supported(50)
When I attempt to delete it states Action postponed until the next reboot
Upon rebooting my laptop and running a scan the virus is found again and I go round in circles as before.
Please help. How can I solve this problem??

[Pondus]

Run aswMBR
see here how to   http://forum.avast.com/index.php?topic=72185.0
post/attach the log here and Essexboy will check it when he is back tomorrow


lower left corner > additional options > attach

[Geoffers1]

aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
Run date: 2011-02-25 23:29:42
-----------------------------
23:29:42.391    OS Version: Windows 6.0.6000
23:29:42.391    Number of processors: 2 586 0xF0D
23:29:42.393    ComputerName: GEOFF-PC  UserName: Geoff
23:29:45.823    Initialize success
23:29:50.628    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort2
23:29:50.628    Disk 0 Vendor: FUJITSU_MHY2120BH 0040020B Size: 114473MB BusType: 3
23:29:50.628    Device \Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0040020B#5&611cf43&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
23:29:52.687    Disk 0 MBR read successfully
23:29:52.687    Disk 0 MBR scan
23:29:52.687    Disk 0 TDL4@MBR code has been found
23:29:52.687    Disk 0 MBR hidden
23:29:52.703    Disk 0 MBR [TDL4]  **ROOTKIT**
23:29:52.703    Disk 0 trace - called modules:
23:29:52.703    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x861b3439]<<
23:29:52.718    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85b12308]
23:29:52.718    3 ntkrnlpa.exe[828b07e2] -> nt!IofCallDriver -> [0x86203cb8]
23:29:52.718    \Driver\atapi[0x85d18128] -> IRP_MJ_CREATE -> 0x861b3439
23:29:52.734    Scan finished successfully
23:29:58.287    Disk 0 fixing MBR
23:30:08.318    Disk 0 MBR restored successfully
23:30:08.318    Infection fixed successfully - please reboot ASAP

[Pondus]

seems it found and removed a TDL4 rootkit


to see if there is more in there, follow this guide an attach logs

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt / Malwarebytes scan log )


Essexboy will look at the logs tomorrow....

[essexboy]

ASWMbr is improving - nice to see.  Lets see if there are any remnants in the OTL logs

[inkameep]

I have the same problem as geoffers1

I did was he was told and here is my log

[Pondus]

@inkameep

follow the steps you see in my reply #3 and post/attach OTL / Malwarebytes logs

[essexboy]

@inkameep as that is TDL4 the fix button on ASWMbr should be available press that. 

Just press the FIX button none of the other buttons 

[Troodlechops]

I have the same virus and sent my pc away to a computer shop, they had it for 2 weeks sent it back still infected (obviously because this crap wont go away) so I googled it and you guys came up.

Computer shop sent my pc back with avast free anti virus already installed and as the others have said i keep deleting it, and it keeps coming back. I ran the recommended program, scan found nothing, pressed fix anyway, did nothing. Yes I still have avast screaming at me that the rootkit is still there :/ here is my log;

aswMBR version 0.9.5.317 Copyright(c) 2011 AVAST Software
Run date: 2011-05-29 17:03:18
-----------------------------
17:03:18.875    OS Version: Windows 5.1.2600 Service Pack 3
17:03:18.875    Number of processors: 2 586 0xF0B
17:03:18.875    ComputerName: COMPUTER  UserName: Owner
17:03:19.609    Initialize success
17:03:52.171    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
17:03:52.171    Disk 0 Vendor: ST3500630AS 3.AFM Size: 476940MB BusType: 3
17:03:54.171    Disk 0 MBR read successfully
17:03:54.171    Disk 0 MBR scan
17:03:54.171    Disk 0 Windows XP default MBR code
17:03:56.187    Disk 0 scanning sectors +976752000
17:03:56.203    Disk 0 scanning C:\WINDOWS\system32\drivers
17:04:02.765    Service scanning
17:04:03.828    Disk 0 trace - called modules:
17:04:03.828    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:04:03.828    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b1e0ab8]
17:04:03.828    3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000071[0x8b2119e8]
17:04:03.828    5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-12[0x8b20dd98]
17:04:11.750    Unsigned kernel modules:
17:04:11.750    0xb780e000 C:\WINDOWS\system32\DRIVERS\VClone.sys
17:04:18.625    Scan finished successfully
17:11:25.828    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:11:25.828    The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

[mikaelrask]

I have the same virus and sent my pc away to a computer shop, they had it for 2 weeks sent it back still infected (obviously because this crap wont go away) so I googled it and you guys came up.

Computer shop sent my pc back with avast free anti virus already installed and as the others have said i keep deleting it, and it keeps coming back. I ran the recommended program, scan found nothing, pressed fix anyway, did nothing. Yes I still have avast screaming at me that the rootkit is still there :/ here is my log;

aswMBR version 0.9.5.317 Copyright(c) 2011 AVAST Software
Run date: 2011-05-29 17:03:18
-----------------------------
17:03:18.875    OS Version: Windows 5.1.2600 Service Pack 3
17:03:18.875    Number of processors: 2 586 0xF0B
17:03:18.875    ComputerName: COMPUTER  UserName: Owner
17:03:19.609    Initialize success
17:03:52.171    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
17:03:52.171    Disk 0 Vendor: ST3500630AS 3.AFM Size: 476940MB BusType: 3
17:03:54.171    Disk 0 MBR read successfully
17:03:54.171    Disk 0 MBR scan
17:03:54.171    Disk 0 Windows XP default MBR code
17:03:56.187    Disk 0 scanning sectors +976752000
17:03:56.203    Disk 0 scanning C:\WINDOWS\system32\drivers
17:04:02.765    Service scanning
17:04:03.828    Disk 0 trace - called modules:
17:04:03.828    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:04:03.828    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b1e0ab8]
17:04:03.828    3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000071[0x8b2119e8]
17:04:03.828    5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-12[0x8b20dd98]
17:04:11.750    Unsigned kernel modules:
17:04:11.750    0xb780e000 C:\WINDOWS\system32\DRIVERS\VClone.sys
17:04:18.625    Scan finished successfully
17:11:25.828    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:11:25.828    The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

i suggest you do a boot scan with avast and send what i finds to the chest. sens it finds trhe infection but can't do anything with it.

http://www.schmahl.net/avastbootscan.php- instructions how to make a boot scan. instructions for avast 6 is in the text aswell in a link there in the begining of the guide.

good luck and someone will check that log aswell.