Author Topic: MBR:\\.\PHYSICALDRIVE0 (Read 5688 times)

REDACTED · « **on:** April 14, 2015, 09:54:52 PM »

Hi All,

i wonder if anyone can help me... Magna86 maybe??
I've just unpacked a all-in-one terninal, installed .NET Framework 4, Teamviewer, and Avast.
At first scan, Avast found this MBR problem:

File Name: MBR:\\.\PHYSICALDRIVE0
Severity: High
Status: Threat: Defo@boot

No action could be applied to fix it.
Tried to do Boot scan at start up and no option was able to fix it.

Thank you in advance for your help.

Robin

Michael (alan1998) · « **Reply #1 on:** April 14, 2015, 10:03:36 PM »

https://forum.avast.com/index.php?topic=53253.0

essexboy · « **Reply #2 on:** April 14, 2015, 11:05:05 PM »

Prior to that please run this programme and attach the log

Download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application
Then click on Change parameters.
Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Get the report by selecting Reports

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

REDACTED · « **Reply #3 on:** April 14, 2015, 11:24:49 PM »

Hi

thank you for a prompt reply.

attached is the log from tdsskiller as per intructions.

robin

essexboy · « **Reply #4 on:** April 15, 2015, 04:06:53 PM »

Re-run TDSSKiller and when you get this select cure :

17:15:37.0635 0x121c \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - skipped by user
17:15:37.0635 0x121c \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - User select action: Skip

REDACTED · « **Reply #5 on:** April 15, 2015, 04:47:08 PM »

Hi Essexboy,

I didn't have the choice to cure. only skip, quarantine, and maybe delete? but it wasn't cure. this, i assume, because "suspicious" object were found instead of "malicious".

thank you

robin

essexboy · « **Reply #6 on:** April 15, 2015, 05:15:02 PM »

Select delete and allow it to create a new MBR

REDACTED · « **Reply #7 on:** April 15, 2015, 05:44:31 PM »

my bad!

the three options are: Skip, Copy to quarantine, and RESTORE, not delete. sorry

essexboy · « **Reply #8 on:** April 15, 2015, 06:25:53 PM »

OK use restore and it should replace the MBR with a backup

REDACTED · « **Reply #9 on:** April 29, 2015, 03:29:48 AM »

hi Essexboy

i think your instructions worked. Thank you!!!
both avast and tdsskiller scan clean now
i attach tdssk latest log

thanks again

robin

essexboy · « **Reply #10 on:** April 29, 2015, 04:08:03 PM »

My pleasure

Author Topic: MBR:\\.\PHYSICALDRIVE0 (Read 5688 times)

REDACTED

MBR:\\.\PHYSICALDRIVE0

Michael (alan1998)

Re: MBR:\\.\PHYSICALDRIVE0

essexboy

Re: MBR:\\.\PHYSICALDRIVE0

REDACTED

Re: MBR:\\.\PHYSICALDRIVE0

essexboy

Re: MBR:\\.\PHYSICALDRIVE0

REDACTED

Re: MBR:\\.\PHYSICALDRIVE0

essexboy

Re: MBR:\\.\PHYSICALDRIVE0

REDACTED

Re: MBR:\\.\PHYSICALDRIVE0

essexboy

Re: MBR:\\.\PHYSICALDRIVE0

REDACTED

Re: MBR:\\.\PHYSICALDRIVE0

essexboy

Re: MBR:\\.\PHYSICALDRIVE0