Author Topic: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2  (Read 8991 times)


Offline DreaMzzy

  • Jr. Member
  • **
  • Posts: 24
Hi,

I have got a virus on my computer which I can't remove. The name is MBR:\\.\PHYSICALDRIVE0\Partition2 and when I try to move it to the chest or delete it in Avast I get the message: Error: The request is not supported (50). I have tried to read in this forum to get help with the problem and tried some of the tips, but it won't help. For your information, I have problems running Combofix, TDSSkiller and aswMBR, which you refer to in solving the problems. I did manage to get a log from TDSSkiller yesterday (when I had not yet run all the other programs and fixes I tried after that, which seem to have caused some problems). I have started to follow the steps in the topic https://forum.avast.com/index.php?topic=53253.0 and I attach the two logs I got from OTL.

I would be really glad if you could help me as soon as you can. I will be on standby the whole evening today, waiting for your answers, and will reply to you immediately after the answers.

Thank you in advance!

Best regards, Jonas

Offline DreaMzzy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #1 on: July 18, 2012, 06:55:53 PM »
I tried the step with burning gparted-live-0.10.0-3.iso like in the topic http://forum.avast.com/index.php?topic=96419.0 as I have the same problem with a second partition that is 10 MB.

But I am not able to burn it from another computer, so I burned it from the same computer that has the virus. The step after burning it is "Now boot off of the newly created Gparted CD.". I don't really know what you mean by that, but I tried to reboot the computer with the burned CD in the CD drive and nothing happened.

I post the screenshot here from when I ran diskmgmt.msc.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 71413
  • No support PMs thanks
Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #2 on: July 18, 2012, 07:38:39 PM »
Hopefully there should be a malware removal specialist to help you soon.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.2.2215 R2/ Outpost Firewall Pro9.1/ Firefox 36.0.4, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.4/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35882
  • Dragons by Sasha
    • Malware fixes
Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #3 on: July 18, 2012, 08:51:00 PM »
OK first thing we need to do is ensure that the computer is set to boot from CD. Also, with ImgBurn did you select write image file to disc?

Note: If you do not know how to set your computer to boot from CD follow the steps here

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here... Press ENTER

By default, "do not touch keymap" is highlighted.

Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is 10 MB

Right click this partition and select Delete.

The partition has gone

Now select Apply

Now you should be here:

Select Apply after double checking that the right partition was deleted

Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below, then close:

Under File select Quit

You will see this small popup

Choose reboot and then press OK.
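
The two things checked by eye in the GParted steps above (a small extra partition, and whether the boot flag sits on the OS partition) can also be read straight from the MBR partition table. The following is an added example, not part of the original post or of any tool named in this thread; the sector is constructed, and the function names and the 50 MiB threshold are assumptions.

```python
import struct

SECTOR = 512
MIB = 1024 * 1024

def parse_mbr(sector0: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "size_mib": sectors * SECTOR / MIB})
    return parts

def review(parts, small_mib=50):
    """Flag a boot flag that sits on a small partition instead of the largest one.

    Heuristic only: a small active partition can be legitimate (vendor or
    system partitions), so a finding means "look closer", not "delete".
    """
    findings = []
    if not parts:
        return findings
    largest = max(parts, key=lambda p: p["size_mib"])
    for p in parts:
        if p["active"] and p is not largest and p["size_mib"] < small_mib:
            findings.append(f"partition {p['index']}: active, only {p['size_mib']:.0f} MiB")
    if not any(p["active"] for p in parts):
        findings.append("no partition carries the boot flag")
    return findings

def build_sample():
    """Constructed sector: a large inactive NTFS partition plus a 10 MiB active one."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    table = entry(0x00, 0x07, 2048, 200_000_000) + entry(0x80, 0x07, 200_002_048, 20_480)
    return bytes(446) + table + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    for line in review(parse_mbr(build_sample())):
        print(line)
```
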

Offline DreaMzzy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #4 on: July 18, 2012, 09:56:27 PM »
Thanks a lot for helping me out, but I need further assistance.

I burnt the file from the other thread which I linked to in my other post, named gparted-live-0.13.0-1.iso, and selected write iso-file. Then I followed your steps to boot from disc, which I also managed. Then I rebooted and I reached the first picture you had for the Gparted application. I pressed ENTER (Gparted Live (Default settings)) and then a lot of commands in white on a black background followed. Then after some screens full of letters it froze and the last sentences were:
"INIT: Version 2.88 booting"
"[info] makefile-style concurrent boot in runlevel S"

Have I done anything wrong here? How can you help me further?

Offline essexboy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #5 on: July 18, 2012, 10:00:01 PM »
OK give me a bit and I will flash it up on my VM to see if I can replicate it

Offline DreaMzzy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #6 on: July 19, 2012, 07:18:26 AM »
OK, I will be waiting for your answer. I'm totally stuck here.

Offline DavidR

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #7 on: July 19, 2012, 11:29:16 AM »
It may be a little while as essexboy will be at work now (almost 10:30am in the UK now).

Offline essexboy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #8 on: July 19, 2012, 02:46:56 PM »
I am unable to replicate it. The indications are that it is a corrupt burn. Could you reburn the Gparted disc, but on a separate computer, please?

Offline DreaMzzy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #9 on: July 19, 2012, 05:26:15 PM »
I tried to burn it again on the same computer, but this time I chose "disc at once". I tried the new disc but it stopped at the same place again when I tried to use Gparted. I got a warning message some lines up on the frozen screen that says:

Begin: Running /scripts/init-premount...done.
Begin: Mounting root file system... Begin: Running /scripts/live-premount...
[4.486534] aufs: module is from the staging directory, the quality is unknown, you have beend warned.

I don't know if that will help you.

I don't know if I will be able to burn the program from another computer today, but I will do my best. Are you sure that it will help? Should there be a problem burning it from my computer, as you see it?

Offline essexboy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #10 on: July 19, 2012, 07:46:18 PM »
Yes, the malware can disrupt the burn to CD causing this problem, so a separate system would help

Offline DreaMzzy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #11 on: July 21, 2012, 12:57:58 AM »
Now I have tried to burn G-parted from another computer, but I still got the same result. The screen freezes at the same point as before when I try to boot from the disc. What could I do now? Do you have any suggestions?

Offline essexboy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #12 on: July 21, 2012, 12:15:07 PM »
Yep I have a new tool

Please download the following tool

Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.



Also could you re-run TDSSKiller please

Offline DreaMzzy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #13 on: July 22, 2012, 07:05:09 PM »
Here comes the result from Listparts.

I tried to download and re-run TDSSkiller, but it won't work. The only time it worked was before I had run Combofix, aswMBR and another program. None of these programs work for me, and neither does TDSSkiller. I don't know if that has anything to do with my Avast. With Combofix I read that I should disable my Avast antivirus shield and so I did, but I didn't quit the program totally.

Offline essexboy

Re: Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2
« Reply #14 on: July 22, 2012, 07:16:38 PM »
Well, Listparts is not reporting a problem

Do you have the Combofix log? If so, could you attach it?

Please download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 
Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.