Author Topic: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!  (Read 17831 times)


marwa

  • Guest
Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« on: September 12, 2013, 07:28:51 AM »
Hi
I have got a virus named MBR:\\.\PHYSICALDRIVE0 - high threat: hurri
I tried to move it to the chest in Avast and I got the message: Error: The request is not supported. When I tried to delete it with "postpone to the next reboot", after rebooting I got the message: Error: it is not implemented.
I read some other similar posts about this and downloaded aswMBR and ran it in safe mode.
This is what came up:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-09-11 16:38:16
-----------------------------
16:38:16.531    OS Version: Windows 5.1.2600 Service Pack 2
16:38:16.531    Number of processors: 1 586 0x605
16:38:16.546    ComputerName: FASTER  UserName: Faster
16:38:17.046    Initialize success
16:38:18.312    AVAST engine defs: 13091100
16:38:24.640    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
16:38:24.656    Disk 0 Vendor: WDC_WD5000AAKX-00ERMA0 15.01H15 Size: 476938MB BusType: 3
16:38:24.750    Disk 0 MBR read successfully
16:38:24.765    Disk 0 MBR scan
16:38:25.203    Disk 0 Hurri
16:38:25.218    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        29996 MB offset 63
16:38:25.562    Disk 0 Partition - 00     0F Extended LBA            446933 MB offset 61432560
16:38:25.593    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       149997 MB offset 61432623
16:38:25.625    Disk 0 Partition - 00     05     Extended            149997 MB offset 368627490
16:38:25.671    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       149997 MB offset 368627553
16:38:25.718    Disk 0 Partition - 00     05     Extended   

When I pressed fixMBR (the only choice available) I got the message:
Warning
Writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible.
This application writes standard Windows MBR code.
Are you sure you want to fix the MBR?

I ran tdsskiller.exe; the log it returned said "no threats found".
I ran mbam-setup-1.75.0.1300.exe; it did not delete the virus.


I would be really glad if you could help me.
Thanks in advance.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #1 on: September 12, 2013, 07:31:17 AM »
Follow the instructions here and attach the logs, do not copy and paste.   http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, the malware specialists will be notified and will check the logs.
When finished, all tools used will be removed.



marwa

  • Guest
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #2 on: September 12, 2013, 08:56:02 AM »
Thanks a lot for your fast reply.

AdwCleaner says "pending. please uncheck elements you do not want to remove".

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #3 on: September 12, 2013, 09:22:25 AM »
If you are unsure, just save the log and the removal experts will take care of it.


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #4 on: September 12, 2013, 10:26:54 AM »
Monitoring

marwa

  • Guest
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #5 on: September 12, 2013, 10:32:41 AM »
Thank you for your help.

Here is the log from AdwCleaner.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #6 on: September 12, 2013, 10:47:32 AM »
@marwa

Follow the instructions precisely. Nowhere were you told to run AdwCleaner four times.
Attach the AdwCleaner[R0].txt log here.

I'll need logs from Malwarebytes (only one scan), aswMBR and OTL. Attach them here.


marwa

  • Guest
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #7 on: September 12, 2013, 11:30:10 AM »
I am sorry for that.
Attached are the 3 logs.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #8 on: September 12, 2013, 11:44:19 AM »
Ok. Your rootkit-based malware works at the level of the master boot record, which loads before Windows.

aswMBR is a lightweight AntiRootkit tool, therefore I would like to use a much more powerful AntiRootkit tool in order to obtain more information about your MBR-based rootkit.
When I have the whole view, we will carry on with full malware removal.

Please download GMER, an AntiRootkit tool, from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named.

Double-click to run GMER.
  • Wait for the initial scan to finish - if there is any query, click No;
  • Click the Scan button and wait until the full scan is complete;
  • Click Save ... - save the report to the Desktop (named Gmer1);

  • Right-click anywhere in GMER's window and select Options > 3rd party - click the Scan button;
  • Please wait until the full scan is complete;
  • Click the Save ... button and save the report to the Desktop (named Gmer2);
    note: the Gmer2 scan may take some time

  • Click the >>> and select the Autostart tab;
  • After the quick scan, click the Copy button;
  • Open Notepad and paste the text. Save the report to the Desktop (named Gmer3)
> Attach here all GMER log reports (Gmer1, Gmer2 and Gmer3).

marwa

  • Guest
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #9 on: September 12, 2013, 05:24:54 PM »
Here come the logs from GMER.

On the third step (autostart), the screen froze for about an hour without any progress,
so I copied and pasted it and I haven't exited the program yet.

Thank you for all the help.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #10 on: September 12, 2013, 06:03:50 PM »
Here you have multiple infections. Your system is seriously infected.
Let's start the cleansing operation.

1. Please download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:
  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens, in the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
  • Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.

marwa

  • Guest
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #11 on: September 12, 2013, 07:02:47 PM »
Here it is.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #12 on: September 12, 2013, 10:16:47 PM »
1. Disable your AntiVirus!

2. Open notepad and copy/paste the text present inside the code box below:


KillAll::
Mbr::
Reboot::
Folder::
c:\program files\GUM8B.tmp
DirLook::
C:\sh4ldr
c:\documents and settings\Faster\Local Settings\Application Data\cald3
c:\documents and settings\Faster\Application Data\cald3
ClearJavaCache::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Save this as CFScript.txt

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run.
Don't touch your PC while ComboFix is working...
When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

----- next -----

Please re-run aswMBR and post me the freshly created aswMBR.txt log report.



marwa

  • Guest
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #13 on: September 13, 2013, 12:44:20 AM »
I followed all the steps; unfortunately ComboFix is unable to run the scan, just a frozen window without any progress.
I attached the log from aswMBR.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!
« Reply #14 on: September 13, 2013, 12:01:18 PM »
On your Desktop you should have the MBR dump file:
C:\Documents and Settings\Faster\Desktop\MBR.dat
If it is not there, re-run aswMBR and it will be created.

Please zip/rar it with the password "virus" and upload the file here:
http://www.wikisend.com
Please post me the download link.

----- next -----

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

----- Rootkit Removal -----

Step#1

Please download TDSSKiller and save it to your desktop.

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


----------


Step#2

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit

Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

  • Unzip/unrar MBAR into a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe.
  • Click on Next, then on the Update button to download fresh definitions.
  • When the database updates, click Next.
  • In the following window ensure the "Targets" scan for Drivers, Sectors and System are ticked. Then select the "Scan" button.
  • If an infection/s are found, ensure "Create Restore Point" is checked, then select the "Cleanup" button to remove threats.
    Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
  • The Clean up procedure will be scheduled for processing.
  • When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt



----- next -----


> In your next reply please attach here:

- MBR.dat download link
- FRST and Addition reports
- TDSSKiller log
- system and mbar logs
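Reply #8 explains that this rootkit lives in the master boot record, and Reply #14 asks for the MBR.dat dump that aswMBR writes. The following is an added example, not code from the thread or from any of the tools named in it: it parses a 512-byte MBR dump the way an analyst would before trusting a fixMBR, checks the 0x55AA signature, lists the partition table, and hashes the 440-byte boot code so it can be compared with a dump from a known-clean machine. The sample MBR is constructed here from the partition entries in the aswMBR log above; the disk signature and boot code bytes are placeholders.

```python
import hashlib
import struct

SECTOR = 512
# Partition type bytes that appear in the aswMBR log earlier in this thread.
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0F: "Extended LBA"}
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(entries, boot_code=b"\x90" * 440):
    """Constructed 512-byte MBR: 440 bytes boot code, disk signature, 4 slots, 0x55AA."""
    mbr = bytearray(boot_code[:440].ljust(440, b"\x00"))
    mbr += struct.pack("<IH", 0x1234ABCD, 0)          # constructed disk signature + reserved
    for boot, ptype, start, count in entries:          # CHS fields are placeholders
        mbr += struct.pack(ENTRY_FMT, boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr += b"\x00" * (510 - len(mbr))                  # unused partition slots
    return bytes(mbr + b"\x55\xAA")

def parse_mbr(data):
    """Return the non-empty partition entries of an MBR dump after checking the boot signature."""
    if len(data) < SECTOR:
        raise ValueError("MBR dump must be at least 512 bytes")
    if data[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, _chs1, ptype, _chs2, start, count = struct.unpack_from(ENTRY_FMT, data, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": start, "sectors": count, "size_mb": count * SECTOR // (1024 * 1024)})
    return parts

def boot_code_sha256(data):
    """Hash of the 440-byte boot code; compare it with a dump taken from a known-clean machine."""
    return hashlib.sha256(data[:440]).hexdigest()

# Constructed from the aswMBR output above: bootable NTFS at sector 63 (29996 MB) and an
# Extended LBA container at sector 61432560 (446933 MB). Logical volumes live in EBRs, not here.
SAMPLE_MBR = build_sample_mbr([(0x80, 0x07, 63, 61432497), (0x00, 0x0F, 61432560, 915318784)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        flag = "(A)" if p["bootable"] else "   "
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']:<13} {p['size_mb']:>8} MB offset {p['lba_start']}")
    print("boot code sha256:", boot_code_sha256(SAMPLE_MBR))
```

A real MBR.dat can be passed to parse_mbr and boot_code_sha256 as the bytes read from the file; a boot code hash that differs from a clean reference of the same Windows version is what a fixMBR would overwrite.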