Avast won't remove MBR:\\.\PHYSICALDRIVE0

[RablyPale]

I've been noticing that my computer, in particular my internet has been slow on and off recently. I've started up my computer and it just hasn't had internet access while everyone else in my house did. I decided to do a virus scan and Avast detected "MBR:\\.\PHYSICALDRIVE0". I tried to remove it and it said "Action postponed until the next reboot" so I restarted my computer. I did another scan to make sure it was removed, but it was not. Under the status tab it says "Threat:Rootkit:hidden boot-sector", and I'm not entirely sure what this means or what it is capable, so if someone can help me, it would be very much appreciated.

[com155]

maybe u can try this:


Download aswMBR.exe ( 1.8mb ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan
 
 
On completion of the scan click save log, save it to your desktop and post in your next reply


u can hit fixmbr if it finds the mbr rootkit.

[RablyPale]

aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-21 04:15:16
-----------------------------
04:15:16.339    OS Version: Windows x64 6.0.6002 Service Pack 2
04:15:16.339    Number of processors: 2 586 0x1706
04:15:16.339    ComputerName: ENDUSER-PC  UserName: Enduser
04:15:18.085    Initialize success
04:15:18.188    AVAST engine defs: 11072001
04:15:19.860    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000068
04:15:19.863    Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 6
04:15:19.900    Disk 0 MBR read successfully
04:15:19.903    Disk 0 MBR scan
04:15:19.906    Disk 0 MBR:Whistler [Rtk]
04:15:19.909    Disk 0 Whistler@MBR code has been found
04:15:19.911    Disk 0 MBR [Whistler]  **ROOTKIT**
04:15:19.924    Service scanning
04:15:21.827    Disk 0 trace - called modules:
04:15:21.858    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
04:15:21.866    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004da7790]
04:15:21.871    3 CLASSPNP.SYS[fffffa6000a0ac33] -> nt!IofCallDriver -> [0xfffffa8004bf48e0]
04:15:21.878    5 acpi.sys[fffffa60008fcfde] -> nt!IofCallDriver -> \Device\00000068[0xfffffa80040c7060]
04:15:23.585    AVAST engine scan C:\Windows
04:15:45.370    AVAST engine scan C:\Windows\system32
04:16:35.026    AVAST engine scan C:\Windows\system32\drivers
04:16:44.617    AVAST engine scan C:\Users\Enduser
04:17:42.354    Disk 0 MBR has been saved successfully to "C:\Users\Enduser\Desktop\MBR.dat"
04:17:42.361    The log file has been saved successfully to "C:\Users\Enduser\Desktop\aswMBR.txt"

[RablyPale]

Pressing Fix MBR fixed it apparently; there's no red font in the log anymore and after scanning again, aswMBR didn't detect anything. Thanks a lot!   

[com155]

ok,i think hitting fixmbr would solve the problem.

[com155]

so is the problem fixed....no alerts of a virus found in avast scan?

[RablyPale]

I'm not sure how to do a boot time scan. I'll try it if you can tell me how then I'll tell you the results.

[com155]

go to the avast! user interface by double clicking on the orange ball in the system tray.

in the interface,go to the scan computer option and then after clicking there u can click on boot-time scan

now click on schedule now and restart your pc.

now a boot-time scan will be performed on next reboot...

[RablyPale]

I did a boot time scan and I believe the last thing it detected was MBR:Whistler which it moved to the chest. I managed to get a file path to the log, so here it is though I'm pretty sure the rootkit has been removed. Thanks very much for your assistance

07/21/2011 04:53
Scan of all local drives

File C:\Program Files (x86)\Heroes of Newerth\editor\textures.s2z|>00000000\ui\images\logo.dds Error 42125 {ZIP archive is corrupted.}
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>CustomClass.class is infected by Java:Jade-B [Heur]
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>evilPolicy.class is infected by Other:Malware-gen, Deleted
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>dostuff.class is infected by Other:Malware-gen, Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>mosdef.class is infected by Java:Agent-BA [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>SiteError.class is infected by Java:CVE-2010-0094-A [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\b.class is infected by Other:Malware-gen, Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\b.class is infected by Java:Agent-OG [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-20f422d7 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-3cc5ba25 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-46a0706c is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-49519a2c is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-6e92f5a7 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-73c48dc8 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\edit.class is infected by Java:Agent-GO [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\file.class is infected by Java:Agent-GM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\help.class is infected by Java:Agent-GN [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\property.class is infected by Java:Agent-DU [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>pocket\object3.class is infected by Java:Agent-DR [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>pocket\object4.class is infected by Java:Agent-GK [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\b.class is infected by Java:Agent-OG [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\631b0b73-73122b4c|>encode\ANSI.class is infected by Java:Agent-DU [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\631b0b73-73122b4c|>encode\ISO.class is infected by Java:Agent-GM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\631b0b73-73122b4c|>setup\lang.class is infected by Java:Agent-DM [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\5512bf5-6572898c|>c.class is infected by Java:Jade-A [Heur], Moved to chest
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\AUG2007_d3dx10_35_x86.cab|>d3dx10_35.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Aug2009_D3DCompiler_42_x86.cab|>D3DCompiler_42.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Feb2006_d3dx9_29_x64.cab|>d3dx9_29.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Mar2009_d3dx9_41_x86.cab|>d3dx9_41.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Nov2007_d3dx9_36_x64.cab|>d3dx9_36.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\NOV2007_XACT_x64.cab|>xactengine2_10.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\HoNClient-2.0.39.1v2.exe|>$INSTDIR\editor\textures.s2z|>00000000\ui\images\logo.dds Error 42125 {ZIP archive is corrupted.}
File C:\Users\Enduser\Desktop\MBR.dat is infected by MBR:Whistler [Rtk], Moved to chest
Number of searched folders: 43371
Number of tested files: 726772
Number of infected files: 34

[argus]

Uninstall Java and download the new version

With JavaRa  http://sourceforge.net/projects/javara/files/javara/JavaRa/JavaRa.zip/download

[RablyPale]

Okay, anything I should do after that? And what is the use of java?

[Pondus]

Okay, anything I should do after that?

scan again and see if the infection is gone...

And what is the use of java?

http://www.java.com/en/download/faq/whatis_java.xml

[RablyPale]

Both Avast and aswMBR no longer detect the infection, so I believe it is gone. Thanks a lot to everyone that helped me.

[Asyn]

And what is the use of java?

If you don't need Java, just remove it.
I've done that long ago.

[Ksingh]

I have been an Avast user for quite sometime.
For the problem mentioned try using tdsskiller.
It solves the problem.