Avast won't remove MBR:\\.\PHYSICALDRIVE0

I’ve been noticing that my computer, in particular my internet, has been slow on and off recently. I’ve started up my computer and it just hasn’t had internet access while everyone else in my house did. I decided to do a virus scan and Avast detected “MBR:\.\PHYSICALDRIVE0”. I tried to remove it and it said “Action postponed until the next reboot”, so I restarted my computer. I did another scan to make sure it was removed, but it was not. Under the status tab it says “Threat:Rootkit:hidden boot-sector”, and I’m not entirely sure what this means or what it is capable of, so if someone can help me, it would be very much appreciated.

Maybe you can try this:

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double-click aswMBR.exe to run it.

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan, click “Save log”, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

You can hit “Fix MBR” if it finds the MBR rootkit.

aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-21 04:15:16

04:15:16.339 OS Version: Windows x64 6.0.6002 Service Pack 2
04:15:16.339 Number of processors: 2 586 0x1706
04:15:16.339 ComputerName: ENDUSER-PC UserName: Enduser
04:15:18.085 Initialize success
04:15:18.188 AVAST engine defs: 11072001
04:15:19.860 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000068
04:15:19.863 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 6
04:15:19.900 Disk 0 MBR read successfully
04:15:19.903 Disk 0 MBR scan
04:15:19.906 Disk 0 MBR:Whistler [Rtk]
04:15:19.909 Disk 0 Whistler@MBR code has been found
04:15:19.911 Disk 0 MBR [Whistler] ROOTKIT
04:15:19.924 Service scanning
04:15:21.827 Disk 0 trace - called modules:
04:15:21.858 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
04:15:21.866 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004da7790]
04:15:21.871 3 CLASSPNP.SYS[fffffa6000a0ac33] → nt!IofCallDriver → [0xfffffa8004bf48e0]
04:15:21.878 5 acpi.sys[fffffa60008fcfde] → nt!IofCallDriver → \Device\00000068[0xfffffa80040c7060]
04:15:23.585 AVAST engine scan C:\Windows
04:15:45.370 AVAST engine scan C:\Windows\system32
04:16:35.026 AVAST engine scan C:\Windows\system32\drivers
04:16:44.617 AVAST engine scan C:\Users\Enduser
04:17:42.354 Disk 0 MBR has been saved successfully to “C:\Users\Enduser\Desktop\MBR.dat”
04:17:42.361 The log file has been saved successfully to “C:\Users\Enduser\Desktop\aswMBR.txt”

Pressing Fix MBR fixed it apparently; there’s no red font in the log anymore and after scanning again, aswMBR didn’t detect anything. Thanks a lot! ;D
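The aswMBR log above shows the tool saving the raw boot sector to MBR.dat before the fix. As an added example (not code from the thread, from Avast or from aswMBR), the Python below parses such a 512-byte MBR dump: it checks the 0x55AA boot signature, decodes the four partition entries, hashes the bootstrap-code region and compares it with a baseline hash taken from a known-clean machine, which is the kind of overwrite a detection like “MBR:Whistler [Rtk]” points at. The sample MBR bytes, the baseline hash and the tampered variant are constructed inside the block; `read_mbr_from_file` is a hypothetical helper that just reads the first sector of a dump file.

```python
"""Parse and baseline-check a raw 512-byte MBR dump (e.g. aswMBR's MBR.dat).
Added example for the thread above; not code from Avast or aswMBR."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the bootstrap code a bootkit overwrites
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow
PART_ENTRY = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    """Decode signature, partition table and a hash of the boot-code region."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, data, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(data: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the known-clean baseline."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


def read_mbr_from_file(path: str) -> bytes:
    """Hypothetical helper: read the first sector of a dump file such as MBR.dat."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR with one bootable NTFS partition (sample data, not the thread's)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    # entry 0: bootable (0x80), type 0x07 (NTFS), LBA 2048, 1 GiB of 512-byte sectors
    struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 2_097_152)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed stand-ins: a "clean" bootstrap stub, and a variant whose boot code
# was replaced while the partition table is left intact, which is the shape of
# an MBR bootkit overwrite.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
CLEAN_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_against_baseline(blob, CLEAN_HASH) or "OK")
```

The partition table is deliberately left out of the hash: a bootkit that patches only the code bytes keeps the table intact so the system still boots, so a hash over the whole sector would not tell you which part changed. The baseline should come from a dump taken before infection or from a known-clean install; comparing a dump read from the live system is only meaningful if the reader is trusted, which is why aswMBR traces the disk driver call chain (the `nt!IofCallDriver` lines above) and why the boot-time scan suggested later in the thread matters.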

OK, I think hitting “Fix MBR” would solve the problem.

So is the problem fixed? No alerts of a virus found in the Avast scan? :slight_smile: :slight_smile: :slight_smile: :slight_smile:

I’m not sure how to do a boot time scan. I’ll try it if you can tell me how then I’ll tell you the results.

Go to the avast! user interface by double-clicking the orange ball in the system tray.

In the interface, go to the “Scan computer” option, and after clicking there you can click on “Boot-time scan”.

Now click on “Schedule now” and restart your PC.

A boot-time scan will now be performed on the next reboot.

I did a boot time scan and I believe the last thing it detected was MBR:Whistler which it moved to the chest. I managed to get a file path to the log, so here it is though I’m pretty sure the rootkit has been removed. Thanks very much for your assistance :slight_smile:

07/21/2011 04:53
Scan of all local drives

File C:\Program Files (x86)\Heroes of Newerth\editor\textures.s2z|>00000000\ui\images\logo.dds Error 42125 {ZIP archive is corrupted.}
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>CustomClass.class is infected by Java:Jade-B [Heur]
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>evilPolicy.class is infected by Other:Malware-gen, Deleted
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>dostuff.class is infected by Other:Malware-gen, Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>mosdef.class is infected by Java:Agent-BA [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>SiteError.class is infected by Java:CVE-2010-0094-A [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\b.class is infected by Other:Malware-gen, Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3f154490-45eb18ed|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\b.class is infected by Java:Agent-OG [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b77f2d2-485227b6|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-20f422d7 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-3cc5ba25 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-46a0706c is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-49519a2c is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-6e92f5a7 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3b3d8982-73c48dc8 is infected by Java:Agent-MP [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\edit.class is infected by Java:Agent-GO [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\file.class is infected by Java:Agent-GM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\help.class is infected by Java:Agent-GN [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>menu\property.class is infected by Java:Agent-DU [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>pocket\object3.class is infected by Java:Agent-DR [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\22cd8d59-40d1ec25|>pocket\object4.class is infected by Java:Agent-GK [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\b.class is infected by Java:Agent-OG [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\193cc8a7-19c200e5|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\631b0b73-73122b4c|>encode\ANSI.class is infected by Java:Agent-DU [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\631b0b73-73122b4c|>encode\ISO.class is infected by Java:Agent-GM [Expl], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\631b0b73-73122b4c|>setup\lang.class is infected by Java:Agent-DM [Trj], Moved to chest
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\5512bf5-6572898c|>c.class is infected by Java:Jade-A [Heur], Moved to chest
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\AUG2007_d3dx10_35_x86.cab|>d3dx10_35.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Aug2009_D3DCompiler_42_x86.cab|>D3DCompiler_42.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Feb2006_d3dx9_29_x64.cab|>d3dx9_29.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Mar2009_d3dx9_41_x86.cab|>d3dx9_41.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\Nov2007_d3dx9_36_x64.cab|>d3dx9_36.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\CO\Champions Online BT FC.20.20110627.3\directx\NOV2007_XACT_x64.cab|>xactengine2_10.dll Error 42127 {CAB archive is corrupted.}
File C:\Users\Enduser\Desktop\HoNClient-2.0.39.1v2.exe|>$INSTDIR\editor\textures.s2z|>00000000\ui\images\logo.dds Error 42125 {ZIP archive is corrupted.}
File C:\Users\Enduser\Desktop\MBR.dat is infected by MBR:Whistler [Rtk], Moved to chest
Number of searched folders: 43371
Number of tested files: 726772
Number of infected files: 34
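The boot-time scan output above is the kind of list a responder wants summarized rather than read line by line: how many detections are exploit artifacts sitting in the Java deployment cache (which is what drives the “uninstall Java” advice that follows), which one is actual persistence (the MBR:Whistler hit on the saved MBR.dat), which were quarantined or deleted, which were only detected, and which entries are just archive errors. The Python below is an added example, not Avast’s code, that parses lines in the format shown and produces that summary. The regular expression is written against the two line shapes visible in this log only; the five sample lines are copied from the log above.

```python
"""Summarize Avast boot-time scan output of the kind posted above.
Added example; not Avast's code, and the line format is inferred from the posted log."""
import re
from collections import Counter

# Two line shapes appear in the log: an infection (with an optional " [Tag]"
# and an optional ", <action>") and an archive error with a numeric code.
LOG_LINE = re.compile(
    r"^File (?P<path>.+?) "
    r"(?:is infected by (?P<det>[^\s,]+(?: \[[A-Za-z]+\])?)(?:, (?P<action>.+))?"
    r"|Error (?P<code>\d+) \{(?P<msg>[^}]*)\})$"
)
JAVA_CACHE_MARKER = r"\Java\Deployment\cache"


def parse_line(line: str):
    """Return a record dict for a recognised line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    if m.group("det"):
        det = m.group("det")
        tag = re.search(r"\[(\w+)\]", det)
        return {
            "kind": "infected",
            "path": m.group("path"),
            "detection": det,
            "family": det.split(":", 1)[0],          # Java / Other / MBR
            "tag": tag.group(1) if tag else None,    # Heur / Expl / Trj / Rtk
            "action": m.group("action") or "none",   # "none": detected but not quarantined
        }
    return {"kind": "error", "path": m.group("path"),
            "code": int(m.group("code")), "message": m.group("msg")}


def summarize(log_text: str) -> dict:
    """Aggregate a scan log into counts a responder can act on."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    infected = [r for r in records if r["kind"] == "infected"]
    return {
        "infected": len(infected),
        "errors": sum(1 for r in records if r["kind"] == "error"),
        "by_family": Counter(r["family"] for r in infected),
        "by_tag": Counter(r["tag"] for r in infected),
        "by_action": Counter(r["action"] for r in infected),
        "java_cache": sum(1 for r in infected if JAVA_CACHE_MARKER in r["path"]),
        "not_quarantined": [r["path"] for r in infected if r["action"] == "none"],
        "boot_sector": [r["detection"] for r in infected if r["family"] == "MBR"],
    }


# Sample input: five lines copied from the boot-time scan log posted above.
SAMPLE_LOG = r"""
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>CustomClass.class is infected by Java:Jade-B [Heur]
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>evilPolicy.class is infected by Other:Malware-gen, Deleted
File C:\Users\Enduser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\35ace28a-587cca05|>SiteError.class is infected by Java:CVE-2010-0094-A [Expl], Moved to chest
File C:\Users\Enduser\Desktop\MBR.dat is infected by MBR:Whistler [Rtk], Moved to chest
File C:\Program Files (x86)\Heroes of Newerth\editor\textures.s2z|>00000000\ui\images\logo.dds Error 42125 {ZIP archive is corrupted.}
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it on the full log posted above gives the picture the later replies act on: almost every hit is a Java applet exploit artifact in the deployment cache (a historical record of drive-by attempts, not a running infection), one hit is the saved copy of the boot sector, and the “not_quarantined” list is where a responder looks first, since a detected-but-unhandled entry (here the Java:Jade-B line) is what needs a second scan.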

Uninstall Java and download the new version.

With JavaRa: http://sourceforge.net/projects/javara/files/javara/JavaRa/JavaRa.zip/download

Okay, anything I should do after that? And what is the use of java?

“Okay, anything I should do after that?”
Scan again and see if the infection is gone.
“And what is the use of java?”
http://www.java.com/en/download/faq/whatis_java.xml

Both Avast and aswMBR no longer detect the infection, so I believe it is gone. Thanks a lot to everyone that helped me. ;D

If you don’t need Java, just remove it.
I’ve done that long ago.

I have been an Avast user for quite some time.
For the problem mentioned, try using TDSSKiller.
It solves the problem. :smiley:

The case was already solved, if you read the topic, almost 3 months ago.