disk 0 master boot record virus and mbr: \\.\physicaldrive0

Hello

I have a rootkit popup coming on, asking for a reboot, and after the reboot “MBR://./PHYSICALDRIVE0” still appears again and prompts for a reboot immediately to remove the rootkit, which avast! won't delete later.
In the boot-time scan, the disk 0 master boot record virus is shown at the very beginning of the scan but it won't show the options to delete it or to move it to the chest (no options shown); it rather continues to scan other files.

I use avast! Internet Security along with Malwarebytes (updated regularly). I have posted the scan result of Malwarebytes also.

I read other similar posts about this and downloaded OTS.exe and aswMBR.exe;
I have posted the scan results of both below.

(The virus is sort of taming Mozilla Firefox: I can’t log in to Gmail, it shows the password as incorrect and sometimes redirects to a troubleshooting page which tells how to fix the cookies problem. Now I’m using Chrome.)

Need advice on what to do, please.

Thanks

aswMBR.txt

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-07 22:48:23

22:48:23.453 OS Version: Windows 5.1.2600 Service Pack 3
22:48:23.453 Number of processors: 2 586 0x403
22:48:23.453 ComputerName: MAHESHWARI UserName:
22:48:23.796 Initialize success
22:48:35.968 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-e
22:48:35.968 Disk 0 Vendor: ST3808110AS 3.AAD Size: 76319MB BusType: 3
22:48:37.968 Disk 0 MBR read successfully
22:48:37.968 Disk 0 MBR scan
22:48:39.968 Disk 0 scanning sectors +156280320
22:48:40.000 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
22:48:40.000 Disk 0 PE file @ sector 156280345 !
22:48:40.000 Disk 0 scanning C:\WINDOWS\system32\drivers
22:48:44.000 Service scanning
22:48:44.859 Disk 0 trace - called modules:
22:48:44.875 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:48:44.875 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86775ab8]
22:48:44.875 3 CLASSPNP.SYS[f7650fd7] → nt!IofCallDriver → \Device\00000074[0x867acec0]
22:48:44.875 5 ACPI.sys[f74c7620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-e[0x86770d98]
22:48:44.875 Scan finished successfully
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-07 23:11:30

23:11:30.750 OS Version: Windows 5.1.2600 Service Pack 3
23:11:30.750 Number of processors: 2 586 0x403
23:11:30.750 ComputerName: MAHESHWARI UserName:
23:11:30.937 Initialize success
23:11:49.328 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-e
23:11:49.328 Disk 0 Vendor: ST3808110AS 3.AAD Size: 76319MB BusType: 3
23:11:51.328 Disk 0 MBR read successfully
23:11:51.328 Disk 0 MBR scan
23:11:53.328 Disk 0 scanning sectors +156280320
23:11:53.343 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
23:11:53.343 Disk 0 PE file @ sector 156280345 !
23:11:53.343 Disk 0 scanning C:\WINDOWS\system32\drivers
23:11:57.031 Service scanning
23:11:57.890 Disk 0 trace - called modules:
23:11:57.906 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:11:57.906 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86775ab8]
23:11:57.906 3 CLASSPNP.SYS[f7650fd7] → nt!IofCallDriver → \Device\00000074[0x867acec0]
23:11:57.906 5 ACPI.sys[f74c7620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-e[0x86770d98]
23:11:57.906 Scan finished successfully
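The aswMBR log above reads the MBR, scans it, and then flags code at sector 156280323, which is past the partitioned area if the reported 76319 MB (taken here as MiB) is converted to 512-byte sectors. The following added example, which is not code from this thread or from aswMBR, parses a 512-byte MBR's partition table, checks the 0x55AA boot signature, and computes the unpartitioned tail of the disk so that a defender can tell whether a sector flagged by a scanner lies in space that no partition claims. The MBR bytes are constructed; the disk size and flagged sector are the values from the log.

```python
"""Parse a 512-byte MBR and audit its partition layout (added example)."""
import struct

SECTOR = 512
MBR_SIG = 0x55AA
PART_TABLE_OFFSET = 446   # four 16-byte entries live at bytes 446..509
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3BB3BII"  # status, CHS start, type, CHS end, LBA start, sector count

# Values from the aswMBR log above: 76319 MB disk, malicious code at this sector.
DISK_SECTORS = 76319 * 1024 * 1024 // SECTOR   # 156_301_312 sectors
FLAGGED_SECTOR = 156_280_323


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-signature check and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from(">H", mbr, 510)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        fields = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        status, ptype, lba_start, lba_count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0 and lba_count == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start": lba_start,
            "end": lba_start + lba_count - 1,
        })
    return {"signature_ok": sig == MBR_SIG, "partitions": partitions}


def audit_layout(mbr: bytes, disk_sectors: int) -> dict:
    """Check the table for inconsistencies and compute the unclaimed tail region."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    parts = sorted(info["partitions"], key=lambda p: p["start"])
    for a, b in zip(parts, parts[1:]):
        if b["start"] <= a["end"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    for p in parts:
        if p["end"] >= disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition is flagged active")
    last_end = max((p["end"] for p in parts), default=0)
    tail_start = last_end + 1
    tail_count = max(0, disk_sectors - tail_start)
    return {"partitions": parts, "findings": findings,
            "unpartitioned_tail": (tail_start, tail_count)}


def sector_in_tail(sector: int, layout: dict) -> bool:
    """True if a sector lies in the space after the last partition."""
    start, count = layout["unpartitioned_tail"]
    return start <= sector < start + count


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (read-only; needs administrator rights on Windows)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed MBR: one active NTFS partition starting at LBA 63, ending short of the disk."""
    mbr = bytearray(SECTOR)
    entry = struct.pack(PART_ENTRY_FMT, 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 156_200_000)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_LEN] = entry
    struct.pack_into(">H", mbr, 510, MBR_SIG)
    return bytes(mbr)


if __name__ == "__main__":
    layout = audit_layout(build_sample_mbr(), DISK_SECTORS)
    print("partitions:", layout["partitions"])
    print("findings:", layout["findings"] or "none")
    print("unpartitioned tail (start, sectors):", layout["unpartitioned_tail"])
    print(f"sector {FLAGGED_SECTOR} in unpartitioned tail:", sector_in_tail(FLAGGED_SECTOR, layout))
```

With the constructed table the flagged sector falls in the tail after the last partition, which is the kind of location a scanner report should prompt an analyst to look at; a clean table with a flagged sector inside a partition would instead point at the file system on that partition.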

Hi there, let's stop these alerts, shall we? ;D

Re-Run aswMBR

Click Scan

On completion of the scan

Click the FIXMBR Button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrwhistler-1.gif

Save the log as before and post in your next reply

THEN

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Please refer to OTS.txt, which is attached.

mbam-log-2011-04-08.txt

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6302

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/8/2011 12:20:05 AM
mbam-log-2011-04-08 (00-20-05).txt

Scan type: Full scan (C:|D:|E:|F:|G:|J:|)
Objects scanned: 250128
Time elapsed: 37 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Did you re-run aswMBR and press the FIXMBR button and reboot?

If so, are you still getting the alerts?

Checking the OTS log now

I notice in your Host file that paypal is being redirected to

ISP: VPS SERVICES
DOMAIN: GAME.HUB.MY
Is this correct, as I am about to reset your HOSTS file?

Let me know before I post the fix please


00:28:37.625 OS Version: Windows 5.1.2600 Service Pack 3
00:28:37.625 Number of processors: 2 586 0x403
00:28:37.625 ComputerName: MAHESHWARI UserName:
00:28:37.734 Initialize success
00:28:40.453 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-e
00:28:40.453 Disk 0 Vendor: ST3808110AS 3.AAD Size: 76319MB BusType: 3
00:28:42.453 Disk 0 MBR read successfully
00:28:42.453 Disk 0 MBR scan
00:28:44.468 Disk 0 scanning sectors +156280320
00:28:44.484 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
00:28:44.484 Disk 0 PE file @ sector 156280345 !
00:28:44.484 Disk 0 scanning C:\WINDOWS\system32\drivers
00:28:48.484 Service scanning
00:28:49.515 Disk 0 trace - called modules:
00:28:49.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:28:49.515 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86775ab8]
00:28:49.515 3 CLASSPNP.SYS[f7650fd7] → nt!IofCallDriver → \Device\00000074[0x867acec0]
00:28:49.515 5 ACPI.sys[f74c7620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-e[0x86770d98]
00:28:49.515 Scan finished successfully
00:29:05.750 Disk 0 Windows 501 MBR fixed successfully

Oh yes, I did.
I have attached the latest OTS.txt, please check it.

I never use PayPal, I have never made any transactions on my computer, I don’t have that privilege. I’m still a student.

Google is my home page,
and I didn’t get exactly what you are trying to say about the HOSTS file.

See here for what a HOSTS file is.
http://www.mvps.org/winhelp2002/hosts.htm
(and you may want to go to profile, account related settings and hide your e-mail address from public.)

What the import of that is: every time you put paypal in the address bar of your browser you will get redirected to that site… I will clear it along with the AVG/Norton drivers left behind.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Driver Services - Safe List]
YY -> (Avgfwfd) AVG network filter service [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\avgfwdx.sys
YY -> (Avgfwdx) Avgfwdx [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\avgfwdx.sys
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> ${URL_SEARCHPAGE}
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\] > -> 
YN -> HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\: Main\\"Search Page" -> ${URL_SEARCHPAGE}
YN -> HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\: Main\\"Start Page" -> http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZRxdm799YYIN&ptb=1er2NixDstrHMMyGHHkSTw
YN -> HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\: "ProxyOverride" -> 127.0.0.1;*.local
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\0cuetjsl.default\prefs.js
YN -> keyword.URL -> "http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZRxdm799YYIN&ptb=1er2NixDstrHMMyGHHkSTw&ind=2011021408&ptnrS=ZRxdm799YYIN&si=&n=77ddc060&psa=&st=kwd&searchfor="
< FireFox SearchPlugins [User Folders] > -> 
YY ->  mywebsearch.xml -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0cuetjsl.default\searchplugins\mywebsearch.xml
< HOSTS File > ([2010/04/14 20:30:24 | 000,000,738 | ---- | M] - 19 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> Reg Error: Key error. [AVG Safe Search]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\] > -> HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\] > -> HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{4248FE82-7FCB-46AC-B270-339F08212110}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CCF151D8-D089-449F-A5A4-D9909053F20F}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  qwqewr -> C:\Documents and Settings\Administrator\Desktop\qwqewr
NY ->  Symantec Shared -> C:\Program Files\Common Files\Symantec Shared
NY ->  Norton -> C:\Documents and Settings\All Users\Application Data\Norton
NY ->  NortonInstaller -> C:\Documents and Settings\All Users\Application Data\NortonInstaller
[Files - No Company Name]
NY ->  man8.exe -> C:\WINDOWS\System32\man8.exe
[File - Lop Check]
NY ->  PriceGong -> C:\Documents and Settings\Administrator\Application Data\PriceGong
NY ->  avg9 -> C:\Documents and Settings\All Users\Application Data\avg9
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ClearAllRestorePoints]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.
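The HOSTS-file point above (a well-known domain mapped to an address that is not the local machine) is easy to check before resetting the file. The following added example, not code from this thread or from OTS, parses a HOSTS file the way Windows reads it (address, then one or more names, `#` comments) and reports every name mapped to a non-loopback address, marking the ones on a watchlist of commonly targeted domains. The HOSTS content is constructed; the only redirect it reproduces from the thread is a paypal entry, and the address used for it is a documentation placeholder, not the one from the user's machine.

```python
"""Audit a Windows HOSTS file for redirects away from the local machine (added example)."""
import ipaddress

# Addresses that only block or null-route a name; mapping a domain to these is harmless.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watchlist of domains that hijacked HOSTS files commonly target.
WATCHLIST = ("paypal.com", "google.com", "malwarebytes.org", "avast.com",
             "microsoft.com", "windowsupdate.com", "mozilla.org")

# Constructed sample; 203.0.113.7 is a TEST-NET-3 placeholder address.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net   # blocklist-style entry, harmless
0.0.0.0         tracker.example      # null-routed, harmless
203.0.113.7     paypal.com           # redirect to a remote host
203.0.113.7     www.paypal.com
"""


def parse_hosts(text: str) -> list:
    """Return (line_number, address, hostname) for every name in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # not a valid address; Windows ignores the line too
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(name: str, watchlist=WATCHLIST) -> bool:
    """True if the name is a watchlisted domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def audit_hosts(text: str, watchlist=WATCHLIST) -> list:
    """List every name mapped somewhere other than the local machine."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr in LOCAL_ADDRS:
            continue
        findings.append({"line": lineno, "host": name, "addr": addr,
                         "watched": is_watched(name, watchlist)})
    return findings


def audit_hosts_file(path: str = r"C:\WINDOWS\system32\drivers\etc\hosts") -> list:
    """Run the audit against a HOSTS file on disk (path from the OTS log above)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = "WATCHLIST" if f["watched"] else "review"
        print(f"line {f['line']}: {f['host']} -> {f['addr']} [{flag}]")
```

Loopback and null-route entries are skipped because ad-blocking HOSTS lists legitimately contain thousands of them; what the OTS "Reset Hosts" step removes is the remainder, and the audit shows which of those entries would have sent a well-known domain to a remote host.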

Actually, after finishing it asked for a reboot and I clicked OK to reboot the PC.

All Processes Killed
[Driver Services - Safe List]
Service Avgfwfd stopped successfully!
Service Avgfwfd deleted successfully!
C:\WINDOWS\system32\drivers\avgfwdx.sys moved successfully.
Service Avgfwdx stopped successfully!
Service Avgfwdx deleted successfully!
File C:\WINDOWS\system32\drivers\avgfwdx.sys not found.
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry value HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride deleted successfully.
Prefs.js: “http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZRxdm799YYIN&ptb=1er2NixDstrHMMyGHHkSTw&ind=2011021408&ptnrS=ZRxdm799YYIN&si=&n=77ddc060&psa=&st=kwd&searchfor=” removed from keyword.URL
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0cuetjsl.default\searchplugins\mywebsearch.xml moved successfully.
HOSTS file reset successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{4248FE82-7FCB-46AC-B270-339F08212110} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{4248FE82-7FCB-46AC-B270-339F08212110}\ not found.
Registry value HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{CCF151D8-D089-449F-A5A4-D9909053F20F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{CCF151D8-D089-449F-A5A4-D9909053F20F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1417001333-436374069-1547161642-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
[Files/Folders - Created Within 30 Days]
C:\Documents and Settings\Administrator\Desktop\qwqewr\psp\MP_ROOT\100MNV01 folder moved successfully.
C:\Documents and Settings\Administrator\Desktop\qwqewr\psp\MP_ROOT folder moved successfully.
C:\Documents and Settings\Administrator\Desktop\qwqewr\psp folder moved successfully.
C:\Documents and Settings\Administrator\Desktop\qwqewr folder moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\VirusDefs-2.5-E\newdefs-trigger folder moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\VirusDefs-2.5-E folder moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData folder moved successfully.
C:\Program Files\Common Files\Symantec Shared folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Norton{086A63F0-6B13-4F29-9695-134E7A01E963} folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Norton folder moved successfully.
C:\Documents and Settings\All Users\Application Data\NortonInstaller\Logs\2011-03-09-17h03m42s folder moved successfully.
C:\Documents and Settings\All Users\Application Data\NortonInstaller\Logs\2011-03-09-17h02m04s folder moved successfully.
C:\Documents and Settings\All Users\Application Data\NortonInstaller\Logs folder moved successfully.
C:\Documents and Settings\All Users\Application Data\NortonInstaller folder moved successfully.
[Files - No Company Name]
C:\WINDOWS\System32\man8.exe moved successfully.
[File - Lop Check]
C:\Documents and Settings\Administrator\Application Data\PriceGong\Data folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\PriceGong folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Log folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 2311401 bytes
->Temporary Internet Files folder emptied: 64883939 bytes
->Java cache emptied: 546879 bytes
->FireFox cache emptied: 301339761 bytes
->Google Chrome cache emptied: 104970443 bytes
->Flash cache emptied: 180509 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 7206132 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 422784 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 77998618 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 210446 bytes

Total Files Cleaned = 534.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

Restorepoints cleared and new OTS Restore Point set!
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 04082011_012352

Files\Folders moved on Reboot…
File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

What problems remain?

:)
Even after constantly cleaning the temporary files with TuneUp Utilities 2009 and CCleaner,
these programs couldn’t clean 534.00 MB; that’s some great work you just did!!!

Is my PC free from the disk 0 master boot record virus and mbr: \\.\physicaldrive0 threats now?

That is an inactive sector now and of no great import. So is it running OK?

Use this instead of CC, it goes a lot deeper. Made by the same author ;D

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

[*] Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Well, it looks all right for the moment. I should appreciate you for the fast and constant help provided by you, that’s a great thing. 8)

There is one thing that boggles my mind: the number of processes in my Task Manager. A lot of unknown processes eat up memory.

As I work on animation-heavy files, it makes my PC temperature rise, but at the time of the brand new OS installation I was working for 18 hours or so.
So now I have to stop my work for a few hours.

Is there any way to kill unwanted processes permanently, or could you get me some solution?
I will be very thankful if you could help.

Follow the suggestions on BlackViper's site http://www.blackviper.com/2008/05/19/black-vipers-windows-xp-x86-32-bit-service-pack-3-service-configurations/ and use the safe configuration.