Help! Avast detected a malware in my pc MBR:\\.\PHYSICALDRIVE0

Hi everyone!
Avast detected that I have malware in my laptop.
Since last week my computer shut itself off without warning!
Is it safe to delete MBR:\\.\PHYSICALDRIVE0 ?
Thanks,
Jared

Is it safe to delete MBR:\\.\PHYSICALDRIVE0 ?
nope..... ;D

* Download aswMBR and save it to your desktop: http://public.avast.com/~gmerek/aswMBR.exe
* Double click the aswMBR icon to run it
* Click the scan button
* Click save log and post it here in your next reply

Here’s the Log. Thanks

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 09:03:04

09:03:04.703 OS Version: Windows 5.1.2600 Service Pack 3
09:03:04.703 Number of processors: 2 586 0x170A
09:03:04.703 ComputerName: SHAYNE-5C5D0391 UserName: Administrator
09:03:05.312 Initialize success
09:03:21.031 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-e
09:03:21.031 Disk 0 Vendor: WDC_WD2500BEVT-75ZCT2 11.01A11 Size: 238475MB BusType: 3
09:03:21.031 Disk 0 MBR read error
09:03:21.031 Disk 0 MBR scan
09:03:21.031 MBR BIOS signature not found 0
09:03:21.031 Disk 0 scanning sectors +488376000
09:03:21.046 Disk 0 scanning C:\WINDOWS\system32\drivers
09:03:26.656 Service scanning
09:03:27.937 Disk 0 trace - called modules:
09:03:27.937 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88255aed]<<
09:03:27.937 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8abfaab8]
09:03:27.937 3 CLASSPNP.SYS[ba108fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-e[0x8acbad98]
09:03:27.937 Scan finished successfully

Hello Pondus,
I have posted the logs after running aswMBR.
The Avast notification keeps on popping up every time I open my laptop.
What should I do now?
Thanks,
Jared30

Hello-
I need your help on how to get rid of this MBR:\\.\PHYSICALDRIVE0 please… :-\ :-\ :-
Thanks,
Jared30

Download TDSSKiller from here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Run the TDSSKiller.exe file;

Wait until the scanning and disinfection completes. A reboot might be required after the disinfection has been completed.

Post the log please.

Thanks Left123,
I have downloaded it and I see here
Malicious objects
backdoor.win32.sinowal.knf option Cure
Suspicious objects
locked file option Skip

then click Continue?

Hi Left123,
After I clicked on “Reboot” the computer didn’t restart and I didn’t see any logs. Will it pop up automatically after disinfection is completed? I just clicked on Report, not sure if this is the log you’re looking for.

2011/04/09 07:40:11.0390 3352 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/09 07:40:11.0671 3352 ================================================================================
2011/04/09 07:40:11.0671 3352 SystemInfo:
2011/04/09 07:40:11.0671 3352
2011/04/09 07:40:11.0671 3352 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/09 07:40:11.0671 3352 Product type: Workstation
2011/04/09 07:40:11.0671 3352 ComputerName: SHAYNE
2011/04/09 07:40:11.0671 3352 UserName: Administrator
2011/04/09 07:40:11.0671 3352 Windows directory: C:\WINDOWS
2011/04/09 07:40:11.0671 3352 System windows directory: C:\WINDOWS
2011/04/09 07:40:11.0671 3352 Processor architecture: Intel x86
2011/04/09 07:40:11.0671 3352 Number of processors: 2
2011/04/09 07:40:11.0671 3352 Page size: 0x1000
2011/04/09 07:40:11.0671 3352 Boot type: Normal boot
2011/04/09 07:40:11.0671 3352 ================================================================================
2011/04/09 07:40:13.0390 3352 Initialize success

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

If a suspicious file is detected, the default action will be Skip, click on Continue. If an infected file is detected, the default action will be Cure, click on Continue.

Hi Left 123,
I have posted the report. Please see above log.
Thanks so much for helping. I’m not getting any pop ups that my pc is infected or something.
Thanks again :)

Did u installed previous of the infection some backup program?

I’m sorry but I can’t understand this. Are you asking me if I install something or if I backup something?

If u installed some program … like a backup program or something?

I only installed TDSSKiller. That’s what Left123 told me to install to get rid of the malware.

TDSSKiller does not have an installer.