Help! Computer infected with mbr://physicaldrive0\partition3

Hi all,

I’ve been trying to get rid of what I think is a rootkit with the file name mbr://physicaldrive0\partition3 for weeks now.

Originally, Avast was detecting the file as a threat, and it seemed as though my documents were hidden, but still existed on the harddrive. The computer was also running extremely slow, and would cause problems when I tried to open firefox.

I emailed the fine folks at Avast and ran Malware Bytes, Spybot, TDSS Killer and a couple of other scans. None of them detected the file.

Now, avast is no dectecting the file mbr://physicaldrive0\partition3 and it seems as though my files are now not only hidden but could also be deleted.

Here’s my latest scan log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-15 12:24:11

12:24:11.968 OS Version: Windows 5.1.2600 Service Pack 3
12:24:11.968 Number of processors: 1 586 0x5F02
12:24:11.968 ComputerName: CU-01 UserName:
12:24:12.250 Initialize success
12:24:13.406 AVAST engine defs: 12031300
12:24:38.625 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
12:24:38.640 Disk 0 Vendor: ST3808110AS 3.ADJ Size: 76293MB BusType: 3
12:24:38.671 Disk 0 MBR read successfully
12:24:38.671 Disk 0 MBR scan
12:24:39.125 Disk 0 Windows XP default MBR code
12:24:39.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 5004 MB offset 63
12:24:39.640 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 71280 MB offset 10249470
12:24:39.687 Disk 0 scanning sectors +156232125
12:24:40.062 Disk 0 scanning C:\WINDOWS\system32\drivers
12:24:52.328 Service scanning
12:25:06.375 Modules scanning
12:25:11.187 Disk 0 trace - called modules:
12:25:11.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:25:13.000 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85d58ab8]
12:25:13.093 3 CLASSPNP.SYS[f74c7fd7] → nt!IofCallDriver → \Device\0000006b[0x85d14910]
12:25:13.187 5 ACPI.sys[f743e620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x85da5940]
12:25:13.578 AVAST engine scan C:\WINDOWS
12:25:15.687 AVAST engine scan C:\WINDOWS\system32
12:26:47.171 AVAST engine scan C:\WINDOWS\system32\drivers
12:26:56.187 AVAST engine scan C:\Documents and Settings\Catholics
12:31:11.500 AVAST engine scan C:\Documents and Settings\All Users
12:31:39.296 Scan finished successfully
12:34:36.234 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Catholics\Desktop\MBR.dat”
12:34:36.250 The log file has been saved successfully to “C:\Documents and Settings\Catholics\Desktop\aswMBR.txt”

Any help on what to do next would be greatly appreciated! Thanks!

Can You also attach a OTL log

http://forum.avast.com/index.php?topic=53253.0

And SpyBot S&D You Can trow out the Window…usless You have some cookies You want to Remove

I will run that scan now and do that. Thanks!

I’m unsure of where the “extras” file is, but attached to this post is the OTL file that popped up after the scan

so you have avast and McAfee installed… and also running Ad-Awarere that has a integrated Ikarus virus engine

only install one AV
when you have uninstalled, run a removal tool so all leftover files that can conflict is gone
run and reboot - Uninstallers – Security Software http://singularlabs.com/uninstallers/security-software/

OK, I removed McAfee, what tool do I have to run now? Do I still have to also remove Avast or Malware Bytes? Thanks!

What is reporting this ? As aswMBR is not showing a partition 3

Are you missing files/folders and icons ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL O3 - HKU\S-1-5-21-3406005673-2020778624-1518414639-1004\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.

:Files
ipconfig /flushdns /c
xcopy %Temp%\smtmp\1 “%AllUsersProfile%\Start Menu” /H /I /S /Y /C
xcopy %Temp%\smtmp\2 “%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch” /H /I /S /Y /C
xcopy %Temp%\smtmp\3 “%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar” /H /I /S /Y /C
xcopy %Temp%\smtmp\4 “%AllUsersProfile%\Desktop” /H /I /S /Y /C

:Commands
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

Do I still have to also remove Avast or Malware Bytes?
no...these are the one you keep ;)

Yes, my files were hidden, but Wow, Essexboy, I’m not sure what you did but once I ran the fix my files at least now appear on the desktop, but they are still “shaded” and it seems as though I’m not out of the woods yet. Thank you so far for your help! I am attaching the OTL file here. Now, on to the next step.

Once you have completed the TDSSKiller run we will get the rest of your icons back

[*] Download RogueKiller and save it on your desktop.
[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[]Wait for the end of the scan.
[
] The report has been created on the desktop.

[*]Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Noted! :smiley:

I’m attaching the TDSS report here. For some reason, it didn’t pick up anything.

OK run the RogueKiller programme now

Also what programme reported the infection ?

Here are the RKreport files. Thanks!

Ok what problems remain, RogueKiller did not see the partition either

Well now my files appear on the desktop and they are no longer “shaded” and they are able to be opened. We’re making progress!

I am going to run my computer in regular mode and shall see if things seem to run correctly.

Thank you both for your help so far! I will keep you updated.

Yep test everything out and let me know of any problems

Essexboy and Pondus thank you both so much for your help! It appears as though my computer is back to normal!

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
[] Go to this site and click Do I have Java
[
] It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: