Hi all,
I’ve been trying to get rid of what I think is a rootkit with the file name mbr://physicaldrive0\partition3 for weeks now.
Originally, Avast was detecting the file as a threat, and it seemed as though my documents were hidden, but still existed on the hard drive. The computer was also running extremely slowly, and would cause problems when I tried to open Firefox.
I emailed the fine folks at Avast and ran Malwarebytes, Spybot, TDSSKiller and a couple of other scans. None of them detected the file.
Now, Avast is not detecting the file mbr://physicaldrive0\partition3, and it seems as though my files are now not only hidden but could also be deleted.
Here’s my latest scan log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-15 12:24:11
12:24:11.968 OS Version: Windows 5.1.2600 Service Pack 3
12:24:11.968 Number of processors: 1 586 0x5F02
12:24:11.968 ComputerName: CU-01 UserName:
12:24:12.250 Initialize success
12:24:13.406 AVAST engine defs: 12031300
12:24:38.625 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
12:24:38.640 Disk 0 Vendor: ST3808110AS 3.ADJ Size: 76293MB BusType: 3
12:24:38.671 Disk 0 MBR read successfully
12:24:38.671 Disk 0 MBR scan
12:24:39.125 Disk 0 Windows XP default MBR code
12:24:39.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 5004 MB offset 63
12:24:39.640 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 71280 MB offset 10249470
12:24:39.687 Disk 0 scanning sectors +156232125
12:24:40.062 Disk 0 scanning C:\WINDOWS\system32\drivers
12:24:52.328 Service scanning
12:25:06.375 Modules scanning
12:25:11.187 Disk 0 trace - called modules:
12:25:11.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:25:13.000 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85d58ab8]
12:25:13.093 3 CLASSPNP.SYS[f74c7fd7] → nt!IofCallDriver → \Device\0000006b[0x85d14910]
12:25:13.187 5 ACPI.sys[f743e620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x85da5940]
12:25:13.578 AVAST engine scan C:\WINDOWS
12:25:15.687 AVAST engine scan C:\WINDOWS\system32
12:26:47.171 AVAST engine scan C:\WINDOWS\system32\drivers
12:26:56.187 AVAST engine scan C:\Documents and Settings\Catholics
12:31:11.500 AVAST engine scan C:\Documents and Settings\All Users
12:31:39.296 Scan finished successfully
12:34:36.234 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Catholics\Desktop\MBR.dat”
12:34:36.250 The log file has been saved successfully to “C:\Documents and Settings\Catholics\Desktop\aswMBR.txt”
Any help on what to do next would be greatly appreciated! Thanks!