Infected with MBR:\\.\PHYSICALDRIVE0 Need help, thanks!

Hi
I have got a virus named MBR:\.\PHYSICALDRIVE0 - high- threat:hurri
I tried to move it to the chest in Avast and got the message: Error: The request is not supported. When I tried to delete it with "postpone to the next reboot", after rebooting I got the message: Error: "it is not implemented".
I read some other similar posts about this, downloaded aswMBR and ran it in safe mode.
This is what came up:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-09-11 16:38:16

16:38:16.531 OS Version: Windows 5.1.2600 Service Pack 2
16:38:16.531 Number of processors: 1 586 0x605
16:38:16.546 ComputerName: FASTER UserName: Faster
16:38:17.046 Initialize success
16:38:18.312 AVAST engine defs: 13091100
16:38:24.640 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-e
16:38:24.656 Disk 0 Vendor: WDC_WD5000AAKX-00ERMA0 15.01H15 Size: 476938MB BusType: 3
16:38:24.750 Disk 0 MBR read successfully
16:38:24.765 Disk 0 MBR scan
16:38:25.203 Disk 0 Hurri
16:38:25.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 29996 MB offset 63
16:38:25.562 Disk 0 Partition - 00 0F Extended LBA 446933 MB offset 61432560
16:38:25.593 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 149997 MB offset 61432623
16:38:25.625 Disk 0 Partition - 00 05 Extended 149997 MB offset 368627490
16:38:25.671 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 149997 MB offset 368627553
16:38:25.718 Disk 0 Partition - 00 05 Extended

When I pressed fixMBR (the only choice available) I got the message:
Warning
Writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible.
This application writes standard Windows MBR code.
Are you sure you want to fix the MBR?

I ran tdsskiller.exe; the log it returned said "no threats found".
I ran mbam-setup-1.75.0.1300.exe; it did not delete the virus.

I would be really glad if you could help me.
Thanks in advance.

Follow the instructions here and attach the logs (do not copy and paste): http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, malware specialists will be notified and will check the logs.
When finished, all tools used will be removed.

Thanks a lot for your fast reply.

AdwCleaner says “pending. please uncheck elements you do not want to remove”.

If you are unsure, just save the log and the removal experts will take care of it.

Monitoring

thank you for your help

Here is the log from AdwCleaner.

@marwa

Follow the instructions precisely. Nowhere were you told to run AdwCleaner four times.
Attach the AdwCleaner[R0].txt log here.

I’ll need the logs from Malwarebytes (only one scan), aswMBR and OTL. Attach them here.

I am sorry for that.
Attached 3 logs.

Ok. Your rootkit-based malware works at the level of the master boot record, which loads before Windows.

aswMBR is a lightweight AntiRootkit tool, therefore I would like to use a much more powerful AntiRootkit tool in order to obtain more information about your MBR-based rootkit.
When I have the whole view, we will carry on with full malware removal.

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named.

Double-click to run GMER.

  • Wait for the initial scan to finish; if there is any query, click No;
  • Click the Scan button and wait until the full scan is complete;
  • Click Save … and save the report to the Desktop (named Gmer1);

  • Right-click anywhere in GMER’s window and select Options > 3rd party, then click the Scan button;
  • Please wait until the full scan is complete;
  • Click the Save … button and save the report to the Desktop (named Gmer2);
Note: the scan for the Gmer2 log may take some time.

  • Click the >>> and select the Autostart tab;
  • After the quick scan, click the Copy button;
  • Open Notepad and paste the text. Save the report to the Desktop (named Gmer3).

Attach all Gmer log reports here (Gmer1, Gmer2 and Gmer3).

Here come the logs from GMER.

On the third step (autostart),

the picture had frozen for about an hour without any progress,

so I copied and pasted it, and I haven’t exited the program yet.

Thank you for all the help.

Here you have multiple infections. Your system is seriously infected.
Let’s start the cleansing operation.

  1. Please download ComboFix from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program.
    If you are unsure how to do this please read this or this instruction.

Instructions on how to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open avast! User Interface.
  • In the window that opens, in the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
  • Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning.

  3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart the computer once more.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
    Attach the log report (ComboFix.txt) back to the topic.

Here it is.

  1. Disable your AntiVirus!

  2. Open Notepad and copy/paste the text present inside the code box below:

KillAll::
Mbr::
Reboot::
Folder::
c:\program files\GUM8B.tmp
DirLook::
C:\sh4ldr
c:\documents and settings\Faster\Local Settings\Application Data\cald3
c:\documents and settings\Faster\Application Data\cald3
ClearJavaCache::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run.
Don’t touch your PC while ComboFix is working…
When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

----- next -----

Please re-run aswMBR and post me the freshly created aswMBR.txt log report.

I followed all the steps; unfortunately ComboFix was unable to run the scan, just a frozen window without any progress.
I attached the log from aswMBR.

On your Desktop you should have the MBR dump file:
C:\Documents and Settings\Faster\Desktop\MBR.dat
If it is not there, then re-run aswMBR and it will be created.

Please zip/rar it with the password “virus” and upload the file here:
http://www.wikisend.com
Please post me the download link.

----- next -----

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

----- Rootkit Removal -----

Step#1

Please download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

  • Press Start Scan

  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


Step#2

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

  • Unzip/unrar MBAR into a folder on your Desktop
  • Open the folder where the contents were unzipped and run mbar.exe

  • Click on Next > then on the Update button to download fresh definitions.
  • When the database has updated, click Next
  • In the following window ensure the “Targets” Drivers, Sectors and System are ticked. Then select the “Scan” button

  • If an infection/s are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

  • The cleanup procedure will be scheduled for processing.
  • When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

----- next -----

In your next reply please attach here:

  • MBR.dat download link
  • FRST and Attach reports
  • TDSSKiller log
  • system and mbar logs

THANKS FOR ALL THE HELP

MBR.dat download link without password
http://wikisend.com/download/379620/aswMBR.rar

FRST and reports Attached

TDSSKiller said no threats found

system and mbar logs attached

@ marwa

You have attached the aswMBR.txt log report, not the MBR.dat file.

Please re-try uploading that file to me again. I need to examine that file because your MBR might be a new kind of malware.

When you upload MBR.dat and post here download link, then just re-run Combofix. If CF wants to be updated or to install Recovery Console, allow it.

Do you understand this?

“عبد الرحمن & محمود”
“مروة”

What does it say?

edit:
You do not have to answer, it’s legit. :slight_smile:

Just please attach the freshly created ComboFix.txt and MBR.dat so I can analyze that file.

Sorry, I didn’t notice the extension.

marwa = مروة
عبد الرحمن & محمود are my sons’ names

http://wikisend.com/download/251258/MBR.rar
Here comes the log from CF

Ok, I got it. You may edit your post and remove the download link if you wish.
This is just a dump of the MBR, not malware by itself, but hey… just in case. :slight_smile:

The thing is that the master boot record (MBR) does not belong to the Windows operating system.
Something has made changes to it. That something may be legit software, but in your case it is some malicious software.

avast flags this as “Hurri” but this is a rootkit known as “MBR.Malmo” and it’s malicious. So we will fix your MBR and set it back to the default Windows code.
If some malware is using the MBR as a shield from me and my tools to hide its loading point, or the MBR by itself delivers a malicious payload to the system, then fixMBR will do the trick.

FixMBR from the Recovery Console

When we ran ComboFix earlier, CF installed the Windows Recovery Console. We are going to use that now.

  1. Reboot your machine and when the Boot Menu flashes up, select “Microsoft Windows Recovery Console”
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the Windows XP bootup)


http://fotkica.com/thumbs3/1_tmb_153239505_RC_BootMenu.jpg


http://fotkica.com/thumbs3/1_tmb_459718526_2RConsole_A.jpg

  2. When you get to the above screen, take note of the number that references your operating system.
    If it’s ‘1’ like the picture above, type 1 and press Enter


http://fotkica.com/thumbs3/1_tmb_62688892_3RConsole_Fixmbr.jpg

  3. Next type FIXMBR


http://fotkica.com/thumbs3/1_tmb_72587141_4RConsole_FixmbrB.jpg

It will ask you “if you’re sure you want to write a new MBR”; answer ‘Y’

Then type EXIT to reboot the machine.

And that’s it. :slight_smile:

----- next -----

Re-check:

Re-run the aswMBR tool and post me here the freshly created aswMBR.txt log report.

----- next -----

CFScript for Combofix

Open Notepad and copy/paste the text present inside the code box below:

Folder::
c:\windows\865537E164904193A4B6669C62711852.TMP
c:\program files\GUM8B.tmp

DirLook::
c:\documents and settings\Faster\Local Settings\Application Data\cald3
c:\documents and settings\Faster\Application Data\cald3
c:\documents and settings\Faster\Local Settings\Application Data\Temp
c:\program files\Common Files\xing shared

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

DDS::
uStart Page = about:blank

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{51d565ca-4dbd-499a-9118-fed2a54f7558}]

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).
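The aswMBR partition listing in the first post and the MBR.dat dump the helper asked for describe the same 512-byte sector. As an added example (not code from the thread or from any tool mentioned in it), this Python decodes a raw MBR the way a responder would inspect MBR.dat offline: it checks the 0x55AA signature, lists the four partition entries in the same bootable/type/offset/size columns aswMBR prints, hashes the 446-byte boot code so it can be compared with a known-good image, and applies a heuristic (presence of the stock Windows MBR error strings) that is only a hint, not proof. The two sample sectors and their partition values are constructed to mirror the layout in the log.

```python
import hashlib
import struct

SECTOR = 512
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0F: "Extended LBA"}
# Strings the stock Windows MBR code carries; their absence is a hint, not proof.
STOCK_STRINGS = (b"Invalid partition table", b"Missing operating system")

def parse_mbr(sector: bytes) -> dict:
    """Decode a raw 512-byte MBR (e.g. an MBR.dat dump) into code hash + partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:446]
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown"),
                      "offset": lba, "size_mb": count * SECTOR // (1024 * 1024)})
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "looks_stock": all(s in boot_code for s in STOCK_STRINGS),
            "partitions": parts}

def build_sector(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and (status, type, lba, count) tuples (test data only)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(446, b"\x00") + table + b"\x55\xaa"

# Constructed partition table mirroring the aswMBR log: bootable NTFS at LBA 63
# (~29996 MB), followed by an Extended LBA container (446933 MB).
TABLE = [(0x80, 0x07, 63, 61432497), (0x00, 0x0F, 61432560, 915318784)]
# Constructed "stock-like" boot code: carries the error strings a normal MBR has.
STOCK_CODE = b"\xfa\x33\xc0" + b"\x90" * 40 + b"\x00".join(STOCK_STRINGS)
STOCK_SECTOR = build_sector(STOCK_CODE, TABLE)
# Constructed "overwritten" boot code: same partitions, but the code was replaced.
PATCHED_SECTOR = build_sector(b"\xeb\xfe" + b"\x90" * 300, TABLE)

if __name__ == "__main__":
    for label, sec in (("stock", STOCK_SECTOR), ("patched", PATCHED_SECTOR)):
        r = parse_mbr(sec)
        print(label, "looks_stock:", r["looks_stock"], "sha256:", r["boot_code_sha256"][:16])
        for p in r["partitions"]:
            print(f"  Partition {p['index']} {'80' if p['bootable'] else '00'} "
                  f"{p['type']:02X} {p['name']} {p['size_mb']} MB offset {p['offset']}")
```

A boot-code hash that differs from a trusted reference image, or a partition table whose entries do not match what the disk tools report, is the kind of discrepancy that justifies rewriting the MBR as the helper describes.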