MBR:\\.\PHYSICALDRIVE0

Hi All,

I wonder if anyone can help me… Magna86 maybe??
I’ve just unpacked an all-in-one terminal, installed .NET Framework 4, TeamViewer, and Avast.
At first scan, Avast found this MBR problem:

File Name: MBR:\\.\PHYSICALDRIVE0
Severity: High
Status: Threat: Defo@boot

No action could be applied to fix it.
Tried to do Boot scan at start up and no option was able to fix it.

Thank you in advance for your help.

Robin

https://forum.avast.com/index.php?topic=53253.0

Prior to that, please run this programme and attach the log.

Download the latest version of TDSSKiller from here and save it to your Desktop.

1. Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

2. Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

3. Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

4. Click the Start Scan button.

5. If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

6. If malicious objects are found, they will show in the Scan results and offer three (3) options.
7. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

8. Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Hi

Thank you for a prompt reply.

Attached is the log from TDSSKiller as per instructions.

Robin

Re-run TDSSKiller and when you get this select cure :

17:15:37.0635 0x121c \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - skipped by user
17:15:37.0635 0x121c \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - User select action: Skip
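As an added example (not part of this thread and not TDSSKiller's own code): a small Python parser for log lines in the shape Essexboy quotes above. It flags boot-record detections whose recorded user action was not Cure or Restore, so a helper can tell from a pasted report whether a re-run is still needed. The line format, the `\Device\Harddisk` object prefix and the sample lines are assumptions modelled on the two lines quoted in the thread.

```python
import re

# Line shape assumed from the two TDSSKiller lines quoted in this thread:
#   HH:MM:SS.mmmm 0xTID <object> ( <verdict> ) - <message>
# Objects containing spaces would not parse and are reported as None.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>0x[0-9a-fA-F]+)\s+"
    r"(?P<obj>\S+)(?:\s+\(\s*(?P<verdict>[^)]*?)\s*\))?\s+-\s+(?P<msg>.*)$"
)
ACTION_PREFIX = "User select action:"
# Only these actions rewrite the boot record; Skip and Copy to quarantine leave it in place.
FIXING_ACTIONS = {"cure", "restore"}
BOOT_OBJECT_PREFIX = r"\Device\Harddisk"  # assumed: physical-disk objects as in the thread


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def unresolved_boot_detections(log_text):
    """Return [(object, verdict, last_action)] for boot-record detections not cured/restored."""
    state = {}  # object path -> {"verdict": ..., "action": last recorded user action}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["verdict"] or not rec["obj"].startswith(BOOT_OBJECT_PREFIX):
            continue
        entry = state.setdefault(rec["obj"], {"verdict": rec["verdict"], "action": None})
        if rec["msg"].startswith(ACTION_PREFIX):
            entry["action"] = rec["msg"][len(ACTION_PREFIX):].strip()
    return [(obj, e["verdict"], e["action"]) for obj, e in state.items()
            if (e["action"] or "").lower() not in FIXING_ACTIONS]


# Constructed sample: the two quoted lines plus a second disk that was restored.
SAMPLE_LOG = r"""17:15:37.0635 0x121c \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - skipped by user
17:15:37.0635 0x121c \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - User select action: Skip
17:15:39.1021 0x121c \Device\Harddisk1\DR1 ( HEUR:Rootkit.Boot.BackBoot.gen ) - User select action: Restore
"""

if __name__ == "__main__":
    for obj, verdict, action in unresolved_boot_detections(SAMPLE_LOG):
        print(f"{obj}: {verdict} still unresolved (action: {action}); re-run and choose Cure or Restore")
```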

Hi Essexboy,

I didn’t have the choice to cure, only skip, quarantine, and maybe delete? But it wasn’t cure. This, I assume, is because a “suspicious” object was found instead of a “malicious” one.

Thank you

Robin

Select Delete and allow it to create a new MBR.

My bad!

The three options are: Skip, Copy to quarantine, and RESTORE, not Delete. Sorry.

OK, use Restore and it should replace the MBR with a backup.

Hi Essexboy,

I think your instructions worked. Thank you!!!
Both Avast and TDSSKiller scan clean now.
I attach the latest TDSSKiller log.

Thanks again,

Robin

My pleasure :)