Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2

Hi,

I have got a virus on my computer which I can't remove. The name is MBR:\\.\PHYSICALDRIVE0\Partition2, and when I try to move it to the chest or delete it in Avast I get the message: Error: The request is not supported (50). I have tried to read in this forum to get help with the problems and tried some of the tips, but it won't help. For your information, I have problems running Combofix, TDSSkiller and aswMBR, which you refer to in solving the problems. Though I managed to get a log from TDSSkiller yesterday (when I hadn't already run all the other programs and fixes I tried after that, which seem to have caused some problems). I have started to follow the steps in the topic https://forum.avast.com/index.php?topic=53253.0 and I attach the two logs I got from OTL.

I would be really glad if you could help me as soon as you can. I will be on stand-by the whole evening today, waiting for your answers, and will reply to you immediately after the answers.

Thank you in advance!

Best regards, Jonas

I tried the step with burning gparted-live-0.10.0-3.iso like in the topic http://forum.avast.com/index.php?topic=96419.0, as I have the same problem with a second partition that is 10 MB.

But I am not able to burn it from another computer, so I burned it from the same computer that has the virus. The step after I burnt it is “Now boot off of the newly created Gparted CD.” I don't really know what you mean by that, but I tried to reboot the computer with the burned CD in the CD drive and nothing happened.

I am posting the screenshot here from when I ran diskmgmt.msc.

Hopefully there should be a malware removal specialist to help you soon.

OK, the first thing we need to do is ensure that the computer is set to boot from CD. Also, with ImgBurn, did you select “Write image file to disc”?

Note: If you do not know how to set your computer to boot from CD, follow the steps here.

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here… Press ENTER

https://dl.dropbox.com/u/73555776/Gpart-Start.GIF

By default, “do not touch keymap” is highlighted.

https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

https://dl.dropbox.com/u/73555776/Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF

According to your logs, the partition that you want to delete is 10 MB

Right-click this partition and select Delete.

https://dl.dropbox.com/u/73555776/GPart-delete.GIF

The partition has gone.

Now select Apply

Now you should be here:

https://dl.dropbox.com/u/73555776/Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

https://dl.dropbox.com/u/73555776/GPart-flags.GIF

In the menu that pops up, place a checkmark in “boot” like the picture below, then close:

https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF

Under File select Quit

https://dl.dropbox.com/u/73555776/Gpart-quit.GIF

You will see this small Popup

https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF

Choose reboot and then press OK.

Thanks a lot for helping me out, but I need further assistance…

I burnt the file from the other thread, which I linked to in my other post, named gparted-live-0.13.0-1.iso, and selected “write ISO file”. Then I followed your steps to boot from disc, which I also managed. Then I rebooted and reached the first picture you had for the Gparted application. I pressed ENTER (Gparted Live (Default settings)) and then a lot of commands in white on a black background followed. After some screens full of letters it froze, and the last sentences were:
“INIT: Version 2.88 booting”
“[info] makefile-style concurrent boot in runlevel S”

Have I done anything wrong here? How can you help me further?

OK give me a bit and I will flash it up on my VM to see if I can replicate it

OK, I will be waiting for your answer. I'm totally stuck here.

It may be a little while as essexboy will be at work now (almost 10:30am in the UK now).

I am unable to replicate it… The indications are that it is a corrupt burn. Could you reburn the Gparted disc, but on a separate computer, please?

I tried to burn it again on the same computer, but this time I chose “disc at once”. I tried the new disc, but it stopped at the same place again when I tried to use Gparted. I got a warning message some lines above the frozen screen that says:

Begin: Running /scripts/init-premount…done.
Begin: Mounting root file system… Begin: Running /scripts/live-premount…
[4.486534] aufs: module is from the staging directory, the quality is unknown, you have beend warned.

I don't know if that will help you.

I don't know if I will be able to burn the program from another computer today, but I will do my best. Are you sure that it will help? Should there be a problem burning it from my computer, as you see it?

Yes, the malware can disrupt the burn to CD, causing this problem, so a separate system would help.

Now I have tried to burn Gparted from another computer, but I still got the same result. The screen freezes at the same point as before when I try to boot from the disc. What could I do now? Do you have any suggestions?

Yep, I have a new tool.

Please download the following tool

Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

https://dl.dropbox.com/u/73555776/listparts.GIF

Also, could you re-run TDSSKiller, please?

Here is the result from Listparts…

I tried to download and re-run TDSSkiller, but it won't work. The only time it worked was before I had run Combofix, aswMBR and another program. None of these programs work for me, nor does TDSSkiller. I don't know if that has anything to do with my Avast. With Combofix I read that I should disable my Avast antivirus shield, and so I did, but I didn't quit the program totally.

Well, Listparts is not reporting a problem.

Do you have the Combofix log? If so, could you attach it?

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

[QUOTE]Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
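The kind of check MBRCheck performs, reduced to a small script as an added example (not part of this thread and not MBRCheck's own code): it parses a 512-byte MBR, hashes the boot code, verifies the 0x55AA signature, and flags a bootable partition that is suspiciously small, like the 10 MB one in this case. The sample MBR is constructed, and the byte range MBRCheck hashes (assumed here to be the 440 bytes of boot code) is an assumption.

```python
import hashlib
import struct

# SHA1 that MBRCheck printed for the faked MBR code in this thread. Assumption:
# it is the hash of the 440 boot-code bytes that precede the partition table.
FAKED_MBR_SHA1 = "da38b874b7713d1b51cbc449f4ef809b0dec644a"

def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR: boot-code SHA1, 0x55AA signature, partition table."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "size_mb": sectors * 512 // (1024 * 1024)})
    return {"valid_signature": mbr[510:512] == b"\x55\xaa",
            "boot_code_sha1": hashlib.sha1(mbr[:440]).hexdigest(),
            "partitions": parts}

def assess(mbr: bytes, small_limit_mb: int = 16) -> list:
    """Findings a helper would look for: bad signature, known-faked boot code, no boot flag, tiny bootable partition."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha1"] == FAKED_MBR_SHA1:
        findings.append("boot code SHA1 matches the faked MBR reported in this thread")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if not bootable:
        findings.append("no partition carries the boot flag")
    for p in bootable:
        if p["size_mb"] <= small_limit_mb:
            findings.append(f"bootable partition {p['index']} is only {p['size_mb']} MB")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample, not a real dump: a ~465 GB NTFS partition plus a 10 MB bootable partition."""
    def entry(status, ptype, lba, sectors):
        return struct.pack("<B3xB3xII", status, ptype, lba, sectors)
    mbr = bytearray(512)
    mbr[:440] = b"\x90" * 440                              # filler, not real boot code
    mbr[446:462] = entry(0x00, 0x07, 2048, 975_000_000)    # OS partition, not bootable
    mbr[462:478] = entry(0x80, 0x07, 975_002_048, 20480)   # 10 MB, marked bootable
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)
```

Running `assess(build_sample_mbr())` on the constructed sample reports only the 10 MB bootable partition; a real dump would be read from `\\.\PhysicalDrive0` with administrator rights.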

Here comes the log from MBRcheck…

I tried to run Combofix again, but it seems like it won't work. I ran it for 10 hours (it says it should take 10 minutes) and it was still running and the screen hadn't frozen yet, but I guessed something was wrong anyway because it had run for so long, so I quit the process.

      Size  Device Name          MBR Status
  --------------------------------------------
    465 GB  \\.\PhysicalDrive0   MBR Code Faked!
              SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Run MBRCheck.exe once again.

You will be presented with the following dialog:

[QUOTE]Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Enter Y and press Enter.

The following dialog will be presented:

[QUOTE]Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
[/quote]
Enter 2 and press Enter.

The following dialog will be presented:

[QUOTE]Enter the physical disk number to fix (0-99, -1 to cancel):
[/quote]
Enter >>0<< and press Enter.

The following dialog will be presented:

Enter >>1<< and press Enter.

The following dialog will be presented:

[QUOTE]Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue:
[/quote]
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code!

And last the following dialog will be presented:

[QUOTE]Done! Press ENTER to exit…
[/quote]
Press Enter. A report will be produced on the desktop. Post that report in your next reply.

Here comes the new MBR report.

Thanks for all the help! I really appreciate it!

OK, let's now see if we can get Combofix to run.

First download a fresh copy, but rename it to Gotcha, and then run it.

Download ComboFix from one of the following locations:
Link 1
Link 2

I downloaded a new Combofix from the link you gave me and tried to run it, but it froze after approx. 15 minutes. I disabled the Avast antivirus program before I ran it and didn't have any other program open.

My computer is totally bugged by the virus I have. Nothing works as it should: the computer is slow, all my files are hidden, I get a message from Avast that I am being attacked by dangerous malware every couple of minutes, I can't open almost any of my documents, and when I try to click on links from, for example, a Google search I am forwarded to another address with strange and inappropriate material, and so on…