Just like the person in this topic, a friend of mine got a message from Avast about an infection stating that his notebook's MBR had been tampered with, and that Avast couldn't remove the infection. So he brought his machine to me.
'mbr:\\.\physicaldrive0 rootkit: hidden boot sector' was the search term that brought me here.
I tried to fix it with:
- Clamwin portable ->no direct related infection found, a couple of others though
- HiJackThis ->no infection found
- GMER ->no infection found
- mbr ->error reading MBR
- catchme ->no disk found, detected NTDLL code modification(?)
- MBRCheck ->infection found, repair offered, but no fix
- ComboFix ->no infection found
- F-Secure Blacklight ->didn't run
Also, on the same machine, when trying to boot from CD (testing with all the bootable CDs I have) the result is a BSOD stating that acpi.sys is involved. Maybe related? I would have preferred working from a bootable CD, on the assumption that the chances of catching the peskiest ones might be better. I had to resort to safe mode.
I understand if you prefer to work case by case and hence off-the-shelf solutions wouldn't be your way. My friend and I live some distance apart and I can't have his machine at my place all the time, and it's no longer here, so I won't be able to easily give you further details fast. I'm writing anyway, first just in case my (perhaps partial or unfinished) solution would be of help to somebody else, and second just in case the problem should come back, so I might be better prepared. Not to mention the prevailing boot problem, of course. Otherwise the machine seemed to work fine.
The notebook is an HP Pavilion model dv6-2116eo running Win 7 Home 64-bit. It remains a mystery how and even when the infection occurred. ClamWin's finds 'Trojan.Redbrowser' and 'Trojan.Agent-25576' don't seem to be related, or could they be?
TIA for any feedback