Infected with MBR:\\.\PHYSICALDRIVE0



#1 Nadianna

  • Members
  • 13 posts

Posted 30 March 2012 - 04:37 AM

I seem to have picked up a very nasty rootkit from (stupidly) clicking on a random Google image search link. I tried running an Avast antivirus scan, which worked until it found something called MBR:\\.\PHYSICALDRIVE0. I couldn't try to delete it because the Avast scan froze and crashed immediately after finding it.

Googling leads me to believe it's some sort of rootkit, is that right? I'm now getting tons of critical errors ("Drive sector not found") and repeated system errors ("A Write command during the test has failed to complete", etc) and another error that just says "Seek Error- Sector not found". I am completely unable to access my Task Manager, my Start menu is empty, and now most of my desktop has disappeared. I haven't been able to access Avast since that first time, either.

I added this because I don't know if they're related, but a popup called S.M.A.R.T. Repair, which Avast still manages to block from connecting to a malicious website, has been popping up since this happened. If this is a separate problem I'll handle it after, since I know topics are supposed to be for one thing at a time.

I haven't attempted anything else besides the failed Avast scan, since I don't know what to do. I'm running Windows Vista 64-bit, which has Avast and Malwarebytes installed (I can access neither). I would be so grateful if anyone could help me fix this.


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 March 2012 - 09:00 AM

Boot the PC in Safe Mode with Networking.

Click on the Start menu, type cmd, right-click on it and select Run as administrator.

If your Task Manager is disabled, copy and run this command:

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

Press ENTER.

If your desktop is blank and you are unable to right-click on it, run this command:

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /f


Restart your PC in Safe Mode with Networking.


Press the Windows+R keys, type %temp% and click OK.

If you find a folder called SMTMP, copy the folder to a safe location.

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan.

Click on Show Results. Select all infections and remove them.

Reboot the PC and scan with MBAM once in regular mode until you get a clean log.


Download

TDSSKiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on Scan. Please post the log report (the log file should be in your C drive).

Download

http://www.bleepingcomputer.com/download/anti-virus/unhide

Run the Unhide tool, which should restore the hidden files.

Good luck.

Edited by narenxp, 30 March 2012 - 09:01 AM.
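The registry and SMTMP steps in the post above, as an added PowerShell example that is not part of narenxp's post or any of the tools named: it removes the same two per-user policy values (DisableTaskMgr and NoDesktop) only when they exist, reporting the "key or value absent" case instead of stopping on an error, and then copies %TEMP%\SMTMP to a timestamped backup folder under the user profile. The backup destination is an assumption; any safe location works. Run it from an elevated PowerShell in the affected user's session, since both keys live under HKCU.

```powershell
# Added example (not from the thread): undo the two HKCU policy values the
# advisor's reg delete commands target, then back up %TEMP%\SMTMP.
# Run elevated, in Safe Mode with Networking, logged in as the affected user.

$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop' }
)

foreach ($p in $policies) {
    if (-not (Test-Path $p.Key)) {
        # Same situation as reg.exe's "unable to find the specified registry key or value":
        # the policy was never set for this user, so there is nothing to undo.
        Write-Output ("{0}\{1}: key absent, nothing to remove" -f $p.Key, $p.Name)
        continue
    }
    # Returns $null (no error) when the key exists but the value does not.
    $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($item) {
        Write-Output ("{0}\{1} = {2}: removing" -f $p.Key, $p.Name, $item.($p.Name))
        Remove-ItemProperty -Path $p.Key -Name $p.Name
    } else {
        Write-Output ("{0}\{1}: value absent, nothing to remove" -f $p.Key, $p.Name)
    }
}

# Preserve %TEMP%\SMTMP before any cleaner runs, as the advisor asks.
$smtmp  = Join-Path $env:TEMP 'SMTMP'
# Assumed destination: a timestamped folder in the user profile; adjust as needed.
$backup = Join-Path $env:USERPROFILE ('SMTMP-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

if (Test-Path $smtmp) {
    Copy-Item -Path $smtmp -Destination $backup -Recurse -Force
    # -Force so hidden entries are counted too; exclude directories from the count.
    $files = Get-ChildItem -Path $backup -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    Write-Output ("Copied SMTMP to {0} ({1} files)" -f $backup, @($files).Count)
} else {
    Write-Output ("No SMTMP folder under {0}" -f $env:TEMP)
}
```

Both policy values are per-user, so a second user account on the same machine would need the same check in its own session; the script only touches the registry hive of whoever runs it.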


#3 Nadianna
  • Topic Starter

  • Members
  • 13 posts

Posted 30 March 2012 - 09:20 AM

I got to the second step (copy/pasting the second command, regarding the desktop issue) and got an error: "ERROR: the system was unable to find the specified registry key or value." Should I continue on?

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 31 March 2012 - 01:14 PM

Yes please.

#5 Nadianna
  • Topic Starter

  • Members
  • 13 posts

Posted 03 April 2012 - 11:33 PM

Okay, I followed the other steps. I installed and ran Malwarebytes and deleted the four things it found. It now returns a clean log when I run it.

I also used TDSS, but it doesn't find anything and returns a blank log no matter how many times I try it.

I ran the Unhide tool with no problems; my desktop has returned, but only the left side of my Start menu is visible (the part where it has Computer, Control Panel, Devices & Printers, etc. is still blank).

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 05 April 2012 - 04:50 AM

Download

FixTDSS

Launch it. It may ask for a restart; reboot the PC.

On reboot, click on the Repair option.

Now run TDSSKiller and post the log.

Regarding the Start menu issue:

Right-click on your Start menu and select Properties.

Check mark:

Store and display recently opened programs
Store and display recently opened items

Click on Customize.

Click on Use Default Settings at the bottom.

Click OK and Apply; your Start menu programs may be empty.


Press the Windows+R keys, type %temp% and click OK.

If you find a folder called SMTMP, copy the folder to a safe location.

Let me know how it went.

Good luck.

Edited by narenxp, 05 April 2012 - 04:52 AM.
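An added PowerShell example, not the Unhide tool's or FixTDSS's own code, for the hidden-files step in post #2 and the Start menu and SMTMP steps in the post above: it clears the Hidden attribute, which is the effect the Unhide tool has, on the current user's Desktop and Start Menu and on the all-users Start Menu under %ProgramData%, and then lists the shortcuts still sitting in %TEMP%\SMTMP so they can be compared with what reappears in the Start menu. The three folder paths are assumptions about where the missing items lived, and that SMTMP holds moved shortcuts is an assumption as well.

```powershell
# Added example (not the Unhide tool's code): clear only the Hidden attribute
# under the folders that make up the desktop and Start menu, then report the
# shortcuts still held in %TEMP%\SMTMP for comparison. Run elevated so the
# all-users Start Menu under %ProgramData% can be modified.

# Assumed locations of the items that vanished; adjust for your profile.
$targets = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
)

foreach ($dir in $targets) {
    if (-not (Test-Path $dir)) {
        Write-Output ("{0}: not found, skipped" -f $dir)
        continue
    }
    # -Force is required; without it Get-ChildItem silently skips hidden entries.
    $hidden = Get-ChildItem -Path $dir -Recurse -Force |
              Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($entry in $hidden) {
        # Clear Hidden only; ReadOnly, System and the rest are left untouched.
        $entry.Attributes = $entry.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
        Write-Output ("unhid: {0}" -f $entry.FullName)
    }
    Write-Output ("{0}: {1} hidden entries cleared" -f $dir, @($hidden).Count)
}

# Whatever is still in SMTMP after the cleaners ran is what to compare against
# the restored Start menu (assumption: SMTMP holds shortcuts moved out of the profile).
$smtmp = Join-Path $env:TEMP 'SMTMP'
if (Test-Path $smtmp) {
    Write-Output ("Shortcuts still in {0}:" -f $smtmp)
    Get-ChildItem -Path $smtmp -Recurse -Force -Include *.lnk |
        ForEach-Object { Write-Output ("  " + $_.FullName.Substring($smtmp.Length + 1)) }
} else {
    Write-Output ("No SMTMP folder under {0}" -f $env:TEMP)
}
```

Clearing Hidden is safe to repeat; a second run reports zero entries for each folder. Anything the script lists from SMTMP but that does not appear in the Start menu afterwards was not merely hidden but moved, which is why the advisor asks for the folder to be preserved before the scanners run.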
