
mbr infection I'd appreciate help removing




Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

I've been seeing some Java infections lately.

Go here and follow the instructions to clear your Java Cache

http://www.java.com/en/download/help/plugin_cache.xml

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


My computer recently became infected with mbr physicaldrive0 and I would appreciate help removing it. I am not sure how to run the logs I've seen on these forums but I am a quick learner. Any assistance is appreciated

I ran aswMBR and this is what I got... BTW thanks for your help

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-19 16:20:27

-----------------------------

16:20:27.961 OS Version: Windows 6.1.7600

16:20:27.961 Number of processors: 8 586 0x1A05

16:20:27.961 ComputerName: STANDARD-PC UserName: standard

16:20:30.457 Initialize success

16:20:41.237 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0

16:20:41.237 Disk 0 Vendor: Intel___ 1.0. Size: 953867MB BusType: 8

16:20:41.237 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskVolume01.0.00__#4&19feaa6c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found

16:20:41.237 Disk 0 MBR read successfully

16:20:41.252 Disk 0 MBR scan

16:20:41.252 Disk 0 TDL4@MBR code has been found

16:20:41.252 Disk 0 MBR hidden

16:20:41.252 Disk 0 MBR [TDL4] **ROOTKIT**

16:20:41.252 Disk 0 trace - called modules:

16:20:41.252 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8761d439]<<

16:20:41.252 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x875fc580]

16:20:41.268 3 CLASSPNP.SYS[8bbb959e] -> nt!IofCallDriver -> [0x86ad22b8]

16:20:41.268 \Driver\iaStorV[0x87600cc0] -> IRP_MJ_CREATE -> 0x8761d439

16:20:41.268 Scan finished successfully


Happy to help

FIX

Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix for TDL4 button or the FIXMBR for Whistler button, as appropriate.


Save the log as before and post in your next reply

Followed your instructions. Here is the log

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-19 16:32:24

-----------------------------

16:32:24.072 OS Version: Windows 6.1.7600

16:32:24.072 Number of processors: 8 586 0x1A05

16:32:24.072 ComputerName: STANDARD-PC UserName: standard

16:32:26.614 Initialize success

16:32:28.393 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0

16:32:28.408 Disk 0 Vendor: Intel___ 1.0. Size: 953867MB BusType: 8

16:32:28.408 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskVolume01.0.00__#4&19feaa6c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found

16:32:28.408 Disk 0 MBR read successfully

16:32:28.408 Disk 0 MBR scan

16:32:28.408 Disk 0 TDL4@MBR code has been found

16:32:28.408 Disk 0 MBR hidden

16:32:28.408 Disk 0 MBR [TDL4] **ROOTKIT**

16:32:28.408 Disk 0 trace - called modules:

16:32:28.424 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8761d439]<<

16:32:28.424 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x875fc580]

16:32:28.424 3 CLASSPNP.SYS[8bbb959e] -> nt!IofCallDriver -> [0x86ad22b8]

16:32:28.424 \Driver\iaStorV[0x87600cc0] -> IRP_MJ_CREATE -> 0x8761d439

16:32:28.424 Scan finished successfully

16:32:31.466 Disk 0 fixing MBR

16:32:41.918 Disk 0 MBR restored successfully

16:32:41.918 Infection fixed successfully - please reboot ASAP

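The two aswMBR logs above report three things: boot code in the MBR that does not belong there ("TDL4@MBR code has been found"), a disk-stack dispatch entry pointing at an address that lives in no loaded module (">>UNKNOWN [0x8761d439]<<" on \Driver\iaStorV IRP_MJ_CREATE), and a repair that rewrites the boot sector ("Disk 0 fixing MBR / MBR restored successfully"). The script below is an added example, not aswMBR's code and not something from the thread; it does each of those checks by hand on constructed in-memory data so it runs offline. The sector contents, boot-code bytes, module image ranges and hash are all made up for the example (the 0x8761d439 address is the one from the log, everything else is invented); none of it is real TDL4 code or a real kernel layout.

```python
"""Added example (not from the thread, not aswMBR's code): the three checks the
aswMBR logs report, done by hand on constructed in-memory data.

  1. Parse a 512-byte MBR and compare its boot code to a known-good hash.
  2. Flag a driver dispatch entry whose target lies in no loaded module.
  3. Rebuild a clean sector from reference boot code plus the current
     partition table (what an MBR "fix" amounts to).

All sector contents, module ranges and addresses below are constructed for
the example; none are real TDL4 bytes or a real kernel layout.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"       # bytes 510..511
# status, 3 CHS-start bytes (skipped), type, 3 CHS-end bytes (skipped),
# LBA start, sector count; all little-endian
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and partition table; reject malformed sectors."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # partition type 0 means an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, reference_boot_hash: str) -> dict:
    """Step 1: does the boot code differ from the hash recorded on a clean system?
    A replaced boot code with an untouched partition table is the pattern to look for."""
    info = parse_mbr(sector)
    info["boot_code_modified"] = info["boot_code_sha256"] != reference_boot_hash
    return info


def find_unknown_targets(modules: dict, dispatch: dict) -> dict:
    """Step 2: dispatch entries whose address falls outside every module image.

    modules:  {name: (image_base, image_size)}
    dispatch: {"IRP_MJ_CREATE": address, ...}
    """
    return {irp: addr for irp, addr in dispatch.items()
            if not any(base <= addr < base + size for base, size in modules.values())}


def rebuild_mbr(current: bytes, reference_boot_code: bytes) -> bytes:
    """Step 3: clean boot code + the current partition table + signature."""
    if len(reference_boot_code) > BOOT_CODE_LEN:
        raise ValueError("reference boot code too long")
    parse_mbr(current)  # refuse to 'fix' a sector we cannot even parse
    fixed = bytearray(SECTOR_SIZE)
    fixed[:len(reference_boot_code)] = reference_boot_code
    fixed[PART_TABLE_OFF:510] = current[PART_TABLE_OFF:510]
    fixed[510:512] = SIGNATURE
    return bytes(fixed)


# ---- constructed sample data (not real disk contents) -----------------------
def _build_mbr(boot_code: bytes) -> bytes:
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # one bootable NTFS (type 0x07) partition at LBA 2048, 1,000,000 sectors
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)

CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64  # placeholder loader bytes
ROGUE_BOOT_CODE = b"\xeb\x20" + b"\xcc" * 64                        # placeholder, not TDL4
CLEAN_MBR = _build_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = _build_mbr(ROGUE_BOOT_CODE)      # same partition table, new boot code
CLEAN_BOOT_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

SAMPLE_MODULES = {                      # invented image ranges
    "ntkrnlpa.exe": (0x82800000, 0x00400000),
    "CLASSPNP.SYS": (0x8bbb0000, 0x00020000),
    "iaStorV.sys":  (0x8b200000, 0x00080000),
}
SAMPLE_DISPATCH = {                     # one hooked entry (address from the log), one legitimate
    "IRP_MJ_CREATE": 0x8761d439,
    "IRP_MJ_READ":   0x8b212340,
}

if __name__ == "__main__":
    before = check_mbr(TAMPERED_MBR, CLEAN_BOOT_HASH)
    print("boot code modified:", before["boot_code_modified"], before["partitions"])
    print("unknown dispatch targets:", find_unknown_targets(SAMPLE_MODULES, SAMPLE_DISPATCH))
    fixed = rebuild_mbr(TAMPERED_MBR, CLEAN_BOOT_CODE)
    print("after rebuild, modified:", check_mbr(fixed, CLEAN_BOOT_HASH)["boot_code_modified"])
```

To run step 1 against a real disk you would read the first 512 bytes of `\\.\PhysicalDrive0` (as Administrator) and use a reference hash recorded from a known-clean install of the same Windows version. The caveat the log's "MBR hidden" line points at: a rootkit that hooks the disk stack can answer that read with a clean-looking sector, so a result of "not modified" from inside the running OS proves little; repeat the read from boot media or another machine before trusting it. Step 3 only rebuilds the sector in memory; writing it back is a separate, deliberate action.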

Reboot if you haven't and run a new MalwareBytes scan.

If you don't already have MBAM:

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Then click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".



Ran Malwarebytes (please note that it was not detecting the MBR infection before. It was coming up as a suspicious file in Avast but it wouldn't get rid of it)

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6107

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

3/19/2011 5:03:26 PM

mbam-log-2011-03-19 (17-03-26).txt

Scan type: Full scan (C:\|)

Objects scanned: 258372

Time elapsed: 23 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Good job

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • WOT, Web of Trust - As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    Green to go

    Yellow for caution

    Red to stop

    WOT has an add-on available for both Firefox and IE.

  • JAVA - Click this link and click on the Free JAVA Download.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
