Whistler Bootkit

Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  
  • Done! Press ENTER to exit...
  
  
• Or you will see more information like below if a problem is found:
  
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
  
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message.

 

Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.

Also note if you have a Dell PC which uses a non-standard MBR ( or another manufacturer's who does similar to Dell) , fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not continue but you risk serious problems leaving this infection in place and thus your only other option would be to try using the Dell Restore Utility to return a factory ship state which will remove everything you additional you have put onto the PC.


Now if you wish to continue and fix the malware - please do the following:

* Run MBRCheck.exe
* Wait until you see the following lines:
o Enter 'Y' and hit ENTER for more options, or 'N' to exit:
o Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:

* Please push the 'Y' key and then press Enter
* When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
* Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
o Enter 0 and press the Enter key.
* The program will show Available MBR codes as below

* You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
* The program will prompt for confirmation. Type 'YES' and hit Enter.
* Left click on the title bar (where program name and path is written). From menu chose Edit -> Select All
* You will see all the text in the window get highlighted.
* Hit the Enter key on your keyboard to copy all of the text into the clipboard.
* Paste that text into Notepad, save it to your desktop as MBRfix.txt
* Restart your PC.
* Attach the MBRfix.txt file to your next message..

Now please re-run MBRCheck.exe and attach that log also.

Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Do you have your OS cd? If you do, you will need to boot to it ( change the boot up order in the bios to the cd drive as first option). Then do a repair install. Let's me know.

 

I have no idea why your system has done this. You could see if you can get into your restore partition still. I don't know what the key is, but on boot up it should tell you .....f12 maybe? '
Otherwise, you will need to borrow a cd of the same version as what you had installed.

 

I am not sure, but you can try diagnostics. Are you into the bios? There should be a different key to get you into the restore partition. Is f12 the only key that you get a prompt for when you boot up? What happens if you hit F8 to try to go into safe mode?

 

Good to know. Once they arrive, you can use them to either do a complete reformat and clean install ( which you may not want to do) or a repair install that may get your MBR back.

 

Did you go into the bios and change the boot order to cd first?

 

At this point you need to post in the software forum to try to get your system back up and running.

 

I believe that since you did a repair install, your MBR file is now good. But I would like you to get me a new C:\MGLogs.zip by running the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

 

Phew.......your MBR is fixed and your logs are clean!!! Good deal!!

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!
    
    

Support MajorGeeks!

 

You are most welcome. I am just glad that you now have a Vista CD for future use and that all is back working!!

Since you still have the scanning tools>

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!
    
    

Support MajorGeeks!