whistler black internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by frankpost, Dec 11, 2010.

  1. frankpost

    frankpost Private E-2

    Hello
    For a couple of days now NOD32 (Smart Security 4) has been telling me my PC is infected. I get the message:
    object:
    MBR sector of the 1. physical disk
    threat:
    win32/mebroot.EZ trojan

    I first did a clean install of windows (quick format)

    When using MBRCheck it tells me physical disk nr 1 is infected with the Black Internet / Whistler trojan.

    The infected disk is NOT the same physical disk which my OS is installed on, and no infected files are listed when doing a virus scan on the 2 partitions of nr 1 physical disk.

    I already replaced the MBR of the disk by using MBRCheck and replacing it with a default Windows 7 MBR.
    I also tried ComboFix and Malwarebytes' Anti-Malware, but nothing seems to solve the problem.


    I attached the MBRCheck log, ComboFix log and OTL log.

    Can anybody please help me solve this?
    Thank you!

    regards
    Frank Post
    Last edited: Dec 11, 2010
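    Added example, not from this thread or from MBRCheck: a Python sketch of the kind of check an MBR verification tool performs, parsing a 512-byte master boot record, validating the 0x55AA signature and partition table, and comparing the boot-code bytes against a set of known-good hashes. The sample sectors and the "known-good" hash are constructed inline for the demonstration and are not real Windows 7 boot code.

    ```python
    import hashlib
    import struct

    SECTOR_SIZE = 512
    PART_TABLE_OFFSET = 446  # four 16-byte entries follow; boot signature sits at 510-511
    CODE_LEN = 440           # boot code region hashed; the 4-byte disk signature follows it

    def build_mbr(bootcode: bytes, entries) -> bytes:
        """Assemble a 512-byte MBR for the constructed samples below (CHS fields left zero)."""
        sector = bytearray(bootcode.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET])
        for status, ptype, lba, count in entries:
            sector += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        sector += b"\x00" * (SECTOR_SIZE - 2 - len(sector)) + b"\x55\xAA"
        return bytes(sector)

    def parse_mbr(sector: bytes) -> dict:
        """Split an MBR into its boot-code hash, non-empty partition entries and signature flag."""
        parts = []
        for i in range(4):
            status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
            if ptype:
                parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
        return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
                "partitions": parts, "signature_ok": sector[510:] == b"\x55\xAA"}

    def check_mbr(sector: bytes, known_good: set) -> list:
        """Return findings a defender would act on; an empty list means the sector looks stock."""
        info = parse_mbr(sector)
        findings = []
        if not info["signature_ok"]:
            findings.append("missing 0x55AA boot signature")
        if info["code_sha256"] not in known_good:
            findings.append("boot code does not match any known-good MBR")
        spans = sorted((p["lba"], p["lba"] + p["sectors"]) for p in info["partitions"])
        if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
            findings.append("overlapping partition entries")
        return findings

    # Constructed samples: a stand-in loader, and the same sector with its first bytes altered,
    # which is the kind of difference a hash comparison against a stock MBR surfaces.
    CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 100
    ALTERED_CODE = bytes([0xEB, 0x40]) + CLEAN_CODE[2:]
    PARTS = [(0x80, 0x07, 2048, 204800)]  # one bootable NTFS (type 0x07) partition
    CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
    ALTERED_MBR = build_mbr(ALTERED_CODE, PARTS)
    KNOWN_GOOD = {hashlib.sha256(CLEAN_MBR[:CODE_LEN]).hexdigest()}  # constructed, not a real Windows hash

    if __name__ == "__main__":
        for name, mbr in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
            print(name, check_mbr(mbr, KNOWN_GOOD) or ["ok"])
    ```

    On a real system the 512 bytes would be read from the physical disk (for example from `\\.\PhysicalDrive1`) and the known-good set filled with hashes of stock boot code for the installed Windows version.
    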
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also I need to ask some questions:
    1. Do you have any drives that have a non-Windows installation on them?
    2. Are all drives NTFS formatted?
    3. Do you have any non-standard or special MBRs, which can occur from companies like Dell or HP who frequently install additional partitions used for recovery in lieu of giving CD/DVDs?
    4. Is any program like Grub (see: http://www.gnu.org/software/grub/ ) being used?
    5. Is drive encryption being used?
    6. Are any external USB pen drives or external hard drives being used?
    7. VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
     
  3. frankpost

    frankpost Private E-2

    Hello Kestrel13,
    First of all thank you for your quick response!

    the answers:

    1. No, nothing other than Win7, installed on physical drive 0 (C:\)
    2. All drives are NTFS formatted
    3. No other non-standard MBR is used/installed (it's a custom-installed 'desktop' PC)
    4. Never used/installed Grub
    5. No drive encryption is used
    6. A USB portable HDD is used occasionally, but not by default (the usual 'USB-stick usage')
    7. Got the data backed up. (Does data on physical drives other than the infected one also need to be backed up?)

    If you need any other info, please ask.

    thanks
    regards
    Frank
     
    Last edited: Dec 11, 2010
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download bootkit_remover.rar

    Click the underlined DOWNLOAD text to download the file and save it to your Desktop
    You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip. After extracting remover.exe to your Desktop:

    • Click Start, Run and copy and paste the below into the Run box and click OK.
    • Now reboot your PC and after reboot continue with the below instructions.
    • Now go to this MGTools and download MGtools.exe.
    • Run MGTools.exe as per the instructions in the Read and Run me first.

    Then attach the below logs:

    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. frankpost

    frankpost Private E-2

    I ran remover.exe as you stated, unfortunately I get the following error:

    ATA_Write(): DeviceIoControl() ERROR 1
    ERROR: Can't write first sector of the disk.

    I also tried to run it in Safe Mode, same error.

    I attached the bootkit remover log.

    regards
    Frank
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try again


    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe
     
  7. frankpost

    frankpost Private E-2

    Here you go.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's the wrong log. I don't know if it ran correctly or not, but here is an example of what I should be seeing in the log:

    Either screenshot it or attach that log if you can.
     
  9. frankpost

    frankpost Private E-2

    Sorry.

    Here you go again:

     
  10. frankpost

    frankpost Private E-2

    Also did the check on the infected drive, resulting in:
    regards
    Frank
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Click Start, Run and copy and paste the below into the Run box and click OK.

    • Now run MGTools as previously instructed.

    Then attach the below logs:

    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. frankpost

    frankpost Private E-2

    I managed to fix it (well.. it looks like it) with mbrfix (Sysint).

    Remover returned the write error, but for some reason mbrfix did work (first cleaned the MBR, and then created a new one).

    Nonetheless, thank you for your time, much appreciated!!!

    regards
    Frank
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're more than welcome. Do you wish to run MGTools just so I can check for any remaining malware?
     