Whistler@mbr

Discussion in 'Malware Help (A Specialist Will Reply)' started by mistermox, Mar 27, 2011.

  1. mistermox

    mistermox Private E-2

I've been hit by a Whistler, and I can't get rid of it. Please help!!

After reading this thread
    Code:
    http://forums.majorgeeks.com/showthread.php?t=233895
I joined up because I'm in grave need of help.
I'm running XP; the antivirus is Avast and Malwarebytes.

I followed the advice in the thread and downloaded:

    Welcome to MajorGeeks!

    *To detect the presence of the Whistler virus:

    Download bootkit_remover.rar
    Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    Attach or post inline here, the output log from remover.exe

After running the program and rebooting, my Avast antivirus isn't working, and I can't load any homepage from Kaspersky, Avast etc.

The log that came out said the following:
    Code:
    ##########################################################################
    #
    #  TDSS Remover detected objects log
    #  Copyright (c) 2009-2010 eSage Lab
    #
    #     http://www.esagelab.com/
    #     support@esagelab.com
    #
    #  Program Version: 1.8.0.0
    #  OS Version: Microsoft Windows XP Professional Service Pack 3, v.3264 (build 2600)
    #
    #  Computer Name: ADMIN-PC
    #
    #  Log File Date/Time: 28.03.2011/01:05:00
    #
    ##########################################################################
    
        Alert Type: Hidden Object
       Object Type: Registry Key
     Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009d0500a46
    
        Alert Type: Hidden Object
       Object Type: Registry Key
     Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    
        Alert Type: Hidden Object
       Object Type: Registry Key
     Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
    
        Alert Type: Hidden Object
       Object Type: Registry Key
     Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    
        Alert Type: Hidden Object
       Object Type: Registry Key
     Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    
        Alert Type: No Access
       Object Type: Registry Key
     Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\aswBoot.exe
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aavmker4.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aswFsBlk.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aswmon.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aswmon2.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aswRdr.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aswSnx.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aswSP.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\aswTdi.sys
    
        Alert Type: No Access
       Object Type: File
     Original Name: C:\WINDOWS\system32\drivers\sptd.sys
    
    
To do the next step I had to download MBRCheck, which I can't do because it won't load...

Uncertain of what MBRCheck is, I do have this aswMBR, which I think might cover the same ground? After a scan with that I got this log.
    Code:
    aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
    Run date: 2011-03-27 23:30:09
    -----------------------------
    01:30:09.125    OS Version: Windows 5.1.2600 Service Pack 3, v.3264
    01:30:09.125    Number of processors: 2 586 0x401
    01:30:09.125    ComputerName:  UserName: 
    01:30:09.500    Initialize success
    01:30:49.500    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    01:30:49.500    Disk 0 Vendor: Maxtor_6B160M0 BANC1BY0 Size: 156334MB BusType: 3
    01:30:49.515    Disk 0 MBR read successfully
    01:30:49.515    Disk 0 MBR scan
    01:30:49.515    Disk 0 Whistler@MBR code has been found
    01:30:49.515    Disk 0 MBR [Whistler]  **ROOTKIT**
    01:30:49.515    Disk 0 trace - called modules:
    01:30:49.515    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
    01:30:49.515    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a68aab8]
    01:30:49.515    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a6b2d98]
    01:30:49.515    Scan finished successfully
What do I DO???

    Sincerely, MisterMox
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Note that newer forms of this infection have typically required repairing the MBR using the Windows Boot CD for the respective version of Windows. Do you have your boot CD?
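An added example, not part of this thread and not MBRCheck's own code: a Python parser that reads a 512-byte MBR image, checks the 0x55AA boot signature, lists the partition table, and hashes the boot-code region against an allowlist of known-good hashes, which is the kind of comparison a "non-standard or infected MBR" verdict rests on. The sample image and the single allowlist entry are constructed here; a real allowlist would hold hashes of the clean Windows MBR code for each OS version.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440  # bootstrap code precedes the disk signature at offset 440

# Constructed stand-in for clean bootstrap code (first bytes of a typical
# Windows MBR, zero-padded). Not a real dump; only used to seed the allowlist.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")

# Placeholder allowlist of SHA-256 hashes of known-good boot code.
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR: clean boot code, one NTFS partition, 0x55AA."""
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 320_000_000)
    table = entry + bytes(16) * 3
    return CLEAN_BOOT_CODE + disk_sig + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-signature validity, boot-code hash and non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def assess(mbr: bytes) -> str:
    """Classify an MBR image the way an allowlist-based checker would."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if info["boot_code_sha256"] in KNOWN_GOOD:
        return "known-good boot code"
    return "non-standard boot code: compare against a clean MBR and review"
```

Run against a real image, the same functions take the 512 bytes read from sector 0; the allowlist is the part that needs real data.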
     
