Avast WEBforum
Other => Viruses and worms => Topic started by: bigneil on May 06, 2011, 04:15:42 PM
-
Hi
Seems I've got a whistler@mbr virus.
Have read down some of the threads in this forum but still have the problem. It's being picked up by the avast antivirus.
So far, I've run Malwarebytes Anti-Malware, no joy.
I've also downloaded OTS and have the log (saved as ANSI) attached.
Tried also to run MBRCheck.exe; it ran and produced a log but didn't seem to give me the options indicated in the thread I read as it ran, i.e. to enter physical disk numbers etc. Log also attached.
This is the first time I've entered a forum for help like this, so sorry if I seem a little wobbly on things.
Would appreciate any help pls?
Many thanks in advance.
bigneil
-
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)
On completion of the scan click save log, save it to your desktop and post in your next reply
-
Hi, many thanks for getting back to me so promptly. Will try this.
Thanks once again.
N
-
Hi Again
Downloaded aswMBR.exe and ran it as advised. Pls see attached the log it generated.
Thanks and hope to hear from you soon.
N
-
17:36:25.515 Disk 2 Whistler@MBR code has been found
17:36:25.515 Disk 2 MBR hidden
17:36:25.515 Disk 2 MBR [Whistler] **ROOTKIT**
* scan again, click "FIX MBR" and reboot
* after reboot, scan again and click "SAVE LOG" post that log
-
Hi
Just rescanned and run "FIX MBR".
Rebooted, scanned again and attached new log as advised.
Hoping this shows some good news.
Thanks once again.
N
-
I have PM'd Essexboy so he will have a check on this ;)
-
Hi
OK, many thanks. Will wait to hear from you.
Speak soon, I hope.
N
-
Hi, you have been using infected USB drives by the look of it. I will clear the mountpoints and close some ports.
Download the attached fix.txt to your desktop
Start OTS. Click the Run Fix button.
A dialogue will open asking for the location of the fix.txt.
Locate the file you downloaded to your desktop
Click run fix again
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
-
Files, no company name:
sysprs7.dll -> I:\WINDOWS\System32\sysprs7.dll -> [2008/11/29 20:24:37 | 000,001,025 | ---- | C] ()
lsprst7.dll -> I:\WINDOWS\System32\lsprst7.dll -> [2008/11/29 20:24:37 | 000,000,205 | ---- | C] ()
What about those...? Just curious. :)
-
This is what I have gleaned:
"These files are directly related to our new SPSS/Clementine licensing scheme. When an SPSS or Clementine data file is opened the internal license manager will search for a valid license and set these files accordingly. [It] will first attempt to write these files to the \windows\system32 directory. If the user doesn't have permission to write there, [it then] writes them to the directory where the data files reside. [...] Our development is looking to see if this can be handled in a more elegant way in the future."
And that's why it doesn't occur with administrative privileges, since those convey write access to system directories.
-
Hi Essexboy.
The pc didn't seem to like that.
Downloaded the fix.txt file to desktop and ran OTS, located the fix.txt file from my desktop and ran fix again.
As I clicked the Run Fix icon, all the icons I have on my desktop vanished (but it has left the wallpaper OK) and the 'green progress bar' (immediately above the OTS 'additional scans' section) seemed to dance left and right for about 20 seconds (hope you can picture what I mean).
The progress bar did eventually go '100% completed' after about 40 secs; still no icons on my desktop and there's no box appeared saying 'OK', so of course there's no log file.
Can you help with a next move? I can still move my mouse cursor and the OTS menu window is still showing (with the run scan, quick scan, paste fix here bits etc. etc., [Run Fix button is greyed out]).
I'm writing this message from my laptop.
Should I reboot?
Thanks
N. [and p.s. yes, just come back off hols and my son has popped around to do some work for his CV on the PC during the Easter hols ...... using a USB drive!! (he's been informed)]
-
When OTS runs and has a cleartemps instruction it will close all running processes, including explorer. This is to ensure it gets everything in the first run. As for the time taken - the more junk in your temporary files, the longer it will take to run.
All that should be left in the fix box is [cleartemps]. If after about 10 minutes or so it has not rebooted, then Ctrl-Alt-Delete and stop OTS from running via Task Manager. Then reboot.
-
Hi
Thanks for getting back and also for clarifying what had happened....
So, log file appeared after reboot - pls find attached.
Thanks - much appreciated.
N
-
Please make sure the file is saved with ANSI encoding.
Open in Notepad, click "File" -> "Save As".
-
oops!! sorry.
here we go.
Thanks
N
-
Okay, thanks.
Need to have essexboy look at it - but as a tendency, I'd say it's looking good.
Please be patient until essexboy answers here.
-
Hi
Yes, will do - got plenty of patience!! Appreciate all your help and assistance.
Thanks
N
-
Total Files Cleaned = 202.00 mb
a little more free space ;D
What problems do you have at the moment ?
-
Hi
Hey, that's really cool!!
Not sure if I have any problems now (apart from wife, kids, mortgage, undervalued, overworked..... you know!!).
Still got my fingers crossed... Is the problem really fixed?
Do I need to re-run an avast scan to check? (Not that I ever doubted you guys.)
Can i say PHEW!! yet??
N
-
Yep, let's say phew ;D
OK, a final check for orphans.
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
I can start to feel a big PHEW coming up... will run the Malwarebytes straight away and get back to you.
Many thanks.
N
-
Hi
Well, I'm smilin'; pls find below the copied and pasted log.
No infections reported as being found (even I can tell that's good news)... so PHHEEWWW!!! and a million thanks.
I don't know how you guys do this, but mucho respect, and your efforts are very very much appreciated. Well done and thanks once again.
Hoping that's the end of malware for a while.
Rgds
N
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6521
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
06/05/2011 22:13:04
mbam-log-2011-05-06 (22-13-04).txt
Scan type: Quick scan
Objects scanned: 162685
Time elapsed: 8 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
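As an added example (not part of any post in this thread), a small parser for the two log formats quoted above: the aswMBR lines that flag a disk's MBR as **ROOTKIT**, and the MBAM summary counts, with a check that every "Infected" category reports zero. The sample input is constructed from the lines quoted in the thread; the function names are my own.

```python
import re

# Constructed sample: the three aswMBR lines quoted earlier in the thread.
ASWMBR_LOG = """\
17:36:25.515 Disk 2 Whistler@MBR code has been found
17:36:25.515 Disk 2 MBR hidden
17:36:25.515 Disk 2 MBR [Whistler] **ROOTKIT**
"""

# Constructed sample: the summary section of the MBAM log posted above.
MBAM_LOG = """\
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

# aswMBR line layout as seen in the thread: "HH:MM:SS.mmm Disk N <message>"
ASWMBR_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) Disk (\d+) (.*)$")
# MBAM summary line: "<Category> Infected: <count>"; header lines with no count do not match.
MBAM_COUNT_RE = re.compile(r"^([A-Za-z ]+) Infected: (\d+)$")

def aswmbr_rootkit_disks(text):
    """Return the set of disk numbers whose MBR aswMBR marked **ROOTKIT**."""
    disks = set()
    for line in text.splitlines():
        m = ASWMBR_RE.match(line.strip())
        if m and "**ROOTKIT**" in m.group(3):
            disks.add(int(m.group(2)))
    return disks

def mbam_infected_counts(text):
    """Parse the 'X Infected: N' summary lines of an MBAM log into {category: count}."""
    counts = {}
    for line in text.splitlines():
        m = MBAM_COUNT_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts

def mbam_is_clean(text):
    """True only when at least one summary category is present and all report zero."""
    counts = mbam_infected_counts(text)
    return bool(counts) and all(n == 0 for n in counts.values())

if __name__ == "__main__":
    print("aswMBR rootkit disks:", aswmbr_rootkit_disks(ASWMBR_LOG))  # {2}
    print("MBAM scan clean:", mbam_is_clean(MBAM_LOG))  # True
```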
-
Perfect.
Your PHEW was well spent. ;D
Run OTS a final time and hit the Clean Up button to remove OTS from your PC.
I hope essexboy won't be mad at my interfering here... 8) but I doubt he will.
Finally, please go to your first post, click modify in upper right of that post and add [SOLVED] in front of the thread title. Thank you.
Happy & safe surfin'
Zyndstoff
-
Saves my limited typing skills ;D
-
Hi Guys. Done as requested.
Once again, a million thanks - I don't know how you guys do it, but I'm well impressed. Also, it's reassuring there are guys like you out there to help.
Cheers.
N
-
Our pleasure ;D