Avast WEBforum

Other => Viruses and worms => Topic started by: epicelite on January 19, 2011, 08:19:52 PM

Title: Black Internet?
Post by: epicelite on January 19, 2011, 08:19:52 PM

Avast found something called "whistler@mbr [Rtk]
Google search says it is "Black Internet" and causes pop ups and sound to turn off and junk like that, though I never had any of those things happen. :|

Anyway, Avast didn't say it could deleted it or anything(Action and Result were blank), but when I did a second boot-time scan it didn't pick it up. So is it gone?

PS: Saw this when turning my puter' off and, maybe its nothing but. I can't read Chinese so?

(http://i201.photobucket.com/albums/aa52/lolercoptor/wat-3.png)

Title: Re: Black Internet?
Post by: Pondus on January 19, 2011, 08:25:11 PM

Quote

Anyway, Avast didn't say it could deleted it or anything(Action and Result were blank), but when I did a second boot-time scan it didn't pick it up. So is it gone?

have you looked in the virus chest, anything there ?

Title: Re: Black Internet?
Post by: epicelite on January 19, 2011, 08:34:05 PM

No, where would I find that?

Title: Re: Black Internet?
Post by: Pondus on January 19, 2011, 08:36:12 PM

open avast > maintenance (lower left )> virus chest

Title: Re: Black Internet?
Post by: epicelite on January 19, 2011, 08:40:49 PM

There is "A0048368.exe" and "WDUMP.exe" in there.

Title: Re: Black Internet?
Post by: Pondus on January 19, 2011, 08:46:54 PM

does the time and date match the incident you mentioned above ?

Title: Re: Black Internet?
Post by: epicelite on January 19, 2011, 08:50:07 PM

Nope.

Title: Re: Black Internet?
Post by: Pondus on January 19, 2011, 09:02:50 PM

i will ask Essexboy to have a look when he arrives



check your computer for malware with this
run a quick scan and post the log

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
always update the program so you have lates database before you scan
click the remove selected button to quarantine any infections found

Title: Re: Black Internet?
Post by: essexboy on January 19, 2011, 09:45:00 PM

Hi lets get rid of it for you

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

• Be sure to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260)
  
• Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
• A window similar to this should open on your desktop:

(http://i677.photobucket.com/albums/vv132/RPMcMurphy_album_photos/mbrcheck.png)

• If you are prompted with options, enter N at the prompt and press Enter[/i]
  
• Press Enter[/i] again
  
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop.  Please post the contents of that file.

.

THEN

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Attach all logs to your next reply

Title: Re: Black Internet?
Post by: epicelite on January 19, 2011, 11:50:53 PM

Ok, if you see "******" I was just covering up my name. :P

Title: Re: Black Internet?
Post by: essexboy on January 19, 2011, 11:54:23 PM

Could I have the mbrcheck log as that is the most important one

Title: Re: Black Internet?
Post by: epicelite on January 20, 2011, 12:04:45 AM

Added.

Title: Re: Black Internet?
Post by: essexboy on January 20, 2011, 09:15:19 PM

Confirmed whistler

• Run MBRCheck.exe
• Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
• Please push the 'Y' key and then press Enter
• When program ask you Enter your choice: enter 2 and press the Enter key
  
• Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  
• Enter 0 and press the Enter key.
  
• The program will show Available MBR codes:, followed by a list of operating systems.  Please enter [ 1] Windows XP, and then press Enter.
  
• The program will prompt for confirmation.  Type YES and press Enter (Must type the full word, YES). You will be informed if successfully wrote a new MBR code!
  
• A text file will be saved to your desktop
• Paste that report into your next post
• Restart your PC.

Title: Re: Black Internet?
Post by: epicelite on January 21, 2011, 12:25:01 AM

Here you go.

Title: Re: Black Internet?
Post by: essexboy on January 21, 2011, 08:02:52 PM

What problems now remain ?

Title: Re: Black Internet?
Post by: epicelite on January 21, 2011, 08:04:12 PM

Well MBRchecker still says I have it so I dunno. :|

If I backup my stuff to a second partition, and format the windows installed one?
Will it like copy itself to my other partition too? :|

Title: Re: Black Internet?
Post by: essexboy on January 21, 2011, 08:56:45 PM

MBRCheck fixed the MBR - see the bolded part at the bottom.  If you want confirmation then re-run MBRcheck as per the initial run 

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:         
Windows Version:      Windows XP Home Edition
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000003d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002e`031b3200  (NTFS)

PhysicalDrive0 Model Number: WDCWD2500KS-00MJB0, Rev: 02.01C03

      Size  Device Name          MBR Status
  --------------------------------------------
    232 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!
            SHA1: 55D22FACFA0250F2B3D94EC565072522D6388C82


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
  [1] Dump the MBR of a physical disk to file.
  [2] Restore the MBR of a physical disk with a standard boot code.
  [3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
 [ 0] Default (Windows XP)
 [ 1] Windows XP
 [ 2] Windows Server 2003
 [ 3] Windows Vista
 [ 4] Windows 2008
 [ 5] Windows 7
 [-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code?  Type 'YES' and hit ENTER to continue: YES
Successfully wrote new MBR code!
Please reboot your computer to complete the fix
Done!.

Title: Re: Black Internet?
Post by: epicelite on January 21, 2011, 10:10:41 PM

Yeah I rebooted but when I run MBRchecker it still says it found bad MBR/black internet. :|

Title: Re: Black Internet?
Post by: essexboy on January 21, 2011, 10:11:58 PM

OK new tool time, I gues it was only time before they circumvented that programme

 Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg)

[color="#FF0000"]Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop[/color]

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder  then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg)

Title: Re: Black Internet?
Post by: epicelite on January 22, 2011, 03:04:55 AM

Here it is, only took 3 hours.

Title: Re: Black Internet?
Post by: essexboy on January 22, 2011, 02:00:32 PM

OK lets use combofix to install the recovery console, if Kas could not repair then there is only an outside chance that Combofix will - so we will need to do a fixmbr from the recovery console 

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: Black Internet?
Post by: epicelite on January 22, 2011, 07:59:12 PM

I will just format then.

Can this thing copy itself to my backup partition that's on the same HDD?

Thanks for your assistance.

Title: Re: Black Internet?
Post by: essexboy on January 22, 2011, 08:56:21 PM

No it will only use active partitions

Title: Re: Black Internet?
Post by: epicelite on January 22, 2011, 09:37:38 PM

What does active partition mean? The one with windows installed on it? :\

Title: Re: Black Internet?
Post by: essexboy on January 22, 2011, 11:02:17 PM

Yes that is correct as that is the bootable one