Avast WEBforum

Other => Viruses and worms => Topic started by: flodefence on January 29, 2011, 08:12:56 AM

Title: whistler@mbr[RTk]...help?
Post by: flodefence on January 29, 2011, 08:12:56 AM

So, I'm not the smartest guy when it comes to anti-virus but I did a scan on my computer today and found a Whistler@mbr virus. I don't know how long I've had it. but so far, the computer is fine. Yet, I don't feel safe leaving my computer the way it is. Can anyone help me out? Thanks in advance.

Title: Re: whistler@mbr[RTk]...help?
Post by: Pondus on January 29, 2011, 09:26:14 AM

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt / Malwarebytes scan log )



Essexboy will be notified when the logs are posted.....

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on January 29, 2011, 09:42:35 AM

Okay, thanks Pondus. The three logs are attached. :)

Title: Re: whistler@mbr[RTk]...help?
Post by: Pondus on January 29, 2011, 09:47:40 AM

Essexboy is notified, he is usually in here from 8:00pm to 11:59pm UK time on week days
In weekend he arrives when he is out of bed and get his Tea....unless there is Cricket on TV   ;D

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on January 29, 2011, 09:48:48 AM

Haha, okay then. Is it safe to turn off my computer?

Title: Re: whistler@mbr[RTk]...help?
Post by: Pondus on January 29, 2011, 09:54:54 AM

Have no idea   ???

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on January 29, 2011, 01:56:15 PM

Rebooting will have no effect at this stage, due to the evolving nature of this programme I would like you to run two programmes

• Run MBRCheck.exe
• Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
• Please push the 'Y' key and then press Enter
• When program ask you Enter your choice: enter 2 and press the Enter key
  
• Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  
• Enter 0 and press the Enter key.
  
• The program will show Available MBR codes:, followed by a list of operating systems.  Please enter [ 1] Windows XP, and then press Enter.
  
• The program will prompt for confirmation.  Type YES and press Enter (Must type the full word, YES). You will be informed if successfully wrote a new MBR code!
  
• A text file will be saved to your desktop
• Paste that report into your next post
• Restart your PC.

.
THEN

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on January 30, 2011, 02:31:24 AM

Thanks essexboy.

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on January 30, 2011, 02:02:28 PM

Looks like MBRexe killed that one  ;D

What are your current problems ?

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on January 31, 2011, 08:23:01 AM

What do you mean by problems? Like PC problems? From what I can see, none.
But whenever I run a scan, it still says I have a whistler@mbr infection.

Title: Re: whistler@mbr[RTk]...help?
Post by: mikaelrask on January 31, 2011, 09:17:24 AM

i suggest a boot scan might do the trick here sens it sounds avast is detecting he malware but is unable to do anything about it?

http://www.schmahl.net/avastbootscan.php

then a scan with malwarebytes might be good.

http://filehippo.com/download_malwarebytes_anti_malware/

what i can think off if essexbox doesn't have outer program up his sleeves :D

good luck

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on January 31, 2011, 07:21:05 PM

Could you re-run MBRCheck please - just the first analysis part

As both programmes seem to indicate that whistler has gone

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on February 01, 2011, 12:47:02 PM

Here you go.

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on February 01, 2011, 08:16:54 PM

Could you re-run the fix on drive 0 please

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on February 02, 2011, 09:12:34 AM

Yep, done.

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on February 02, 2011, 07:35:46 PM

Lets try the new tool

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR1.png)

Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2.png)

Click the "Fix" in case of infection
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR3.png)

Save the aswMBR.log to the desktop.  Then post the log here
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR4.png)

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on February 04, 2011, 04:15:26 PM

Okay, I did the scan, but I couldn't fix because it showed the scan as if there was nothing to fix.

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on February 04, 2011, 08:51:00 PM

And yet Avast is still alerting on it ?

I will be playing with a new tool so I may not have the next part of the fix for a few hours

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on February 05, 2011, 01:51:49 AM

Yep, still showing up as an whistler@mbr[Rtk].
Yep, take your time, whenever you're ready. :)

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on February 05, 2011, 12:42:38 PM

Whilst I am testing the testdisc to ensure I get it right - lets try a left field tool for this infection

Please read carefully and follow these steps. 

• Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
   
   
  
• If an infected file is detected, the default action will be Cure, click on Continue.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
   
   
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
   
   
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
   
   
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on February 07, 2011, 08:00:49 AM

Here you go.

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on February 07, 2011, 07:40:10 PM

OK looks like TDSSKiller has added that to its reportoire - nice to know

What problems are you experiencing now ?

Title: Re: whistler@mbr[RTk]...help?
Post by: flodefence on February 09, 2011, 08:16:17 AM

I don't think I have any problem anymore! Not showing up in my scan anymore. Thank you!

Title: Re: whistler@mbr[RTk]...help?
Post by: essexboy on February 09, 2011, 09:17:27 PM

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Quote

  :Commands
  [resethosts]
  [purity]
  [emptytemp]
  [EMPTYFLASH]
  [CLEARALLRESTOREPOINTS]
  [Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
  
• Click Yes to confirm.
• Click OK.

SPRING CLEAN

 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Bootdefrag.jpg)


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update (http://windowsupdate.microsoft.com)
  

To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave: