Topic: whistler virus and how use BTKR_RunBox on usb hard drive


krass

  • Guest
whistler virus and how use BTKR_RunBox on usb hard drive
« on: January 22, 2011, 11:49:01 AM »
hi
- my query  concerns how to use cleaning tools rather than diagnosis.

i'm on win xp  - i updated my free avast to the new version and the first auto scan threw up alert for whistler virus

my pc has one internal hard drive (drive number 0) and several other external usb drives - when i ran MBRCheck.exe it showed whistler virus in the mbr of all the drives

nothing i tried would clean the mbr of the drives until i ran BTKR_RunBox.exe which successfully replaced the infected mbr on the internal drive

i have no experience of using command line, and my query is how to get BTKR_RunBox.exe to repair the mbr in the usb drives?

i have BTKR_RunBox.exe and remover.exe on my desktop - if i run the following script (by saving it on desktop as a .cmd file and then clicking on it):

Code:
@echo off
rem remover.exe must sit in the same folder as this .cmd file (the desktop)
rem "fix" asks Bootkit Remover to rewrite the boot code of the given physical drive
start remover.exe fix \\.\PhysicalDrive5
exit

the result i get is:-


Code:
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000
Restoring boot code at \\.\PhysicalDrive5...
ATA_Read(): DeviceIoControl() ERROR 50
ERROR: Can't read first sector of the disk.

Done;
Press any key to quit...

does anyone know how i get bootkit remover to fix the usb drives? it seems the perfect tool to deal with mbr infection


as an alternative i tried reformatting one of the usb drives using the "format" option in windows explorer, but that didn't touch the mbr - is there a better way to reformat a usb hard drive that will re-write the mbr also?



thanks
chris

Offline Pondus

  • Probably Bot
  • Posts: 37545
  • Not a avast user
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #1 on: January 22, 2011, 11:52:01 AM »
Essexboy is notified......  ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #2 on: January 22, 2011, 01:53:41 PM »
You will need to repair the following drives using MBRcheck

931 GB  \\.\PhysicalDrive5   RE: Known-bad MBR code detected (Whistler / Black Internet)!
        SHA1: 4973D7019145FF4B8F768E312288EA01106B0E8F
465 GB  \\.\PhysicalDrive7   MBR Code Faked (known infection: Whistler / Black Internet)!
        SHA1: EA461F558215548F2DFEC9E39AA5F26AAA73855C
149 GB  \\.\PhysicalDrive8   Known-bad MBR code detected (Whistler / Black Internet)!
        SHA1: 4973D7019145FF4B8F768E312288EA01106B0E8F

1. Run MBRCheck.exe
2. Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
3. Please push the 'Y' key and then press Enter
4. When the program asks you Enter your choice: enter 2 and press the Enter key
5. Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
6. Enter 5 and press the Enter key.
7. The program will show Available MBR codes:, followed by a list of operating systems. Please enter [ 1] Windows XP, and then press Enter.
8. The program will prompt for confirmation. Type YES and press Enter (Must type the full word, YES). You will be informed if it successfully wrote a new MBR code!
9. A text file will be saved to your desktop
10. Paste that report into your next post
11. Restart your PC.

Then repeat for drives 7 and 8

krass

  • Guest
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #3 on: January 22, 2011, 07:32:35 PM »
thanks for the very prompt reply!

unfortunately mbrcheck doesn't fix any of the drives - it says it has but when you run it again it shows the same infections - i'd already tried it (& i've just tried it again)

the only tool that worked is BTKR_RunBox - it successfully, and very easily, replaced the infected mbr on drive number 0 - the problem is i don't know how to get it to fix the other (usb) drives

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #4 on: January 22, 2011, 08:55:26 PM »
Hmm tis a bit of a problem - as you cannot run Fixmbr on those drives as far as I am aware

I wonder whether AVP can cure it

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

On the first tab select all elements down to include all removable drives and then select start scan
Once it has finished select report and post that.



Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop

krass

  • Guest
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #5 on: January 22, 2011, 09:07:41 PM »
thanks - i'll do that & post report

is there a means of re-formatting the usb drives that will also re-write the mbr? that might be another solution, do you think?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #6 on: January 22, 2011, 11:01:46 PM »
The thing is that as non-booting drives I am not sure if they need an MBR - but I will need to check that out

krass

  • Guest
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #7 on: January 25, 2011, 07:45:45 PM »
apologies for not replying earlier

i ran the kaspersky - it took forever, because it kept stopping to ask what to do when it found something - it didn't find anything that other progs hadn't already found (i have a few files on my pc which give false positives in all anti-virus progs)

i now only have the whistler virus in the mbr of my non-bootable usb hdds - as far as i can make out, it isn't a threat there (as long as i don't boot up from them), so, since i can't find any way of re-writing those mbrs, i'm going to ignore the presence of the virus

i thought i'd outline what i did to remove the virus from my internal, bootable hdd, just for anyone else whose avast tells them they have whistler


1. download and run mbrcheck to confirm it's in the bootable drive(s)

2. download and run BTKR_RunBox to re-write the mbr on those drives

it was, in fact, extremely easy

unfortunately all the mbr fixing tools seem to be command line, which i know nothing at all about, but which, i think, doesn't work over usb connections - so you can't clean the mbr of usb drives, but if they're non-bootable (no OS installed on them) then i don't think it matters (fingers crossed!)

thanks to essexboy, and everyone else for all the help!

chris


gentle4ug

  • Guest
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #8 on: January 28, 2011, 06:22:44 PM »
Just thinking out loud here about things I might try.

1. Try installing an operating system on the USB drives. Since you have already tried the format route, I assume they do not have any important files on them. This should rewrite the MBR. Then reformat to get rid of the operating system. It may leave an MBR behind, but at least it should be clean.

2. Microsoft has a free piece of software to make an installation USB drive. By making the drives bootable installation drives, the MBR may also be overwritten. I've done this a couple of times on USB thumb drives and just reformatted to recycle the drive.

3. Disassemble the drives and install them in your system. Unplug your primary drive, boot from an OS install disc and install the OS. Do this for each drive. Then remove the drives and reconnect your original primary drive. Put the externals back together and reformat. Any MBR left behind should be clean.

These are just brainstorming ideas, but one of them may save the drives.  I would be hesitant to use them for anything knowing they are dirty.


krass

  • Guest
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #9 on: February 02, 2011, 05:34:47 PM »
thanks for the brainstorms gentle4ug! they sound like really good ideas!

however, i've now discovered i was talking rubbish ("as usual" my wife would say...) re command line progs and usb connections - i found a prog called "TestDisk" which does re-write the mbr of an external usb hdd.

http://www.cgsecurity.org/wiki/TestDisk

i used it on 2 drives - the first i reformatted - mbrcheck still showed whistler there - so i then rewrote the mbr with TestDisk & mbrcheck showed "unknown mbr code"

the 2nd drive i didn't bother re-formatting, just backed up data, & used TestDisk, after which mbrcheck showed "mbr code faked!" - i assume that means no whistler
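What the tools in this thread are doing with sector 0, shown as an added example that is not code from MBRCheck, Bootkit Remover or TestDisk. The script parses a 512-byte MBR image, hashes its boot-code area and compares the hash with the two known-bad SHA-1 values quoted in Reply #2, then rewrites only the boot code while keeping the partition table and disk signature, which is the repair the thread's "write a new MBR code" steps perform. Assumptions: MBRCheck's hash is taken over the 440 bytes before the NT disk signature (the thread does not say which bytes it hashes), the sample image with its single NTFS partition is constructed here, and my reading of the "DeviceIoControl() ERROR 50" in the first post is that it is Win32 ERROR_NOT_SUPPORTED from an ATA pass-through request that a USB bridge does not implement, whereas plain reads and writes of sector 0 through \\.\PhysicalDriveN (administrator rights needed) still work, which is consistent with TestDisk succeeding where Bootkit Remover failed.

```python
"""Inspect and re-write the boot code of a 512-byte MBR image.

Added example for this thread; not code from MBRCheck, Bootkit Remover or TestDisk.
Assumption: the SHA-1 is taken over the 440-byte boot-code area preceding the NT disk
signature, and the known-bad hashes are the two quoted in Reply #2.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code (hashed region, assumption)
DISK_SIG_OFF = 440       # bytes 440..443: NT disk signature, 444..445 reserved
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"   # bytes 510..511: boot signature
PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

# SHA-1 values MBRCheck reported for the infected USB drives in this thread.
KNOWN_BAD = {
    "4973D7019145FF4B8F768E312288EA01106B0E8F": "Whistler / Black Internet",
    "EA461F558215548F2DFEC9E39AA5F26AAA73855C": "Whistler / Black Internet (faked MBR code)",
}


def parse_partitions(mbr):
    """Return the non-empty partition entries of an MBR image as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def code_sha1(mbr):
    """Upper-case hex SHA-1 of the boot-code area, in the form MBRCheck prints."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def inspect_mbr(mbr, known_bad=KNOWN_BAD):
    """Summarise sector 0: signature check, disk signature, code hash, verdict, partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly %d bytes" % SECTOR)
    sha1 = code_sha1(mbr)
    return {
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "code_sha1": sha1,
        "known_bad": known_bad.get(sha1),   # None corresponds to "unknown MBR code"
        "partitions": parse_partitions(mbr),
    }


def rewrite_boot_code(mbr, new_code=b""):
    """Replace only the boot-code area, keeping disk signature, partition table and 55AA.

    This is what a 'write clean MBR code' repair does to sector 0: the partitions and
    the data behind them are untouched.  Empty new_code leaves a non-bootable but clean
    sector, which is all a data-only USB drive needs.
    """
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly %d bytes" % SECTOR)
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than %d bytes" % BOOT_CODE_LEN)
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:SECTOR - 2] + BOOT_SIG


def build_sample_mbr(boot_code, disk_sig=0x1234ABCD):
    """Constructed sample image: given boot code, one bootable NTFS partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # a 512-byte dump of sector 0 (saved with dd or a disk editor)
        with open(sys.argv[1], "rb") as f:
            image = f.read(SECTOR)
    else:
        image = build_sample_mbr(b"\xEB\xFE" + b"CONSTRUCTED SAMPLE BOOT CODE")
    before = inspect_mbr(image)
    print("code SHA1:", before["code_sha1"], "->", before["known_bad"] or "unknown MBR code")
    print("partitions:", before["partitions"])
    after = inspect_mbr(rewrite_boot_code(image))
    print("after rewrite, partitions unchanged:", after["partitions"] == before["partitions"])
```

Run it with no argument to see the constructed sample, or pass the path of a 512-byte sector-0 dump. The rewrite leaves the partition table in place, which is why TestDisk's repair did not cost the data on the second drive; and because formatting a partition rewrites the volume boot record inside that partition rather than sector 0 of the disk, the Windows Explorer "format" in the first post could not change what MBRCheck reported.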


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #10 on: February 02, 2011, 07:33:25 PM »
Neat tool, I have only seen the techs use that before. But now I may add it to my armoury

krass

  • Guest
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #11 on: February 03, 2011, 02:43:32 PM »
Quote from: essexboy on February 02, 2011, 07:33:25 PM
Neat tool, I have only seen the techs use that before. But now I may add it to my armoury


it was certainly easy to use! (if i can do it, anyone can!)

thanks again for the help


chris

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler virus and how use BTKR_RunBox on usb hard drive
« Reply #12 on: February 03, 2011, 07:33:44 PM »
And thank you for the tool  ;D