Author Topic: [SOLVED] whistler@mbr need help  (Read 8308 times)


bigneil

  • Guest
[SOLVED] whistler@mbr need help
« on: May 06, 2011, 04:15:42 PM »
Hi
Seems I've got a whistler@mbr virus.
Have read down some of the threads in this forum but still have the problem. It's being picked up by the avast antivirus.
So far, I've run Malwarebytes anti-malware, no joy.
I've also downloaded OTS and have the log (saved as ANSI) attached.
Tried also to run MBRCheck.exe, it ran and produced a log but didn't seem to give me the options as indicated in the thread I read as it ran; i.e. to enter physical disk numbers etc. Log also attached.
This is the first time I've entered a forum for help like this so sorry if I seem a little wobbly on things.
Would appreciate any help pls?
Many thanks in advance.
bigneil
« Last Edit: May 08, 2011, 07:06:01 PM by bigneil »

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: whistler@mbr need help
« Reply #1 on: May 06, 2011, 06:21:00 PM »
Download aswMBR.exe ( 511KB ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply
« Last Edit: May 06, 2011, 06:28:01 PM by Zyndstoff (aka Steven Gail) »
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

bigneil

  • Guest
Re: whistler@mbr need help
« Reply #2 on: May 06, 2011, 06:29:04 PM »
Hi Many thanks for getting back to me so promptly. will try this.
Thanks once again.
N

bigneil

  • Guest
Re: whistler@mbr need help
« Reply #3 on: May 06, 2011, 06:41:29 PM »
Hi Again
Downloaded aswMBR.exe and ran it as advised. Pls see attached the log it generated.
Thanks and hope to hear from you soon.
N

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: whistler@mbr need help
« Reply #4 on: May 06, 2011, 06:50:09 PM »
Quote
17:36:25.515    Disk 2 Whistler@MBR code has been found
17:36:25.515    Disk 2 MBR hidden
17:36:25.515    Disk 2 MBR [Whistler]  **ROOTKIT**

* scan again, click "FIX MBR" and reboot
* after reboot, scan again and click "SAVE LOG" post that log
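
For triaging saved logs before and after the "FIX MBR" step, the per-disk verdict can be pulled out of the lines quoted above. This is an added example, not part of the original post and not Avast's code; it assumes every disk line has the `timestamp  Disk N message` shape seen in the quote, and the names `triage` and `infected_disks` are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the three lines quoted in the reply above, plus one
# constructed filler line to show that non-disk entries are ignored.
SAMPLE_LOG = """\
17:36:20.000    (constructed filler line, not from a real log)
17:36:25.515    Disk 2 Whistler@MBR code has been found
17:36:25.515    Disk 2 MBR hidden
17:36:25.515    Disk 2 MBR [Whistler]  **ROOTKIT**
"""

# Assumed line shape: HH:MM:SS.mmm, whitespace, "Disk N", then the message.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+Disk (\d+)\s+(.*\S)\s*$")
# Family name in square brackets, as in "MBR [Whistler]".
FAMILY_RE = re.compile(r"MBR \[([^\]]+)\]")


def triage(log_text):
    """Group disk-related log lines by physical disk number."""
    disks = defaultdict(
        lambda: {"rootkit": False, "hidden": False, "family": None, "evidence": []}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a "Disk N ..." line
        ts, disk, msg = m.groups()
        entry = disks[int(disk)]
        entry["evidence"].append((ts, msg))
        if "**ROOTKIT**" in msg:
            entry["rootkit"] = True
        if msg == "MBR hidden":
            entry["hidden"] = True
        fam = FAMILY_RE.search(msg)
        if fam:
            entry["family"] = fam.group(1)
    return dict(disks)


def infected_disks(log_text):
    """Disk numbers whose MBR is flagged as a rootkit or reported hidden."""
    return sorted(
        d for d, e in triage(log_text).items() if e["rootkit"] or e["hidden"]
    )


if __name__ == "__main__":
    for disk, info in triage(SAMPLE_LOG).items():
        print(disk, info["family"], info["rootkit"], info["hidden"])
```

Running the same function over the log saved after the reboot should return an empty list if the fix took; any verdict wording not shown in the quote above is simply kept as evidence, not interpreted.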

bigneil

  • Guest
Re: whistler@mbr need help
« Reply #5 on: May 06, 2011, 07:07:01 PM »
Hi
Just rescanned and run "FIX MBR".
Rebooted, scanned again and attached new log as advised.
Hoping this shows some good news.
Thanks once again.
N

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: whistler@mbr need help
« Reply #6 on: May 06, 2011, 07:08:35 PM »
I have PMd Essexboy so he will have a check on this   ;)

bigneil

  • Guest
Re: whistler@mbr need help
« Reply #7 on: May 06, 2011, 07:11:01 PM »
Hi
ok, many thanks. will wait to hear from you.
Speak soon i hope.
N

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler@mbr need help
« Reply #8 on: May 06, 2011, 07:23:25 PM »
Hi you have been using infected USB drives by the look of it, I will clear the mountpoints and close some ports

Download the attached fix.txt to your desktop

Start OTS. Click the Run Fix button.
A dialogue will open asking for the location of the fix.txt
Locate the file you downloaded to your desktop
Click run fix again

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: whistler@mbr need help
« Reply #9 on: May 06, 2011, 07:39:07 PM »
Files, no company name:

sysprs7.dll -> I:\WINDOWS\System32\sysprs7.dll -> [2008/11/29 20:24:37 | 000,001,025 | ---- | C] ()
lsprst7.dll -> I:\WINDOWS\System32\lsprst7.dll -> [2008/11/29 20:24:37 | 000,000,205 | ---- | C] ()

What about those...? Just curious. :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler@mbr need help
« Reply #10 on: May 06, 2011, 07:51:20 PM »
This is what I have gleaned

Quote
"These files are directly related to our new SPSS/Clementine licensing
scheme. When an SPSS or Clementine data file is opened the internal
license manager will search for a valid license and set these files
accordingly. [It] will first attempt to write these files to the
\windows\system32 directory. If the user doesn't have permission to
write there, [it then] writes them to the directory where the data
files reside. [...] Our development is looking to see if this can be
handled in a more elegant way in the future."

And that's why it doesn't occur with administrative privileges, since
those convey write access to system directories.


bigneil

  • Guest
Re: whistler@mbr need help
« Reply #11 on: May 06, 2011, 08:22:05 PM »
Hi Essexboy.
The pc didn't seem to like that.
Downloaded the fix.txt file to desktop and ran OTS, located the fix.txt file from my desktop and ran fix again.
As I clicked the Run Fix icon, all the icons I have on my desktop vanished (but has left the wallpaper ok) and the 'green progress bar' (immediately above the OTS 'additional scans' section) seemed to dance left and right for about 20 seconds - hope you can picture what I mean.
The progress bar did eventually go '100% completed' after about 40 secs; still no icons on my desktop and there's no box appeared saying 'ok' so of course there's no log file.
Can you help with a next move? I can still move my mouse cursor and the OTS menu window is still showing, (with the run scan, quick scan, paste fix here bits etc etc, [Run fix button is greyed out]).
I'm writing this message from my laptop.
Should I reboot?
thanks
N. [and p.s. yes, just come back off hols and my son has popped around to do some work for his CV on the pc during the easter hols ...... using a usb drive!! (he's been informed)]

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: whistler@mbr need help
« Reply #12 on: May 06, 2011, 09:22:28 PM »
When OTS runs and has a cleartemps instruction it will close all running processes including explorer.  This is to ensure it gets everything in the first run.  As for the time taken - the more junk in your temporary files the longer it will take to run

All that should be left in the fix box is [cleartemps]. If after about 10 minutes or so it has not rebooted, then Control-Alt-Delete and stop OTS from running via Task Manager. Then reboot.

bigneil

  • Guest
Re: whistler@mbr need help
« Reply #13 on: May 06, 2011, 09:44:53 PM »
Hi
Thanks for getting back and also for clarifying what had happened....
So, log file appeared after reboot - pls find attached.
Thanks - much appreciated.
N

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: whistler@mbr need help
« Reply #14 on: May 06, 2011, 09:47:29 PM »
Please make sure the file is saved with code ANSI.
Open in Notepad, click "File" -> "Save As".