Author Topic: Infected with Whistler / Black internet  (Read 15413 times)


youngsta

  • Guest
Infected with Whistler / Black internet
« on: July 30, 2011, 02:45:33 PM »
Hi, I'm really hoping to get some help on this. Firstly I'd just like to say that I haven't really been getting many problems, i.e. pop-ups or excessive CPU or RAM usage; the one problem that has brought me to this point is I keep getting incoming requests in Comodo (which I've blocked) for svchost.exe, sometimes up to a thousand a day. Anyway, I've scanned with Avast at boot and normal, nothing found. I've scanned with Malwarebytes and SUPERAntiSpyware, nothing found. I did a scan with TDSSKiller and it found "Trojan-Clicker.Win32.Wistler.a" but stated it could not fix it. Then I ran MBRCheck and it found "Known-Bad MBR Code Detected Whistler / Black Internet", chose to rewrite MBR, chose number 1 Windows XP, it said done, reboot, so I rebooted, ran it again and it was still there! I really don't know what to do. What is this, and how do I get rid of it? Thank you very much if you can help.

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Infected with Whistler / Black internet
« Reply #1 on: July 30, 2011, 02:48:10 PM »
Hi youngsta,

Download aswMBR.exe from here http://public.avast.com/~gmerek/aswMBR.htm

1) Double-click aswMBR.exe to run it
2) Click the [Scan] button to start the scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

youngsta

  • Guest
Re: Infected with Whistler / Black internet
« Reply #2 on: July 30, 2011, 03:26:49 PM »
Thanks, do I need to disable antivirus or anything?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Infected with Whistler / Black internet
« Reply #3 on: July 30, 2011, 03:28:59 PM »
No, just run it from Windows normal mode.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

youngsta

  • Guest
Re: Infected with Whistler / Black internet
« Reply #4 on: July 30, 2011, 03:58:25 PM »
Here is the scan. It looks like it only scanned 1 HDD; I probably should have mentioned I have 1 internal HDD with the OS on, then I have a 500GB external and a 1TB external. The code was found on Disk 2, which is the 500GB.

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-30 14:36:01
-----------------------------
14:36:01.703    OS Version: Windows 5.1.2600 Service Pack 3
14:36:01.703    Number of processors: 2 586 0x403
14:36:01.703    ComputerName: WORKGROUP-FFDC5F  UserName: Youngie
14:36:03.078    Initialize success
14:36:03.390    AVAST engine defs: 11073000
14:36:10.703    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
14:36:10.703    Disk 0 Vendor: Maxtor_6L160M0 BANC1G10 Size: 152587MB BusType: 3
14:36:12.734    Disk 0 MBR read successfully
14:36:12.734    Disk 0 MBR scan
14:36:12.734    Disk 0 Windows XP default MBR code
14:36:12.734    Disk 0 scanning sectors +312496380
14:36:12.843    Disk 0 scanning C:\WINDOWS\system32\drivers
14:36:20.093    Service scanning
14:36:21.421    Modules scanning
14:36:26.125    Disk 0 trace - called modules:
14:36:26.156    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
14:36:26.156    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aabfab8]
14:36:26.171    3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8aab7d98]
14:36:26.671    AVAST engine scan C:\WINDOWS
14:36:30.500    AVAST engine scan C:\WINDOWS\system32
14:37:56.718    AVAST engine scan C:\WINDOWS\system32\drivers
14:38:07.625    AVAST engine scan C:\Documents and Settings\Youngie
14:50:17.390    AVAST engine scan C:\Documents and Settings\All Users
14:50:55.187    Scan finished successfully
14:53:43.312    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Youngie\Desktop\MBR.dat"
14:53:43.328    The log file has been saved successfully to "C:\Documents and Settings\Youngie\Desktop\aswMBR.txt"

youngsta

  • Guest
Re: Infected with Whistler / Black internet
« Reply #5 on: July 30, 2011, 04:07:10 PM »
Here is the MBRCheck log.
« Last Edit: July 30, 2011, 04:32:08 PM by youngsta »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Infected with Whistler / Black internet
« Reply #6 on: July 30, 2011, 05:12:48 PM »
Are these TDSSKiller and MBRCheck logs you have attached the ones you ran before aswMBR or after the aswMBR scan?

Strange that MBRCheck and TDSSKiller would say they had found Whistler yet aswMBR shows that it finds the default mbr code.
14:36:12.734    Disk 0 Windows XP default MBR code

Which I would guess, if you had run MBRCheck and chosen to rewrite the MBR, choosing number 1 Windows, would be right (???)
Did you have these external drives attached when you ran aswMBR, or it wouldn't see anything on those?

These external drives surely aren't bootable, are they?
Or there would have to be a custom/modified MBR for a dual boot.
« Last Edit: July 30, 2011, 05:14:19 PM by DavidR »

youngsta

  • Guest
Re: Infected with Whistler / Black internet
« Reply #7 on: July 30, 2011, 05:29:54 PM »
I ran the MBRCheck and TDSSKiller before I scanned with aswMBR.
Disk 0 is OS internal, Disk 1 is external, Disk 2 is external.
aswMBR says Disk 0 Windows XP default MBR code.
MBRCheck says PhysicalDrive2   RE: Known-bad MBR code detected (Whistler / Black Internet)!.
The dodgy code was found on Disk 2.
Yes, I did have these drives attached when I ran aswMBR.
I bought the external drive new; it has never had an operating system on it.

I am a bit stumped myself as to why it is only on 1 of my external HDDs, not on the other or my boot drive??? I know nothing about this type of thing.
Thanks for your help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Infected with Whistler / Black internet
« Reply #8 on: July 30, 2011, 06:23:02 PM »
I just wonder why aswMBR doesn't find these other disks (perhaps it doesn't consider external drives).

Then I have to wonder why these two disks have an MBR file since they aren't bootable?

So I think it will require someone with more experience than I to look into this.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Whistler / Black internet
« Reply #9 on: July 30, 2011, 07:08:30 PM »
Both aswMBR and TDSSKiller only determine that bootable drives warrant repair; ensure all drives are connected.

Run MBRCheck.exe once again.
 
You will be presented with the following dialog:
 
Quote
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 
Enter Y and press Enter.
 
The following dialog will be presented:
Quote
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
 
Enter your choice:

 
Enter 2 and press Enter
 
The following dialog will be presented:
 
Quote
Enter the physical disk number to fix (0-99, -1 to cancel):

 
Enter >>2<< and press Enter
 
The following dialog will be presented:
Quote
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
 
Please select the MBR code to write to this drive:

 
Enter >>1<< and press Enter
 
The following dialog will be presented:
Quote
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:

 
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code!
 
And last the following dialog will be presented:
 
Quote
Done! Press ENTER to exit...

 
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
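As an added example (not code from the thread, nor from aswMBR, MBRCheck or TDSSKiller): a small Python parser for a raw 512-byte MBR dump, such as the MBR.dat that aswMBR saves or the file MBRCheck writes for option [1]. It reads the partition table, checks the 0x55AA boot signature, and compares the 440-byte boot code area against a reference dump taken from a known-clean disk, which is the check a responder would run on the external drives in this thread: a data-only disk with no active partition that nevertheless carries boot code differing from the reference is worth a look. The sample sectors, their disk signatures and their boot code bytes are constructed stand-ins; they are not real boot code and not a signature for Whistler.

```python
"""Parse and triage 512-byte MBR dumps (added example; sample data is constructed)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code area
DISK_SIG_OFF = 440       # bytes 440-443: NT disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510-511: 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, disk signature, boot code hash and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    code = sector[:BOOT_CODE_LEN]
    return {
        "valid_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_sha256": hashlib.sha256(code).hexdigest(),
        "boot_code_is_zero": not any(code),
        "partitions": parts,
    }


def boot_code_matches(sector: bytes, reference: bytes) -> bool:
    """True when the bootstrap code areas of two dumps are byte-identical (partition tables may differ)."""
    return sector[:BOOT_CODE_LEN] == reference[:BOOT_CODE_LEN]


def triage(sector: bytes, reference: bytes) -> str:
    """One-line verdict for a dump, given a reference dump from a known-clean disk."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "no 0x55AA signature: not a valid MBR"
    if info["boot_code_is_zero"]:
        return "empty boot code: data-only disk, nothing to execute"
    if boot_code_matches(sector, reference):
        return "boot code matches reference"
    if not any(p["bootable"] for p in info["partitions"]):
        return "non-standard boot code on a disk with no active partition: investigate"
    return "non-standard boot code on a bootable disk: investigate"


def build_sector(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR for the constructed samples; partitions are (status, type, lba_start, sectors)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\x00" * 3, pt, b"\x00" * 3, lba, cnt)
                     for st, pt, lba, cnt in partitions).ljust(64, b"\x00")
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


# Constructed stand-ins: an arbitrary byte pattern plays the role of "known-good" boot code,
# and the external-disk sample differs from it in two bytes. Neither is real MBR code.
REFERENCE_CODE = bytes(range(0x20, 0x20 + 200))
ALTERED_CODE = REFERENCE_CODE[:100] + b"\xeb\xfe" + REFERENCE_CODE[102:]

SAMPLE_BOOT_DISK = build_sector(REFERENCE_CODE, 0x11223344, [(0x80, 0x07, 63, 312496317)])
SAMPLE_EXTERNAL_DISK = build_sector(ALTERED_CODE, 0x55667788, [(0x00, 0x07, 2048, 976773120)])
SAMPLE_EMPTY_DISK = build_sector(b"", 0x00000000, [(0x00, 0x07, 2048, 1000)])


def triage_file(path: str, reference_path: str) -> str:
    """Triage a real dump (e.g. MBR.dat) against a reference dump read from disk."""
    with open(path, "rb") as f, open(reference_path, "rb") as r:
        return triage(f.read(SECTOR), r.read(SECTOR))


if __name__ == "__main__":
    for name, sec in (("boot disk", SAMPLE_BOOT_DISK), ("external", SAMPLE_EXTERNAL_DISK),
                      ("empty", SAMPLE_EMPTY_DISK)):
        info = parse_mbr(sec)
        print(f"{name}: sig={info['disk_signature']:08x} parts={len(info['partitions'])} "
              f"code={info['boot_code_sha256'][:12]} -> {triage(sec, SAMPLE_BOOT_DISK)}")
```

To use it on real dumps, pass the MBR.dat from the suspect disk and a dump from the clean boot disk to `triage_file`; the comparison only tells you whether the two code areas differ, which is the question the thread is circling (why a never-booted external drive has non-default boot code), not which malware family wrote it.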

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Infected with Whistler / Black internet
« Reply #10 on: July 30, 2011, 07:16:30 PM »
Thanks essexboy for joining the topic and the info on aswMBR and TDSSKiller only considering bootable drives warrant repair.

youngsta

  • Guest
Re: Infected with Whistler / Black internet
« Reply #11 on: July 30, 2011, 08:05:27 PM »
Hey, thanks for your help; that's what I did the last time though.

edit: Wasn't trying to be smart, just stating that's what I did before :)
« Last Edit: July 30, 2011, 08:26:46 PM by youngsta »

youngsta

  • Guest
Re: Infected with Whistler / Black internet
« Reply #12 on: July 30, 2011, 08:12:49 PM »
Also do you think svchost.exe is related to this? I've just checked comodo and it says "Firewall has blocked 203 intrusions so far" since 2:50 this morning. Why would svchost.exe be trying to receive incoming connections?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Whistler / Black internet
« Reply #13 on: July 30, 2011, 09:26:24 PM »
Unless drive 2 is active, it would not cause the alerts; they are probably related to something else. What do you use drive 2 for?

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

youngsta

  • Guest
Re: Infected with Whistler / Black internet
« Reply #14 on: July 30, 2011, 09:40:05 PM »
Sorry to ask again, but do I need to disable antivirus? Avast is telling me to open it in the sandbox; is this normal?