Author Topic: MBR:whistler-C [rtk]  (Read 11748 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: MBR:whistler-C [rtk]
« Reply #15 on: October 28, 2011, 10:07:56 PM »
Intriguing. Could you run a quick mbrcheck scan and post the log, so that I can see what it says?

fraise

  • Guest
Re: MBR:whistler-C [rtk]
« Reply #16 on: October 28, 2011, 10:19:03 PM »
Hi, it's not saving the log to the desktop when I run mbrcheck.exe

fraise

  • Guest
Re: MBR:whistler-C [rtk]
« Reply #17 on: October 28, 2011, 10:20:46 PM »
OK, got it

Offline essexboy

Re: MBR:whistler-C [rtk]
« Reply #18 on: October 28, 2011, 10:24:54 PM »
Hmm, it is not allowing anything to clear it, probably because it is not bootable.

The alternatives are

1. Leave it.
2. Reformat the offending drive.

As it stands it can do no harm to your computer though

fraise

  • Guest
Re: MBR:whistler-C [rtk]
« Reply #19 on: October 28, 2011, 10:38:12 PM »
Oh OK, so I shouldn't worry about any passwords being stolen or anything like that?

If I wanted to reformat the drive I would have to transfer my files to another drive. Where is this virus, so I don't transfer it to another drive? Is it in a particular folder?

Thank you

Offline essexboy

Re: MBR:whistler-C [rtk]
« Reply #20 on: October 28, 2011, 10:46:26 PM »
It is actually on the first sector of the drive, and moving files to another drive is OK, as you will be unable to move the MBR.
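What lives in that first sector, as an added example that is not part of the original thread: a Python sketch that splits a raw 512-byte dump of sector 0 into boot code, partition table and signature, and compares the boot code against a known-good reference. The function names and both sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0-445: boot code executed at startup
ENTRY_LEN = 16            # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510-511: boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for index in range(4):
        offset = BOOT_CODE_LEN + index * ENTRY_LEN
        # status, (CHS start skipped), type, (CHS end skipped), first LBA, sector count
        status, ptype, first_lba, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": index, "active": status == 0x80,
                               "type": ptype, "first_lba": first_lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_differs(dump: bytes, reference: bytes) -> bool:
    """True when the boot code differs from a known-good reference dump."""
    return parse_mbr(dump)["boot_code_sha256"] != parse_mbr(reference)["boot_code_sha256"]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one active type-0x07 partition starting at LBA 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)
    table = entry + bytes(ENTRY_LEN * 3)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


if __name__ == "__main__":
    reference = build_sample_mbr(b"\xfa\x33\xc0")   # stand-in for clean boot code
    suspect = build_sample_mbr(b"\xeb\x5a\x90")     # stand-in for altered boot code
    print(parse_mbr(suspect)["partitions"])
    print("boot code differs from reference:", boot_code_differs(suspect, reference))
```

The sector sits outside every partition's file system, which is why a file-level copy never carries it along.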

fraise

  • Guest
Re: MBR:whistler-C [rtk]
« Reply #21 on: October 28, 2011, 10:54:06 PM »
OK, let me try moving the files to a new drive and see how this works. Thank you, I really appreciate your help  :)

Offline essexboy

Re: MBR:whistler-C [rtk]
« Reply #22 on: October 28, 2011, 11:01:07 PM »
Probably at one time you did have a whistler infection on that drive - did it have an old XP installation on it?

fraise

  • Guest
Re: MBR:whistler-C [rtk]
« Reply #23 on: October 28, 2011, 11:31:57 PM »
I only saw this month that it had this problem. I have always had XP; only yesterday I put Win 7 on the C drive.

Offline essexboy

Re: MBR:whistler-C [rtk]
« Reply #24 on: October 29, 2011, 02:17:21 PM »
In that case it may be alerting on the backup copy that whistler/mebroot places on the drive... This is still present after the MBR is fixed and is of no consequence  ;D

siska

  • Guest
Re: MBR:whistler-C [rtk]
« Reply #25 on: October 30, 2011, 08:38:27 PM »
I also have the whistler-c virus.

This is my log

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-30 19:13:49
-----------------------------
19:13:49.093    OS Version: Windows 5.1.2600 Service Pack 3
19:13:49.093    Number of processors: 2 586 0x4303
19:13:49.093    ComputerName: NEWFAMILY  UserName: Franziska
19:13:50.546    Initialize success
19:13:50.921    AVAST engine defs: 11103000
19:14:25.875    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3
19:14:25.875    Disk 0 Vendor: WDC_WD5000AAKS-00YGA0 12.01C02 Size: 476940MB BusType: 3
19:14:27.906    Disk 0 MBR read successfully
19:14:27.906    Disk 0 MBR scan
19:14:27.906    Disk 0 MBR:Whistler-C [Rtk]
19:14:27.906    Disk 0 Whistler@MBR code has been found
19:14:27.906    Disk 0 MBR [Whistler]  **ROOTKIT**
19:14:27.921    Disk 0 scanning C:\WINDOWS\system32\drivers
19:14:42.578    Service scanning
19:14:43.093    Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
19:14:43.625    Modules scanning
19:14:48.015    Disk 0 trace - called modules:
19:14:48.046    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spln.sys >>UNKNOWN [0x8b537938]<<
19:14:48.046    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b4c1ab8]
19:14:48.046    3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000085[0x8b48af18]
19:14:48.046    5 ACPI.sys[b7e6a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-3[0x8b4c6d98]
19:14:49.484    AVAST engine scan C:\WINDOWS
19:15:07.609    File: C:\WINDOWS\mpcodecplg.dll  **INFECTED** Win32:Adware-gen [Adw]
19:15:15.812    AVAST engine scan C:\WINDOWS\system32
19:17:05.812    AVAST engine scan C:\WINDOWS\system32\drivers
19:17:26.546    AVAST engine scan C:\Documents and Settings\Franziska
19:33:25.937    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Franziska\Desktop\downloads\MBR.dat"
19:33:25.937    The log file has been saved successfully to "C:\Documents and Settings\Franziska\Desktop\downloads\aswMBR.txt"
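A triage pass over a log like the one above, as an added example that is not part of the original thread: a Python sketch that pulls out every line aswMBR marked with a `**FLAG**` token or an `>>UNKNOWN [...]<<` entry in the module trace. The function names are assumptions, and the sample lines are quoted from the posted log.

```python
import re
from collections import Counter

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")       # timestamp + message
FLAG = re.compile(r"\*\*([A-Z]+)\*\*")                          # e.g. **ROOTKIT**
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")       # unresolved module in trace

# Lines quoted from the log posted above (subset).
SAMPLE_LOG = r"""
19:14:27.906    Disk 0 MBR read successfully
19:14:27.906    Disk 0 MBR [Whistler]  **ROOTKIT**
19:14:43.093    Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
19:14:48.046    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spln.sys >>UNKNOWN [0x8b537938]<<
19:15:07.609    File: C:\WINDOWS\mpcodecplg.dll  **INFECTED** Win32:Adware-gen [Adw]
"""


def triage(log_text: str) -> list:
    """Return (timestamp, flag, message) for every flagged log line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # banner, separator or blank line
        timestamp, message = match.groups()
        for flag in FLAG.findall(message):
            findings.append((timestamp, flag, message))
        if UNKNOWN.search(message):
            findings.append((timestamp, "UNKNOWN_MODULE", message))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per flag so distinct kinds of result are visible at a glance."""
    return dict(Counter(flag for _, flag, _ in findings))


if __name__ == "__main__":
    for timestamp, flag, message in triage(SAMPLE_LOG):
        print(f"{timestamp}  {flag:<15} {message}")
    print(summarize(triage(SAMPLE_LOG)))
```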



Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76033
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: MBR:whistler-C [rtk]
« Reply #26 on: October 30, 2011, 08:50:24 PM »
Quote from siska: "I also have the whistler-c virus."

Please start your own topic.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37603
  • Not a avast user
Re: MBR:whistler-C [rtk]
« Reply #27 on: October 30, 2011, 09:16:06 PM »
@siska seems you may have more than just whistler

so do as Asyn says
start a new topic, follow the guide here and attach the logs
http://forum.avast.com/index.php?topic=53253.0