Infected with Whistler / Black internet

Hi, I’m really hoping to get some help on this. Firstly I’d just like to say that I haven’t really been getting many problems, i.e. pop-ups or excessive CPU or RAM usage. The one problem that has brought me to this point is I keep getting incoming requests in Comodo (which I’ve blocked) for svchost.exe, sometimes up to a thousand a day. Anyway, I’ve scanned with Avast at boot and normally, nothing found. I’ve scanned with Malwarebytes and SUPERAntiSpyware, nothing found. I did a scan with TDSSKiller and it found “Trojan-Clicker.Win32.Wistler.a” but stated it could not fix it. Then I ran MBRCheck and it found “Known-Bad MBR Code Detected Whistler / Black Internet”. I chose to rewrite the MBR, chose number 1 Windows XP, it said done, reboot, so I rebooted, ran it again and it was still there! I really don’t know what to do. What is this? And how do I get rid of it? Thank you very much if you can help.

Hi youngsta,

Download aswMBR.exe from here http://public.avast.com/~gmerek/aswMBR.htm

1) Double-click aswMBR.exe to run it
2) Click the [Scan] button to start the scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply

Thanks. Do I need to disable antivirus or anything?

No, just run it from Windows normal mode.

Here is the scan. It looks like it only scanned 1 HDD; I probably should have mentioned I have 1 internal HDD with the OS on, then I have a 500GB external and a 1TB external. The code was found on Disk 2, which is the 500GB.

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-30 14:36:01

14:36:01.703 OS Version: Windows 5.1.2600 Service Pack 3
14:36:01.703 Number of processors: 2 586 0x403
14:36:01.703 ComputerName: WORKGROUP-FFDC5F UserName: Youngie
14:36:03.078 Initialize success
14:36:03.390 AVAST engine defs: 11073000
14:36:10.703 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-17
14:36:10.703 Disk 0 Vendor: Maxtor_6L160M0 BANC1G10 Size: 152587MB BusType: 3
14:36:12.734 Disk 0 MBR read successfully
14:36:12.734 Disk 0 MBR scan
14:36:12.734 Disk 0 Windows XP default MBR code
14:36:12.734 Disk 0 scanning sectors +312496380
14:36:12.843 Disk 0 scanning C:\WINDOWS\system32\drivers
14:36:20.093 Service scanning
14:36:21.421 Modules scanning
14:36:26.125 Disk 0 trace - called modules:
14:36:26.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
14:36:26.156 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8aabfab8]
14:36:26.171 3 CLASSPNP.SYS[f74c7fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-17[0x8aab7d98]
14:36:26.671 AVAST engine scan C:\WINDOWS
14:36:30.500 AVAST engine scan C:\WINDOWS\system32
14:37:56.718 AVAST engine scan C:\WINDOWS\system32\drivers
14:38:07.625 AVAST engine scan C:\Documents and Settings\Youngie
14:50:17.390 AVAST engine scan C:\Documents and Settings\All Users
14:50:55.187 Scan finished successfully
14:53:43.312 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Youngie\Desktop\MBR.dat”
14:53:43.328 The log file has been saved successfully to “C:\Documents and Settings\Youngie\Desktop\aswMBR.txt”

Here is the MBRCheck log.

Are these TDSSKiller and MBRCheck logs you have attached the ones you ran before aswMBR or after the aswMBR scan?

Strange that MBRCheck and TDSSKiller would say they had found Whistler yet aswMBR shows that it finds the default MBR code.
14:36:12.734 Disk 0 Windows XP default MBR code

Which I would guess, if you had run MBRCheck and chose to rewrite MBR, chose number 1 Windows, would be right (???)
Did you have these external drives attached when you ran aswMBR, or it wouldn’t see anything on those?

These external drives surely aren’t bootable, are they?
Or there would have to be a custom/modified MBR for a dual boot.

I ran the MBRCheck and TDSSKiller before I scanned with aswMBR.
Disk 0 is the OS internal, Disk 1 is external, Disk 2 is external.
aswMBR says Disk 0 Windows XP default MBR code.
MBRCheck says PhysicalDrive2 RE: Known-bad MBR code detected (Whistler / Black Internet)!
The dodgy code was found on Disk 2.
Yes, I did have these drives attached when I ran aswMBR.
I bought the external drive new; it has never had an operating system on it.

I am a bit stumped myself as to why it is only on 1 of my external HDDs, not on the other or my boot drive??? I know nothing about this type of thing.
Thanks for your help.

I just wonder why aswMBR doesn’t find these other disks (perhaps it doesn’t consider external drives).

Then I have to wonder why these two disks have an MBR file since they aren’t bootable?

So I think it will require someone with more experience than I to look into this.

Both aswMBR and TDSSKiller only determine that bootable drives warrant repair; ensure all drives are connected.

Run MBRCheck.exe once again.

You will be presented with the following dialog:

[QUOTE]Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Enter Y and press Enter.

The following dialog will be presented:

[QUOTE]Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
[/quote]
Enter 2 and press Enter

The following dialog will be presented:

[QUOTE]Enter the physical disk number to fix (0-99, -1 to cancel):
[/quote]
Enter >>2<< and press Enter

The following dialog will be presented:

Enter >>1<< and press Enter

The following dialog will be presented:

[QUOTE]Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue:
[/quote]
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code!

And last the following dialog will be presented:

[QUOTE]Done! Press ENTER to exit…
[/quote]
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
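The MBRCheck dialogs above dump sector 0 and compare its boot code against standard code before offering to rewrite it. The following Python is an added example, not the thread’s or MBRCheck’s code, that does the same triage on a 512-byte dump such as the MBR.dat aswMBR saved to the desktop: it splits the sector into bootstrap code, partition table and 0x55AA signature, hashes the bootstrap area and labels it against an allowlist (the hash key in the allowlist is a placeholder for one taken from a disk you have verified).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap area; bytes 440-445 hold disk signature/padding
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count

# Hypothetical allowlist of SHA-256 hashes of verified standard boot code; the key is a placeholder.
KNOWN_GOOD_BOOTCODE = {"<sha256-of-verified-standard-bootcode>": "Windows XP default MBR code"}

def parse_mbr(sector: bytes) -> dict:
    """Split raw sector 0 into bootstrap-code hash, partition table and boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    bootcode = sector[:BOOTCODE_LEN]
    return {"bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
            "bootcode_empty": not any(bootcode),
            "partitions": partitions,
            "signature_ok": sector[510:512] == b"\x55\xaa"}

def classify_mbr(sector: bytes, allowlist=KNOWN_GOOD_BOOTCODE) -> str:
    """Triage the bootstrap area: allowlisted name, 'empty-bootcode' or 'non-standard'."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "no-boot-signature"
    if info["bootcode_empty"]:
        return "empty-bootcode"  # partition table only; the normal state of a never-booted data disk
    return allowlist.get(info["bootcode_sha256"], "non-standard")

def build_sample_mbr(bootcode: bytes, partitions) -> bytes:
    """Constructed test sector (not a real disk dump) for the samples below."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16,
                         0x80 if active else 0x00, ptype, lba_start, sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples: a storage-only disk (one NTFS partition, zeroed bootstrap area) and a disk with unlisted code.
STORAGE_DISK = build_sample_mbr(b"", [(False, 0x07, 2048, 976771072)])
UNKNOWN_CODE_DISK = build_sample_mbr(b"\xeb\x3c\x90" + b"\x41" * 60, [(True, 0x07, 63, 312496380)])
```

A data-only disk still carries a partition table in sector 0, so an “empty-bootcode” result is the expected state for a drive that has never booted anything. To triage a real dump, pass `open("MBR.dat", "rb").read(512)` to classify_mbr.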

Thanks essexboy for joining the topic and the info on aswMBR and TDSSKiller only considering bootable drives warrant repair.

Hey, thanks for your help, but that’s what I did the last time though.

edit: Wasn’t trying to be smart, just stating that’s what I did before :)

Also, do you think svchost.exe is related to this? I’ve just checked Comodo and it says “Firewall has blocked 203 intrusions so far” since 2:50 this morning. Why would svchost.exe be trying to receive incoming connections?

Unless drive 2 is active it would not cause the alerts; they are probably related to something else. What do you use drive 2 for?

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

Sorry to ask again, but do I need to disable antivirus? Avast is telling me to open it in the sandbox; is this normal?

Do not let Avast sandbox it; it needs to run normally.

Avast does not need to be disabled, as this is just analysis.

Thanks for your help, I really appreciate it. The HDD in question is only used for storage, mostly music, videos and backups. Is it right that, as it has never been used to boot, it shouldn’t have an MBR?

Did you install this ?
C:\Program Files\Winnydows

No apparent malware is visible. It may be well worth emptying the backup disc with the MBR anomaly and doing a full reformat on it.

I did; it was XVID4PSP, which I uninstalled. I just deleted the empty folder.
Is there no way to get rid of it? I don’t have the space to move all my files off the drive until I can get a new one. Also, I use this PC for online banking, so basically I will not be able to trust my PC to do anything.
And I really do appreciate your help, thanks.

Given what essexboy said to stop all programs, then perhaps yes, disable the anti-virus. However, if you still get the autosandbox alert in that window, just select run normally.

See image example.