Hi, I’ve just been alerted by Avast this morning regarding a virus when I performed a full system scan.
The file name is MBR: \.\PHYSICALDRIVE0, Threat:Rootkit: hidden boot-sector
There have been random Internet Explorer ads popping up from time to time, and I’ve followed what Avast suggested, which is to do a boot scan while it cleans up any problems. The boot scan turned up clean, and nothing seems to have been fixed. Also, Avast continues to alert me about the virus, saying that a suspicious MBR: \.\PHYSICALDRIVE0 has been detected, after which it alerts me again, this time saying it’s Whistler. I’ve tried scanning with Malwarebytes as well, and nothing comes up there either.
Ah, I’ve also been experiencing BSODs from time to time, sometimes when I boot up my computer and sometimes at completely random moments. It states “invalid process detach attempt” and starts with the code 0x00000006. I’ve looked into the code and found that it has something to do with hardware or driver problems, but just in case I thought I’d include this as well.
Another thing: the Internet Explorer ads had been popping up before Avast detected this rootkit, so I’m not sure whether it has been on my computer for a while and Avast only detected it today.
I had an external HD plugged in during the scan, so I’m not sure if it has been affected as well. Is there a way to confirm what has been infected?
After looking around the threads here, I’ve also tried checking with aswMBR and using MBRCheck. I’ve also included the latest quick scan log by Malwarebytes, done just a while ago.
Here are the three respective logs.
I’d appreciate it if anyone can spare me some help. Thanks in advance.
To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt / Extras.Txt)
I’ve tried scanning with OTL and GMER as well.
These are the logs of the scans. The GMER log appears to be too large to post; it’s about 180 KB.
Also, I’ve tried scanning the attached external hard disk with Avast. There were no infected files. I was using uTorrent to download a 60 GB photo RAR file to the hard disk in the past few days; could there be any link between the torrent and the rootkit?
Once again, thanks in advance.
My computer froze after attempting to scan with GMER again, and now no file extensions show after I restarted it. I’ve no idea what the cause of this is either. Edit: They reappeared after I went into Control Panel to uncheck “Hide extensions for known file types”. Could this be the work of the rootkit?
Whilst I am looking at the other logs, could you run aswMBR again please and select Fix?
13:11:00.046 Disk 0 Whistler@MBR code has been found
13:11:00.062 Disk 0 MBR hidden
13:11:00.078 Disk 0 MBR [Whistler] **ROOTKIT**
13:11:00.093 Disk 0 trace - called modules:
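The aswMBR lines above report a hidden MBR with Whistler boot code on disk 0. The example below is an added illustration, not code from this thread, from aswMBR, Avast or any other tool named here. It shows what such a scanner is checking at the lowest level: it decodes the fixed 512-byte MBR layout (boot code, disk signature, partition table, 0x55AA signature) and compares a hash of the boot code against a baseline recorded from a known-clean boot. The sample sector, its boot-code bytes, the disk signature and the baseline hash are all constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot loader code
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed, well-formed MBR sector for demonstration only."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678)      # constructed disk signature
    reserved = b"\x00\x00"
    # One bootable NTFS (type 0x07) partition starting at LBA 2048, 204800 sectors long.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return code + disk_sig + reserved + entry + empty * 3 + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Decode the fixed layout of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0x00:                         # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "disk_signature": disk_sig,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the recorded baseline hash")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    if not info["partitions"]:
        findings.append("no partitions defined")
    return findings


# Constructed sample: a stand-in boot loader prologue and the hash that a clean
# system would have recorded for it (both invented for this example).
SAMPLE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(SAMPLE_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    # Reading the live disk is Windows-specific and needs administrator rights:
    #   with open(r"\\.\PhysicalDrive0", "rb") as disk: sector = disk.read(512)
    # The constructed sample is checked here instead.
    print(parse_mbr(SAMPLE_MBR))
    tampered = bytearray(SAMPLE_MBR)
    tampered[0] ^= 0xFF                           # simulate a patched first instruction
    print("clean:", check_mbr(SAMPLE_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(bytes(tampered), BASELINE_SHA256))
```

The caveat that matters for a finding like “MBR hidden”: a rootkit that filters disk I/O can return a clean-looking sector to an ordinary read of the physical drive, so a user-mode hash comparison like this one is only trustworthy against a sector read from clean boot media or from an offline image. That is why the thread relies on tools such as aswMBR and TDSSKiller, which read the disk below the layer the rootkit controls.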
I’ve tried running aswMBR earlier; the Fix option wasn’t available after scanning.
I’ve just redownloaded it and run it again, and the Fix option is still not available after the scan.
OK, thank you. I will pass that on to GMER. Could you e-mail me the aswMBR.dat file? It should be on your desktop. I will PM you my e-mail address.
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
I’ve followed your instructions and ran TDSSKiller.
The results of the scan revealed:
Trojan-Clicker.Win32.Wistler.a
Physical Drive
Name: \HardDisk0
as well as a suspicious file with the exact same details as the one in the screencap below.
However, when I chose Continue, it says
Can’t cure MBR. Write standard boot code?
Do I go ahead and select Yes?
Sorry for the trouble.
I’m sorry, I do not have much knowledge on IT and stuff, so I don’t get what you mean by the make of my computer.
My father built this computer by himself though.
On another note, TDSSKiller tells me that the infection will be cured after reboot.
It states
\HardDisk0 - processing error
\HardDisk0 - will be restored after reboot
Will now restore and paste the report here.
Also, is there any way to double-confirm whether my other files on my computer and ext HD (videos, pictures, songs) have been infected by any virus?
Thanks a lot for the help; it is very much appreciated.
The suspicious file detected by TDSSKiller earlier still remains. Is it due to the Skip option?
Also, is there any way for me to find out what could have caused this rootkit infection so that I can take precautions against it in the future?
I believe there were random pop-ups from IE in the recent past when I was not using it, but when I scanned using MBAM and Avast in the past it showed no signs of infection; in fact Avast only detected it this morning.
Is it safe to say that the virus has not taken any personal information or caused damage to any programs?
Also, is using Avast and MBAM enough to keep my computer protected?
Sorry for having bothered you so much today; your help is very much appreciated.
Oh, and regarding my external hard drive, can I consider it clean if a scan by Avast and MBAM turns up no infections later on? (MBRCheck states that my ext HD has an unknown MBR code.)
Edit: Ah, that’s right, the log from GMER showed the Internet Explorer processes with “hidden” behind them. Have they been fixed with TDSSKiller?
I’ve also just finished scanning with Avast; no threats found now.
Hello, I am having the exact same problem. I had AVG anti-virus but no viruses were shown. However, I knew I had one because all of a sudden a blue screen would appear, something to do with a driver problem, and then my laptop would restart.
I have now downloaded Avast 6.0 and it detects the virus. However, when I try to move it to the chest, it says error.
I have done the boot start-up scan and it comes out clean, and the laptop starts up normally.
I am running the Avast antivirus again, and I have just got a thing that has popped up saying SUSPICIOUS FILES FOUND, and the file name is \.\PHYSICALDRIVE0 MBR:TDL
I have already taken the action to delete it but this message still comes up.
When I run a quick scan or full scan, within seconds a virus is detected. This is called MBR: \.\PHYSICALDRIVE0, and the status is ‘Threat:Rootkit:hidden boot-sector’.
I restart the laptop when Avast asks me to, and I have done many of the boot start-up scans, and it still does not go.
- Double-click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
- Click on Minimal Output at the top.
- Click on Scan all users.
- Download the following file, scan.txt, to your Desktop. Click here to download it. You may need to right-click on it and select “Save”.
- Double-click inside the Custom Scan box at the bottom.
- A window will appear saying “Click Ok to load a custom scan from a file or Cancel to cancel”.
- Click the Ok button and navigate to the file scan.txt which we just saved to your desktop.
- Select scan.txt and click Open. Text will now appear under the Custom Scan box.
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach all logs.