More Whistler-C [RTK]

I could also use some help in removing the Whistler-C Rootkit. I am running XP Home, Service Pack 3 and it’s up to date. I have System Restore turned off. This malware was originally detected by AVAST Free about two weeks ago; that level of Avast was unable to delete it. I now have a current version of Avast Internet Security. After detecting the [RTK] I have tried to have it deleted, moved to the chest, or repaired…but the sneaky devil returns on boot. The [RTK] is in the MBR 0. After deletion, I would like to try the FIXMBR command but am unsure of how to get my system to boot from my original XP disk. Any help or comments would be great.
Thanks, Richard.

First you should have saved the log and attached that to your next post (use the Additional Options link to attach files) so we can see the contents.

Thanks for the quick reply DavidR. Give me a little help here, which logs do you need and what commands to get them?
Richard.

You can check if you have an MBR rootkit using this tool:

Log attached as requested…/ Richard

In this case - [Whistler] ROOTKIT found:

http://public.avast.com/~gmerek/aswMBR4.png

  • scan again then click “FIXMBR” and reboot

It would probably be best to run aswMBR again after this and save the log to confirm that it has gone.

OK. Ran the tool, then FixMBR, did reboot and ran the tool again. It appears that the [RTK] has been removed (see log attached). Now, I assume that before turning on system restore, all previous system restore points should be deleted?

Many thanks for all your help.
Richard, White Rock BC, CAN.

You’re welcome.

That looks good; you are back with the default XP MBR code.

Yes, when you disable system restore and then re-enable it your old restore points should be gone.

That’s me for the night; almost 3:30am here and my bed is calling.