[SOLVED] whistler@mbr need help

Hi
Seems I’ve got a whistler@mbr virus.
Have read down some of the threads in this forum but still have the problem. It’s being picked up by the avast antivirus.
So far, I’ve run Malwarebytes anti-malware, no joy.
I’ve also downloaded OTS and have the log (saved as ANSI) attached.
Tried also to run MBRCheck.exe; it ran and produced a log but didn’t seem to give me the options as indicated in the thread I read as it ran, i.e. to enter physical disk numbers etc. Log also attached.
This is the first time I’ve entered a forum for help like this so sorry if I seem a little wobbly on things.
Would appreciate any help pls?
Many thanks in advance.
bigneil

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

Hi. Many thanks for getting back to me so promptly. Will try this.
Thanks once again.
N

Hi Again
Downloaded aswMBR.exe and ran it as advised. Pls see attached the log it generated.
Thanks and hope to hear from you soon.
N

17:36:25.515 Disk 2 Whistler@MBR code has been found
17:36:25.515 Disk 2 MBR hidden
17:36:25.515 Disk 2 MBR [Whistler] **ROOTKIT**

  • scan again, click “FIX MBR” and reboot
  • after reboot, scan again and click “SAVE LOG” post that log

Hi
Just rescanned and run “FIX MBR”.
Rebooted, scanned again and attached new log as advised.
Hoping this shows some good news.
Thanks once again.
N

I have PMd Essexboy so he will have a check on this :wink:

Hi
OK, many thanks. Will wait to hear from you.
Speak soon I hope.
N

Hi, you have been using infected USB drives by the look of it. I will clear the mountpoints and close some ports.

Download the attached fix.txt to your desktop

Start OTS. Click the Run Fix button.
A dialogue will open asking for the location of the fix.txt
Locate the file you downloaded to your desktop
Click run fix again

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Files, no company name:

sysprs7.dll → I:\WINDOWS\System32\sysprs7.dll → [2008/11/29 20:24:37 | 000,001,025 | ---- | C] ()
lsprst7.dll → I:\WINDOWS\System32\lsprst7.dll → [2008/11/29 20:24:37 | 000,000,205 | ---- | C] ()

What about those…? Just curious. :slight_smile:

This is what I have gleaned

"These files are directly related to our new SPSS/Clementine licensing scheme. When an SPSS or Clementine data file is opened the internal license manager will search for a valid license and set these files accordingly. [It] will first attempt to write these files to the \windows\system32 directory. If the user doesn't have permission to write there, [it then] writes them to the directory where the data files reside. [...] Our development is looking to see if this can be handled in a more elegant way in the future."

And that’s why it doesn’t occur with administrative privileges, since those convey write access to system directories.

Hi Essexboy.
The pc didn’t seem to like that.
Downloaded the fix.txt file to desktop and ran OTS, located the fix.txt file from my desktop and ran fix again.
As I clicked the Run Fix icon, all the icons I have on my desktop vanished (but has left the wallpaper ok) and the ‘green progress bar’ (immediately above the OTS ‘additional scans’ section) seemed to dance left and right for about 20 seconds - hope you can picture what I mean.
The progress bar did eventually go ‘100% completed’ after about 40 secs; still no icons on my desktop and there’s no box appeared saying ‘ok’ so of course there’s no log file.
Can you help with a next move? I can still move my mouse cursor and the OTS menu window is still showing, (with the run scan, quick scan, paste fix here bits etc etc, [Run fix button is greyed out]).
I’m writing this message from my laptop.
Should I reboot?
Thanks
N. [and p.s. yes, just come back off hols and my son has popped around to do some work for his CV on the pc during the easter hols … using a usb drive!! (he’s been informed)]

When OTS runs and has a cleartemps instruction it will close all running processes including explorer. This is to ensure it gets everything in the first run. As for the time taken - the more junk in your temporary files the longer it will take to run.

All that should be left in the fix box is [cleartemps]. If after about 10 minutes or so it has not rebooted, then Control-Alt-Delete and stop OTS from running via Task Manager. Then reboot.

Hi
Thanks for getting back and also for clarifying what had happened…
So, log file appeared after reboot - pls find attached.
Thanks - much appreciated.
N

Please make sure the file is saved with code ANSI.
Open in Notepad, click “File” → “Save As”.

Oops!! Sorry.
Here we go.
Thanks
N

Okay, thanks.

Need to have essexboy look at it - but as a tendency, I’d say it’s looking good.
Please be patient until essexboy answers here.

Hi
Yes, will do - got plenty of patience!! Appreciate all your help and assistance.
Thanks
N

Total Files Cleaned = 202.00 mb
a little more free space ;D

What problems do you have at the moment?

Hi
Hey, that’s really cool!!
Not sure if I have any problems now, (apart from wife, kids, mortgage, undervalued - overworked… you know!!)
Still got my fingers crossed… Is the problem really fixed?
Do I need to re-run an avast scan to check? (not that I ever doubted you guys)
Can i say PHEW!! yet??
N