Whistler-B@mber [Rtk]

Threat is not found in the Quick Scan but is in the Full System Scan and Weekly Scan. Avast doesn’t allow any actions to be taken to get rid of the threat.

I ran MBRCheck and it says it fixes the problem but the problem is back after I reboot and run it again. Below is the txt file generated by MBRCheck.

Any help getting rid of this thing would be appreciated.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000006fc

Kernel Drivers (total 118):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xB9E6A000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E4A000 fltmgr.sys
0xB9E38000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9E21000 KSecDD.sys
0xB9D94000 Ntfs.sys
0xB9D67000 NDIS.sys
0xB9D4D000 Mup.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB966F000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB965B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB961A000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB95F6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB95CE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB95AB000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA73B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9594000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA410000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9583000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA128000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA420000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA430000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA138000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA438000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA440000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5C4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9525000 \SystemRoot\system32\DRIVERS\update.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA168000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA178000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB5F86000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB5F62000 \SystemRoot\system32\drivers\portcls.sys
0xBA188000 \SystemRoot\system32\drivers\drmk.sys
0xBA588000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5CE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA775000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5D2000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA488000 \SystemRoot\System32\drivers\vga.sys
0xBA5D6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5DA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA4A8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9515000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB5E3F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB5DE6000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA1A8000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xB5DC0000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB5D70000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA380000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xB5D4E000 \SystemRoot\System32\drivers\afd.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB5D23000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB5CB3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1E8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB5C6C000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBA3A0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xB5E96000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA218000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3C0000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA228000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA3F0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB5E86000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB5E7E000 \SystemRoot\system32\DRIVERS\wdcsam.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xBA238000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB5BC9000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB5E72000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9519000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA418000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA686000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF53E000 \SystemRoot\System32\ATMFD.DLL
0xB591D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xB58C1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBA468000 \SystemRoot\system32\DRIVERS\pnarp.sys
0xBA478000 \SystemRoot\system32\DRIVERS\purendis.sys
0xB570A000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xB5609000 \SystemRoot\System32\Drivers\Udfs.SYS
0xB534C000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5521000 \SystemRoot\system32\drivers\sysaudio.sys
0xB52FE000 \SystemRoot\system32\drivers\kmixer.sys
0xB504F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB4E07000 ??\C:\WINDOWS\system32\drivers\tmcomm.sys
0xB4C97000 \SystemRoot\system32\DRIVERS\srv.sys
0xB4666000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Remainder of txt file

Processes (total 44):
0 System Idle Process
4 System
656 C:\WINDOWS\system32\smss.exe
704 csrss.exe
728 C:\WINDOWS\system32\winlogon.exe
780 C:\WINDOWS\system32\services.exe
792 C:\WINDOWS\system32\lsass.exe
956 C:\WINDOWS\system32\svchost.exe
1024 svchost.exe
1120 C:\WINDOWS\system32\svchost.exe
1256 svchost.exe
1372 svchost.exe
1452 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1844 C:\WINDOWS\explorer.exe
2044 C:\WINDOWS\system32\spoolsv.exe
572 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
708 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
980 C:\Program Files\Pure Networks\Network Magic\nmapp.exe
1068 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
1148 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
1356 C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
1588 C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
1604 C:\WINDOWS\system32\ctfmon.exe
244 svchost.exe
288 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
460 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
564 C:\WINDOWS\system32\nvsvc32.exe
604 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
680 sqlbrowser.exe
1212 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
1304 C:\WINDOWS\system32\svchost.exe
2348 C:\WINDOWS\system32\searchindexer.exe
2428 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
2436 C:\Program Files\Dell Support Center\gs_agent\dsc.exe
2836 C:\WINDOWS\system32\wuauclt.exe
3076 wmiprvse.exe
2552 C:\WINDOWS\system32\searchprotocolhost.exe
2708 alg.exe
1812 searchfilterhost.exe
3680 C:\WINDOWS\system32\searchprotocolhost.exe
3436 C:\Program Files\Alwil Software\Avast5\Setup\avast.setup
3096 C:\WINDOWS\system32\svchost.exe
2236 C:\WINDOWS\system32\wscntfy.exe
2648 C:\Documents and Settings\Jim Hollingsworth\Desktop\MBRCheck.exe

\.\C: → \.\PhysicalDrive0 at offset 0x00000000036e8e00 (NTFS) \\.\K: --> \\.\PhysicalDrive5 at offset 0x0000000000100000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD501LJ, Rev: CR100-13
PhysicalDrive5 Model Number: WDMy Book 1110, Rev: 2003

  Size  Device Name          MBR Status

465 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!
        SHA1: 597895E38B8A93C1C7CD7B0BD0A75FCBB8FBA07A
465 GB  \\.\PhysicalDrive5   RE: Windows XP MBR code detected
        SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue: YES
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

Done!

That is getting a tad resilient now. Two programmes for you to run: The first is the Avast tool being developed to cure this, the second is in case Avast cannot clear it

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.jpg

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2.png

Click the “Fix” in case of infection

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR3.png

Save the aswMBR.log to the desktop

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR4.png

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
Run date: 2011-02-14 20:01:40

14:01:40.062 OS Version: Windows 5.1.2600 Service Pack 3
14:01:40.062 Number of processors: 4 586 0xF0B
14:01:40.062 ComputerName: D2JZC5G1 UserName:
14:01:41.062 Initialize success
14:01:51.265 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
14:01:51.265 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
14:01:51.265 Disk 1 \Device\Harddisk1\DR4 → \Device\00000078
14:01:51.265 Disk 1 Vendor: TEAC____ 4.08 Size: 476940MB BusType: 7
14:01:51.281 Disk 2 \Device\Harddisk2\DR5 → \Device\00000079
14:01:51.281 Disk 2 Vendor: TEAC____ 4.08 Size: 476940MB BusType: 7
14:01:51.296 Disk 3 \Device\Harddisk3\DR6 → \Device\0000007a
14:01:51.296 Disk 3 Vendor: TEAC____ 4.08 Size: 476940MB BusType: 7
14:01:51.312 Disk 4 \Device\Harddisk4\DR7 → \Device\0000007b
14:01:51.312 Disk 4 Vendor: TEAC____ 4.08 Size: 476940MB BusType: 7
14:01:51.328 Disk 5 \Device\Harddisk5\DR8 → \Device\0000007c
14:01:51.328 Disk 5 Vendor: WD______ 2003 Size: 476270MB BusType: 7
14:01:51.343 Disk 0 MBR read successfully
14:01:51.343 Disk 0 MBR scan
14:01:51.359 Disk 0 scanning sectors +976768065
14:01:51.406 Disk 0 trace - called modules:
14:01:51.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:01:51.406 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8ac90ab8]
14:01:51.406 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → \Device\00000067[0x8acbbf18]
14:01:51.406 5 ACPI.sys[b9f7f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8ac93d98]
14:01:51.406 Scan finished successfully

TDSSKiller file attached

TDSSKiller reported that it removed it - Is Avast still reporting it ?

Thanks essexboy. I will run later tonight and let you know.

Thanks for your help.

No threat detected. ;D

Thanks again.

Just delete the programmes from your desktop and let me know if you encounter any further problems

Also could you look in the same place as the ASWmbr log for a file called mbr.dat could you zip that file and send it to me please

I will send my e-mail address by PM

Sent. Did you get it?

It won’t hurt to leave those programs on my computer will it?

Yes thank you - I will pass it to GMER

You can delete the programmes from your desktop as they are regularly updated ;D