Whistler-C infection

Hello,

Here is my aswmbr log. I didn’t hit “fix mbr”; I only have one partition.

XP pro SP3

Thanks!

Scott

In this case - [Whistler] ROOTKIT found:

http://public.avast.com/~gmerek/aswMBR4.png

  • scan again then click “FIXMBR” and reboot

David,

Thanks for your help. A few more questions:

  1. Can I hit “Fix MBR” and not worry about the partition warning from aswMBR?

  2. Should I be concerned about the other “redlined” items (unknown, etc)?

  3. After I complete the fix and scan it again to make sure everything is rosy, should I just uninstall aswMBR or is there a special procedure for this?

Cheers,

Scott

What partition warning? I don’t see anything in the log.
If you mean when you click fixMBR, then this may just be a general warning; if you have a single partition and no vendor (who made/built your laptop) recovery partition, it shouldn’t be an issue.

However, I have never come across this and if you wish you can wait for essexboy when he comes on-line in a couple of hours.

The unknown item may well be related and once the rootkit is removed this might be seen by avast. But it would need further analysis by a malware removal specialist, so it may be best to wait for essexboy.

In which case you should run another analysis too, for him to work with when he does get on-line.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

The aswMBR.exe doesn’t install; it is stand-alone, and once we are done with it, it can be removed.

Thanks. Should I attach the MBR.dat file generated by the aswMBR scan as well? I just attached the text file.

And yes, the warning I was referring to occurs when you hit “Fix MBR”, something like “Caution: overwriting the MBR may cause problems with partitions…” or something like that. I don’t know because I’m not at my laptop.

Scott

Only if essexboy asks for it.

In that case I would say, since it is a general warning and you don’t have multiple partitions (multi-boot, or a custom MBR for something like a Dell/HP laptop), that it should be OK to proceed with the fixMBR when you are back at the laptop.

Then try another aswMBR scan and attach the log and see if that is resolved and if the Unknown item is still there. Followed up by a normal avast Quick scan.

Then Run OTL and attach the log.

Yes, it is a general warning that will always appear when you change the MBR (although why malware does not trigger that I don’t know, unless it uses the F command).

Once done could you post the OTL log as there may well be remnants
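The partition-warning discussion above turns on what a FixMBR-style repair rewrites: the boot code in the first 440 bytes of the sector, not the 64-byte partition table that follows it. As an added example (not from this thread, and not aswMBR's own code), the Python below parses a raw 512-byte MBR sector, lists its partition entries, and checks that a pre-fix and post-fix dump differ only in boot code; it assumes MBR.dat is such a raw sector dump, and the MBR bytes used here are constructed for the demonstration.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
TABLE_OFF = 446          # partition table: 4 entries of 16 bytes, at offset 446
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, disk signature and non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)} bytes")
    if mbr[510:] != BOOT_SIG:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions = []
    for slot in range(4):
        entry = mbr[TABLE_OFF + 16 * slot: TABLE_OFF + 16 * (slot + 1)]
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": mbr[:440],
            "disk_signature": struct.unpack("<I", mbr[440:444])[0],
            "partitions": partitions}


def table_preserved(before: bytes, after: bytes) -> bool:
    """True when the rewrite changed only the boot code and left signature and table intact."""
    b, a = parse_mbr(before), parse_mbr(after)
    return (b["partitions"] == a["partitions"]
            and b["disk_signature"] == a["disk_signature"]
            and b["boot_code"] != a["boot_code"])


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR: boot code, disk signature, 2 reserved bytes, table, 0x55AA."""
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions).ljust(64, b"\x00")
    return code + struct.pack("<I", 0x1234ABCD) + b"\x00\x00" + table + BOOT_SIG


if __name__ == "__main__":
    # Constructed stand-ins for a pre-fix and post-fix dump of a single-partition XP disk.
    single = [(0x80, 0x07, 63, 1_000_000)]          # one bootable NTFS partition at LBA 63
    infected = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 20, single)
    repaired = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", single)
    for part in parse_mbr(repaired)["partitions"]:
        print(part)
    print("partition table preserved:", table_preserved(infected, repaired))
```

Running the same comparison on real pre-fix and post-fix dumps shows whether the repair touched anything beyond the boot code, which is exactly the case the warning dialog is there for.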

Thank you gentlemen. I will do that this evening (east coast US time.)

Scott

I ran the fix in aswMBR, which seemed to do the trick. Rebooted, scanned again, then scanned with Avast…all good.

Attaching:

asMBR-1.txt (pre-fix log)
aswMBR.txt (post-fix log)
OTL.Txt and extras.txt (from post-fix OTL scan)

Thanks!

Scott

oops

Looks like the fixMBR has also resolved the Unknown issue. Unfortunately it will be a bit of time zone ping pong now, whilst essexboy is at work, before he is able to analyse the OTL data.

2011-08-31 20:35:34 > Infected 2011-08-31 20:54:42 > Clean
;D

What problems are you experiencing now ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-4235968365-1079620218-1601690259-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O3 - HKU\S-1-5-21-4235968365-1079620218-1601690259-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-4235968365-1079620218-1601690259-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-4235968365-1079620218-1601690259-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ran OTL, generated the 09012011… file after reboot.

OTL.txt file from post-reboot scan.

Thanks again!

Scott

Any further problems ?

So far so good. If you didn’t see any thing suspect in the last logs, I think all is good.

Thanks again for your help!

Scott

NC/USA

No problem - if all is well tomorrow, let me know and I will remove my tools

Seems to be OK. Should I keep aswMBR and OTL or trash them and download in the future if I need them again?

Thanks

Scott

Essexboy would normally give advice on their removal and any other advice.

The aswMBR.exe is stand alone not installed, so that file can be deleted. I can’t recall if there is an uninstall button in the OTL interface or not, but for now it isn’t urgent.

Essexboy should be in bed now, as it is almost 2:30am in the UK, so he will be back later this evening.

It is always advisable to remove old tools, as they do get updated fairly regularly.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run it weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date, visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave: