Whistler@mbr [RTK] Infection... Need Help Verifying It's Gone

A friend of a friend asked me to print a document off her USB drive. I plugged the drive in and Avast went off immediately indicating a virus was detected. I deleted the virus and ran a boot scan, after Avast detected a Rootkit called whistler@mbr [rtk]. On the first scan it found 3 files and on the next it found 5 files.

I am fairly knowledgeable when it comes to computers, so I attempted to run Combofix based off of advice to other users I researched here in other posts. I took all the safeguards. That was a good thing because Combofix hung various times. After several SafeMode starts and several additional apparent resumption scans that never really seemed to finish, my computer seems to be working “normally” now. Avast has not gone off. I won’t run Combofix again without supervision!

I would like to ensure that my system is safe. I have scheduled a boot scan in Avast. So after I post this, I am going to reboot the PC, let Avast do its thing, and then come back here with any results.

What else can I do to ensure my PC is free of any threat?

I ran an MBR Check just before I rebooted for the Avast scan…

Hi, there.

Please download aswMBR.exe to your desktop.

  • Double click aswMBR.exe to run it

  • Click the Scan button to start the scan

  • On completion of scan please save log to your desktop and post it in your next reply.

Hello, my computer seems to be infected too. I scanned it with aswMBR, here’s the log:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-22 21:26:01

21:26:01.671 OS Version: Windows 5.1.2600 Service Pack 2
21:26:01.671 Number of processors: 1 586 0x2C02
21:26:01.671 ComputerName: NEWAIM UserName:
21:26:05.781 Initialize success
21:26:25.656 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
21:26:25.656 Disk 0 Vendor: ST380013AS 3.00 Size: 76319MB BusType: 3
21:26:27.671 Disk 0 MBR read successfully
21:26:27.671 Disk 0 MBR scan
21:26:27.671 Disk 0 Whistler@MBR code has been found
21:26:27.671 Disk 0 MBR [Whistler] ROOTKIT
21:26:27.671 Disk 0 scanning C:\WINDOWS\system32\drivers
21:26:29.437 Service scanning
21:26:30.500 Disk 0 trace - called modules:
21:26:30.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:26:30.515 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86385ab8]
21:26:30.515 3 CLASSPNP.SYS[f753d05b] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x86392d98]
21:26:30.515 Scan finished successfully

What should or could I do next?

Thanks for any help!

21:26:27.671 Disk 0 Whistler@MBR code has been found
21:26:27.671 Disk 0 MBR [Whistler] **ROOTKIT**
Scan again and click "FIX MBR".

Thanks, looks fixed. :-*

I have notified Essexboy, the malware remover expert, so check back to hear what he has to say.

You may do this, then he can see if everything is gone

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( OTS log / Malwarebytes log )

Yep, an OTS scan should show any remnants.