avast! notified me after the last full scan that my MBR has a whistler infection.
It doesn't say Whistler-A/B/C or anything like that. Just whistler@mbr on Drive 0.
I’m running Win XP / SP3.
Before trying to fix it, I have some general questions:
1.) What does it actually do, and how dangerous is it? I didn't notice any symptoms like pop-ups or random sounds like some other users in this forum previously described. The only thing I can think of is a recent BSOD when starting an AV scan. The computer also boots fairly quickly; I wouldn't have noticed anything without the routine AV check.
2.) Does it spread via USB drives and sticks? I am currently using a different computer, and wouldn't want to get this one infected too. Also, I'm worried that while I'm backing up data from the infected drive, the drive I'm backing the data up to might also get infected and start a vicious circle.
and last but not least: how should I proceed?
I already downloaded aswMBR, but it doesn’t find the whistler infection!
In addition, I would also like to scan the other drives, even though they’re not bootable.
Can I take the infected computer back online to download the scan/fix tools, or is it safe to share the USB stick to download the tools?
From the threads I’ve seen on this forum until now, most users got rid of it, so I’m fairly confident you’ll be able to help me. I’m really impressed by the dedication some of the users here show to helping others. Thank you!
There are a couple of variants of this Trojan Clicker bootkit, Whistler.
On Vista or 7 you have to disable UAC first and then perform an MBR cleansing routine under the supervision of an official malware remover. Essexboy has been notified.
Can you post the contents of, or attach, the aswMBR.txt file in your next reply?
What is the infected file name, and where was it found (e.g. C:\windows\system32\infected-file-name.xxx)?
For detections from on-demand scans, check C:\Documents And Settings\All Users\Application Data\Alwil Software\Avast5\Log (Windows 2000, Windows XP) or C:\ProgramData\Alwil Software\Avast5\log (Windows Vista, Windows 7).
[QUOTE]1.) What does it actually do, and how dangerous is it? I didn't notice any symptoms like pop-ups or random sounds like some other users in this forum previously described. The only thing I can think of is a recent BSOD when starting an AV scan. The computer also boots fairly quickly; I wouldn't have noticed anything without the routine AV check.
2.) Does it spread via USB drives and sticks? I am currently using a different computer, and wouldn't want to get this one infected too. Also, I'm worried that while I'm backing up data from the infected drive, the drive I'm backing the data up to might also get infected and start a vicious circle.
[/quote]
Should I be very worried about this infection? That website you posted only says what can theoretically be done with it. I also googled around before posting here and couldn’t find any real information regarding this question.
Also, is it a good idea to go online with that computer to post the log files here?
I'm really thinking about simply backing up the data and formatting the disk. Will formatting the disk get rid of the MBR infection, or should I remove it before that?
20:06:05.593 OS Version: Windows 5.1.2600 Service Pack 3
20:06:05.593 Number of processors: 2 586 0xE08
20:06:05.593 ComputerName: UserName:
20:06:05.859 Initialize success
20:06:06.515 AVAST engine defs: 11071100
20:06:20.796 Disk 0 \Device\Harddisk0\DR0 → \Device\Scsi\viamraid1Port3Path0Target0Lun0
20:06:20.828 Disk 0 Vendor: … Size: 100GB BusType: 1
20:06:20.843 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Scsi\viamraid1Port3Path0Target2Lun0
20:06:20.859 Disk 1 Vendor: Size: 500GB BusType: 1
20:06:20.890 Device \Driver\viamraid → DriverStartIo SCSIPORT.SYS f74ce40e
20:06:20.906 Device \Driver\viamraid → MajorFunction 8a65d1f8
20:06:20.937 Disk 1 MBR read successfully
20:06:20.953 Disk 1 MBR scan
20:06:20.984 Disk 1 unknown MBR code
20:06:21.000 Disk 1 scanning sectors +976752000
20:06:21.062 Disk 1 scanning C:\WINDOWS\system32\drivers
20:06:28.859 Service scanning
20:06:30.234 Disk 1 trace - called modules:
20:06:30.265 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a65d1f8]<<
20:06:30.609 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0x8a69eab8]
20:06:30.968 3 CLASSPNP.SYS[f7657fd7] → nt!IofCallDriver → \Device\Scsi\viamraid1Port3Path0Target2Lun0[0x8a69ba38]
20:06:31.328 \Driver\viamraid[0x8a5fef38] → IRP_MJ_CREATE → 0x8a65d1f8
20:06:31.828 AVAST engine scan C:\WINDOWS
20:25:34.640 Disk 1 MBR has been saved successfully to …
One thing is interesting though:
Avast! says Drive 0 MBR is infected, but here it says Disk 1 is the system drive, which is correct.
Unless avast! treats the system disk as drive 0. (There is no OS on the other disk)
Download MBRCheck.exe to your Desktop. Run the application.
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
If an infection is found, you will be presented with the following dialog:
[QUOTE]Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
Thanks. I downloaded and ran MBRCheck.exe. Why did Avast! alert me to run it in the sandbox?
Here's the log. Now this is interesting. The affected MBR is not the Windows disk. There's a second small disk in this computer that has never had an operating system on it. I think there's only one program that's directly installed on it. This disk used to be an external drive.
And there's a mistake in the logfile. The 2 disks should be from different manufacturers, but it says the same name for both (I'll mark that part).
I don't run RAID; it's just an option that's wired into this computer (when booting it says "press Tab for RAID utility").
[QUOTE]Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Enter Y and press Enter.
The following dialog will be presented:
[QUOTE]Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
[/quote]
Enter 2 and press Enter
The following dialog will be presented:
[QUOTE]Enter the physical disk number to fix (0-99, -1 to cancel):
[/quote]
Enter >>0<< and press Enter
The following dialog will be presented:
Enter >>1<< and press Enter
The following dialog will be presented:
[QUOTE]Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue:
[/quote]
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code.
And last the following dialog will be presented:
[QUOTE]Done! Press ENTER to exit…
[/quote]
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
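MBRCheck option 1 writes the raw 512-byte MBR of a disk to a file. A useful habit is to dump before running option 2 and again afterwards, then confirm that only the boot code changed and that the disk signature and partition table survived. The script below is an added example, not part of this thread and not MBRCheck's own code; the two dumps it compares are constructed in the script, and the boot-code bytes are stand-ins (the real Whistler code and the real Windows boot code are not reproduced here). The offsets it uses are the classic MBR layout: boot code in bytes 0..439, 4-byte NT disk signature at 440, four 16-byte partition entries at 446, and the 0x55AA signature at 510.

```python
"""Compare a before/after pair of MBR dumps after an MBR repair."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # classic MBR: boot code occupies bytes 0..439
DISK_SIG_OFFSET = 440         # 4-byte NT disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA count


def load_sector(path: str) -> bytes:
    """Read the first 512 bytes of a dump file produced by an MBR dump tool."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, disk signature and used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR dump must be exactly 512 bytes, got %d" % len(sector))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, lba_count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:  # unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    boot_code = sector[:BOOT_CODE_LEN]
    return {
        "boot_code": boot_code,
        # hash lets you compare against a dump taken from a known-clean machine of the same OS
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": entries,
    }


def compare_dumps(before: bytes, after: bytes) -> dict:
    """Report what changed between two dumps of the same disk's MBR."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code"] != a["boot_code"],
        "disk_signature_intact": b["disk_signature"] == a["disk_signature"],
        "partition_table_intact": b["partitions"] == a["partitions"],
    }


def check_fix(before: bytes, after: bytes) -> bool:
    """True only if the repair replaced the boot code and left signature and partition table alone."""
    r = compare_dumps(before, after)
    return r["boot_code_changed"] and r["disk_signature_intact"] and r["partition_table_intact"]


def build_mbr(boot_code: bytes, disk_signature: int, partitions) -> bytes:
    """Build a synthetic MBR (constructed test data, not a real dump)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for i, (bootable, ptype, lba_start, lba_count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, lba_count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: one bootable NTFS partition (type 0x07) starting at LBA 63.
PARTITIONS = [(True, 0x07, 63, 195_358_000)]
DISK_SIG = 0x1A2B3C4D
# Stand-in boot code bytes; neither is the real bootkit code nor the real Windows code.
INFECTED_CODE = b"\xeb\xfe" + b"\x90" * 20 + b"BOOTKIT-STUB"
STANDARD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 30

INFECTED_DUMP = build_mbr(INFECTED_CODE, DISK_SIG, PARTITIONS)   # "before" dump
CLEAN_DUMP = build_mbr(STANDARD_CODE, DISK_SIG, PARTITIONS)      # "after" dump, good repair
# "after" dump where the partition table was also touched: the case you do not want to see
DAMAGED_DUMP = build_mbr(STANDARD_CODE, DISK_SIG, [(True, 0x07, 2048, 195_358_000)])

if __name__ == "__main__":
    print(compare_dumps(INFECTED_DUMP, CLEAN_DUMP))
    print("repair ok:", check_fix(INFECTED_DUMP, CLEAN_DUMP))
    print("repair ok:", check_fix(INFECTED_DUMP, DAMAGED_DUMP))
```

To use it on real files, replace the constructed dumps with `load_sector("before.bin")` and `load_sector("after.bin")`. Note that a changed boot code alone is not proof of a clean disk: the check only tells you the repair touched what it should have touched, and a clean `boot_code_sha256` baseline from a trusted install of the same Windows version is what you would compare the "after" hash against.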
Avast did pick it up, that's how I found out. I'm not running a RAID system.
But no more problems, thanks! Now about the consequences: should I change passwords or even reinstall my OS? This seems a little over the top though. Is the system compromised?
By the way, why did avast want to block mbrcheck? Just curious.
Thanks for your help guys!