whistler@mbr

Hello,

avast! notified me after the last full scan that my MBR has a whistler infection.
It doesn't say Whistler-A/B/C or anything like that. Just whistler@mbr on Drive 0.
I’m running Win XP / SP3.

Before trying to fix it, I have some general questions:

1.) What does it actually do, and how dangerous is it? I didn't notice any symptoms like pop-ups or random sounds like some other users in this forum previously described. The only thing I can think of is a recent BSOD when starting an AV scan. The computer also boots fairly quickly; I wouldn't have noticed anything without the routine AV check.

2.) Does it spread via USB drives and sticks? I am currently using a different computer, and wouldn't want to get this one infected too. Also, I'm worried that while I'm backing up data from the infected drive, the drive I'm backing the data up to might also get infected and start a vicious circle.

and last but not least: how should I proceed?

I already downloaded aswMBR, but it doesn’t find the whistler infection!
In addition, I would also like to scan the other drives, even though they’re not bootable.

Can I take the infected computer back online to download the scan/fix tools or is it safe to share the usb stick to download the tools?

From the threads I've seen on this forum until now, most users got rid of it, so I'm fairly confident you'll be able to help me. I'm really impressed by the dedication some of the users here show to helping others. Thank you! :)

Hi whistler@mbr,

There are a couple of variants of this Trojan Clicker Bootkit Whistler.
On Vista or 7 you have to disable UAC first and then perform an MBR cleansing routine under supervision of an official malware remover. Essexboy has been notified.

polonus

Can you post the contents of, or attach, the aswMBR.txt file to your next reply?

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
For detections on on-demand scans, check C:\Documents And Settings\All Users\Application Data\Alwil Software\Avast5\Log (Windows 2000, Windows XP) or C:\ProgramData\Alwil Software\Avast5\log (Windows Vista, Windows 7).

I am still a little worried (see the questions in my first post) about taking the computer back online or sharing USB sticks with it :(

1.) What does it actually do, and how dangerous is it? I didn't notice any symptoms like pop-ups or random sounds like some other users in this forum previously described. The only thing I can think of is a recent BSOD when starting an AV scan. The computer also boots fairly quickly; I wouldn't have noticed anything without the routine AV check.

2.) Does it spread via USB drives and sticks? I am currently using a different computer, and wouldn't want to get this one infected too. Also, I'm worried that while I'm backing up data from the infected drive, the drive I'm backing the data up to might also get infected and start a vicious circle.

1) Whistler is a bootkit; read more here: http://blog.novirusthanks.org/2010/02/whistler-bootkit-a-new-powerful-windows-bootkit/

2) It doesn't spread via USB drives or sticks.

Thanks for the info.

Now, more questions ;)

Should I be very worried about this infection? That website you posted only says what can theoretically be done with it. I also googled around before posting here and couldn’t find any real information regarding this question.

Also, is it a good idea to go online with that computer to post the log files here?

I'm really thinking about simply backing up the data and formatting the disk. Will formatting the disk get rid of the MBR infection, or should I remove it before that?

Format? Are you crazy? ;D
Just wait for Essexboy,please.

There is no problem with going online. If you could post the aswMBR log, we will see what it says and go from there.

Sorry if I don't always answer immediately.

here’s the aswMBR log:

20:06:05.593 OS Version: Windows 5.1.2600 Service Pack 3
20:06:05.593 Number of processors: 2 586 0xE08
20:06:05.593 ComputerName: UserName:
20:06:05.859 Initialize success
20:06:06.515 AVAST engine defs: 11071100
20:06:20.796 Disk 0 \Device\Harddisk0\DR0 → \Device\Scsi\viamraid1Port3Path0Target0Lun0
20:06:20.828 Disk 0 Vendor: … Size: 100GB BusType: 1
20:06:20.843 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Scsi\viamraid1Port3Path0Target2Lun0
20:06:20.859 Disk 1 Vendor: Size: 500GB BusType: 1
20:06:20.890 Device \Driver\viamraid → DriverStartIo SCSIPORT.SYS f74ce40e
20:06:20.906 Device \Driver\viamraid → MajorFunction 8a65d1f8
20:06:20.937 Disk 1 MBR read successfully
20:06:20.953 Disk 1 MBR scan
20:06:20.984 Disk 1 unknown MBR code
20:06:21.000 Disk 1 scanning sectors +976752000
20:06:21.062 Disk 1 scanning C:\WINDOWS\system32\drivers
20:06:28.859 Service scanning
20:06:30.234 Disk 1 trace - called modules:
20:06:30.265 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a65d1f8]<<
20:06:30.609 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0x8a69eab8]
20:06:30.968 3 CLASSPNP.SYS[f7657fd7] → nt!IofCallDriver → \Device\Scsi\viamraid1Port3Path0Target2Lun0[0x8a69ba38]
20:06:31.328 \Driver\viamraid[0x8a5fef38] → IRP_MJ_CREATE → 0x8a65d1f8
20:06:31.828 AVAST engine scan C:\WINDOWS
20:25:34.640 Disk 1 MBR has been saved successfully to …

One thing is interesting though:
Avast! says Drive 0 MBR is infected, but here it says Disk 1 is the system drive, which is correct.
Unless avast! treats the system disk as drive 0. (There is no OS on the other disk)

20:06:20.796 [b]Disk 0[/b] \Device\Harddisk0\DR0 -> \Device\Scsi\viamraid1Port3Path0Target0Lun0
20:06:20.828 Disk 0 Vendor: ... Size: 100GB BusType: 1
20:06:20.843 [b]Disk 1 (boot)[/b] \Device\Harddisk1\DR1 -> \Device\Scsi\viamraid1Port3Path0Target2Lun0
Are you running a RAID system?

Download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

[QUOTE]Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Hey Essexboy,

thanks. I downloaded and ran MBRcheck.exe. Why did Avast! alert me to run it in the sandbox?

Here's the log. Now this is interesting. The affected MBR is not the Windows disk. There's a second small disk in this computer that has never had an operating system on it. I think there's only one program that's directly installed on it. This disk used to be an external drive.
And there's a mistake in the logfile. The 2 disks should be different manufacturers, but it says the same name for both (I'll mark that part).
I don't run RAID; it's just an option that's wired into this computer (when booting it says 'press tab for raid utility').

(I shortened this. Is there a better way of posting the logs?)
lower left corner > Additional options > Attach...

^ done!

111 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
You are infected.

Edited.

Run MBRCheck.exe once again.

You will be presented with the following dialog:

[QUOTE]Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Enter Y and press Enter.

The following dialog will be presented:

[QUOTE]Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
[/quote]
Enter 2 and press Enter

The following dialog will be presented:

[QUOTE]Enter the physical disk number to fix (0-99, -1 to cancel):
[/quote]
Enter >>0<< and press Enter

The following dialog will be presented:

Enter >>1<< and press Enter

The following dialog will be presented:

[QUOTE]Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue:
[/quote]
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote new MBR code.

And last the following dialog will be presented:

[QUOTE]Done! Press ENTER to exit…
[/quote]
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
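The procedure above restores only the boot-code part of sector 0, which is why the partitions and the data on them survive it. The added example below is not from the thread, from MBRCheck or from avast; it is illustration code written for this page. It builds a constructed 512-byte MBR image, parses the partition table, classifies the boot code by hash against constructed "known-good" and "known-bad" lists (real tools carry real hash lists; the ones here are placeholders, and no real Whistler signature is included), and then swaps in a placeholder "standard" boot code while keeping the disk signature, partition table and 0x55AA marker intact. The `\\.\PhysicalDriveN` path convention is real and is the same numbering aswMBR's "Disk 0"/"Disk 1" and MBRCheck use; reading it needs administrator rights and is not exercised here.

```python
"""Inspect and repair an MBR image offline (added example, constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: executable boot code
DISK_SIG_OFF = 440           # bytes 440..443: Windows disk signature, 444..445 reserved
PART_TABLE_OFF = 446         # 4 partition entries x 16 bytes
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_FMT = "<B3xB3xII"       # status, CHS(skip), type, CHS(skip), LBA start, sector count

# Constructed placeholder for "standard" boot code (a real tool ships the real image).
STANDARD_BOOT_CODE = (b"\xfa\x33\xc0\x8e\xd0" + b"STANDARD-BOOT-CODE-PLACEHOLDER").ljust(BOOT_CODE_LEN, b"\x00")
# Constructed stand-in for malicious code: an infinite jump-to-self, nothing real.
BAD_BOOT_CODE = (b"\xeb\xfe" + b"CONSTRUCTED-BAD-BOOT-CODE").ljust(BOOT_CODE_LEN, b"\x90")


def boot_code_hash(mbr: bytes) -> str:
    """Hash only the code region; the disk signature and table vary per machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


# Constructed hash lists; a real tool would carry hashes of real boot-code images.
KNOWN_GOOD = {boot_code_hash(STANDARD_BOOT_CODE): "standard boot code (constructed)"}
KNOWN_BAD = {boot_code_hash(BAD_BOOT_CODE): "constructed bad sample"}


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def classify_mbr(mbr: bytes) -> str:
    """'invalid' (no 55AA), 'known-bad: ...', 'known-good: ...' or 'unknown'."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        return "invalid"
    h = boot_code_hash(mbr)
    if h in KNOWN_BAD:
        return "known-bad: " + KNOWN_BAD[h]
    if h in KNOWN_GOOD:
        return "known-good: " + KNOWN_GOOD[h]
    return "unknown"  # neither list matched: inspect by hand before trusting it


def restore_standard_boot_code(mbr: bytes, standard: bytes = STANDARD_BOOT_CODE) -> bytes:
    """Replace bytes 0..439 only; disk signature, partition table and 55AA are kept,
    so the partitions and the data in them are untouched."""
    if len(standard) != BOOT_CODE_LEN:
        raise ValueError("standard boot code must be %d bytes" % BOOT_CODE_LEN)
    return standard + mbr[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR: given boot code, one bootable type-0x07 partition."""
    table = bytearray(64)
    struct.pack_into(PART_FMT, table, 0, 0x80, 0x07, 63, 2_000_000)  # constructed sizes
    return boot_code[:BOOT_CODE_LEN] + struct.pack("<I", disk_sig) + b"\x00\x00" + bytes(table) + MBR_SIGNATURE


def report(disk_name: str, mbr: bytes) -> str:
    """One line per disk, in the spirit of the MBRCheck output quoted in the thread."""
    return "%s: %s" % (disk_name, classify_mbr(mbr))


def read_mbr_from_device(path: str) -> bytes:
    """Read sector 0 of a physical disk, e.g. r'\\.\PhysicalDrive0' on Windows.
    Needs administrator rights; not exercised by this example."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Disk numbering follows the OS: PhysicalDrive0 need not be the boot disk.
    infected = build_sample_mbr(BAD_BOOT_CODE)
    print(report(r"\\.\PhysicalDrive0", infected))
    print("partitions before:", parse_partitions(infected))
    fixed = restore_standard_boot_code(infected)
    print(report(r"\\.\PhysicalDrive0", fixed))
    print("partitions after: ", parse_partitions(fixed))
```

Two things the example makes visible that the thread only implies: the disk number in `\\.\PhysicalDriveN` is the physical disk index, not "the Windows disk" (in the logs above, Disk 0 / PhysicalDrive0 is the 100 GB data disk and Disk 1 / PhysicalDrive1 is the boot disk), and a repair that writes only the first 440 bytes leaves every partition entry identical, which a before/after comparison of `parse_partitions` confirms. Formatting a partition rewrites that partition's file system, not sector 0 of the disk, so it would not by itself replace the boot code.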

Hey Essexboy,

I’ll try that and post the result.

Done. See the log, please.

Here's another MBRCheck log after the fix.

I think it worked; neither MBRCheck nor avast! is still picking it up.

465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Clean ;D.
Any other problems?

Aye, Avast didn't get it because it was not on the boot drive. Is this a RAID system? So how is it running now? Any problems?

Avast did pick it up; that's how I found out. I'm not running a RAID system.
But no more problems, thanks! Now, about the consequences: should I change passwords or even reinstall my OS? This seems a little over the top, though. Is the system compromised?
By the way, why did avast want to block MBRCheck? Just curious.
Thanks for your help, guys!