
Whistler Bootkit problem


6 replies to this topic

#1 verybusy (Members, 4 posts)

Posted 24 May 2010 - 10:48 AM

Hi All,

I've been working on this computer for over a week. I have run several antivirus and antimalware programs on it but one keeps coming back. This bootkit causes random popups from 2-3 iexplore processes that run at startup and keep restarting no matter what I do.

Originally, there were 2 processes smss.exe and svchost.exe running inside "C:\System Volume Information\Whistler\" and when I succeeded in removing them they came back as "C:\System Volume Information\_restore{d5fffa500b1b}\".

The following is a DDS log which doesn't show the smss.exe or svchost.exe processes...


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 11:32:15.92 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.80 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

Executable.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\DOCUME~1\Bina\LOCALS~1\Temp\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2M8IMZ12\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
dRun: [Microsoft service Machines] wissmsgr.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://dc34.spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-19 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-19 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-19 242896]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-5-17 1872320]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-19 308064]
R2 TeamViewer5;TeamViewer 5;"c:\docume~1\bina\locals~1\temp\teamviewer\version5\teamviewer_service.exe" -service --> c:\docume~1\bina\locals~1\temp\teamviewer\version5\TeamViewer_Service.exe [?]
S2 calrivdtipcflw;\??\c:\docume~;\??\c:\docume~1\balla\locals~1\temp\fvnxxsmcvdpy.sys --> c:\docume~1\balla\locals~1\temp\fvnxxsmcvdpy.sys [?]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\navap.sys --> c:\progra~1\symant~1\symant~1\NAVAP.sys [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20100513.002\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20100513.002\NAVENG.sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20100513.002\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20100513.002\NAVEX15.sys [?]

=============== Created Last 30 ================

2010-05-21 14:49:18 0 d-----w- C:\_OTL
2010-05-21 14:24:23 0 d-sha-r- C:\cmdcons
2010-05-21 14:07:28 0 d-----w- c:\program files\Unlocker
2010-05-21 13:31:24 44089904 ----a-w- C:\avira_antivir_personal_en.exe
2010-05-21 13:30:45 0 d-----w- C:\antivir_rootkit
2010-05-21 13:30:30 65893 ----a-w- C:\antivir_rootkit.zip
2010-05-21 13:26:34 6369648 ----a-w- C:\pvxinst312.exe
2010-05-21 13:21:31 933296 ----a-w- C:\PREVXCSIFREE.EXE
2010-05-21 12:54:16 0 d-----w- C:\%SystemDrive%
2010-05-21 12:53:34 1339288 ----a-w- C:\sar_15_sfx.exe
2010-05-21 12:50:10 147456 ----a-w- C:\catchme.exe
2010-05-21 12:48:14 77312 ----a-w- C:\mbr.exe
2010-05-21 12:44:23 1137360 ----a-w- C:\fsbl.exe
2010-05-21 12:42:14 0 d-----w- C:\RootRepeal
2010-05-21 12:41:32 465298 ----a-w- C:\RootRepeal.rar
2010-05-21 12:40:32 472064 ----a-w- C:\RootRepeal.exe
2010-05-19 16:00:08 0 d-----w- C:\$AVG
2010-05-19 13:04:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-19 13:04:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-19 13:04:12 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-19 13:03:45 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-19 13:03:15 0 d-----w- c:\program files\AVG
2010-05-19 12:49:47 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-05-18 16:47:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-18 14:12:26 0 d-----w- c:\program files\ESET
2010-05-18 13:02:31 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-18 12:51:28 98816 ----a-w- c:\windows\sed.exe
2010-05-18 12:51:28 77312 ----a-w- c:\windows\MBR.exe
2010-05-18 12:51:28 256512 ----a-w- c:\windows\PEV.exe
2010-05-18 12:51:28 161792 ----a-w- c:\windows\SWREG.exe
2010-05-17 05:27:44 0 d-----w- c:\program files\a-squared Free
2010-05-17 00:33:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-16 17:17:26 0 d-----w- c:\documents and settings\administrator\DoctorWeb
2010-05-16 17:13:30 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-05-16 15:25:14 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-16 15:22:21 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-05-16 11:17:35 1033728 ----a-w- c:\windows\explorer.exe
2010-05-14 00:33:30 0 d-----w- c:\windows\system32\NtmsData
2010-05-14 00:26:39 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-13 23:59:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 23:59:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-13 23:59:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 23:59:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2004-03-11 20:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 11:33:40.00 ===============


#2 verybusy (Topic Starter)

Posted 24 May 2010 - 12:35 PM

I found the following on a site (it's been translated from the native language and my apologies for bad formatting). Originally the poster said the only solution was to reformat the computer, which I didn't do because I hoped someone would find a solution. I haven't tried it yet but I will once I've had a chance to see what it does. The original post can be found here...

http://translate.google.ca/translate?hl=en...00b1b%26hl%3Den
The fix...

http://www.esagelab.com/files/bootkit_remover.rar

For those experts on this forum who know way more than me, if you could analyze what the recommended fix does, perhaps you could let me know if this would work?

Cheers,

Marc



Friday, May 21, 2010
Whistler Bootkit

Recently I bumped into the Whistler Bootkit while treating HijackThis logs.

This malware takes aggressive and imperceptible possession of your PC.
Gmer, Avenger 2, Combofix, ... to no avail.

The following symptoms apply:

Kaspersky:

Heur: Trojan.Win32.Generic in the C:\System Volume Information folder

Dr. Web:

smss.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 Not repairable. Moved.

svchost.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 Not repairable. Moved.

The HijackThis log shows the following:

Running processes:

C:\System Volume Information\Whistler\svchost.exe
C:\System Volume Information\Whistler\smss.exe

or, after a System Restore has been run:

C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe

Combofix shows us:

Other Active Processes
c:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
c:\System Volume Information\_restore{d5fffa500b1b}\smss.exe

The StartupList from HijackThis shows us:

Windows NT 'Wininit.ini':

PendingFileRenameOperations: C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe C:\System Volume Information\_restore{d5fffa500b1b}\SMSS.EXE C:\System Volume Information\_restore{d5fffa500b1b}\SVCHOST.EXE

The PendingFileRenameOperations value under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] was not present.

ComboFix and Avenger delete the two files, but after a reboot they immediately return.

Identification:

A deeper and more intensive search on Google shows me that we are dealing with the Whistler Bootkit.

The solution:

Because this infection is embedded in the boot sector, speed and accuracy are important.

Step 1

Download bootkit_remover.rar (INFO)
Unzip it.
Open the folder and double click remover.exe.
Post everything it displays.

Step 2

An infected boot sector can look as follows:

Bootkit Remover version 1.0.0.1
2009 eSage Lab
http://www.esagelab.com/

\\.\C: -> \\.\PhysicalDrive0
MD5: 274955059efe9236c07688c5ff9242b2

Size   Device Name         MBR Status
--------------------------------------------
74 GB  \\.\PhysicalDrive0  Unknown bootcode

Unknown bootcode has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector: remover.exe dump [output_file]
To disinfect the master boot sector, use the following command: remover.exe fix

This immediately attracts our attention: \\.\PhysicalDrive0

We are going to remove it with a batch file in which we pass a switch to remover.exe:

    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT

When running this batch, the PC restarts immediately.
This is important, otherwise we give the infection a chance to reinitialize.

We also require a restart after the remover.exe log.
So after the restart you run remover.exe again and ask for the output.

If all went well, you get this:

Bootkit Remover version 1.0.0.1
2009 eSage Lab
http://www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size   Device Name         MBR Status
--------------------------------------------
74 GB  \\.\PhysicalDrive0  OK (DOS/Win32 Boot code found)

For safety and to monitor, just check everything with Gmer and HijackThis.

It is also advisable to change passwords.

Emphyrio :)
Posted by Emphyrio at 1:26 PM

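What remover.exe reports in the quoted procedure is a hash and a classification of sector 0 of PhysicalDrive0. The script below is an added example for this thread, not part of eSage Lab's Bootkit Remover, and does the same triage on a 512-byte MBR dump (for instance the file written by `remover.exe dump`, or the sector read from `\\.\PhysicalDrive0` at an elevated prompt): it checks the 0x55AA signature, decodes the partition table, hashes the sector, and applies a heuristic for Microsoft boot code. The two MD5 values are the ones printed in the post; that the tool hashes exactly the 512-byte sector, the boot-code prefix and strings used by the heuristic, and both sample sectors are assumptions of this example.

```python
r"""Triage a 512-byte master boot record: a dump written by `remover.exe dump`
or the first sector read from \\.\PhysicalDrive0.

Added example for this thread; not part of eSage Lab's Bootkit Remover.
Every heuristic and both sample sectors are assumptions of this example.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOTCODE_SIZE = 440            # boot code; bytes 440-445 hold the disk signature
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, then 0x55AA at offset 510
BOOT_SIGNATURE = b"\x55\xaa"

# Hashes printed by Bootkit Remover in the thread, before and after `remover.exe fix`.
# Assumption: the tool hashes the whole 512-byte sector.
KNOWN_BAD_MD5 = "274955059efe9236c07688c5ff9242b2"
KNOWN_GOOD_MD5 = "6def5ffcbcdbdb4082f1015625e597bd"

# Heuristic for "DOS/Win32 boot code": the Microsoft MBR opens with
# xor ax,ax / mov ss,ax / mov sp,7C00h and keeps its error strings in clear.
WINDOWS_BOOTCODE_PREFIX = bytes.fromhex("33C08ED0BC007C")
WINDOWS_BOOTCODE_STRINGS = (b"Invalid partition table",
                            b"Error loading operating system",
                            b"Missing operating system")


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device (needs an elevated prompt) or of a dump file."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Decode the used entries: status, type, LBA start and sector count (CHS skipped)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def looks_like_windows_bootcode(code: bytes) -> bool:
    return (code.startswith(WINDOWS_BOOTCODE_PREFIX)
            and any(s in code for s in WINDOWS_BOOTCODE_STRINGS))


def analyze_mbr(mbr: bytes) -> Dict:
    """Classify the sector the way the tool's "MBR Status" column does."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    findings = []
    if mbr[510:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA signature")
    md5 = hashlib.md5(mbr).hexdigest()
    if md5 == KNOWN_BAD_MD5:
        status = "INFECTED"
        findings.append("sector hash matches the infected disk from the thread")
    elif md5 == KNOWN_GOOD_MD5 or looks_like_windows_bootcode(mbr[:BOOTCODE_SIZE]):
        status = "OK"
    else:
        status = "Unknown bootcode"
        findings.append("boot code is not Microsoft's; dump and disassemble it before running fix")
    partitions = parse_partition_table(mbr)
    if sum(p["bootable"] for p in partitions) != 1:
        findings.append("expected exactly one active partition")
    return {"status": status, "md5": md5, "partitions": partitions, "findings": findings}


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sector: given boot code plus one active NTFS partition at LBA 63."""
    code = bootcode.ljust(BOOTCODE_SIZE, b"\x00")[:BOOTCODE_SIZE]
    disk_signature = b"\x12\x34\x56\x78\x00\x00"
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                       63, 155_000_000)
    return code + disk_signature + ntfs + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed samples, not real sectors. The second keeps the partition table and
# swaps only the boot code, which is what a bootkit does so Windows still boots.
CLEAN_SAMPLE = build_sample_mbr(
    WINDOWS_BOOTCODE_PREFIX + bytes.fromhex("FB5007501FFC") + b"\x90" * 200
    + b"Invalid partition table\x00Error loading operating system\x00"
    + b"Missing operating system\x00")
BOOTKIT_SAMPLE = build_sample_mbr(
    bytes.fromhex("EB1A90") + bytes(range(256)) + b"\xcd\x13" * 40)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_SAMPLE), ("bootkit", BOOTKIT_SAMPLE)):
        report = analyze_mbr(sector)
        print(f"{label}: {report['status']} md5={report['md5']}")
        for p in report["partitions"]:
            print(f"  part {p['index']}: type 0x{p['type']:02x} lba {p['lba_start']} "
                  f"sectors {p['sectors']} active={p['bootable']}")
        for f in report["findings"]:
            print("  -", f)
```

The two constructed samples share an identical partition table and differ only in the 440 bytes of boot code; that is the shape of an MBR bootkit infection, and it is why `remover.exe fix` can write standard boot code back without touching the partitions. A sector hash is only useful against a reference you trust, so for a disk that is not in the thread compare the dump with a known-good MBR from the same Windows version rather than relying on the hash match alone.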

#3 verybusy (Topic Starter)

Posted 24 May 2010 - 03:55 PM

I just wanted to confirm that the Whistler Bootkit I had been trying to remove for almost a week was removed by the bootkit_remover in my previous post.

I noticed that a number of people are having issues (and giving up trying to fix them) with recurring smss.exe, svchost.exe and iexplore.exe processes and popups that are caused by files in one of two folders...

#1 (before an antivirus removes the files)
C:\System Volume Information\Whistler\svchost.exe
C:\System Volume Information\Whistler\svchost.exe

or #2 (after an antivirus removes the files)

C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe

If anyone sees other posters having the same problem in the future, please let them know about this possible fix.

http://www.esagelab.com/files/bootkit_remover.rar

Cheers,

Marc
P.S. I posted my request for help here because I had given up. It was a fluke that I found the solution minutes after posting my request.

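The recurring indicator in this thread is a system-binary name (smss.exe, svchost.exe) executing from under C:\System Volume Information, plus the PendingFileRenameOperations entry the quoted blog found. The script below, added here as an example and not part of the thread or of the DDS/HijackThis tools, runs those checks over the running-process and service sections of such a log. The sample log is constructed from lines quoted in the thread plus one invented Temp\svchost.exe line; the rule that flags a .sys driver registered from a user temp directory is a generic heuristic of this example, not something the thread identifies as part of the infection.

```python
r"""Triage the process and service sections of a DDS / HijackThis style log for the
indicators in this thread: smss.exe or svchost.exe executing from under
C:\System Volume Information, and a PendingFileRenameOperations entry pointing there.

Added example; not part of the thread or of the DDS / HijackThis tools. The sample
log is constructed from lines quoted in the thread plus one invented Temp line, and
the temp-directory driver rule is a generic heuristic, not a Whistler indicator.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SYSTEM32 = r"c:\windows\system32"
# Windows binaries that only ever run from %SystemRoot%\system32.
PROTECTED_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
# DDS service line: "R2 name;description;path" or "S2 name;description;path".
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$")
EXE_PATH = re.compile(r"^(?P<path>[a-z]:\\.+?\.exe)")
USER_TEMP = re.compile(r"\\(locals~1|local settings)\\temp\\")
DRIVER_FILE = re.compile(r"\.sys\b")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    raw = line.strip()
    low = raw.lower()
    if not raw or raw.startswith("="):
        return None

    # The persistence the quoted blog found: the user-mode files are re-created
    # through a pending rename, so deleting them on the running system is futile.
    if "pendingfilerenameoperations" in low and "system volume information" in low:
        return Finding("high", raw,
                       "PendingFileRenameOperations re-creates files under System Volume Information")

    service = SERVICE_LINE.match(raw)
    if service:
        path = service.group("path").lower()
        if DRIVER_FILE.search(path) and USER_TEMP.search(path):
            return Finding("medium", raw,
                           "kernel driver registered from a user temp directory (heuristic, review manually)")
        return None

    exe = EXE_PATH.match(low)
    if exe:
        path = exe.group("path")
        folder, _, name = path.rpartition("\\")
        if "\\system volume information\\" in path:
            return Finding("high", raw, f"{name} executing from System Volume Information")
        if name in PROTECTED_NAMES and folder != SYSTEM32:
            return Finding("medium", raw, f"{name} running outside {SYSTEM32}")
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in map(triage_line, log.splitlines()) if f]


# Constructed sample: lines quoted in the thread, plus one invented Temp\svchost.exe.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
============= SERVICES / DRIVERS ===============
R2 TeamViewer5;TeamViewer 5;"c:\docume~1\bina\locals~1\temp\teamviewer\version5\teamviewer_service.exe" -service --> c:\docume~1\bina\locals~1\temp\teamviewer\version5\TeamViewer_Service.exe [?]
S2 calrivdtipcflw;\??\c:\docume~;\??\c:\docume~1\balla\locals~1\temp\fvnxxsmcvdpy.sys --> c:\docume~1\balla\locals~1\temp\fvnxxsmcvdpy.sys [?]
PendingFileRenameOperations: C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The process checks are path based on purpose: a bootkit that hides its own files from a file-system listing still has to show up in the process list with the path it was started from, which is why the DDS and HijackThis logs in this thread caught the two executables while file scans did not.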

#4 myrti (Malware Study Hall Admin)

Posted 26 May 2010 - 11:45 AM

Hi,

Thanks for letting us know! Do you still want your PC checked out or should I close this topic?

regards myrti



#5 verybusy (Topic Starter)

Posted 29 May 2010 - 08:39 AM

Please go ahead and close this topic.

Thanks for following up myrti.

I am curious, however, why the various antivirus and antimalware programs did not detect the bootkit in the MBR. I ran all of them and nothing found the MBR issue, yet several claim to scan the MBR. Many of the programs knew that the smss.exe and svchost.exe files were infected, but none of them knew how to remove the cause (i.e. the infected MBR).

Cheers,

Marc




#6 myrti (Malware Study Hall Admin)

Posted 29 May 2010 - 11:09 AM

Hi,

While most antivirus programs nowadays have rootkit detection included (anti-malware programs usually don't), MBR rootkits are particularly hard to see. In such cases it is usually best to run dedicated tools such as the bootkit_remover, for example.

regards myrti



#7 myrti (Malware Study Hall Admin)

Posted 27 June 2010 - 04:04 AM

Since this topic appears to be resolved, I will now close it. Thanks for letting us know.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti
