drmike

Probable Bootkit Whistler infection


Greets:

I am having a problem with my Toshiba Satellite LD505 laptop. Problems include Google redirections to spam sites and splogs as well as very slow upload speeds. This problem has been occurring for me for a couple of months now. I was using Free AVG as protection until about six months ago but switched over to the free version of Avast. I also have Malwarebytes installed as well. Both are run manually once a week, doing a manual update of the program as well as the definition databases beforehand. I was running Windows 7, manually updated daily, but just wiped the hard drive and reinstalled Vista, the OS that shipped with the laptop, in an attempt to resolve the issue.

Both Avast and Malwarebytes, running the most detailed scans that I can get them to do, report the system clean.

Some Googling for some of the Google redirection URLs finally dropped me in this thread over at BleepingComputer:

http://www.bleepingcomputer.com/forums/topic330813.html

What got me looking at that is that the problem continued on after the hard drive wipe, so I'm now assuming that the MBR was affected as well. From that thread, I believe I'm looking at Bootkit Whistler.

The problem is that I can't get rid of it.

Per the sticky:

Ran Defogger. It ran fine with no errors presented, no errors in the logs, and I got the Finished popup. :P

Running GMER Rootkit Scanner causes a blue screen and dumps memory. Windows will not allow me access to the minidump (access denied error), and the other two files mentioned in the report are in inaccessible directories.

Ran Malwarebytes with 5519 database and full scan selected. Log attached.

I ran the bootkit remover that was linked to in another thread as administrator, but that appeared not to help. Log below:

Bootkit Remover

© 2009 eSage Lab

www.esagelab.com

Program version: 1.2.0.0

OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6001), 32-bit

System volume is \\.\C:

\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000

Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;

Press any key to quit...

Thanks,

-drmike

edit: Also including a log of a TDSSKiller scan that I ran.

Attach.txt

mbam_log_2011_01_14__12_19_14_.txt

TDSSKiller.2.4.13.0_14.01.2011_11.00.51_log.txt
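The Bootkit Remover log above reports three things about PhysicalDrive0: the byte offset at which the C: volume starts, an MD5 of the boot sector, and whether the MBR's boot code looks like standard DOS/Windows code. The Python script below is added here as an illustration; it is not part of the original post and is not eSage's tool. It performs the same three checks on a single 512-byte sector: it parses the partition table, hashes the sector, and applies a crude heuristic (an assumption of mine, not eSage's actual test) that Windows boot code starts with the usual `xor ax,ax / mov ss,ax / mov sp,7C00h` prologue and carries the MBR's three error strings. The sample sectors, the disk signature, the sector count and the "tampered" boot code are all constructed; the C: partition start LBA is chosen so that its byte offset matches the 0x5dd00000 in the log.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

# First instructions of the Windows MBR loader: xor ax,ax / mov ss,ax / mov sp,7C00h
WINDOWS_BOOT_PREFIX = bytes.fromhex("33C08ED0BC007C")
# Error strings embedded in the Windows MBR. Treating "prologue + strings present" as
# "DOS/Win32 boot code found" is a heuristic assumed here, not eSage's real test.
WINDOWS_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot code, disk signature, partitions and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, lba_count = struct.unpack_from(
            "<B3sB3sII", sector, entry
        )
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_count": lba_count,
            # this is the "\\.\C: -> \\.\PhysicalDrive0 at offset ..." value in the log
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return {
        "boot_code": sector[:440],
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def analyze_mbr(sector: bytes) -> dict:
    """Hash the sector and flag anything that does not look like a stock Windows MBR."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    code = info["boot_code"]
    if not code.startswith(WINDOWS_BOOT_PREFIX):
        findings.append("boot code does not start with the Windows MBR prologue")
    missing = [s.decode() for s in WINDOWS_MBR_STRINGS if s not in code]
    if missing:
        findings.append("boot code lacks Windows MBR strings: " + ", ".join(missing))
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return {
        "md5": hashlib.md5(sector).hexdigest(),
        "partitions": info["partitions"],
        "findings": findings,
        "status": "OK (DOS/Win32 boot code found)" if not findings else "SUSPICIOUS",
    }


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR; partitions are (status, type, lba_start, lba_count)."""
    if len(boot_code) > 440:
        raise ValueError("boot code must fit in 440 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)  # made-up disk signature
    for i, (status, ptype, lba_start, lba_count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                         lba_start, lba_count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples. 0x5DD00000 // 512 = 3074048 reproduces the C: offset in the log;
# the sector count and the tampered boot code are invented for the demonstration.
_strings_blob = b"\x00".join(WINDOWS_MBR_STRINGS) + b"\x00"
CLEAN_BOOT_CODE = (WINDOWS_BOOT_PREFIX
                   + bytes(440 - len(WINDOWS_BOOT_PREFIX) - len(_strings_blob))
                   + _strings_blob)
TAMPERED_BOOT_CODE = bytes.fromhex("EA0000C007") + bytes(435)  # far jmp, no Windows strings
SAMPLE_PARTITIONS = [(0x80, 0x07, 0x5DD00000 // SECTOR_SIZE, 483_000_000)]  # NTFS, active


if __name__ == "__main__":
    # To inspect a real drive, read 512 bytes from r"\\.\PhysicalDrive0" (Windows, as
    # administrator) or /dev/sda (Linux, as root) instead of calling build_sample_mbr().
    for label, code in (("clean", CLEAN_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        result = analyze_mbr(build_sample_mbr(code, SAMPLE_PARTITIONS))
        print(f"{label}: md5={result['md5']} status={result['status']}")
        for p in result["partitions"]:
            print(f"  partition {p['index']}: type 0x{p['type']:02x} "
                  f"at byte offset 0x{p['byte_offset']:x}")
        for f in result["findings"]:
            print("  -", f)
```

The hash is only useful for comparison: record it from a known-clean install (or right after a tool rewrites sector 0) and diff it later. A heuristic "OK" is not proof of a clean MBR, since boot code can be replaced while the error strings are kept, which is why the thread relies on several tools rather than this one check. Reformatting C: rewrites the volume, not sector 0 of the physical disk, so an MBR-resident infection survives a reformat; rewriting the MBR itself does not.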

Since you wiped the computer, the first step would be to reset your router if you use one and see if that resolves the issue. Malware usually does not survive a reformat.

To reset your router, typically you will have to push the reset button for about 10 seconds with the router powered off. If you are not sure how to do this, please let me know what router you are using.

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
