I think my computer is infected with whistler rootkit

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.
Joined
Apr 7, 2010
Messages
166
Hi diggets,

Ok, we'll need to use a different tool. Do you have a blank CD and a usb device such as a flash drive we can use?
 
Joined
Apr 7, 2010
Messages
166
Hi diggets,

Ok, we'll use a CD that we will make bootable. We also need a USB flash drive that has some space on it. We will not be changing any of the data on the USB device, just using it for a file.

You will also need to use FireFox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but it's fairly straightforward and for the most part automated.


Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe by double clicking it.
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD
Using FireFox, please download and save dumpit to your usb device.

You may want to print out this part as you will not be able to view these instructions.

  • Leave the usb device attached to the computer
  • Boot the infected computer with the CD you just burned
    • with the CD in the computer, restart the computer
  • The computer must be set to boot from the CD. Depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
  • Once you have the computer set to boot from the CD allow it to boot
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)

    (you will be able to tell if it is the right one as the screen will populate with your files)
  • Locate the file you downloaded and saved earlier, dumpit
  • double click it to run it
  • a black window will open, follow the instructions to close the window when it's finished
  • a file called MBR.zip should now be placed in the right hand panel
  • Click the Home icon at top
  • Remove the CD and click Power off
  • Click restart
Once the computer has rebooted open the usb device and attach the MBR.zip file to your next reply.

Thanks
 

diggets

Thread Starter
Joined
Nov 7, 2011
Messages
36
Sorry about the delay, it's been very busy the last couple of days. Should have this done tomorrow.
 

diggets

Thread Starter
Joined
Nov 7, 2011
Messages
36
"download GETxPUD.exe to the desktop of your clean computer" this is going to take another day or two. the only computer I have is this one.
 
Joined
Apr 7, 2010
Messages
166
Hi diggets,

Sorry about that. I have generic directions to suit all situations and I forgot to edit that line. You can use your computer to create the CD.

The line should have read

Download GETxPUD.exe to your desktop.
 
Joined
Apr 7, 2010
Messages
166
Hi diggets,

Please do these steps in the order posted.

Open the usb device and delete MBR.zip

You may want to print out this part as you will not be able to view these instructions.

  • Attach the USB device to the computer
  • Boot the infected computer with the xPUD CD
    • with the CD in the computer, restart the computer
    • The computer must be set to boot from the CD. Depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
  • Once you have the computer set to boot from the CD allow it to boot
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
    (you will be able to tell if it is the right one as the screen will populate with your files)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    parted /dev/sda set 1 boot on

    (note: there is a space after parted, a space after sda, a space after set, a space after 1 and a space after boot)
  • When it's finished close the terminal window
Next
  • Locate dumpit
  • double click it to run it
  • a black window will open, follow the instructions to close the window when it's finished
  • a file called MBR.zip should now be placed in the right hand panel
  • Click the Home icon at top
  • Remove the CD and click Power off
  • Click restart
Once the computer has rebooted open the usb device and attach the MBR.zip file to your next reply.

How's the computer? Still getting ads?

Thanks
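To show what the MBR.zip dump and the two parted commands in this thread are about at the byte level, here is an added example that is not part of the thread and not code from xPUD, dumpit or parted. It assumes the dump is a raw 512-byte MBR sector (that is an assumption; the real MBR.zip contents were not posted), parses the four partition-table entries, flags the pattern being cleaned up here (the boot flag sitting on a small extra partition instead of the Windows partition), and then shows what "set 1 boot on" followed by "rm 2" does to the table. The sample MBR is constructed inline; partition types and sizes are made up for the illustration.

```python
import struct
import sys

MBR_SIZE = 512          # one sector
SECTOR_BYTES = 512
TABLE_OFFSET = 446      # partition table starts after the bootstrap code
ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55  # bytes 55 AA at offset 510, read little-endian


def build_sample_mbr():
    """Constructed 512-byte MBR for demonstration (not a real dump).

    Entry 1: the Windows partition with its boot flag cleared.
    Entry 2: a tiny partition carrying the boot flag, the shape of problem
    the thread's parted commands repair. Types/sizes are illustrative only.
    """
    mbr = bytearray(MBR_SIZE)
    entries = [
        # (boot flag, type, start LBA, size in sectors)
        (0x00, 0x07, 2048, 209715200),       # ~100 GiB NTFS partition
        (0x80, 0x27, 209717248, 2048),       # 1 MiB partition, boot flag set
    ]
    for i, (flag, ptype, start, size) in enumerate(entries):
        off = TABLE_OFFSET + ENTRY_SIZE * i
        # CHS fields are filled with the conventional 0xFE 0xFF 0xFF "ignore" value
        struct.pack_into('<B3sB3sII', mbr, off, flag, b'\xfe\xff\xff',
                         ptype, b'\xfe\xff\xff', start, size)
    struct.pack_into('<H', mbr, 510, BOOT_SIGNATURE)
    return bytes(mbr)


def parse_mbr(data):
    """Return the boot-signature check and the non-empty partition entries."""
    if len(data) < MBR_SIZE:
        raise ValueError('need at least 512 bytes of MBR data')
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + ENTRY_SIZE * i
        flag, ptype, start, size = struct.unpack_from('<B3xB3xII', data, off)
        if ptype == 0 and size == 0:
            continue  # unused slot
        partitions.append({'index': i + 1, 'active': flag == 0x80,
                           'type': ptype, 'start_lba': start, 'sectors': size})
    signature = struct.unpack_from('<H', data, 510)[0]
    return {'signature_ok': signature == BOOT_SIGNATURE, 'partitions': partitions}


def check_mbr(data, min_boot_mib=64):
    """Findings a reviewer of a dump would want: bad signature, wrong number of
    active partitions, an implausibly small active partition, overlapping entries."""
    info = parse_mbr(data)
    findings = []
    if not info['signature_ok']:
        findings.append('missing 0x55AA boot signature')
    active = [p for p in info['partitions'] if p['active']]
    if len(active) != 1:
        findings.append('expected exactly one active partition, found %d' % len(active))
    for p in active:
        mib = p['sectors'] * SECTOR_BYTES // (1024 * 1024)
        if mib < min_boot_mib:
            findings.append('active partition %d is only %d MiB' % (p['index'], mib))
    spans = sorted((p['start_lba'], p['start_lba'] + p['sectors'], p['index'])
                   for p in info['partitions'])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append('partitions %d and %d overlap' % (i1, i2))
    return findings


def set_boot_flag(data, index):
    """Copy of the MBR with the boot indicator on entry `index` (1-4) and cleared
    elsewhere, so exactly one entry is active (the effect of `parted set N boot on`)."""
    mbr = bytearray(data)
    for i in range(4):
        mbr[TABLE_OFFSET + ENTRY_SIZE * i] = 0x80 if i + 1 == index else 0x00
    return bytes(mbr)


def remove_partition(data, index):
    """Copy of the MBR with entry `index` zeroed (the effect of `parted rm N`)."""
    mbr = bytearray(data)
    off = TABLE_OFFSET + ENTRY_SIZE * (index - 1)
    mbr[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
    return bytes(mbr)


if __name__ == '__main__':
    # Pass a raw sector image as argv[1]; otherwise the constructed sample is used.
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_mbr()
    print('before:', check_mbr(data) or 'no findings')
    repaired = remove_partition(set_boot_flag(data, 1), 2)
    print('after set 1 boot on / rm 2:', check_mbr(repaired) or 'no findings')
```

Running it on the sample reports the small active partition; after the two table edits the Windows partition is the only active entry and no findings remain. Note the check only looks at the partition table, not at the bootstrap code in the first 446 bytes, which is where an MBR infection's own code would live.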
 
Joined
Apr 7, 2010
Messages
166
Hi diggets,

Good job. (y)

Let's get rid of the rest of it. I need you to go into xPUD one more time.

Please do these steps in the order posted.

Open the usb device and delete MBR.zip

You may want to print out this part as you will not be able to view these instructions.
  • Attach the USB device to the computer
  • Boot the infected computer with the xPUD CD
    • with the CD in the computer, restart the computer
    • The computer must be set to boot from the CD. Depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
  • Once you have the computer set to boot from the CD allow it to boot
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
    (you will be able to tell if it is the right one as the screen will populate with your files)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    parted /dev/sda rm 2

    (note: there is a space after parted, a space after sda, and a space after rm)
  • When it's finished close the terminal window
Next
  • Locate dumpit
  • double click it to run it
  • a black window will open, follow the instructions to close the window when it's finished
  • a file called MBR.zip should now be placed in the right hand panel
  • Click the Home icon at top
  • Remove the CD and click Power off
  • Click restart
Once the computer has rebooted open the usb device and attach the MBR.zip file to your next reply.

How's the computer?

Thanks
 

diggets

Thread Starter
Joined
Nov 7, 2011
Messages
36
Ok, I think I did everything right. As best as I can tell, all the highly visible symptoms of the problem seem to have been dealt with by my following the instructions in your other post.
 

Attachments

Joined
Apr 7, 2010
Messages
166
Hi diggets,

Looks like you are good to go.

Tidy things up a bit and clean up the tools.

Next


Please open OTL.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, click the None button near the top (it may look greyed out)
  • In the window under Custom Scans/Fixes copy and paste the following
    :services
    :commands
    [emptytemp]

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
No need to post the log.



From your desktop, please delete, if present
  • any notepads/logs that we created
  • DDS.scr
  • MBRCheck.exe
  • aswMBR.exe
You can also delete mbr.zip and dumpit from your USB device.


Next

Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK

Combofix /uninstall


Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


I suggest you keep MBAM. Keep it updated and use it regularly.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)


You should also use Spyware Blaster to help immunize your computer.
- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.
Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.

HOSTS
Please read the info on disabling the DNS Client before installing a custom hosts file.


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis

- Make sure you have reset Automatic Updates to your chosen option: Click your start button > Control Panel > System > Automatic Updates tab

- Keep your antivirus program updated, as well as any other security programs you have.

Please post back if you have any problems. Click the "Marked solved" button at the top if you are satisfied.

Take care
 