Solved Need help removing trojan-clicker.win32.wistler.a

Good news :)

TDSSKiller still detects the virus
Click to expand...
It definitely gives a false location (see my reply #43).
Neither MBRCheck, or Combofix see it on drive C, which is crucial.

Now, you have to repeat, OTL cleanup and system restore reset as in my reply #31 (important!)
 
Broni said:
Good news :)


It definitely gives a false location (see my reply #43).
Neither MBRCheck, or Combofix see it on drive C, which is crucial.

Now, you have to repeat, OTL cleanup and system restore reset as in my reply #31 (important!)
Click to expand...

Well, I left System Restore off.

I will run OTL again and let you know by tomorrow if anything is up.
 
That's your drive E.

since it's not bootable drive, MBR (master boot record) is not active.
It shouldn't have any impact on safety of your computer.
Click to expand...

If you're willing to format E drive and have a peace of mind, you're more than welcome to do so.
 
Broni said:
That's your drive E.



If you're willing to format E drive and have a peace of mind, you're more than welcome to do so.
Click to expand...

Could you show me the most efficient and fool-proof way to go about doing that, please?

I want to make sure it is clean and remains clean.
 
Broni said:
Did you go for full format, or quick format?
Please, post fresh MBRCheck log.
Click to expand...

Full, I think.

I right clicked on the drive, clicked on "Format", then clicked on "Restore Device Default" and left quick format unchecked, then I let it format in peace until it was done.

Also, here's the MBRCheck log.
 

Attachments

  • MBRCheck_08.28.10_16.02.57.txt
    13.7 KB · Views: 1
There is something wrong here and even, if your computer behaves fine, I don't like it.

Let's double check something.
If you have any Combofix file on your desktop, delete it.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
OK, Combofix doesn't see any infection and it definitely detects Whistler bootkit, if one is present.

Let's run one more tool.

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Nothing found:
298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Click to expand...
The result in bold is exactly what you expect on a clean drive.

At this point, I have no other choice, but to declare your computer as being clean.
I see nothing wrong there.
 
Broni said:
Nothing found:

The result in bold is exactly what you expect on a clean drive.

At this point, I have no other choice, but to declare your computer as being clean.
I see nothing wrong there.
Click to expand...

Alright, guess I'll have to deal with it since it's not causing me any problems.

Thanks for the help, Norton would have charged me an eye and a tooth just to get it fixed, then gave me no guarantee it would remain fixed.

I just hope it is actually a false alarm and doesn't bite me in the butt down the road.
 
You should be perfectly fine.
If anything, you know, where to find me :)

Just to be safe, reset your restore points to create fresh, clean restore point.

Good luck :)
 

Similar threads

S
Recovering Data from Laptop with (Likely) Broken RAM
Replies
6
Views
385
Brickwizard
Brickwizard
T
Do I need to turn off "Secure Boot" in my BIOS to be able to boot up into a USB Linux Mint distro?
Replies
6
Views
877
Brickwizard
Brickwizard
Cal Jeffrey
Valve banned The Verge from its secret Deadlock playtest for leaking information on the game
2
Replies
36
Views
1K
ZedRM
ZedRM

Latest posts

Back