Boo/Whistler.db ?

Has anyone come across this? Avira has started picking it up, apparently on boot sectors of my C: and D: drives and HD0 and HD1 (dunno what they are :confused: ). Google seems to throw up a few instances of people attempting to fix this and having partitions go missing, but I can't seem to find any straightforward way of actually killing the thing. Malwarebytes doesn't even find it. Any ideas guys?

Thanks!
 
Seems to be rife in Germany, for some reason.

C: and D: are the same thing as HD0 and HD1, assuming they're both hard drives.
 
Damnit, I thought WD had sorted this. It did find 4 other bits of malware and on a reboot Avira wasn't popping up to tell me about Whistler anymore. Just turned the PC on this afternoon and it's back :(

Any more ideas guys?
 
Ah, maybe I wasn't running it in safe mode. Would that make a difference in it finding it? I'll try in a sec..
 
I can't remember which one it was but the makers of MBAM or Superantispyware recommend scanning in normal mode over safe mode as it can detect running malware better than in safe mode. If it's a boot sector virus won't it run in safe mode too anyway?
 
tbh all bets are off if you're scanning a running system because it's inherently untrusted if malware is present. It's best to do an offline scan.
 
I can't remember which one it was but the makers of MBAM or Superantispyware recommend scanning in normal mode over safe mode as it can detect running malware better than in safe mode. If it's a boot sector virus won't it run in safe mode too anyway?

Live malware usually hides itself from anti-malware applications or is able to regenerate. From experience, safe mode kills 90% of malware and allows anti-malware applications to do their jobs.
 
tbh all bets are off if you're scanning a running system because it's inherently untrusted if malware is present. It's best to do an offline scan.
What exactly do you mean by this? I did an offline scan with Windows Defender (booted from USB stick) but that didn't find it.

Unfortunately I still haven't resolved this. Avira keeps finding it and I've scanned with latest defs MBAM in both safe mode and not, still to no avail.

Any other ideas guys? :(
 
What you have is something called the black internet virus.

The only reason that the malware programs can't detect it is because the main part of the malware is embedded in the master boot record and you need to fix that before you can take out any of the other components.

I think I did post a tool ages ago that could detect this and fix it (although using fixmbr will do the job).
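
Added example, not part of the thread and not any poster's tool: a Python check that splits a 512-byte MBR dump into its bootstrap code (hashed) and its partition table, so a dump saved before an MBR repair can be compared with one taken afterwards to confirm the boot code changed and the partition entries did not. It assumes the dumps were taken offline from trusted boot media; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439 hold the bootstrap code
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into boot-code hash and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions}


def compare(before: bytes, after: bytes) -> dict:
    """Report which parts of the MBR differ between two dumps."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partitions_changed": a["partitions"] != b["partitions"]}


def make_sample(boot_byte: int) -> bytes:
    """Constructed sample sector: filler boot code plus one NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_END] = bytes([boot_byte]) * BOOT_CODE_END
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    suspect, repaired = make_sample(0x90), make_sample(0xFA)
    print(parse_mbr(suspect)["partitions"])
    print(compare(suspect, repaired))
```

A result of `partitions_changed: True` after a repair is the case to stop on, since the saved dump still holds the original table.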
 