How to remove TR.Vilsel / TR.Clicker / Whistler Bootkit?

What is the TR.Vilsel / Whistler Bootkit / TR.cycler infection?

There are several variants. They are sometimes called:
Trojan Vilsel, Cycler Trojan, Trojan Clicker, Whistler bootkit.
The symptoms are:
The infection displays pop-up ads.
The sound is muted.
Several iexplore.exe processes are running under the "SYSTEM" user.
Ads Blocker
The infection uses a bootkit component: it rewrites the Master Boot Record (MBR) so that its code is loaded before Windows starts, which is why ordinary file-based cleaning does not remove it.
Examples of infected files:
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
c:\system volume information\Whistler\smss.exe
c:\system volume information\Whistler\svchost.exe

If you have Vista or 7: you must disable UAC during disinfection.
If TeaTimer (Spybot's resident protection) is running, disable it, otherwise it may interfere with the disinfection:
Start Spybot, click Mode, then select Advanced Mode.
On the left, click Tools, then Resident.
Uncheck the "Resident TeaTimer" box, then exit Spybot.
Methods of disinfection

First method: MBRCheck
Download MBRCheck to the desktop.
Close all applications and launch the program.
Follow the instructions; you will be prompted to restart the PC.
Relaunch MBRCheck. It should now report "Windows XX MBR code detected" (XX being your version of Windows), which means the MBR again contains standard Windows boot code.
Second method: Bootkit Remover
Download Bootkit Remover and unzip it to the desktop.
Download BTKR_Runbox to the desktop.
Note: the files remover.exe and BTKR_Runbox.exe must both be on the desktop for the tool to work correctly.
Start BTKR_Runbox, then select option No. 3. Confirm by pressing "1", then [Enter].
The PC will restart. After the reboot, start BTKR_Runbox again and select option No. 1. If the procedure worked, it should report:
OK [DOS/Win32 Boot code found]
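Both tools above answer the same question: does the MBR still carry standard boot code, or has it been replaced? The following Python script is an added example, not code from the original page or from MBRCheck or Bootkit Remover. It parses a 512-byte MBR, validates the 0x55AA signature, lists the partition entries and hashes the 440-byte boot-code region, then diffs a current MBR against a baseline saved from a known-clean machine (same Windows version and OEM). The two sample sectors, the partition layout and the boot-code bytes in it are constructed for illustration, not captures of the real infection.

```python
"""Parse a 512-byte MBR and diff it against a known-good copy.

A bootkit that hijacks the MBR replaces the executable boot code but
usually keeps the partition table intact so that Windows still boots.
Comparing the boot-code region with a baseline from a clean machine
shows whether that region was rewritten.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: executable boot code
DISK_SIG_OFF = 440            # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE        # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fixed-layout fields (no OEM-specific assumptions)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                      # type 0x00 = unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means 'matches baseline'."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("invalid 0x55AA signature: sector is not a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline: MBR code was rewritten")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("NT disk signature differs from baseline")
    if not any(p["bootable"] for p in cur["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def build_mbr(boot_code: bytes, partitions: list,
              disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Assemble a synthetic MBR (test data only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed samples (not real captures). CLEAN_MBR stands in for a stock
# Windows MBR; INFECTED_MBR keeps the same partition table but carries
# different boot code, which is what an MBR hijacked by a bootkit looks like.
_PARTS = [(0x80, 0x07, 2048, 204800)]       # one bootable NTFS partition at LBA 2048
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100, _PARTS)
INFECTED_MBR = build_mbr(b"\xEB\x04\x90\x90" + b"\xCC" * 100, _PARTS)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python mbrdiff.py baseline.bin current.bin
        # Dump the live MBR (as administrator) by reading the first 512 bytes
        # of \\.\PhysicalDrive0 on Windows, or of /dev/sda on Linux.
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            baseline, current = f.read(SECTOR_SIZE), g.read(SECTOR_SIZE)
    else:
        baseline, current = CLEAN_MBR, INFECTED_MBR
    for line in compare_mbr(baseline, current) or ["MBR matches baseline"]:
        print(line)
```

The script only compares against a baseline you supply; it does not embed hashes of "known-good" Windows MBRs, because OEM machines (the tattooed Packard Bell and HP disks mentioned below) legitimately ship non-standard MBR code, and a fixed hash list would flag them. A saved baseline from the same model is the reliable reference.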
Third method: FixMBR
If the two tools above do not work, the MBR can be rewritten with the fixmbr command from the Recovery Console.
To do this, boot into the Recovery Console.
Once the Recovery Console is open, write a new master boot record:
Under XP: type the command fixmbr and press Enter.
Under Vista/7: type the command bootrec.exe /fixmbr and press Enter.
A confirmation will be requested; then restart the PC normally.
Note: the FixMBR command rewrites a standard MBR. It should not be used on "tattooed" hard disks (Packard Bell, HP, ...), whose MBR contains manufacturer-specific code; overwriting it can break the OEM recovery system.
To verify that nothing remains, run an online scan of your computer:
Online scan BitDefender
Online scan TrendMicro
Online scan Computer Associates
Online scan F-Secure