How to remove TR.Vilsel/TR.Clicker/Whistler Bootkit?

July 2015

TR.Vilsel/TR.Clicker/Whistler Bootkit, or more explicitly Trojan Vilsel, Cycler Trojan and Trojan Clicker Bootkit Whistler, are variants of a malicious infection that can pose a serious threat to the security of your system. If symptoms such as muted sound and iexplore.exe processes loading under the SYSTEM user occur, then it is clear that the system has been affected by this type of virus. TR.Vilsel/TR.Clicker/Whistler Bootkit can load from the MBR by using the bootkit feature, which can be a threat to the system. The PC can be freed from them with the help of MBRCheck, Bootkit Remover, the FixMBR command, etc.

What is the TR.Vilsel/Whistler Bootkit/TR.cycler infection?

There are several variants. They are sometimes called: Trojan Vilsel, Cycler Trojan, Trojan Clicker bootkit Whistler.

The symptoms are:

  • Pop-up ads
  • No sound
  • Several iexplore.exe processes loaded under "SYSTEM" user
  • Ad Blocker


Examples of infected files:

C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe        
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe       
c:\system volume information\Whistler\smss.exe       
c:\system volume information\Whistler\svchost.exe       

Preliminaries


If you are running Windows Vista or 7:
You must disable UAC during disinfection.

If you have TeaTimer (Spybot resident), disable it; otherwise it may interfere with the disinfection:
  • Start Spybot, click Mode, select Advanced Mode.
  • On the left, click Tools, then Resident.
  • Uncheck the "TeaTimer" box then exit Spybot

Methods of disinfection

First method: MBRCheck

  • Download MBRCheck to the desktop.
  • Close all applications and launch the program.
  • Follow the instructions; you'll be prompted to restart the PC.
  • Re-launch MBRCheck and you will get the following message: "Windows XX (XX is your version of Windows) MBR code detected".

Second method: Bootkit Remover

  • Download Bootkit Remover and unzip to the desktop.
  • Download BTKR_Runbox to the desktop.
    • Note: You must have the files remover.exe and BTKR_Runbox.exe on the desktop for the tool to work correctly.
  • Start BTKR_Runbox then select option No.3
  • Confirm by pressing "1" then [Enter]
  • The PC will restart. After reboot, restart BTKR_Runbox by selecting No.1
  • If the procedure worked well, you should see " OK [DOS/Win32 Boot code found] "

Third method: FixMBR

  • If the two proposed tools do not work, it is possible to clean the MBR using the fixmbr command in Recovery Console.
  • To do this, we must access the Recovery Console



Once you have opened the Recovery Console, you must write a new boot sector:
  • Under XP: Simply type the command fixmbr and then validate by pressing the Enter button.
  • Under Vista/7: Use the command bootrec.exe /fixmbr and validate by pressing Enter.
  • A confirmation will be requested, then restart the PC normally.
  • Note: The FixMBR command rewrites a standard MBR. It should not be used on a "tattooed" hard disk, that is, one shipped with a manufacturer-specific MBR (Packard Bell, HP ...)

Going further


To verify that nothing remains, it is better to do an online scan of your computer:
Published by jak58.
This document entitled « How to remove TR.Vilsel/TR.Clicker/Whistler Bootkit ? » from CCM (ccm.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the license, as long as this note appears clearly.