
How to remove TR.Vilsel/TR.Clicker/Whistler Bootkit?

TR.Vilsel/TR.Clicker/Whistler Bootkit, or more explicitly Trojan Vilsel, Cycler Trojan and Trojan Clicker Bootkit Whistler, are variants of a malicious infection that can pose a serious threat to the security of your system. If symptoms such as muted sound and the iexplore.exe process loading under the SYSTEM user occur, it is clear that the system has been affected by this type of virus. TR.Vilsel/TR.Clicker/Whistler Bootkit can load from the MBR by using its bootkit feature, which can be a threat to the system. The PC can be freed from it with the help of MBRCheck, Bootkit Remover, the FixMBR command, etc.

What is the TR.Vilsel/Whistler Bootkit/TR.cycler infection?

There are several variants. They are sometimes called: Trojan Vilsel, Cycler Trojan, Trojan Clicker bootkit Whistler.

The symptoms are:

  • Pop-up ads
  • No sound
  • Several iexplore.exe processes loaded under "SYSTEM" user
  • Ad Blocker

Examples of infected files:

C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe        
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
c:\system volume information\Whistler\smss.exe
c:\system volume information\Whistler\svchost.exe


If you are running Windows Vista or 7:
You must disable UAC during disinfection.

TeaTimer (Spybot resident) should be disabled. Otherwise, it may interfere with the disinfection:
  • Start Spybot, click Mode, select Advanced Mode.
  • On the left, click Tools, then Resident.
  • Uncheck the "TeaTimer" box, then exit Spybot.

Methods of disinfection

First method: MBRCheck

  • Download MBRCheck on the desktop.
  • Close all applications and launch the program.
  • Follow the instructions. You will be prompted to restart the PC.
  • Re-launch MBRCheck and you will get the following message: "Windows XX MBR code detected" (XX is your version of Windows).

Second method: Bootkit Remover

  • Download Bootkit Remover and unzip to the desktop.
  • Download BTKR_Runbox to the desktop.
    • Note: You must have the files remover.exe and BTKR_Runbox.exe on the desktop for the tool to work correctly.
  • Start BTKR_Runbox, then select option No.3.
  • Confirm by pressing "1" then [Enter].
  • The PC will restart. After reboot, restart BTKR_Runbox by selecting No.1.
  • If the procedure was a success, you should see "OK [DOS/Win32 Boot code found]".

Third method: FixMBR

  • If the two proposed tools do not work, it is possible to clean the MBR using the fixmbr command in Recovery Console.
  • To do this, we must access the Recovery Console.

Once you have opened the Recovery Console, you must write a new boot sector:
  • Under XP: Simply type the command fixmbr and then validate by pressing the Enter button.
  • Under Vista/7: Use the command bootrec.exe /fixmbr and validate by pressing Enter.
  • A confirmation will be requested, then restart the PC normally.
  • Note: The FixMBR command rewrites a standard MBR. It should not be used on tattooed hard disks (Packard Bell, HP, ...).
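
The tools above report whether standard boot code is present in the MBR. As an added example (not code from this page, and not how MBRCheck or Bootkit Remover is implemented), the sketch below parses a 512-byte dump of sector 0, checks the 0x55AA signature, lists the partition entries and compares a SHA-256 of the boot code area against a known-good baseline. It assumes the dump was taken from a trusted boot environment; the sample sectors and the baseline are constructed, and the function names are hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot code; 440-445: disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # bytes 510-511

def parse_mbr(sector):
    """Return (sha256 of boot code, list of used partition entries)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(), parts

def check_mbr(sector, known_good):
    """known_good maps boot-code hash -> label of a trusted MBR build."""
    code_hash, parts = parse_mbr(sector)
    label = known_good.get(code_hash)
    verdict = f"OK: {label}" if label else f"UNKNOWN boot code: {code_hash[:16]}"
    return verdict, parts

def make_sample(boot_code):
    """Constructed test sector: given boot code plus one active NTFS entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
    return body + entry + b"\x00" * 48 + BOOT_SIG

if __name__ == "__main__":
    clean = make_sample(b"CONSTRUCTED-CLEAN-LOADER")
    tampered = make_sample(b"CONSTRUCTED-MODIFIED-LOADER")
    baseline = {parse_mbr(clean)[0]: "baseline boot code (constructed)"}
    for name, image in (("clean", clean), ("tampered", tampered)):
        print(name, check_mbr(image, baseline))
```

An unknown hash is a reason to investigate, not proof of infection: vendor-specific MBRs, such as those on the tattooed disks noted above, and third-party boot managers also differ from the standard code.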

Going further

To verify that nothing remains, it is better to do an online scan of your computer:

Latest update by Jean-François Pillou.

This document, titled "How to remove TR.Vilsel/TR.Clicker/Whistler Bootkit ?," is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (https://ccm.net/).