I am not sure if I am posting this in the correct place, if so feel free to tell me to move it. About 3 weeks ago I started to notice that my internet is slow. Primarily YouTube would not buffer, but everything was a bit slower. I thought it could be my wifi signal, but ruled that out with a hard wire. So I thought maybe it was just cookies, so I deleted all the Firefox cookies. This did not solve the problem. IE is a little bit faster, but videos still take forever to buffer.

I then thought virus. Ran Avast and Malwarebytes. Found nothing. Figured I should run them both in safe mode. So I restarted and pressed F8 and Windows started normally. So I restarted and tried again, thinking that I just missed the timing. I did this ten times with no luck. Advanced boot options seems to be gone. So I loaded Windows and then flipped the PSU switch. It then loaded to a limited Advanced boot options because I improperly shut down Windows. I chose safe mode with networking and ran the virus checks again. I then ran RKill. Nothing was found.

Can a virus change the boot.ini where you lose boot options? I am about to back up and reinstall Windows, but figured I would post here and see if anyone knows what I could try.
Windows 7 doesn't use a "boot.ini"... it uses a BCD... so the answer to that particular question is no, a virus could not change the boot.ini at all.
Like Sykozis said, malware can't touch boot.ini, as boot.ini has been removed in favour of the BCD starting with Windows Vista. The malware can instead use up system resources, which would cause the slowdown. deltatux
Malware can also infect the MBR (virus, trojan) and the BCD (rootkit). If there's an issue with the BCD, such as missing menus or menu items, you need to find a good rootkit scanner. If your system has been infected by a rootkit, your best option is to delete the partition, format the hard drive and reinstall everything. Here's Sophos Rootkit Remover: http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx
GMER Rootkit detector: http://www.gmer.net/
I would suggest downloading and running both of them.
You're being paranoid imo. Open a command prompt and type bcdedit, all your boot options will be displayed.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\????????>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {15d11e28-aedb-11e0-adc2-940a91fc79fb}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 0
displaybootmenu         No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
loadoptions             DDISABLE_INTEGRITY_CHECKS
inherit                 {bootloadersettings}
recoverysequence        {15d11e2a-aedb-11e0-adc2-940a91fc79fb}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {15d11e28-aedb-11e0-adc2-940a91fc79fb}
nx                      OptIn
pae                     Default
sos                     Yes
debug                   No

C:\Users\???????>
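An added example, not from any poster in this thread: a small parser that turns bcdedit's text output (the sample below is constructed in the shape of the listing above) into per-entry dictionaries and then flags the settings a responder would look at first: a hidden boot menu with zero timeout, the legacy DDISABLE_INTEGRITY_CHECKS load option, and a loader path that is not the stock winload.exe.

```python
# Constructed sample in the shape of the bcdedit output pasted above;
# values are illustrative, not taken from any real machine.
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
default                 {current}
timeout                 0
displaybootmenu         No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
loadoptions             DDISABLE_INTEGRITY_CHECKS
"""

def parse_bcdedit(text):
    """Turn bcdedit's text output into one {setting: value} dict per entry."""
    lines = text.splitlines()
    entries, current = [], None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("---"):            # a title line precedes a dashed rule
            current = {"_type": line.strip()}
            entries.append(current)
        elif line.startswith("---") or not line.strip() or current is None:
            continue
        else:                                # "key   value": split on first space
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return entries

def review_bcd(entries):
    """Return (identifier, note) pairs for settings worth a second look."""
    notes = []
    for e in entries:
        ident = e.get("identifier", "?")
        if e.get("_type") == "Windows Boot Manager":
            if e.get("displaybootmenu", "").lower() == "no" and e.get("timeout") == "0":
                notes.append((ident, "boot menu hidden with zero timeout"))
        elif e.get("_type") == "Windows Boot Loader":
            if "DDISABLE_INTEGRITY_CHECKS" in e.get("loadoptions", "").upper():
                notes.append((ident, "legacy loadoption that asks to skip driver signature checks"))
            if e.get("path", "").lower() != "\\windows\\system32\\winload.exe":
                notes.append((ident, "unexpected loader path " + e.get("path", "")))
    return notes
```

Feed it the real output with `parse_bcdedit(open("bcd.txt").read())`; an empty list from `review_bcd` means none of these three conditions was present, not that the BCD is clean.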
If Windows related, why not just check it out with MSE? Google Microsoft Security Essentials, it's totally free and pretty frickin' good at catching little critters.
MSE has only let me down once in the time it's been installed, but otherwise MSE is all you need imo, but it doesn't hurt to have a second opinion from Malwarebytes or AVG etc.
Ran both and GMER report is this:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-10 00:49:53
Windows 6.1.7601 Service Pack 1
Running: gdmrffl3.exe
---- Registry - GMER 1.0.15 ----
---- EOF - GMER 1.0.15 ----

Nothing was in red, and Sophos gave me this: Troj/WhistMbr-A PHYSICAL:0081:0000:0000:0001

Next I will try a Windows repair (have to find my disk).
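An added example, not code from any poster or tool in this thread, showing how a responder checks the MBR infection that the Sophos detection above points at: parse a 512-byte sector, verify the 0x55AA signature and partition table, and compare the 446-byte boot-code area against a known-good hash. The MBR bytes below are constructed stand-ins, not real Windows boot code; a rootkit that hooks disk I/O can hand a live scanner clean sectors, so the sector should be read from boot media or an offline image.

```python
import hashlib
import struct

def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code plus (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b""
    for status, ptype, start, count in partitions:
        # CHS fields are unused by modern loaders; zeroed here.
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed sample standing in for a known-good MBR (not real Windows boot code).
GOOD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439
GOOD_MBR = build_mbr(GOOD_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(GOOD_CODE).hexdigest()   # taken from a trusted image

def parse_mbr(sector):
    """Return boot-code hash, partition entries and signature validity of one sector."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            parts.append({"active": status == 0x80, "type": ptype, "start": start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }

def check_mbr(sector, baseline_sha256):
    """Compare a captured MBR against a known-good boot-code hash; return findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings
```

A baseline hash is only meaningful when it comes from the same Windows version's MBR written by a trusted installer; an OEM or boot-manager MBR will differ without being malicious.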
I have found this tool from Kaspersky to be useful of late. Click on "Change Parameters" and check the "Detect TDLFS file system" checkbox before scanning. http://support.kaspersky.com/faq/?qid=208283363
Sometimes it is wise to be paranoid. Anyways, if he were infected with a rootkit, he cannot trust what bcdedit tells him.
Yes, that's IF he were infected. However, since we have no reason to suspect malware, we can give bcdedit the benefit of the doubt. If not, then you might as well tell him to nuke the whole system immediately. Given that you see me as such a troll, I'm surprised you even responded to my post...
Baverdi, you might consider nuking the hard drive, which means a full format... providing Sophos is not giving a false positive. Anyway, here are some removal instructions. http://www.sophos.com/en-us/support/knowledgebase/112129.aspx
McAfee has a functional rootkit scanner as well, but it has a limited list of known rootkits it will scan for. There are also utilities from F-Secure and Kaspersky:
http://www.f-secure.com/en/web/labs_global/removal-tools F-Secure Easy Clean
http://support.kaspersky.com/faq/?qid=208283363 Kaspersky TDSSKiller
I think it said it could not. I'm running another scan now.

Edit:
2012-08-08 02:43:10 >>> Virus 'Troj/WhistMbr-A' found in file PHYSICAL:0081:0000:0000:0001
2012-08-08 02:43:10 Disinfection failed