Guru3D.com Forums

Possible Windows 7 virus
(#1)
baverdi
Member Guru
 
Videocard: Sapphire 7870
Processor: Phenom II 945 95 watt
Mainboard: XFX 8200 MI-A78S-8209
Memory: 4gb Corsair TWINX PC6400
Soundcard: Realtec
PSU: XFX 850 watt
Possible Windows 7 virus - 08-08-2012, 00:22 | posts: 62 | Location: Chicago

I am not sure if I am posting this in the correct place, if so feel free to tell me to move it.

About 3 weeks ago I started to notice that my internet is slow. Primarily YouTube would not buffer, but everything was a bit slower. I thought it could be my wifi signal, but ruled that out with a hard wire. So I thought maybe it was just cookies, so I deleted all the Firefox cookies. This did not solve the problem. IE is a little bit faster, but videos still take forever to buffer.

I then thought virus.

Ran Avast and Malwarebytes. Found nothing. Figured I should run them both in safe mode. So I restarted and pressed F8, and Windows started normally. So I restarted and tried again, thinking that I had just missed the timing. I did this ten times with no luck. Advanced Boot Options seems to be gone. So I loaded Windows and then flipped the PSU switch. It then loaded to a limited Advanced Boot Options because I improperly shut down Windows. I chose safe mode with networking and ran the virus checks again. I then ran RKill. Nothing was found.

Can a virus change the boot.ini so that you lose boot options? I am about to back up and reinstall Windows, but figured I would post here and see if anyone knows what I could try.
   
(#2)
sykozis
Ancient Guru
 
 
Videocard: Radeon R7 240
Processor: AMD Athlon 5350
Mainboard: Asus AM1M-A
Memory: 8gb G.Skill DDR3-1866
Soundcard: Creative SB X-Fi Go!
PSU: Unk 300watt
08-08-2012, 01:22 | posts: 16,766 | Location: US East Coast

Windows 7 doesn't use a "boot.ini"... it uses a BCD... so the answer to that particular question is no, a virus could not change the boot.ini at all.


   
(#3)
deltatux
Ancient Guru
 
 
Videocard: GIGABYTE Radeon R9 280
Processor: Intel Core i5 3570K @4.5
Mainboard: GIGABYTE GA-Z77X-UD5H
Memory: Patriot 4 x 4GB DDR3-1600
Soundcard: Auzentech X-Raider 7.1
PSU: OCZ ModXStream Pro 500W
08-08-2012, 01:24 | posts: 19,054 | Location: Toronto, Canada

As Sykozis said, malware can't touch boot.ini, as boot.ini was removed in favour of the BCD starting with Windows Vista. The malware can instead use up system resources, which would cause the slowdown.

deltatux
   
(#4)
sykozis
Ancient Guru
 
08-08-2012, 03:35 | posts: 16,766 | Location: US East Coast

Malware can also infect the MBR (virus, trojan) and the BCD (rootkit). If there's an issue with the BCD, such as missing menus or menu items, you need to find a good rootkit scanner. If your system has been infected by a rootkit, your best option is to delete the partition, format the hard drive and reinstall everything.

Here's Sophos Rootkit Remover: http://www.sophos.com/en-us/products...i-rootkit.aspx
GMER Rootkit detector: http://www.gmer.net/

I would suggest downloading and running both of them.


   
(#5)
Ice Cube
Banned
 
Videocard: Gigabyte GTX 670
Processor: 2700K@4.5GHz/ Corsair H70
Mainboard: Asus P8Z77-V
Memory: Gskill RipJaws 8GB-1600
Soundcard: Onboard
PSU: Seasonic 850W(80+Gold)
08-08-2012, 06:55 | posts: 191 | Location: Refrigerator

My experience, although not much, says that a fresh installation of Windows is your best bet.
   
(#6)
Pill Monster
Ancient Guru
 
 
Videocard: 7950 Vapor-X 1175/1550
Processor: AMD FX-8320 @4.8
Mainboard: ASUS Sabertooth 990FX R2
Memory: 8GB Kingston HyperX 2400
Soundcard: X-Fi Fatal1ty
PSU: AcBel M8 750
08-08-2012, 09:51 | posts: 24,427 | Location: NZ

You're being paranoid imo.

Open a command prompt and type bcdedit, all your boot options will be displayed.
   
(#7)
baverdi
Member Guru
 
08-09-2012, 10:16 | posts: 62 | Location: Chicago

Quote: Originally Posted by Pill Monster
You're being paranoid imo.

Open a command prompt and type bcdedit, all your boot options will be displayed.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\????????>bcdedit

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {15d11e28-aedb-11e0-adc2-940a91fc79fb}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 0
displaybootmenu No

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
loadoptions DDISABLE_INTEGRITY_CHECKS
inherit {bootloadersettings}
recoverysequence {15d11e2a-aedb-11e0-adc2-940a91fc79fb}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {15d11e28-aedb-11e0-adc2-940a91fc79fb}
nx OptIn
pae Default
sos Yes
debug No

C:\Users\???????>
   
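One line in the output quoted above deserves more attention than it gets in the thread: `loadoptions DDISABLE_INTEGRITY_CHECKS`. That load option was the Vista-era switch for turning off kernel-mode code-signing enforcement on a boot entry (the same intent as `bcdedit /set nointegritychecks on`), which is one way to get an unsigned driver loaded on 64-bit Windows; later builds honour it less reliably, but no stock installation writes it, so the owner should know who put it there. The script below is an added example, not a poster's code and not any vendor's tool: it parses the text `bcdedit` prints (the two entries from the post are embedded as constructed sample data) and flags the settings on a boot-loader entry that weaken code integrity or point the loader at something other than the stock `winload.exe`. Because a rootkit on the running system can lie to `bcdedit` (gammelhat's point in post #12), capture the output from a clean boot medium with `bcdedit /store <drive>:\Boot\BCD /enum all > bcd.txt` and feed that file to the script.

```python
"""Flag boot-entry settings that weaken kernel code integrity.

Added example for this thread; not a poster's code and not a vendor tool.
Parses the text that bcdedit prints and reports settings on a
"Windows Boot Loader" entry that a rootkit or bootkit would want.
"""
import re

# Constructed sample: the two entries quoted in the post above, values as posted.
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
timeout                 0
displaybootmenu         No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
loadoptions             DDISABLE_INTEGRITY_CHECKS
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn
"""

# (setting, predicate on its value, finding) applied to boot-loader entries only.
RULES = [
    ("loadoptions", lambda v: "DISABLE_INTEGRITY_CHECKS" in v.upper(),
     "loadoptions disables kernel-mode code-integrity checks"),
    ("nointegritychecks", lambda v: v.lower() == "yes",
     "nointegritychecks is on: unsigned drivers may load"),
    ("testsigning", lambda v: v.lower() == "yes",
     "testsigning is on: test-signed drivers may load"),
    ("path", lambda v: v.lower() != r"\windows\system32\winload.exe",
     "loader path is not the stock winload.exe"),
    ("kernel", lambda v: True,
     "a replacement kernel image is configured"),
]

DASHES = re.compile(r"-{3,}$")


def parse_bcdedit(text):
    """Return [(entry_title, {setting: value}), ...] from bcdedit's text output."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, current = [], None
    for i, line in enumerate(lines):
        if not line or DASHES.match(line):
            continue
        if i + 1 < len(lines) and DASHES.match(lines[i + 1]):
            current = (line, {})          # an entry title is underlined with dashes
            entries.append(current)
            continue
        if current is None:
            continue                      # prompt or banner text before the first entry
        key, _, value = line.partition(" ")
        current[1][key.lower()] = value.strip()
    return entries


def audit(entries):
    """Return (identifier, finding) pairs for every boot-loader entry that trips a rule."""
    findings = []
    for title, settings in entries:
        if title.lower() != "windows boot loader":
            continue
        ident = settings.get("identifier", "?")
        for key, is_bad, finding in RULES:
            if key in settings and is_bad(settings[key]):
                findings.append((ident, finding))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # A capture such as `bcdedit /store D:\Boot\BCD /enum all > bcd.txt` taken from boot media
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_BCDEDIT_OUTPUT
    findings = audit(parse_bcdedit(text))
    for ident, finding in findings:
        print(f"{ident}: {finding}")
    if not findings:
        print("no code-integrity weakening settings found")
```

Run without arguments it reports the posted entry's `loadoptions` line; run against a capture from boot media it audits every boot-loader entry in that store, including ones the boot menu never displays.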
(#8)
Hilbert Hagedoorn
Don Vito Corleone
 
 
Videocard: AMD | NVIDIA
Processor: Core i7 4770K
Mainboard: Z77
Memory: 8GB
Soundcard: X-Fi - GigaWorks 7.1
PSU: 1200 Watt
08-09-2012, 10:19 | posts: 21,561 | Location: Guru3D testlab

If it's Windows related, why not just check it out with MSE?

Google Microsoft Security Essentials; it's totally free and pretty frickin' good at catching little critters.


(#9)
(.)(.)
Ancient Guru
 
 
Videocard: 580sli (water)
Processor: 2600k @ 4.7
Mainboard: Asus M4E
Memory: Corsair Vengence
Soundcard: onboard
PSU: Enermax Rev 1250w
08-09-2012, 10:45 | posts: 5,385 | Location: Logd n jst 2 change avatar

MSE has only let me down once in the time it's been installed, but otherwise MSE is all you need imo, though it doesn't hurt to have a second opinion from Malwarebytes or AVG etc.
   
(#10)
baverdi
Member Guru
 
08-10-2012, 08:04 | posts: 62 | Location: Chicago

Quote: Originally Posted by sykozis
Malware can also infect the MBR (virus, trojan) and the BCD (rootkit). If there's an issue with the BCD, such as missing menus or menu items you need to find a good rootkit scanner. If your system has been infected by a rootkit your best option is to delete the partition, format the harddrive and reinstall everything.

Here's Sophos Rootkit Remover: http://www.sophos.com/en-us/products...i-rootkit.aspx
GMER Rootkit detector: http://www.gmer.net/

I would suggest downloading and running both of them.
Ran both, and the GMER report is this:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-10 00:49:53
Windows 6.1.7601 Service Pack 1
Running: gdmrffl3.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272211b65
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272211b65@d488902890f8 0x5A 0xEF 0xC5 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x03 0xCC 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x87 0x6C 0xD4 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x5B 0xA9 0xA0 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xB1 0x9E 0xA4 0xB8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272211b65 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272211b65@d488902890f8 0x5A 0xEF 0xC5 0x6F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x03 0xCC 0x7A ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x87 0x6C 0xD4 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x5B 0xA9 0xA0 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xB1 0x9E 0xA4 0xB8 ...

---- EOF - GMER 1.0.15 ----

Nothing was in red.

and Sophos gave me this:

Troj/WhistMbr-A
PHYSICAL:0081:0000:0000:0001

Next I will try a Windows repair (have to find my disk)
   
(#11)
dfwny
Ancient Guru
 
 
Videocard: EVGA GTX280 SSC Ed. 1GB
Processor: Intel Q9450 Quad
Mainboard: EVGA 750SLI FTW
Memory: 4 GB OCZ Platinum
Soundcard: Onboard :(
PSU: Antec 550W
08-10-2012, 19:00 | posts: 3,054 | Location: California

I have found this tool from Kaspersky to be useful of late. Click on "Change Parameters" and check the "Detect TDLFS file system" checkbox before scanning.

http://support.kaspersky.com/faq/?qid=208283363
   
(#12)
gammelhat
Member Guru
 
08-10-2012, 19:06 | posts: 96

Quote: Originally Posted by Pill Monster
You're being paranoid imo.

Open a command prompt and type bcdedit, all your boot options will be displayed.
Sometimes it is wise to be paranoid. Anyway, if he were infected with a rootkit, he couldn't trust what bcdedit tells him.
   
(#13)
Pill Monster
Ancient Guru
 
08-10-2012, 19:51 | posts: 24,427 | Location: NZ

Quote: Originally Posted by gammelhat
Sometimes it is wise to be paranoid. Anyways, if he were infected with a rootkit, he cannot trust what bcdedit tells him.
Yes, that's IF he were infected. However, since we have no reason to suspect malware, we can give bcdedit the benefit of the doubt.
If not, then you might as well tell him to Nuke the whole system immediately.


Given that you see me as such a troll I'm surprised you even responded to my post.....
   
(#14)
sykozis
Ancient Guru
 
08-10-2012, 23:08 | posts: 16,766 | Location: US East Coast

Quote: Originally Posted by baverdi
and Sophos gave me this:

Troj/WhistMbr-A
PHYSICAL:0081:0000:0000:0001

Next I will try a Windows repair (have to find my disk)
Sophos detected a trojan. Did it attempt to remove it?


   
(#15)
Pill Monster
Ancient Guru
 
08-10-2012, 23:27 | posts: 24,427 | Location: NZ

Baverdi, you might consider nuking the hard drive, which means a full format... provided Sophos is not giving a false positive.

Anyway here are some removal instructions.
http://www.sophos.com/en-us/support/...se/112129.aspx

Last edited by Pill Monster; 08-10-2012 at 23:38.
   
(#16)
sykozis
Ancient Guru
 
08-11-2012, 01:24 | posts: 16,766 | Location: US East Coast

McAfee has a functional rootkit scanner as well, but it has a limited list of known rootkits it will scan for. There are also utilities from F-Secure and Kaspersky:

http://www.f-secure.com/en/web/labs_.../removal-tools F-Secure Easy Clean
http://support.kaspersky.com/faq/?qid=208283363 Kaspersky TDSSKiller


   
(#17)
baverdi
Member Guru
 
08-11-2012, 06:07 | posts: 62 | Location: Chicago

Quote: Originally Posted by sykozis
Sophos detected a trojan. Did it attempt to remove it?
I think it said it could not. I'm running another scan now.

Edit:
2012-08-08 02:43:10 >>> Virus 'Troj/WhistMbr-A' found in file PHYSICAL:0081:0000:0000:0001
2012-08-08 02:43:10 Disinfection failed

Last edited by baverdi; 08-11-2012 at 06:11.
   
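Sophos placed the detection in post #10 at `PHYSICAL:0081:0000:0000:0001`, which by the usual BIOS reading is drive 0x81 (0x80 being the first hard disk), cylinder 0, head 0, sector 1: the master boot record, and the log above ends with "Disinfection failed", so whatever is in that sector is still there. An MBR infection of this kind typically leaves the partition table alone and replaces only the 440 bytes of bootstrap code, which is why the disk still boots and a partition listing looks normal, and why the useful check is a comparison of that code against a copy you know is clean. The script below is an added example, not a poster's code and not Sophos's or GMER's detection logic: it parses a 512-byte MBR image, lists its partitions, hashes the bootstrap region and reports which regions differ from a baseline. Both sample MBRs are constructed inside the script (a stub standing in for the real Windows 7 boot code, and a copy with a hypothetical hook patched over its first instructions); the real one should be imaged from boot media, not read from inside the suspect system, for the same reason `bcdedit` cannot be trusted there. The standard repair on Windows 7 is `bootrec /fixmbr` from the install disc's recovery command prompt, which rewrites the bootstrap code and leaves the partition table intact; image and compare again afterwards, and remember that this removes the hook, not whatever the hook was loading.

```python
"""Compare a 512-byte MBR against a known-good copy: signature, partition
table and a hash of the bootstrap code.

Added example for this thread; not any poster's code and not Sophos's or
GMER's detection logic. All sample data is constructed below.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440      # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440      # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55 0xAA

# Regions compared by diff_mbr(); a bootkit usually changes only the first.
REGIONS = [
    ("bootcode", 0, BOOTCODE_LEN),
    ("disk_signature", DISK_SIG_OFF, DISK_SIG_OFF + 4),
    ("partition_table", PART_TABLE_OFF, SIGNATURE_OFF),
    ("signature", SIGNATURE_OFF, MBR_SIZE),
]

# Constructed stand-in for the real Windows 7 bootstrap code (the real code
# is 440 bytes of x86; only its hash matters to this check).
CLEAN_BOOTCODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"constructed clean bootstrap stub"
# Hypothetical hook: a near jump patched over the first instructions; the
# rest of the code and the partition table are left untouched.
HIJACKED_BOOTCODE = b"\xE9\x00\x01" + CLEAN_BOOTCODE[3:]
# In practice record this hash from a disk you know is clean (or a fresh
# install of the same Windows build), never from the suspect machine.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()


def build_mbr(bootcode, disk_sig=0x1234ABCD, partitions=None):
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, sectors) entries."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("bootstrap code longer than 440 bytes")
    if partitions is None:
        # Typical Windows 7 layout: active 100 MB "System Reserved", then C:
        partitions = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 500_000_000)]
    table = b"".join(struct.pack("<B3xB3xII", *entry) for entry in partitions)
    return (bootcode.ljust(BOOTCODE_LEN, b"\x00")
            + struct.pack("<I", disk_sig) + b"\x00\x00"
            + table.ljust(64, b"\x00")
            + b"\x55\xAA")


def parse_mbr(mbr):
    """Return signature validity, disk signature, bootstrap hash and non-empty partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": mbr[SIGNATURE_OFF:] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def bootcode_matches(mbr, known_good_sha256):
    """True if the bootstrap region hashes to the recorded known-good value."""
    return parse_mbr(mbr)["bootcode_sha256"] == known_good_sha256


def diff_mbr(known_good, current):
    """Names of the regions in which `current` differs from `known_good`."""
    return [name for name, lo, hi in REGIONS if known_good[lo:hi] != current[lo:hi]]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # An image taken from boot media, e.g. `dd if=/dev/sda bs=512 count=1 of=mbr.bin`
        with open(sys.argv[1], "rb") as f:
            current = f.read(MBR_SIZE)
    else:
        current = build_mbr(HIJACKED_BOOTCODE)     # constructed "infected" sample
    info = parse_mbr(current)
    print("0x55AA signature present:", info["valid_signature"])
    for p in info["partitions"]:
        flag = " (active)" if p["active"] else ""
        print(f"  partition {p['index']}: type 0x{p['type']:02X} "
              f"start LBA {p['lba_start']} length {p['sectors']} sectors{flag}")
    print("bootstrap SHA-256:", info["bootcode_sha256"])
    print("matches known-good bootstrap:", bootcode_matches(current, KNOWN_GOOD_SHA256))
    print("regions differing from clean baseline:",
          diff_mbr(build_mbr(CLEAN_BOOTCODE), current))
```

On the constructed sample the partition listing is identical for the clean and hooked images and only the `bootcode` region differs, which is the pattern to expect from a bootkit; a differing `partition_table` or missing `0x55AA` signature points at corruption or a different kind of tampering rather than a hooked bootstrap.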