Possible Windows 7 virus

Discussion in 'Operating Systems' started by baverdi, Aug 8, 2012.

  1. baverdi

    baverdi Active Member

    I am not sure if I am posting this in the correct place, if so feel free to tell me to move it.

    About 3 weeks ago I started to notice that my internet is slow. Primarily YouTube would not buffer, but everything was a bit slower. I thought it could be my wifi signal, but ruled that out with a hard wire. So I thought maybe it was just cookies, so I deleted all the Firefox cookies. This did not solve the problem. IE is a little bit faster, but videos still take forever to buffer.

    I then thought virus.

    Ran Avast and Malwarebytes. Found nothing. Figured I should run them both in safe mode. So I restarted and pressed F8 and Windows started normally. So I restarted and tried again, thinking that I had just missed the timing. I did this ten times with no luck. Advanced boot options seem to be gone. So I loaded Windows and then flipped the PSU switch. It then loaded to a limited Advanced Boot Options menu because I improperly shut down Windows. I chose safe mode with networking and ran the virus checks again. I then ran RKill. Nothing was found.

    Can a virus change the boot.ini so that you lose boot options? I am about to back up and reinstall Windows, but figured I would post here and see if anyone knows what I could try.
     
  2. sykozis

    sykozis Ancient Guru

    Windows 7 doesn't use a "boot.ini"... it uses a BCD... so the answer to that particular question is no, a virus could not change the boot.ini at all.
     
  3. deltatux

    deltatux Ancient Guru

    Like Sykozis said, malware can't touch boot.ini, as boot.ini has been removed in favour of the BCD starting with Windows Vista. The malware can instead use up system resources, which would cause the slowdown.

    deltatux
     
  4. sykozis

    sykozis Ancient Guru

    Malware can also infect the MBR (virus, trojan) and the BCD (rootkit). If there's an issue with the BCD, such as missing menus or menu items, you need to find a good rootkit scanner. If your system has been infected by a rootkit, your best option is to delete the partition, format the hard drive and reinstall everything.

    Here's Sophos Rootkit Remover: http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx
    GMER Rootkit detector: http://www.gmer.net/

    I would suggest downloading and running both of them.
     

  5. Ice Cube

    Ice Cube Banned

    My experience, although not much, says that a fresh installation of Windows is your best bet.
     
  6. Pill Monster

    Pill Monster Banned

    You're being paranoid imo.

    Open a command prompt and type bcdedit; all your boot options will be displayed.
     
  7. baverdi

    baverdi Active Member

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\????????>bcdedit

    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device partition=\Device\HarddiskVolume1
    description Windows Boot Manager
    locale en-US
    inherit {globalsettings}
    default {current}
    resumeobject {15d11e28-aedb-11e0-adc2-940a91fc79fb}
    displayorder {current}
    toolsdisplayorder {memdiag}
    timeout 0
    displaybootmenu No

    Windows Boot Loader
    -------------------
    identifier {current}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-US
    loadoptions DDISABLE_INTEGRITY_CHECKS
    inherit {bootloadersettings}
    recoverysequence {15d11e2a-aedb-11e0-adc2-940a91fc79fb}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {15d11e28-aedb-11e0-adc2-940a91fc79fb}
    nx OptIn
    pae Default
    sos Yes
    debug No

    C:\Users\???????>
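    As an added illustration (not code from this thread or from any of the posters), here is a small Python script that parses bcdedit output in the format shown in the post above and flags the two settings a defender would want explained: a loadoptions value that switches off boot-time code-integrity checks, and a hidden boot manager menu. The sample text is a constructed, trimmed copy of the output posted above; the function names are my own.

```python
import re

# Constructed sample: the bcdedit output posted in this thread, trimmed to
# the elements the checks below look at.
SAMPLE = r"""Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
default {current}
displayorder {current}
timeout 0
displaybootmenu No

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
loadoptions DDISABLE_INTEGRITY_CHECKS
osdevice partition=C:
systemroot \Windows
nx OptIn
"""

def parse_bcdedit(text):
    """Return one dict per BCD object; each element name becomes a key."""
    objects, current = [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        # A section header is a title line followed by a line of dashes.
        if i + 1 < len(lines) and re.fullmatch(r"-{3,}", lines[i + 1].strip()):
            current = {"_type": line}
            objects.append(current)
            continue
        if re.fullmatch(r"-{3,}", line) or current is None:
            continue
        key, _, value = line.partition(" ")   # values may contain spaces
        current[key] = value.strip()
    return objects

def review_bcd(text):
    """List settings worth questioning. A rootkit can feed bcdedit false
    data (as noted later in the thread), so a clean result proves little."""
    findings = []
    for obj in parse_bcdedit(text):
        ident = obj.get("identifier", "?")
        if "DISABLE_INTEGRITY_CHECKS" in obj.get("loadoptions", "").upper():
            findings.append(f"{ident}: loadoptions '{obj['loadoptions']}' turns off "
                            "boot-time code-integrity (driver signature) checks")
        if obj.get("displaybootmenu") == "No" and obj.get("timeout") == "0":
            findings.append(f"{ident}: boot manager menu hidden (timeout 0, displaybootmenu No)")
    return findings
```

Run it against the saved output of `bcdedit` on the machine in question; each finding names the BCD object (`{bootmgr}` or `{current}`) it came from.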
     
  8. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    If Windows related, why not just check it out with MSE?

    Google Microsoft Security Essentials; it's totally free and pretty frickin' good at catching little critters.
     
  9. (.)(.)

    (.)(.) Banned

    MSE has only let me down once in the time it's been installed, but otherwise MSE is all you need imo, but it doesn't hurt to have a second opinion from Malwarebytes or AVG etc.
     
  10. baverdi

    baverdi Active Member

    Ran both and GMER report is this:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-08-10 00:49:53
    Windows 6.1.7601 Service Pack 1
    Running: gdmrffl3.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272211b65
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272211b65@d488902890f8 0x5A 0xEF 0xC5 0x6F ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x03 0xCC 0x7A ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x87 0x6C 0xD4 0xC2 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x5B 0xA9 0xA0 0xC9 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xB1 0x9E 0xA4 0xB8 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272211b65 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272211b65@d488902890f8 0x5A 0xEF 0xC5 0x6F ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x03 0xCC 0x7A ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x87 0x6C 0xD4 0xC2 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x5B 0xA9 0xA0 0xC9 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xB1 0x9E 0xA4 0xB8 ...

    ---- EOF - GMER 1.0.15 ----

    Nothing was in red.

    And Sophos gave me this:

    Troj/WhistMbr-A
    PHYSICAL:0081:0000:0000:0001

    Next I will try a Windows repair (have to find my disk)
     

  11. dfwny

    dfwny Ancient Guru

  12. gammelhat

    gammelhat Active Member

    Sometimes it is wise to be paranoid. Anyway, if he were infected with a rootkit, he cannot trust what bcdedit tells him.
     
  13. Pill Monster

    Pill Monster Banned

    Yes, that's IF he were infected. However, since we have no reason to suspect malware, we can give bcdedit the benefit of the doubt.
    If not, then you might as well tell him to nuke the whole system immediately.


    Given that you see me as such a troll I'm surprised you even responded to my post.....
     
  14. sykozis

    sykozis Ancient Guru

    Sophos detected a trojan. Did it attempt to remove it?
     
  15. Pill Monster

    Pill Monster Banned

    Last edited: Aug 10, 2012

  16. sykozis

    sykozis Ancient Guru

  17. baverdi

    baverdi Active Member

    I think it said it could not. I'm running another scan now.

    Edit:
    2012-08-08 02:43:10 >>> Virus 'Troj/WhistMbr-A' found in file PHYSICAL:0081:0000:0000:0001
    2012-08-08 02:43:10 Disinfection failed
     
    Last edited: Aug 11, 2012
