Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virus-rootkit infection, can't uptdate windows [Closed]

Started by samidelcueva , Jul 23 2015 10:49 AM

  • This topic is locked This topic is locked

#46
samidelcueva
Posted 27 July 2015 - 01:14 PM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

ok, i will check later, because i'm outside home and i can't right now, but i will check it in the afternoon, and i will post what happened, and about my first computer, asus windows 8.1, i found something else with rkill:

 

 * HOSTS file entries found: 
 
  127.0.0.1 localhost
  0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
  0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
  0.0.0.0 media.opencandy.com
  0.0.0.0 cdn.opencandy.com
  0.0.0.0 tracking.opencandy.com
  0.0.0.0 api.opencandy.com
  0.0.0.0 installer.betterinstaller.com
  0.0.0.0 installer.filebulldog.com
  0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
  0.0.0.0 inno.bisrv.com
  0.0.0.0 nsis.bisrv.com
  0.0.0.0 cdn.file2desktop.com
  0.0.0.0 cdn.goateastcach.us
  0.0.0.0 cdn.guttastatdk.us
  0.0.0.0 cdn.inskinmedia.com
  0.0.0.0 cdn.insta.oibundles2.com
  0.0.0.0 cdn.insta.playbryte.com
  0.0.0.0 cdn.llogetfastcach.us
  0.0.0.0 cdn.montiera.com
 
  20 out of 35 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
and rouge killer found that two, 
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 200.94.160.248 ([MEXICO (MX)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 200.94.160.248 ([MEXICO (MX)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EEF98F8E-5F9D-4000-8E8A-75D19401AA9D} | DhcpNameServer : 200.94.160.248 ([X])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EEF98F8E-5F9D-4000-8E8A-75D19401AA9D} | DhcpNameServer : 200.94.160.248 ([MEXICO (MX)])  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 34 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomalyDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.netDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.usDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.usDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.usDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.usDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.usDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.bizDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.comDeleted
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.netDeleted
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABF050 +++++
--- User ---
[MBR] 7566e601fc37fb011a6524949b91cc9c
[BSP] eefd9bcaf155d5eba732930c97cdddcb : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 455321 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 934809600 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK
 
i choose to delete them, but after the restart the host entries are still there  :upset:

i run MBAM and found nothing


  • 0

Advertisements

#47
Essexboy
Posted 27 July 2015 - 02:10 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The host entries are set by unchecky to stop adware calling home so need to be there



The others are default entries and again are of no import
  • 0

#48
samidelcueva
Posted 28 July 2015 - 08:20 AM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

oh okay,thanks, well i finally could make the xboot in the second computer, and  both computers are extremely fast, it is incredible, man, thank you very much, and it was very fast all, i want to donate to you, but i was wondering if there was another option to make the deposit.

And the solution to the xboot was the next one: https://social.msdn....r?forum=wptk_v4


  • 0

#49
Essexboy
Posted 28 July 2015 - 08:37 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Thanks I had not got that far down yet :)

Any further problems before I tidy up ?
  • 0

#50
samidelcueva
Posted 28 July 2015 - 08:50 AM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

yes, something occurs at last minute, i put avast rootkit as a prevention, and it found something, and after found it, the program crashed, i could not send you a log but i send you the information of the rootkit, that i can see, it says in red words "\Driver\atapi[0xfffffa8002e41d00] -> IRP_MJ_CREATE -> 0fffffa8002cf62c0".

 

And now comes to my memory that, when i put a time ago hitman pro to scan, it pups up a message that atapi.sys, where preventting to make a good analysis, so seems there is a rootkit still in this computer, (The second one), yesterday the computer were incredibly fast, but now today is still fast, but after they totally start, because the start up is again very slow :S 


Edited by samidelcueva, 28 July 2015 - 08:51 AM.

  • 0

#51
samidelcueva
Posted 28 July 2015 - 08:53 AM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

and after i close the program the Screen of Death appears  :no:


  • 0

#52
Essexboy
Posted 28 July 2015 - 08:58 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
If ATAPI was infected TDSSKiller would have spotted it .. AswMBR will report anything out of the ordinary

Download the GMER Rootkit Scanner. to your Desktop, it will be a randomly named .exe file .

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click the file you downloaded. The program will begin to run.
GMER_Open.JPG

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
  • 0

#53
samidelcueva
Posted 28 July 2015 - 09:14 AM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

it seems that found nothing, or at least any pop up comes up

Attached Files


  • 0

#54
samidelcueva
Posted 28 July 2015 - 09:44 AM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

and here is the avast anti rootkit log before it crashes (because i have tried 2 times)

Attached Files


  • 0

#55
Essexboy
Posted 28 July 2015 - 10:03 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8002cda2c0]<<sptd.sys

Unknown relates to SPTD.sys this is due to its behaviour and is a know anomaly which is of no import.


You say that the start up is slow again is that for both systems
  • 0

Advertisements

#56
Essexboy
Posted 28 July 2015 - 10:03 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8002cda2c0]<<sptd.sys

Unknown relates to SPTD.sys this is due to its behaviour and is a know anomaly which is of no import.


You say that the start up is slow again is that for both systems
  • 0

#57
samidelcueva
Posted 28 July 2015 - 10:11 AM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

yes, in my first computer is something slow after enable secure boot, because i had to disable a time ago tu run a rescue disk, so, after i enable is again slow (but faster than before), and the second computer (the second FRST log), after the xboot i can notice that the start up is more faster than before, but stills takes about 2 minutes to start, and its more slow before the users accounts appears


Edited by samidelcueva, 28 July 2015 - 10:13 AM.

  • 0

#58
Essexboy
Posted 28 July 2015 - 10:12 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK next step would be to run a clean boot to see what service is causing the delay

In the search box type Msconfig and select the programme that appears at the top

1.In the System Configuration Utility dialog box, click Selective Startup on the General tab.
Cleanboot1.JPG
2.Click to clear the Load Startup Items check box.
NoteThe Use Original Boot.ini check box is unavailable.
3.Click the Services tab.
4.Click to select the Hide All Microsoft Services check box.
cleanboot2.JPG
5.Click Disable All, and then click OK.
6.When you are prompted, click Restart.
7.Is the speed better
  • 0

#59
samidelcueva
Posted 28 July 2015 - 10:34 AM

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

in the first computer works, but in the second one i disable all services, and the start up time speed its the same  :upset:


  • 0

#60
Essexboy
Posted 28 July 2015 - 10:43 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The second on has Comodo antivirus doesn't it
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP