Absent for a little bit soon

sixer9682

Registered User
Joined
Sep 29, 2008
Messages
11,119
I'm heading out of town this Thursday through Sunday to go hiking and shit :)
Also, I used one of my wife's flash drives and now I'm pretty sure there's a trojan virus on my machine. It took an hour to log into windows, can't access recovery files or my backup images on my spare drives. Even better, since we moved I can't find my Windows disk so I might just get a new copy and do a fresh install of everything after I wipe this drive.
 
HJT = HijackThis; basically it makes a list of all running processes and a few other things, and I might be able to pick out the virus from it. If you don't feel comfortable with that, it's OK.
 
I ran that and saved the log here it is
 

Attachment: hijackthis file sixer9682.txt (9.6 KB)
Right now I don't have access to some programs like my image recovery, Paragon, any other drives either newly connected or existing.
 
Can't see anything wrong in there. I noticed you have MBAM (Malware Bytes anti-Malware) give that a run, and see if it picks anything up.
 
It didn't pick anything up, but Norton Power Eraser found a trojan, and HJT states it cannot access the hosts file.
 
Hmm, can you manually browse to C:/windows/system32/drivers/etc and see if there is a file in there called hosts?
 
Hostname is the only file I find in there that's even close to hosts.
 
I'm trying Norton's Bootable recovery tool to try and fix this since the Power Eraser didn't do the job...don't have much confidence in it but I'll try it.
 
If you got a sec, and you are able to, pop onto TS, so I can talk with ya. Also, try and type this into your search bar and press enter C:/windows/system32/drivers/etc/hosts
 
Give me a few and I'll be on TS. I copied that in the search bar and got this:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
 
For some reason it's missing a line. It should look like this

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

127.0.0.1 localhost
 
Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/22/2014 01:53:28 PM in x64 mode.
Windows Version: Windows 8.1 Pro

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* E1G60 [Missing Service]

* gpsvc => %windir%\system32\svchost.exe -k GPSvcGroup [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 09/22/2014 01:53:33 PM
Execution time: 0 hours(s), 0 minute(s), and 5 seconds(s)
 
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\rb>attrib c:/windows32/drivers/etc/hosts
Path not found - C:\windows32\drivers\etc

C:\Users\rb> attrib-r-h-s c/windows/system32/drivers/etc/hosts
'attrib-r-h-s' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\rb>attrib -r -h -s c/windows/system32/drivers/etc/hosts
Path not found - C:\Users\rb\c\windows\system32\drivers\etc

C:\Users\rb>attrib -r -h -s c:/windows/system32/drivers/etc/hosts
Access denied - C:\windows\system32\drivers\etc\hosts

C:\Users\rb>cd c:\windows\system32\drivers\etc

c:\Windows\System32\drivers\etc>rename hosts hosts2
Access is denied.

c:\Windows\System32\drivers\etc>rename hosts hosts2
Access is denied.

c:\Windows\System32\drivers\etc>rename hosts hosts2
Access is denied.

c:\Windows\System32\drivers\etc>rename hosts hosts2
Access is denied.

c:\Windows\System32\drivers\etc>attrib c:/windows/system32/drivers/etc/hosts
C:\windows\system32\drivers\etc\hosts

c:\Windows\System32\drivers\etc>
 
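The checks being done by hand in the posts above (does the hosts file exist, what are its attributes, does it contain anything beyond comments, and is Windows Defender disabled through the registry value Rkill reported) can be run in one go from an elevated PowerShell prompt. This is an added example, not code posted by anyone in the thread; it assumes the standard Windows locations the thread already names and must be run as Administrator, since the "Access denied" errors on attrib and rename come from a non-elevated prompt or from altered ownership/ACLs on the file.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the affected machine. Paths and registry keys are the stock Windows ones.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Existence, attributes and owner. -Force shows the file even if it has
#    been given the hidden/system attributes, which plain dir/Explorer hides.
if (-not (Test-Path -Path $hostsPath)) {
    Write-Warning "hosts file missing at $hostsPath"
} else {
    Get-Item -Path $hostsPath -Force | Select-Object FullName, Attributes, LastWriteTime
    "Owner: " + (Get-Acl -Path $hostsPath).Owner

    # 2. Active mappings: every line that is neither blank nor a comment.
    #    An uncommented "127.0.0.1 localhost" is benign; any other active entry
    #    (especially AV vendor, update or bank domains pointed elsewhere)
    #    is what a hosts-file hijack looks like and is worth reviewing.
    $active = Get-Content -Path $hostsPath -Force |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
    if ($active) {
        Write-Warning "Active hosts entries found:"
        $active | ForEach-Object { "    $_" }
    } else {
        "No active hosts entries (comments only)."
    }
}

# 3. The Defender kill switch Rkill reported.
$defKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$def = Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) {
    Write-Warning "DisableAntiSpyware = 1: Windows Defender is disabled by policy or by malware."
    # To clear it once the box is cleaned:
    #   Remove-ItemProperty -Path $defKey -Name DisableAntiSpyware
}

# 4. The service Rkill flagged. Show its ImagePath so it can be compared
#    against the same key on a known-good install of the same Windows version.
$gp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc' -ErrorAction SilentlyContinue
if ($gp) { "gpsvc ImagePath: " + $gp.ImagePath } else { Write-Warning "gpsvc service key not found" }

# 5. Only if the hosts file really is tampered with: regain control of it and
#    clear the attributes, then edit or replace the contents. Uncomment to use.
#   takeown.exe /F $hostsPath
#   icacls.exe $hostsPath /grant "Administrators:F"
#   attrib.exe -r -h -s $hostsPath
```

Run steps 1 to 4 before changing anything; they are read-only. Step 5 is the elevated equivalent of the attrib and rename attempts in the transcript above, and if it still fails after taking ownership, something other than file attributes (a kernel-mode driver or a file system filter) is protecting the file, which is a stronger reason to wipe than anything the scanners reported.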
Sixer, I'm going to assume that didn't help at all, seeing as it's taking you forever to come back online. I'm not overly familiar with Windows 8. Seeing as MBAM didn't pick anything up, and Norton only found one, I honestly have no clue what you've gotten infected with. Unless someone else here has a better idea of what's going on, your best option may be to wipe, seeing as System Restore is disabled. I've gotta run out for a bit; I'll be back in about 2 or 3 hours. Hopefully you get this sorted out; if not, I'll try and figure something out when I get back.
 
Yeah, it's better, but it still took 15 minutes to load into Windows, and I still have no access to any other drives, external or internal. I'm going out of town this weekend, so I don't know if I'll have time to get a copy of Windows and reinstall before I leave.

I might not be back online for about a week or more, since I'll probably want to pick up a new CPU while I'm at Microcenter, and then I'll need to drain my system, install the new CPU, refill the loop, etc. It'll be a little time consuming, but one thing at a time.
 
There is some special service software on boot discs... that would probably help you out of a lot of doodoo, but sadly I have forgotten the name of that godly service disc with which I acquired admin passwords in my school.
 