
Can't scan or scans take a long time, HOSTS files seem fishy.


12 replies to this topic

#1 necro2003

necro2003

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 02 February 2015 - 06:44 PM

Hello! I've been having problems with my computer for a while now. I use Windows 7 Ultimate Edition. I've tried scanning with Malwarebytes, Spybot, and Avast! Free Antivirus, but those freeze up at some point and can't be completed. I've done scans with Roguekiller, adwcleaner, TDSSKiller, and Rkill, all of which take longer than they used to before I supposedly became infected, some longer than others. However, after they're done, they don't show anything seriously wrong, except with the Rkill log which says:

 

"* Cannot edit the HOSTS file.

 * Permissions Fixed. Administrators can now edit the HOSTS file."

 

But upon running again, it keeps giving this same message. When I use the immunize feature in Spybot and run Rkill after, it says the same thing but also lists a few of about 15,000 HOSTS files that have domain names that are obviously fishy, with some that have names that suggest pornography. Some of these HOSTS files are: 127.0.0.1 www.007guard.com, 127.0.0.1 007guard.com, 127.0.0.1 www.0scan.com, 127.0.0.1 1000gratisproben.com, 127.0.0.1 032439.com, 127.0.0.1 100sexlinks.com, 127.0.0.1 100888290cs.com, 127.0.0.1 www.1001namen.com, among others.

 

I've noticed since I've had these problems, my computer has significantly dropped in performance and freezes up programs constantly. There is also a csrss.exe running without description or file location, though I don't know if that is relevant to the main issue at hand.

  

All these problems stay constant in Safe Mode as well. It probably wasn't such a good idea running these things on my own, but it can't be helped now that it's been done... I'm not sure what to do as scans don't really show anything or can't even complete scans that can quarantine malware, so some extra help would be greatly appreciated before I completely give up and get a new hard drive or something.




 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 02 February 2015 - 07:54 PM

There are several legitimate security programs which can add numerous entries to the HOSTS file. Spybot S&D offers four levels of protection to include...Immunization, Resident SDHelper, TeaTimer, Hosts file protection (adding entries).

If you use Spybot's immunization feature, the "Global (Hosts)" profile adds entries to the HOSTS file. Any inactive domains and those reported as false positives will be removed when doing immunization. However, the large size of the Hosts file created by Spybot immunisation has sometimes been reported to cause problems such as a significant delay when opening Internet Explorer.

If you open the Hosts file, the note at the top and bottom will show the entries were inserted by Spybot:
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1	007guard.com
127.0.0.1	www.007guard.com
127.0.0.1	008i.com
127.0.0.1	008k.com
127.0.0.1	www.008k.com
127.0.0.1	00hq.com
127.0.0.1	www.00hq.com
127.0.0.1 	legal-at-spybot.info
127.0.0.1 	www.legal-at-spybot.info
127.0.0.1...
# This list is Copyright 2000-2007 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy
If you perform an "Undo" via the Immunize button on the Spybot main screen, the entries Spybot added should be removed. From the Immunize panel, deselect the Hosts file protection as follows:
  • Click the Undo option at top of screen to remove all immunizations.
  • Uncheck Global Hosts...the last item in the list.
  • Click Immunize option at top of screen to re-apply immunization without the Hosts entries.
Try doing that and see if it helps.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
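
An added example (not part of the original posts, and not Spybot's or Rkill's own code): a Python sketch that separates the block Spybot inserted, identified by the marker comments quoted in the post above, from every other HOSTS entry, and flags entries that point a name at a non-loopback address. The sample file, the 203.0.113.7 address and the example-bank.test name are constructed, and the marker text is assumed to match the quoted excerpt exactly.

```python
START = "# Start of entries inserted by Spybot - Search & Destroy"
END = "# End of entries inserted by Spybot - Search & Destroy"
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses that only block a name

# Constructed sample modelled on the excerpt quoted in the post above.
# 203.0.113.7 and example-bank.test are placeholders, not real indicators.
SAMPLE_HOSTS = "\n".join([
    "# Sample HOSTS file (constructed)",
    "127.0.0.1\tlocalhost",
    "203.0.113.7\twww.example-bank.test",
    START,
    "# This list is Copyright 2000-2008 Safer Networking Limited",
    "127.0.0.1\t007guard.com",
    "127.0.0.1\twww.007guard.com",
    "127.0.0.1 \tlegal-at-spybot.info",
    END,
])

def audit_hosts(text):
    """Sort HOSTS entries into Spybot's block, other loopback entries, and redirects."""
    report = {"spybot": [], "other_loopback": [], "redirects": [], "unterminated": False}
    in_spybot = False
    for raw in text.splitlines():
        line = raw.strip()
        if line in (START, END):
            in_spybot = line == START  # track whether we are inside Spybot's block
            continue
        fields = line.split("#", 1)[0].split()  # drop comments, split on spaces/tabs
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        addr, names = fields[0], fields[1:]
        for name in names:
            if addr not in LOOPBACK:
                # A name mapped to a real address is a redirect, wherever it sits.
                report["redirects"].append((addr, name))
            elif in_spybot:
                report["spybot"].append(name)
            else:
                report["other_loopback"].append(name)
    report["unterminated"] = in_spybot  # start marker seen without a matching end
    return report

if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(len(r["spybot"]), "Spybot entries;", len(r["other_loopback"]), "other loopback")
    for addr, name in r["redirects"]:
        print("review:", name, "->", addr)
```

To check a real machine, pass the function the contents of %SystemRoot%\System32\drivers\etc\hosts; loopback entries inside the Spybot markers are the expected result of immunization, while anything in "redirects" deserves a closer look.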

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 02 February 2015 - 07:55 PM

FYI: mvps.org is no longer recommending Spybot S&D (or Ad-Aware) due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products).

Most people don't understand how to use Spybot's TeaTimer and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. If you don't have an understanding of how a particular security tool works, then you probably should not be using it. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and in some cases it will even prevent disinfection of malware by those tools.

With that said and to be fair, there are now new versions of Spybot such as Spybot 2 + AV (Home & Pro) and Spybot 2 Free but I have not used them, nor read any reviews as to how well they perform. I did find this article in regards to "Spybot Search and Destroy 2.0 has bloatware issues":

Spybot Search and Destroy is another candidate that I have been using back in the days. Back then it was an efficient cleaner that removed lots of adware and spyware that many professional solutions did not detect...Spybot Search & Destroy 2.0...has a download size of 52 Megabytes, which feels like a lot for a once lean and clean program. You quickly know why when you look at the components that it will install on your system if you do not select the custom installation option during installation...The program installs two background processes that are running all the time, SDTray.exe and SDWelcome.exe. Scans spawn a third process SDScan.exe which may use a serious amount of memory. Yes, that is more than 500 Megabyte for that process alone.



#4 necro2003

necro2003
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 02 February 2015 - 09:54 PM

Hi, thanks for the help! I did what you said in your first post and I wasn't sure what to do after that so I ran Rkill again and it showed the same thing as the first quotation I put in my first post. I have done this before, though it hasn't helped in allowing scans to run or anything. Should I uninstall Spybot completely, considering it's no longer reliable?



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 02 February 2015 - 10:28 PM

Should I uninstall Spybot completely, considering it's no longer reliable?

I would but that is your decision.

Before removing older versions of Spybot it was recommended to undo some changes first (i.e. undo Immunization, HOST file changes, Miscellaneous locks). This most likely applies to the new versions as well but I would check with their support for more specific information. For example, Spybot 2 creates a folder that contains backups. Removing that folder removes backups that would allow the user to undo changes.

#6 necro2003

necro2003
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 03 February 2015 - 10:55 PM

Alright, I undid immunization and restored a couple of things that were removed by Spybot. I believe those two things were a firewall override and something similar that antiviruses use to scan themselves, so this might have been the problem. I tried to run a Malwarebytes scan overnight to no avail, as my computer still froze up. Today I did another scan with it and it found the PUP OpenCandy, wherein I cancelled the scan and removed just that one found object because the scan was taking way too long. What would you recommend I do from here? I'm kind of lost still...



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 04 February 2015 - 05:53 AM

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.

  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for rootkits, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Threat (formerly Quick) or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk size and used capacity (number of files that have to be scanned).
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system/CPU resources by the scanner.
  • Other running processes and programs in the background.
  • Whether the scanning engine stalls, hangs or freezes.
  • Interference from malware.
  • Interference from other security programs attempting to scan at the same time.
  • Interference from other programs attempting to update (download/install) components from the Internet.
  • Interference from the user (whether or not you use the computer during the scan).

-- If you have "Scan for rootkits" enabled (new MBAM 2.0 feature), it will increase the length of the average scan time from previous versions and sometimes cause the scanner to stall (hang). This defeats the purpose of routinely using the recommended THREAT Scan to quickly check the most prevalent places for active malware so that option can remain disabled unless needed for rootkits.

"Scan for rootkits" can be found under Settings > Detection and Protection Options and is disabled by default since it increases the time required to perform a scan...see Why is scan for rootkit off by default?.

#8 necro2003

necro2003
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 04 February 2015 - 11:30 PM

Alright, thanks, I'll try it. I'll update tomorrow, as I'll leave it to scan overnight in case it takes that long...



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 05 February 2015 - 05:59 AM

Not a problem.

#10 necro2003

necro2003
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 05 February 2015 - 08:13 PM

Hi thanks for waiting! Okay, I left it on overnight and it didn't finish, so I left it until I came back from my classes and it was stuck at the same file and was unable to move my mouse to scan or anything... Here's a couple of photos:

 

IMG_0222_zpsfbaw8yke.jpg

 

IMG_0232_zpssgibuer5.jpg

 

Sorry for the bad photo quality, I couldn't take screencaps since the processes seemed to be down and my computer froze up.

I had to use Chameleon to run Malwarebytes as well because if I tried to start it normally, it would give me an error.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 05 February 2015 - 08:25 PM

For any issues with Malwarebytes Anti-Malware 2.0 the development team recommend you start a new topic in the Malwarebytes Anti-Malware Help Forum and report them there. If one of the Staff or Honorary Members ask you to run some "Diagnostic Logs", please refer to this topic and post the logs in your original Malwarebytes topic, not here.

#12 necro2003

necro2003
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 05 February 2015 - 09:32 PM

Alright, thanks for the help! 



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 05 February 2015 - 09:37 PM

You're welcome.