
I am at my wits end and need serious help with what i am assuming is a virus.



#1 rainblo (Members, 6 posts)

Posted 12 September 2016 - 02:25 PM

To be specific, I was running the SeaTools DOS version on one of my older HDDs to see if she was dead; luckily not yet :D. So when I rebooted my PC it booted all the way back to the Windows 10 login screen but froze; the keyboard was working because I could click Caps Lock and Scroll Lock and watch the lights activate. So I went and tried to reboot again, and this time I got my trusty Linux Mint live USB out to check it out. IMMEDIATELY Linux reported that my home folder was filling up, and it was not even a second after the bootloader. I opened my drive for Windows and there it went, folders just appearing from the nether; shortly thereafter the live USB crashed and here I am... This is beyond my scope and I have been fixing PCs since I was a wee lad. To me this behavior is exactly what a worm is, right? I have heard of tragedies back in the '80s of people's PCs being ruined by them beyond repair... maybe I am just a little worried though. Like I said, I have never experienced anything of this sort; it's quite maddening, and I have solved some arduous problems in my day. Any type of help greatly appreciated. Please PLEASE help me ;-; I am currently going to try booting to the Kaspersky Rescue Disk and see if I can get any kind of control over the desktop, maybe some video or pictures or logs if that is even possible, so I can show more info.
Also I totally get I may have lost everything on my HDDs; I just want this plague gone. lol
Kudos and happy computing, Moe

Edit: Moved topic from Windows 10 to the more appropriate forum. ~ Animal

#2 Dono2 (Members, 5 posts)

Posted 12 September 2016 - 05:26 PM

So, you are saying that the home folder is filling up even if you boot to linux from your usb key and then click to your hard drive?

If this is the case, I'd be very surprised if it was a virus/worm issue.

 

What is the naming convention of the folders being created?

Are they numbered sequentially? 



#3 thedarkness (Members, 41 posts)

Posted 12 September 2016 - 06:50 PM

If it's happening on either OS then I would be thinking it's closer to a drive or hardware problem. Did Kaspersky help?



#4 rainblo (Topic Starter, Members, 6 posts)

Posted 12 September 2016 - 10:09 PM

It's happening on the live USB too.



#5 rainblo (Topic Starter, Members, 6 posts)

Posted 12 September 2016 - 10:12 PM

I got it to calm down, but I think it's starting up again? Noticing "split" files everywhere on Windows; there are like 2 files of one thing and one is half or less of the other.
Just to clarify "calm down": I ran the Kaspersky live USB and it detected no viruses. So I just got frustrated, erased all 3 of my HDDs and 4 flash drives and lost all my media... *done*. Still to see if it comes back.



#6 rainblo (Topic Starter, Members, 6 posts)

Posted 12 September 2016 - 10:14 PM

So, you are saying that the home folder is filling up even if you boot to linux from your usb key and then click to your hard drive?

If this is the case, I'd be very surprised if it was a virus/worm issue.

 

What is the naming convention of the folders being created?

Are they numbered sequentially? 
 


When the virus is active... that's what I'm calling it. When it is active I can't boot to anything; it stops right at the start of the operating system, right where all files load, but you're stuck in a graphical interlock, so something is back there doing things.. It doesn't matter if you turn off the PC either; it doesn't stop them from filling the HDDs.



#7 rainblo (Topic Starter, Members, 6 posts)

Posted 12 September 2016 - 10:36 PM

Well, decided to run chkrootkit.
It actually found a rootkit.

Posting output:



sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/debug/.build-id /usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /lib/modules/4.4.0-21-generic/vdso/.build-id
/usr/lib/debug/.build-id /lib/modules/4.4.0-21-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for bleepC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
Checking `OSX_RSPLUG'... not infected
mint@mint ~ $



#8 Dono2 (Members, 5 posts)

Posted 13 September 2016 - 06:32 AM

http://askubuntu.com/questions/25176/chkrootkit-says-sbin-init-is-infected-what

Maybe try rkhunter? This is really looking like a hard drive issue. Can you get your hands on another drive to temporarily install Windows or Linux? I find it hard to believe 2 operating systems booting from 2 different locations are showing the same symptoms.

#9 Al1000 (Global Moderator, 8,109 posts, Location: Scotland)

Posted 13 September 2016 - 07:18 AM

Searching for Suckit rootkit... Warning: /sbin/init INFECTED


This is a known false positive for chkrootkit.

https://bugs.launchpad.net/cyborg/+bug/454566
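An added example (not code from the thread, from chkrootkit, or from any of the posters) of how a defender can triage a report like the one above rather than trusting or dismissing it: the POSIX shell helper below pulls out only the lines chkrootkit actually flagged (the "INFECTED" and "Possible ..." hits, dropping all the "not infected"/"nothing found" noise), and where a finding names a file it asks the Debian/Ubuntu package database whether the installed copy still matches the checksum recorded at install time. It assumes a dpkg-based system (the Mint live session in the thread is Ubuntu-based) with dpkg 1.17 or newer for `dpkg --verify`; on systemd distributions `/sbin/init` is a symlink, so the helper resolves it with `readlink -f` first, since md5sums lists only cover regular files. The embedded `SAMPLE_SCAN` lines are constructed to mirror the posted transcript.

```shell
#!/bin/sh
# chkrootkit triage helper (added example, not part of the thread or of chkrootkit).
# Usage on a real box:   sudo chkrootkit | tee scan.log; triage_report scan.log
# Or run the built-in demo against the constructed sample:   demo

# Constructed sample modelled on the transcript posted in the thread.
SAMPLE_SCAN='Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Searching for Volc rootkit... nothing found'

# Read a chkrootkit transcript on stdin and print only the flagged lines.
# "not infected" is lowercase, so the case-sensitive match skips it; a clean
# scan prints nothing and the function exits non-zero (grep found no match).
chkrootkit_findings() {
    grep -E 'INFECTED|Possible '
}

# Print the first whitespace-delimited token that is an absolute path, or
# nothing. Tokenising first avoids mistaking "Linux/Ebury" for a path.
finding_path() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^/' | head -n 1
}

# Cross-check a (resolved) path against dpkg's recorded md5sums.
# Prints one of: ok, modified, unowned, no-dpkg.
verify_with_dpkg() {
    path=$1
    command -v dpkg >/dev/null 2>&1 || { echo no-dpkg; return; }
    # dpkg -S prints "package: /path"; take the owning package name.
    pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$pkg" ] || { echo unowned; return; }
    # dpkg --verify lists only files whose checksum no longer matches
    # (e.g. "??5??????   /path"), so an absent line means the file is intact.
    if dpkg --verify "$pkg" 2>/dev/null | grep -q " $path\$"; then
        echo modified
    else
        echo ok
    fi
}

# Walk a saved transcript and annotate every finding with a package check.
# A match is consistent with the known false positive; "modified" or
# "unowned" on a system binary is a reason to dig further offline.
triage_report() {
    chkrootkit_findings < "$1" | while IFS= read -r line; do
        path=$(finding_path "$line")
        if [ -n "$path" ]; then
            real=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")
            printf '%s\n  -> %s resolves to %s; dpkg says: %s\n' \
                "$line" "$path" "$real" "$(verify_with_dpkg "$real")"
        else
            printf '%s\n  -> names no file; the check is signature-based, review the tool source\n' "$line"
        fi
    done
}

# Demo against the constructed sample (writes a temp file, then cleans up).
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SCAN" > "$tmp"
    triage_report "$tmp"
    rm -f "$tmp"
}
```

On the 2016 Mint/Ubuntu systems in the thread `/sbin/init` resolves to `/lib/systemd/systemd`, owned by the `systemd` package, so an "ok" from `verify_with_dpkg` corroborates the false-positive explanation; the Ebury line names no file at all, which is why the report tells you to read the signature rather than guess.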

#10 dc3 (Bleeping Treehugger, Members, 30,802 posts, Location: Sierra Foothills of Northern Ca.)

Posted 13 September 2016 - 08:48 AM

Please run Malwarebytes AntiMalware
 
Please download Malwarebytes Anti-Malware
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.  
 
(screenshot: mbam1_zps98e7fba9.png)
 
3)  Click on Settings, you will see a image like the one below.
 
(screenshot: malware%20settings_zpsixkea5sd.png)
 
When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits.
 
4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.
 
5)  When the scan is complete the results will be displayed.  Click on Delete All.
 
(screenshot: malwarenew_zps34b58fdc.png)
 
6)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  Copy and paste the log in your topic.
 
 

Please download and run RogueKiller.
 

Mod Edit Please DO NOT run RogueKiller in this forum, See rules below. If needed we will move you and run it,thanks ~~ Mod boopme

 

http://www.bleepingcomputer.com/forums/t/250928/instructions-for-posting-advice-in-am-i-infected-forum/

 

Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the ESET SmartInstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Please download and install Speccy to provide us with information about your computer.  Clicking on this link will automatically initiate the download. 
 
When Speccy opens you will see a screen similar to the one below.
 
(screenshot: speccy...1png_zpsr3irze6o.png)
 
Click on File which is outlined in red in the screen above, and then click on Publish Snapshot.
 
The following screen will appear, click on Yes.
 
(screenshot: speccy...2_zpsia3rp09d.png)
 
The following screen will appear, click on Copy to Clipboard.
 
(screenshot: speccy...3_zpsnj1twsfh.png)
 
In your next post right click inside the Reply to Topic box, then click on Paste.  This will load a link to the Speccy log.


Edited by boopme, 14 September 2016 - 12:15 PM.
