techPowerUp! Forums

Old Apr 12, 2009, 12:35 AM   #1
lemonadesoda
Nasty virus/malware - dont know what - **NASTY**

Just been down the last couple of hours. A very nasty virus/malware of some kind. Didn't find out what it was called.

What did it do?

1./ Hijacked DNS so that every 1 in 5 internet pages would appear with its fake "Windows Firewall security" comment: click here to continue, click there to download...

2./ It BLOCKED the website for Malwarebytes completely.

3./ It BLOCKED the Windows installer for Malwarebytes. It would freeze at a certain point so that the installer would crash.

4./ It would automatically deactivate McAfee Antivirus ENTERPRISE after 5 seconds. If you re-enabled it manually, 5 seconds later it would turn off again.

5./ SUPERAntispyware would install, and find all sorts of rubbish, and remove some, but points 1, 2, 3, and 4 would still be there! It was Superantispyware proof!

6./ No joy tracking it down with sysinternals process explorer.

7./ But I found this: RootRepeal http://rootrepeal.googlepages.com/ This managed to find and "force delete" the b14tch.

I'm a bit worried it might have still left some damage somewhere, but will get back to you with more info if I get it.

BE CAREFUL. Something nasty is out there. Keep your antivirus/malware shields up!
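A small check for point 2 above (the vendor site becoming unreachable). One way such a block is commonly put in place is a hosts-file entry pointing the vendor's domain at localhost or at a rogue address; that mechanism is an assumption here, not something the post establishes. This is an added example, not code from the thread, and the hosts content and vendor list are constructed for it.

```python
"""Flag hosts-file entries that block or redirect security vendor sites."""
import ipaddress

# Vendor domains mentioned in the thread; a real check would use a fuller list.
WATCHED_DOMAINS = ("malwarebytes.org", "malwarebytes.com", "mcafee.com",
                   "superantispyware.com", "windowsupdate.com")

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # malformed line; a real tool would report it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Return (hostname, ip, kind) for every watched domain the hosts file
    touches. A loopback target silently blocks the site; any other target
    sends the user to a host chosen by whoever wrote the entry."""
    findings = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
            kind = "blocked" if ip in LOOPBACK else "redirected"
            findings.append((name, ip, kind))
    return findings


# Constructed sample; 192.0.2.10 is a documentation (TEST-NET) address
# standing in for a rogue host, not a real indicator.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       malwarebytes.org
192.0.2.10      download.mcafee.com   # redirect, not a block
93.184.216.34   www.example.com
"""

if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {ip}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains nothing but localhost entries.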
Old Apr 12, 2009, 01:04 AM   #2
lemonadesoda
OK, have now been able to install Malwarebytes. Scan found another 8 nasties.

After reboot, SUPERantispyware found nothing more.
Malwarebytes found nothing more.

Let's hope the system is now clean!!
Old Apr 12, 2009, 01:09 AM   #3
Taz100420
I had a couple of nasties on my old rig where, when you deleted one file, another would replicate in its place. Very annoying until I looked at the hidden files, then got the source.......
__________________
Fighting on the Internet is like competing in the Special Olympics: win or lose, you're still retarded

There's some help that help just can't help

Old Apr 12, 2009, 01:14 AM   #4
AsRock
Ooh, hope you have it sorted out... Don't think I'll get that one if it relies on DNS though, as mine's restricted to my ISP only.
Old Apr 12, 2009, 01:25 AM   #5
Sir_Real
What I do is have 2 HDs & have DriveImage XML installed; about once a fortnight I clone my main drive to the slave. Then if I ever get a nasty, it's just a case of going into the BIOS & swapping the boot-up drive. Start up with the uninfected drive & clone this drive to the infected one. It formats the drive before cloning so there's no chance of the virus still being on there. Takes me about 20 mins to clone my HD.

You don't even need two hard drives, eva! You can do the same thing by partitioning your drive 50/50. But yeah, you lose half your space, so probably not an option if your HD's not very big.
Old Apr 12, 2009, 01:29 AM   #6
lemonadesoda
^ You can manage that issue with clever partitioning.

c: at 60GB for your OS and programs
d: for your data
g: for games
s: for your setup files
z: (Hidden), a copy of your c:

So you don't lose half your drive, just whatever the C: partition size is!
Old Apr 12, 2009, 01:48 AM   #7
TRIPTEX_CAN
Did you disable System Restore to make sure nothing is still in there?
__________________
“come to canada and I'll put my maple syrup in your mouth”
Old Apr 12, 2009, 01:51 AM   #8
Sir_Real
Quote:
Originally Posted by lemonadesoda View Post
^ You can manage that issue with clever partitioning.

c: at 60GB for your OS and programs
d: for your data
g: for games
s: for your setup files
z: (Hidden), a copy of your c:

So you dont lose half your drive, just whatever the C: partition size is!

There is one problem with what I said above about cloning main drives with a partitioned hard drive. If you partition your drive & have your OS on C:, then clone C: to, say, F:, when you boot to F: your main drive is F:, stating the obvious, yeah! But it's strange having your OS on any drive other than C:, & I found it can occasionally cause a problem with installing programs; some won't install to any drive other than C:. But it's a rare problem; for most programs it doesn't matter what drive letter your OS is installed on.

That's why I now have 2 hard drives.
Old Apr 12, 2009, 10:22 AM   #9
lemonadesoda
^ Not quite sure what you mean there. If you have a satisfactory install of c:, you use a partition manager, e.g. Acronis Disk Director (just one example), to make a 1-to-1 copy on a hidden partition, e.g. z:, but you can give it NO drive letter, so it is NOT accessible to Windows.

When c: gets corrupted, you run the partition manager to copy 1-to-1 from the hidden partition to c:. There is no issue about drive letters and the OS not being called c:.

Having 2 drives is of course better, since if you have a HARDWARE failure, a partition on the same drive ain't going to help.
Old Apr 12, 2009, 12:04 PM   #10
Tau
I don't even bother scanning the HDD on the unit that has a virus anymore (client PCs); I just pull 'em and scan 'em on my test bench. Faster than dicking around with safe mode and an infected environment.
__________________
Communist Rule.
Old Apr 12, 2009, 12:24 PM   #11
Mussels
My advice: get Kaspersky, and never suffer this again.
Old Apr 12, 2009, 01:22 PM   #12
Sir_Real
Quote:
Originally Posted by lemonadesoda View Post
^ Not quite sure what you mean there. If you have a satisfactory install of c:, you use a partition manager, e.g. Acronis Disk Director (just one example) to make a 1-to-1 copy on a hidden partition, e.g. z: but you can give it NO drive letter, so it is NOT accessible to the Windows.

When c: gets corrupted, you run the partition manager to copy 1-to-1 from the hidden partition to c:. There is no issue about drive letters and OS not being called c:

Having 2 drives is of course better, since if you have a HARDWARE failure, a partition on the same drive aint going to help.
That's getting a bit confusing now lol. I see what you're saying though. Your way there is no need to ever change the main drive from C:.

But I did run into problems with the OS installed on F:; one problem I can remember was being totally unable to install Adobe Flash or Shockwave! The online installer just kept coming up with an error about the drive being unavailable.

Last edited by Sir_Real; Apr 12, 2009 at 01:28 PM.
Old Apr 12, 2009, 02:47 PM   #13
btarunr
Start your machine with the Windows install CD/DVD, start the recovery console, list the enabled drivers/services, disable anything you find suspicious.
__________________

Gadgets, Phones, Tablets, Cameras, TVs, HiFi...NextPowerUp
Old Apr 12, 2009, 07:05 PM   #14
lemonadesoda
Quote:
Originally Posted by Tau View Post
I dont even bother scanning the HDD on the unit that has a virus anymore (client PC's) i just pull em and scan em on my test bench faster than dicking around with safe mode and an infected environment.
I do tend to agree with that. Manual discovery and fixing is often a lot more time consuming than just nuking the partition and reinstalling from an image... EXCEPT for all those blxxdy files in the users' Documents and Settings folders, esp. mailboxes.

I do wish Windows would offer a better method of pointing User directories at a NAS, rather than the network and cost intensive domain controllers with AD.

For the small business, we need a rapid solution, not an enterprise expense.
Old Apr 12, 2009, 08:54 PM   #15
SonDa5
I just fixed a machine that was infected with some nasty "Kaka////C://...."

Lots of kaka. Found about 3 different types of viruses and malware fraud type of crap.

I think it is dead and zeroed out now.

The system is now running with firewall and virus+spyware software. It cost a little money but it's well worth it.
This particular machine was running with the firewall off and the wireless antenna on. No virus protection either.
Old May 7, 2009, 12:00 AM   #16
dr emulator (madmax)
Quote:
Originally Posted by Mussels View Post
My advice: get kaspersky, and never suffer this again.
Hey, I got Kaspersky Internet Security 2009 from my uncle (genuine copy, has a 3 PC licence). Only problem is, now I have it installed it's stopped my WinTV Nova-T from working; got the old BSOD, so I uninstalled Kaspersky, then tested my TV card and lo and behold it worked. So I uninstalled my TV card (software and drivers), then reinstalled Kaspersky, then reinstalled the drivers for the TV card, then installed the software, then switched it on. Works for a second, then the same old c**p: IRQL_NOT_LESS_OR_EQUAL STOP 0x0000000A (0x7cf26533, 0x00000002, 0x00000000, 0x804f21c3). Argh, what is going on? I thought Kaspersky Internet Security 2009 was supposed to be the best. Yes, I did change the settings for the TV card so Kaspersky ignores it and sees it as safe zone.

Last edited by dr emulator (madmax); May 7, 2009 at 12:08 AM. Reason: keyboard magically changes keys at random, it's evil, take it away
Old May 7, 2009, 01:31 AM   #17
dr emulator (madmax)
crazy advice

My advice to anyone reading this is: 1. Avoid all free porn sites, especially dirty pics (worst for viruses). 2. Don't try to be a hero: if you see something claiming to be child porn, leave it well alone. Even taking a peek to see if it is real carries the risk of tailor-made malware being installed on your PC (usually from Russia (sorry guys from there, but it often is from there)), plus the authorities will be monitoring the sites (hey, that's what they get paid for) and you stand a great chance of getting your ass thrown in jail and being put on the sex offenders register for life, plus losing your lovely new PC.
3. Then there's the good old warez sites claiming to have the latest PC / Xbox 360 / Nintendo Wii games or software. God, they always catch dumb asses out. Just think of it like this: legitimate sites often have costs of $4-500 dollars a month or more, so just ask yourself, how do they do it? Let's face it, there's not even many generous millionaires out there, so how do people like, say, Serbian ware get their money, hm? By ripping poor people off who think there's someone being kind and generous in this rip-off world. Well, don't believe them, especially if they haven't got any popups or adverts or a donations page, as it's bound to be suspect. Plus chances are it won't be the website that messes stuff up, just that lovely new game you got with hidden trojans dotted throughout it. "It works," I hear you say; that's usually it, often a crafty bit of coding that is actuated in the game itself and wham, they've got ya. If I'm suspicious of anything I look for other people's opinions, then look at the cache in Google.