
Nasty virus/malware - don't know what - **NASTY**

Discussion in 'Networking & Security' started by lemonadesoda, Apr 12, 2009.

  1. lemonadesoda

    lemonadesoda

    Joined:
    Aug 30, 2006
    Messages:
    6,260 (2.10/day)
    Thanks Received:
    967
    Just been down the last couple hours. A very nasty virus/malware of some kind. Didn't find out what it was called.

    What did it do?

    1./ Hijacked DNS so that every 1 in 5 internet pages would appear with its fake "Windows Firewall security" comment, click here to continue, click there to download...

    2./ It BLOCKED the website for Malwarebytes completely.

    3./ It BLOCKED the Windows installer for Malwarebytes. It would freeze at a certain point so that the installer would crash.

    4./ It would automatically deactivate McAfee Antivirus ENTERPRISE after 5 seconds. If you re-enabled it manually, 5 seconds later it would turn off again.

    5./ SUPERAntispyware would install, and find all sorts of rubbish, and remove some, but points 1, 2, 3, and 4 would still be there! It was Superantispyware proof!

    6./ No joy tracking it down with sysinternals process explorer.

    7./ But I found this: RootRepeal (http://rootrepeal.googlepages.com/). This managed to find and "force delete" the b14tch.

    I'm a bit worried it might have still left some damage somewhere, but will get back to you with more info if I get it.

    BE CAREFUL. Something nasty is out there. Keep your antivirus/malware shields up! :pimp:
     
    dr emulator (madmax) says thanks.
  2. lemonadesoda

    lemonadesoda

    Joined:
    Aug 30, 2006
    Messages:
    6,260 (2.10/day)
    Thanks Received:
    967
    OK, have now been able to install malwarebytes. Scan found another 8 nasties.

    After reboot, SUPERantispyware found nothing more.
    Malwarebytes found nothing more.

    Let's hope the system is now clean!!
     
  3. Taz100420

    Taz100420

    Joined:
    Oct 26, 2006
    Messages:
    1,929 (0.66/day)
    Thanks Received:
    100
    Location:
    Fremont, Ohio
    I had a couple of nasties on my old rig where, when you deleted one file, another would replicate in its place. Very annoying until I looked at the hidden files and found the source.......
     
  4. AsRock

    AsRock TPU addict

    Joined:
    Jun 23, 2007
    Messages:
    10,999 (4.10/day)
    Thanks Received:
    1,723
    Location:
    US
    Ooh, hope you have it sorted out... Don't think I'll get that one if it relies on DNS though, as mine's restricted to my ISP only.
     
  5. Sir_Real

    Sir_Real New Member

    Joined:
    Feb 24, 2009
    Messages:
    706 (0.34/day)
    Thanks Received:
    94
    Location:
    Lincoln England
    What I do is have 2 HDs and have DriveImage XML installed; about once a fortnight I clone my main drive to the slave. Then if I ever get a nasty it's just a case of going into the BIOS and swapping the boot-up drive. Start up with the uninfected drive and clone this drive to the infected one. It formats the drive before cloning so there's no chance of the virus still being on there. Takes me about 20 mins to clone my HD.

    You don't even need two hard drives ever! You can do the same thing by partitioning your drive 50/50, but yeah, you lose half your space so probably not an option if your HD isn't very big.
     
  6. lemonadesoda

    lemonadesoda

    Joined:
    Aug 30, 2006
    Messages:
    6,260 (2.10/day)
    Thanks Received:
    967
    ^ You can manage that issue with clever partitioning.

    c: at 60GB for your OS and programs
    d: for your data
    g: for games
    s: for your setup files
    z: (Hidden), a copy of your c:

    So you don't lose half your drive, just whatever the C: partition size is!
     
  7. TRIPTEX_CAN

    TRIPTEX_CAN

    Joined:
    Feb 10, 2008
    Messages:
    3,305 (1.35/day)
    Thanks Received:
    723
    Location:
    BC.CAN
    Did you disable System Restore to make sure nothing is still in there?
     
  8. Sir_Real

    Sir_Real New Member

    Joined:
    Feb 24, 2009
    Messages:
    706 (0.34/day)
    Thanks Received:
    94
    Location:
    Lincoln England
     
  9. lemonadesoda

    lemonadesoda

    Joined:
    Aug 30, 2006
    Messages:
    6,260 (2.10/day)
    Thanks Received:
    967
    ^ Not quite sure what you mean there. If you have a satisfactory install of c:, you use a partition manager, e.g. Acronis Disk Director (just one example), to make a 1-to-1 copy on a hidden partition, e.g. z:, but you can give it NO drive letter, so it is NOT accessible to Windows.

    When c: gets corrupted, you run the partition manager to copy 1-to-1 from the hidden partition to c:. There is no issue about drive letters and the OS not being called c:.

    Having 2 drives is of course better, since if you have a HARDWARE failure, a partition on the same drive ain't going to help.
     
  10. Tau

    Tau New Member

    Joined:
    Mar 9, 2007
    Messages:
    821 (0.29/day)
    Thanks Received:
    92
    I don't even bother scanning the HDD on the unit that has a virus anymore (client PCs); I just pull them and scan them on my test bench, faster than dicking around with safe mode and an infected environment.
     
  11. Mussels

    Mussels Moderprator Staff Member

    Joined:
    Oct 6, 2004
    Messages:
    42,381 (11.54/day)
    Thanks Received:
    9,684
    My advice: get Kaspersky, and never suffer this again.
     
  12. Sir_Real

    Sir_Real New Member

    Joined:
    Feb 24, 2009
    Messages:
    706 (0.34/day)
    Thanks Received:
    94
    Location:
    Lincoln England
    That's getting a bit confusing now lol. I see what you're saying though. Your way, there is no need to ever change the main drive from c:.

    But I did run into problems with the OS installed on f:. One problem I can remember was being totally unable to install Adobe Flash or Shockwave! The online installer just kept coming up with an error about the drive being unavailable.
     
    Last edited: Apr 12, 2009
  13. btarunr

    btarunr Editor & Senior Moderator Staff Member

    Joined:
    Oct 9, 2007
    Messages:
    28,713 (11.16/day)
    Thanks Received:
    13,669
    Location:
    Hyderabad, India
    Start your machine with the Windows install CD/DVD, start the recovery console, list the enabled drivers/services, and disable anything you find suspicious.
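    A defender-side triage script for the symptoms lemonadesoda describes (vendor sites blocked, DNS hijacked, McAfee being switched off) and the driver/service review btarunr suggests. This is an added PowerShell example, not something posted in the thread; the vendor domain list and the McAfee service names are assumptions, and it only reads state, it changes nothing.

```powershell
# Added triage example (not from the thread). Read-only: nothing is disabled or deleted.
$vendorDomains = @('malwarebytes.org', 'superantispyware.com', 'mcafee.com')  # constructed sample list
$avServices    = @('McShield', 'McTaskManager')                                # assumed McAfee service names

# 1. Hosts file: a security vendor name that resolves to anything but loopback is a redirect
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | ForEach-Object {
    $fields = -split (($_ -split '#')[0])          # drop comments, split on whitespace
    if ($fields.Count -lt 2) { return }            # blank or comment-only line
    $ip = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        $hit = $vendorDomains | Where-Object { $name -like "*$_" }
        if ($hit -and $ip -notmatch '^(127\.|::1$)') {
            Write-Warning "hosts: $name -> $ip (security vendor site redirected)"
        }
    }
}

# 2. DNS resolvers per active adapter: anything outside your ISP/router range deserves a look
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder, DHCPEnabled | Format-Table -AutoSize

# 3. AV services that keep stopping: record state now, re-run later to catch the "5 second" kill
Get-Service -Name $avServices -ErrorAction SilentlyContinue |
    Select-Object Name, Status | Format-Table -AutoSize

# 4. Running kernel drivers whose binary is not signed by Microsoft (the manual review step).
#    Catalog-only signed inbox drivers can show as NotSigned on older Windows, so treat this
#    as a list to review, not a verdict.
Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''                     # strip \??\ prefix
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # expand \SystemRoot\
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status
            }
        }
    } | Format-Table -AutoSize
```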
     
  14. lemonadesoda

    lemonadesoda

    Joined:
    Aug 30, 2006
    Messages:
    6,260 (2.10/day)
    Thanks Received:
    967
    I do tend to agree with that. Manual discovery and fixing is often a lot more time consuming than just nuking the partition and reinstalling from an image... EXCEPT for all those blxxdy files in the users' Documents and Settings folders, esp. mailboxes.

    I do wish Windows would offer a better method of pointing User directories at a NAS, rather than the network and cost intensive domain controllers with AD.

    For the small business, we need a rapid solution, not an enterprise expense.
     
  15. SonDa5

    SonDa5

    Joined:
    Aug 3, 2008
    Messages:
    1,645 (0.72/day)
    Thanks Received:
    344
    I just fixed a machine that was infected with some nasty "Kaka////C://...."

    Lots of kaka. Found about 3 different types of viruses and malware fraud type of crap.

    I think it is dead and zeroed out now.

    The system is now running with firewall and virus + spyware software. It cost a little money but it's well worth it.
    This particular machine was running with the firewall off and the wireless antenna on, and no virus protection either.
     
  16. dr emulator (madmax)

    dr emulator (madmax)

    Joined:
    May 5, 2009
    Messages:
    2,241 (1.12/day)
    Thanks Received:
    176
    Location:
    the uk that's all you need to know ;)
    Hey, I got Kaspersky Internet Security 2009 from my uncle (genuine copy, has a 3 PC licence). Only problem is, now I have it installed it's stopped my WinTV Nova-T from working; got the old BSOD. So I uninstalled Kaspersky, then tested my TV card and lo and behold it worked. So I uninstalled my TV card (software and drivers), then reinstalled Kaspersky, then reinstalled the drivers for the TV card, then installed the software, then switched it on. Works for a second, then same old c**p :banghead: IRQL_NOT_LESS_OR_EQUAL stop 0x0000000a (0x7cf26533, 0x00000002, 0x00000000, 0x804f21c3). Argh, :mad: :cry: :wtf: is going on? I thought Kaspersky Internet Security 2009 was supposed to be the best :eek: :confused: Yes, I did change the settings for the TV card so Kaspersky ignores it and sees it as safe zone :banghead:
     
    Last edited: May 7, 2009
  17. dr emulator (madmax)

    dr emulator (madmax)

    Joined:
    May 5, 2009
    Messages:
    2,241 (1.12/day)
    Thanks Received:
    176
    Location:
    the uk that's all you need to know ;)
    Crazy advice

    My advice to anyone reading this is:

    1. Avoid all free porn sites, especially dirty pics (worst for viruses).
    2. Don't try to be a hero if you see something claiming to be child porn; leave it well alone. Even taking a peek to see if it is real carries the risk of tailor-made malware being installed on your PC (usually from Russia (sorry guys from there, but it often is from there)), plus the authorities will be monitoring the sites (hey, that's what they get paid for) and you stand a great chance of getting your ass thrown in jail and being put on the sex offenders register for life, plus losing your lovely new PC.
    3. Then there's the good old warez sites claiming to have the latest PC / Xbox 360 / Nintendo Wii games or software. God, they always catch dumb asses out. Just think of it like this: legitimate sites often have costs of $4-500 dollars a month or more, so just ask yourself, how do they do it? Let's face it, there's not even many generous millionaires out there, so how do people like, say, Serbian ware get their money? Hm, by ripping poor people off who think there's someone being kind and generous in this ripoff world. Well, don't believe them, especially if they haven't got any popups or adverts or a donations page, as it's bound to be suspect. Plus chances are it won't be the website that messes stuff up, just that lovely new game you got with hidden trojans dotted throughout it. "It works," I hear you say; that's usually it, often a crafty bit of coding that is actuated in the game itself and wham, they've got ya. If I'm suspicious of anything I look for other people's opinions, then look at the cache in Google.
     
