
Nasty virus/malware - dont know what - **NASTY**

#1
Just been down the last couple hours. A very nasty virus/malware of some kind. Didn't find out what it was called.

What did it do?

1./ Hijacked DNS so that every 1 in 5 internet pages would appear with its fake "Windows Firewall security" comment, click here to continue, click there to download...

2./ It BLOCKED the website for Malwarebytes completely.

3./ It BLOCKED the Windows installer for Malwarebytes. It would freeze at a certain point so that the installer would crash.

4./ It would automatically deactivate McAfee Antivirus ENTERPRISE after 5 seconds. If you re-enabled it manually, 5 seconds later it would turn off again.

5./ SUPERAntispyware would install, and find all sorts of rubbish, and remove some, but points 1, 2, 3, and 4 would still be there! It was Superantispyware proof!

6./ No joy tracking it down with sysinternals process explorer.

7./ But I found this: RootRepeal http://rootrepeal.googlepages.com/ This managed to find and "force delete" the b14tch.

I'm a bit worried it might have still left some damage somewhere, but will get back to you with more info if I get it.

BE CAREFUL. Something nasty is out there. Keep your antivirus/malware shields up! :pimp:
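Symptoms 1 and 2 above (vendor sites blocked, pages redirected) are commonly produced by tampering with the hosts file or swapping the configured DNS resolver. The checker below is an added example, not code from the original post; the watched vendor domains, the sample hosts file and the trusted resolver ranges are all assumed.

```python
import ipaddress

# Security-vendor domains a hijacker typically blocks (assumed list, not from the post).
WATCHED_DOMAINS = ("malwarebytes.org", "superantispyware.com", "mcafee.com")
LOOPBACK_IPS = ("127.0.0.1", "0.0.0.0", "::1")

# Constructed sample hosts file for the demo; not taken from the original post.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # added by malware
127.0.0.1       malwarebytes.org
203.0.113.9     update.mcafee.com
198.51.100.7    www.example.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed IPs."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry we can reason about
        for name in names:
            yield ip, name.lower()

def watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def check_hosts(text):
    """A clean hosts file has no entries for security vendors at all.
    An entry pointing a vendor to loopback sinkholes it (site 'blocked');
    one pointing anywhere else redirects it (fake 'security' page)."""
    report = {"sinkholed": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if not watched(name):
            continue
        if ip in LOOPBACK_IPS:
            report["sinkholed"].append(name)
        else:
            report["redirected"].append((ip, name))
    return report

def rogue_dns_servers(configured, trusted_networks):
    """Return configured resolvers outside the trusted networks (e.g. your LAN
    router or ISP ranges); a DNS hijacker swaps in a resolver it controls."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [s for s in configured
            if not any(ipaddress.ip_address(s) in n for n in nets)]

if __name__ == "__main__":
    print(check_hosts(SAMPLE_HOSTS))
    print(rogue_dns_servers(["192.168.1.1", "203.0.113.53"], ["192.168.1.0/24"]))
```

On a real machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and the resolver list from ipconfig /all; anything flagged is worth examining before trusting the rest of the system.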
 
#2
OK, have now been able to install Malwarebytes. Scan found another 8 nasties.

After reboot, SUPERAntiSpyware found nothing more.
Malwarebytes found nothing more.

Let's hope the system is now clean!!
 
#3
I had a couple of nasties on my old rig where, when you deleted one file, another would replicate in its place. Very annoying, until I looked at the hidden files and then got the source...
 

AsRock
#4
Ooh, hope you have it sorted out... Don't think I'll get that one if it relies on DNS though, as mine's restricted to my ISP only.
 

Sir_Real
#5
What I do is have 2 HDs and have DriveImage XML installed; about once a fortnight I clone my main drive to the slave. Then if I ever get a nasty it's just a case of going in the BIOS and swapping the boot-up drive. Start up with the uninfected drive and clone this drive to the infected one. It formats the drive before cloning so there's no chance of the virus still being on there. Takes me about 20 mins to clone my HD.

You don't even need two hard drives! You can do the same thing by partitioning your drive 50/50, but yeah, you lose half your space so probably not an option if your HD isn't very big.
 
#6
^ You can manage that issue with clever partitioning.

c: at 60GB for your OS and programs
d: for your data
g: for games
s: for your setup files
z: (Hidden), a copy of your c:

So you don't lose half your drive, just whatever the C: partition size is!
 

Sir_Real
#8
[QUOTE]
^ You can manage that issue with clever partitioning.

c: at 60GB for your OS and programs
d: for your data
g: for games
s: for your setup files
z: (Hidden), a copy of your c:

So you don't lose half your drive, just whatever the C: partition size is!
[/QUOTE]

There is one problem with what I said above about cloning main drives with a partitioned hard drive. If you partition your drive and have your OS on C:, then clone C: to, say, F:, when you boot to F: your main drive is F:, stating the obvious, yeah! But it's strange having your OS on any drive other than C:, and I found it can occasionally cause a problem with installing programs; some won't install to any drive other than C:. But it's a rare problem; for most programs it doesn't matter what drive letter your OS is installed on.

That's why I now have 2 hard drives.
 
#9
^ Not quite sure what you mean there. If you have a satisfactory install of c:, you use a partition manager, e.g. Acronis Disk Director (just one example), to make a 1-to-1 copy on a hidden partition, e.g. z:, but you can give it NO drive letter, so it is NOT accessible to Windows.

When c: gets corrupted, you run the partition manager to copy 1-to-1 from the hidden partition to c:. There is no issue about drive letters and the OS not being called c:.

Having 2 drives is of course better, since if you have a HARDWARE failure, a partition on the same drive ain't going to help.
 

Tau
#10
I don't even bother scanning the HDD on the unit that has a virus anymore (client PCs); I just pull 'em and scan 'em on my test bench, faster than dicking around with safe mode and an infected environment.
 

Mussels
#11
My advice: get Kaspersky, and never suffer this again.
 

Sir_Real
#12
[QUOTE]
^ Not quite sure what you mean there. If you have a satisfactory install of c:, you use a partition manager, e.g. Acronis Disk Director (just one example), to make a 1-to-1 copy on a hidden partition, e.g. z:, but you can give it NO drive letter, so it is NOT accessible to Windows.

When c: gets corrupted, you run the partition manager to copy 1-to-1 from the hidden partition to c:. There is no issue about drive letters and the OS not being called c:.

Having 2 drives is of course better, since if you have a HARDWARE failure, a partition on the same drive ain't going to help.
[/QUOTE]
That's getting a bit confusing now, lol. I see what you're saying though. Your way there is no need to ever change the main drive from c:.

But I did run into problems with the OS installed on F:; one problem I can remember was being totally unable to install Adobe Flash or Shockwave! The online installer just kept coming up with an error about the drive being unavailable.
 

btarunr
#13
Start your machine with the Windows install CD/DVD, start the recovery console, list the enabled drivers/services, disable anything you find suspicious.
 
#14
[QUOTE]
I don't even bother scanning the HDD on the unit that has a virus anymore (client PCs); I just pull 'em and scan 'em on my test bench, faster than dicking around with safe mode and an infected environment.
[/QUOTE]
I do tend to agree with that. Manual discovery and fixing is often a lot more time consuming than just nuking the partition and reinstalling from an image... EXCEPT for all those blxxdy files in the users' Documents and Settings folders, esp. mailboxes.

I do wish Windows would offer a better method of pointing User directories at a NAS, rather than the network and cost intensive domain controllers with AD.

For the small business, we need a rapid solution, not an enterprise expense.
 
#15
I just fixed a machine that was infected with some nasty "Kaka////C://...."

Lots of kaka. Found about 3 different types of viruses and malware fraud-type crap.

I think it is dead and zeroed out now.

The system is now running with firewall and virus+spyware software. It cost a little money but it's well worth it.
This particular machine was running with the firewall off and the wireless antenna on. No virus protection either.
 
#16
[QUOTE]
My advice: get Kaspersky, and never suffer this again.
[/QUOTE]
Hey, I got Kaspersky Internet Security 2009 from my uncle (genuine copy, has a 3 PC licence). Only problem is, now I have it installed it's stopped my WinTV Nova-T from working; got the old BSOD, so I uninstalled Kaspersky, then tested my TV card and lo and behold it worked. So I uninstalled my TV card (software and drivers), then reinstalled Kaspersky, then reinstalled the drivers for the TV card, then installed the software, then switched it on: works for a second, then same old c**p :banghead: irql_not_less_or_equal stop 0x0000000a (0x7cf26533, 0x00000002, 0x00000000, 0x804f21c3). Argh, :mad: :cry: :wtf: is going on? I thought Kaspersky Internet Security 2009 was supposed to be the best :eek: :confused: Yes, I did change the settings for the TV card so Kaspersky ignores it and sees it as safe zone :banghead:
 
#17
crazy advice

My advice to anyone reading this is:

1. Avoid all free porn sites, especially dirty pics (worst for viruses).

2. Don't try to be a hero: if you see something claiming to be child porn, leave it well alone. Even taking a peek to see if it is real carries the risk of tailor-made malware being installed on your PC (usually from Russia; sorry guys from there, but it often is from there), plus the authorities will be monitoring the sites (hey, that's what they get paid for), and you stand a great chance of getting your ass thrown in jail and being put on the sex offenders register for life, plus losing your lovely new PC.

3. Then there's the good old warez sites claiming to have the latest PC / Xbox 360 / Nintendo Wii games or software. God, they always catch dumb asses out. Just think of it like this: legitimate sites often have costs of $4-500 a month or more, so just ask yourself, how do they do it? Let's face it, there's not even many generous millionaires out there, so how do people like, say, serbian ware get their money? Hm, by ripping poor people off who think there's someone being kind and generous in this rip-off world. Well, don't believe them, especially if they haven't got any popups or adverts or a donations page, as it's bound to be suspect. Plus chances are it won't be the website that messes stuff up, just that lovely new game you got with hidden trojans dotted throughout it. "It works," I hear you say; that's usually it, often a crafty bit of coding that is actuated in the game itself and wham, they've got ya. If I'm suspicious of anything I look for other people's opinions, then look at the cache in Google