# Nasty virus/malware - don't know what - **NASTY**



## lemonadesoda (Apr 12, 2009)

Just been down the last couple hours. A very nasty virus/malware of some kind. Didn't find out what it was called.

What did it do?

1./ Hijacked DNS so that every 1 in 5 internet pages would appear with its fake "Windows Firewall security" comment: click here to continue, click there to download...

2./ It BLOCKED the website for Malwarebytes completely.

3./ It BLOCKED the Windows installer for Malwarebytes. It would freeze at a certain point so that the installer would crash.

4./ It would automatically deactivate McAfee Antivirus ENTERPRISE after 5 seconds. If you re-enabled it manually, 5 seconds later it would turn off again.

5./ SUPERAntispyware would install, and find all sorts of rubbish, and remove some, but points 1, 2, 3, and 4 would still be there! It was SUPERAntispyware proof!

6./ No joy tracking it down with sysinternals process explorer.

7./ But I found this: RootRepeal http://rootrepeal.googlepages.com/  This managed to find and "force delete" the b14tch.

I'm a bit worried it might have still left some damage somewhere, but will get back to you with more info if I get it.

BE CAREFUL. Something nasty is out there. Keep your antivirus/malware shields up!
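Symptoms 1 and 2 above (pages redirected, a vendor site unreachable) are the kind of thing a tampered hosts file produces, so one cheap check a technician can run from a clean boot, or with the infected disk mounted on a bench machine, is to audit that file for security-vendor domains pinned to any address. This is an added example, not code from the thread; the sample hosts content and the vendor watchlist are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the lines below are the kind a hosts-file hijack adds (constructed)
127.0.0.1       www.malwarebytes.org
0.0.0.0         malwarebytes.org
203.0.113.7     update.mcafee.com
"""

# Constructed watchlist: vendor domains that should never be pinned in hosts.
VENDOR_WATCHLIST = ("malwarebytes.org", "mcafee.com", "superantispyware.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text, watchlist=VENDOR_WATCHLIST):
    """Flag watchlisted domains found in a hosts file.

    Pinning a vendor domain to loopback/0.0.0.0 blocks the site; pinning it to
    any other address silently redirects it. Both are reported, with the kind.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watchlist):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip, "malformed"))
            continue
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        hits.append((name, ip, kind))
    return hits


if __name__ == "__main__":
    for name, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
```

On a live Windows box the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; read it into `audit_hosts` instead of `SAMPLE_HOSTS`.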


----------



## lemonadesoda (Apr 12, 2009)

OK, have now been able to install Malwarebytes. Scan found another 8 nasties.

After reboot, SUPERAntispyware found nothing more.
Malwarebytes found nothing more.

Let's hope the system is now clean!!


----------



## Taz100420 (Apr 12, 2009)

I had a couple of nasties on my old rig where, when you deleted one file, another would replicate in its place. Very annoying, until I looked at the hidden files and then got the source...


----------



## AsRock (Apr 12, 2009)

Ooh, hope you have it sorted out... Don't think I'll get that one if it relies on DNS though, as mine's restricted to my ISP only.


----------



## Sir_Real (Apr 12, 2009)

What I do is have 2 HDs and have DriveImage XML installed; about once a fortnight I clone my main drive to the slave. Then if I ever get a nasty it's just a case of going into the BIOS and swapping the boot-up drive. Start up with the uninfected drive and clone this drive to the infected one. It formats the drive before cloning, so there's no chance of the virus still being on there. Takes me about 20 mins to clone my HD.

You don't even need two hard drives, eva! You can do the same thing by partitioning your drive 50/50. But yeah, you lose half your space, so probably not an option if your HD is not very big.


----------



## lemonadesoda (Apr 12, 2009)

^ You can manage that issue with clever partitioning.

c: at 60GB for your OS and programs
d: for your data
g: for games
s: for your setup files
z: (Hidden), a copy of your c:

So you don't lose half your drive, just whatever the C: partition size is!


----------



## TRIPTEX_CAN (Apr 12, 2009)

Did you disable System Restore to make sure nothing is in there still?


----------



## Sir_Real (Apr 12, 2009)

lemonadesoda said:


> ^ You can manage that issue with clever partitioning.
> 
> c: at 60GB for your OS and programs
> d: for your data
> ...


----------



## lemonadesoda (Apr 12, 2009)

^ Not quite sure what you mean there. If you have a satisfactory install of c:, you use a partition manager, e.g. Acronis Disk Director (just one example), to make a 1-to-1 copy on a hidden partition, e.g. z:, but you can give it NO drive letter, so it is NOT accessible to Windows.

When c: gets corrupted, you run the partition manager to copy 1-to-1 from the hidden partition to c:. There is no issue about drive letters and the OS not being called c:.

Having 2 drives is of course better, since if you have a HARDWARE failure, a partition on the same drive ain't going to help.


----------



## Tau (Apr 12, 2009)

I don't even bother scanning the HDD on the unit that has a virus anymore (client PCs); I just pull 'em and scan 'em on my test bench. Faster than dicking around with safe mode and an infected environment.


----------



## Mussels (Apr 12, 2009)

My advice: get kaspersky, and never suffer this again.


----------



## Sir_Real (Apr 12, 2009)

lemonadesoda said:


> ^ Not quite sure what you mean there. If you have a satisfactory install of c:, you use a partition manager, e.g. Acronis Disk Director (just one example), to make a 1-to-1 copy on a hidden partition, e.g. z:, but you can give it NO drive letter, so it is NOT accessible to Windows.
> 
> When c: gets corrupted, you run the partition manager to copy 1-to-1 from the hidden partition to c:. There is no issue about drive letters and the OS not being called c:.
> 
> Having 2 drives is of course better, since if you have a HARDWARE failure, a partition on the same drive ain't going to help.



That's getting a bit confusing now lol. I see what you're saying though. Your way there is no need to ever change the main drive from c:.

But I did run into problems with the OS installed on f:. One problem I can remember was being totally unable to install Adobe Flash or Shockwave! The online installer just kept coming up with an error about the drive being unavailable.


----------



## btarunr (Apr 12, 2009)

Start your machine with the Windows install CD/DVD, start the recovery console, list the enabled drivers/services, disable anything you find suspicious.


----------



## lemonadesoda (Apr 12, 2009)

Tau said:


> I don't even bother scanning the HDD on the unit that has a virus anymore (client PCs); I just pull 'em and scan 'em on my test bench. Faster than dicking around with safe mode and an infected environment.


I do tend to agree with that. Manual discovery and fixing is often a lot more time consuming than just nuking the partition and reinstalling from an image... EXCEPT for all those blxxdy files in the users' Documents and Settings folders, esp. mailboxes.

I do wish Windows would offer a better method of pointing User directories at a NAS, rather than the network and cost intensive domain controllers with AD.

For the small business, we need a rapid solution, not an enterprise expense.


----------



## SonDa5 (Apr 12, 2009)

I just fixed a machine that was infected with some nasty "Kaka////C://...."

Lots of kaka. Found about 3 different types of viruses and malware fraud type of crap.

I think it is dead and zeroed out now.

The system is now running with firewall and virus+spyware software. It cost a little money but it's well worth it.
This particular machine was running with the firewall off with the wireless antenna on. No virus protection either.


----------



## dr emulator (madmax) (May 7, 2009)

Mussels said:


> My advice: get kaspersky, and never suffer this again.



Hey, I got Kaspersky Internet Security 2009 from my uncle (genuine copy, has a 3 PC licence). Only problem is, now I have it installed it's stopped my WinTV Nova-T from working, got the old BSOD. So I uninstalled Kaspersky, then tested my TV card and lo and behold it worked. So I uninstalled my TV card (software and drivers), then reinstalled Kaspersky, then reinstalled the drivers for the TV card, then installed the software, then switched it on. Works for a second, then same old c**p: IRQL_NOT_LESS_OR_EQUAL, STOP 0x0000000a (0x7cf26533, 0x00000002, 0x00000000, 0x804f21c3). Argh, [what] is going on? I thought Kaspersky Internet Security 2009 was supposed to be the best. Yes, I did change the settings for the TV card so Kaspersky ignores it and sees it as safe zone.


----------



## dr emulator (madmax) (May 7, 2009)

*crazy advice*

My advice to anyone reading this is:

1. Avoid all free porn sites, especially dirty pics (worst for viruses).
2. Don't try to be a hero. If you see something claiming to be child porn, leave it well alone. Even taking a peek to see if it is real carries the risk of tailor-made malware being installed on your PC (usually from Russia (sorry guys from there, but it often is from there)). Plus the authorities will be monitoring the sites (hey, that's what they get paid for) and you stand a great chance of getting your ass thrown in jail and being put on the sex offenders register for life, plus losing your lovely new PC.
3. Then there's the good old warez sites claiming to have the latest PC / Xbox 360 / Nintendo Wii games or software. God, they always catch dumb asses out. Just think of it like this: legitimate sites often have costs of $4-500 a month or more, so just ask yourself, how do they do it? Let's face it, there's not even many generous millionaires out there, so how do people like, say, Serbian Ware get their money? Hm, by ripping off poor people who think there's someone being kind and generous in this rip-off world. Well, don't believe them, especially if they haven't got any popups or adverts or a donations page, as it's bound to be suspect. Plus chances are it won't be the website that messes stuff up, just that lovely new game you got with hidden trojans dotted throughout it. "It works," I hear you say. That's usually it: often a crafty bit of coding that is activated in the game itself, and wham, they've got ya. If I'm suspicious of anything I look for other people's opinions, then look at the cache in Google.


----------

