More malware poopoo

For system help, all hardware / software topics NOTE: use Coders Corner for all coders topics.

Moderators: Krom, Grendel

dissent
DBB Fleet Admiral
Posts: 2157
Joined: Thu Oct 28, 2004 12:17 pm
Location: Illinois

More malware poopoo

Post by dissent »

Maybe the knowledgeable folks here can give me some ideas, cause I'm fresh out.

As the family IT guy (yeah, yeah, I know; but my rates ARE cheap), I got called in to help with an apparent malware problem. Some clown was trying to con them into paying $175 to "fix their computer". [yes, I have spoken to this individual about how it should never have gotten to this point]. However, now we can't get an internet connection with this machine. Had to hook up a separate machine in order to bring in TDSSKiller, Malwarebytes, etc. Scanned with them and found nothing. Tried Hitman Pro, but it didn't seem to want to run without the internet to get updated.

Tried to roll back to a restore point; system said it "encountered a problem"; so did nothing. Tried to do a windows 8.1 refresh; same thing. Windows 8.1 restore; same thing. Tried to boot from a Kaspersky Rescue disk 10; wouldn't do it. Got on a chat with Acer support and we tried to do a re-install of the network drivers; didn't work.

Windows 8.1 boots fine, but the machine seems to be locked out from the world. So my idea is to just pull the current hard drive, put in a new one, and buy and install a clean copy of Windows as the simplest option to get this thing back up and running again. Am I on a reasonable track here? I'm thinking the malware has crapped up the C: drive and partitions and I need to start over. Should I be concerned that the malware got into the motherboard? Could that be detected/fixed short of replacing the motherboard? Will be happy to entertain any ideas or comments on these issues.

Thanks.
"I've long called these people Religious Maniacs because, of course, they are. I always point out that you don't need a god to be religious maniac; you just need a dogma and a Devil." - Ace @ Ace of SpadesHQ, 13 May 2015, 1900 hr
Krom
DBB Database Master
Posts: 16039
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Re: More malware poopoo

Post by Krom »

Pull the hard drive and run a full scan of it offline with a different computer.

Re: More malware poopoo

Post by dissent »

Hey there Krom. What would you recommend to use for scanning the drive? Should I be concerned that malware on the bad drive will try to write something over to the scanning computer?

Re: More malware poopoo

Post by Krom »

You aren't going to run anything from the drive so it should be fine (don't autorun the drive). Scan it with a regular antivirus program (avira free if you don't have one), you could also hit it with an online scanner like trend micro or something like that, a second run of malwarebytes from the other computer probably wouldn't hurt either.
Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Re: More malware poopoo

Post by Duper »

Have you checked the router? Did the ports get locked down?
(sorry, just brain storming here)

Re: More malware poopoo

Post by dissent »

It's Comcast. The wireless still works fine. I have a backup laptop running through that.

Re: More malware poopoo

Post by Krom »

Did you try checking the adapter settings in the Network and Sharing Center and making sure its driver is loading properly from Device Manager? Have you double checked your proxy settings and made sure it isn't trying to go through a proxy on 127.0.0.1, which is a common malware tactic? (Check all browser proxy settings as well.)

You can also look for network related errors in event viewer...

Re: More malware poopoo

Post by dissent »

Hmm. All sound like good suggestions. I'll check them out over the next day or two. Thanks.

Re: More malware poopoo

Post by dissent »

Crazy weekend.

In the Network and Sharing Center, the top item says "The service to detect this status is disabled". So I click on the more information link under that and I get a button saying do you want to turn on the Network List Service? and when I click to turn it on I get a box saying "The dependency service or group failed to start".

Windows Firewall says it is not using the recommended settings, but I can't change them. Also can't open the Windows Firewall Advanced Settings.

I'm not sure if I can resurrect this thing. Anyone ever heard of a malware that does this - Allows Windows to boot, but shuts off the computer from the outside world?

Should I be concerned that the BIOS is screwed? Does my idea to replace the hard drive and install a clean copy of Windows have any merit? Anything else I'm missing?
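The checks Krom lists (a proxy pointing at 127.0.0.1, the adapter's driver state, network errors in Event Viewer) and the Network List Service dependency failure dissent describes can be gathered in one read-only pass. The script below is an added example, not code from anyone in this thread; it assumes an elevated PowerShell prompt on the affected Windows 8.1 machine, reports only, and changes no settings, so it can be run before deciding whether to wipe and reinstall. The service names in step 5 (netprofm is the Network List Service, NlaSvc is Network Location Awareness, MpsSvc is the Windows Firewall service) are standard Windows names, not values from the thread.

```powershell
# Added example, not code from any poster in this thread. Read-only checks for the symptoms
# discussed above, for an elevated PowerShell prompt on the affected Windows 8.1 machine.
# It reports and changes nothing, so it can run before deciding whether to wipe and reinstall.

$findings = @()

# 1. Per-user WinINET proxy (used by Internet Explorer, Chrome and most Windows programs).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match '127\.0\.0\.1|localhost') {
    $findings += "WinINET proxy is enabled and points at loopback: $($inet.ProxyServer)"
}
if ($inet.AutoConfigURL) {
    $findings += "WinINET proxy auto-config script is set: $($inet.AutoConfigURL) (confirm it is expected)"
}

# 2. Machine-wide WinHTTP proxy (used by Windows Update and services).
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -match '127\.0\.0\.1|localhost') {
    $findings += "WinHTTP proxy points at loopback: $winhttp"
}

# 3. Firefox keeps its own proxy settings in prefs.js rather than using WinINET.
$prefsFiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue
foreach ($prefs in $prefsFiles) {
    if ((Get-Content $prefs.FullName) -match 'network\.proxy\.\w+".*"(127\.0\.0\.1|localhost)"') {
        $findings += "Firefox profile $($prefs.Directory.Name) has a loopback proxy configured"
    }
}

# 4. Physical network adapters whose driver failed to load (Device Manager error code != 0).
$adapters = Get-WmiObject Win32_NetworkAdapter -Filter "PhysicalAdapter=True"
foreach ($nic in $adapters) {
    if ($nic.ConfigManagerErrorCode -ne 0) {
        $findings += "Adapter '$($nic.Name)' has Device Manager error code $($nic.ConfigManagerErrorCode)"
    }
}

# 5. The Network List Service (netprofm), the services it and the firewall depend on, and the
#    state of each dependency. Registry Start value: 2 = Automatic, 3 = Manual, 4 = Disabled.
foreach ($name in 'netprofm', 'NlaSvc', 'nsi', 'RpcSs', 'Dhcp', 'Dnscache', 'BFE', 'MpsSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += "Service $name is missing"; continue }
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).Start
    if ($start -eq 4 -or ($start -eq 2 -and $svc.Status -ne 'Running')) {
        $findings += "Service $($svc.DisplayName) [$name]: Status=$($svc.Status), Start=$start"
    }
    foreach ($dep in $svc.ServicesDependedOn) {
        if ($dep.Status -ne 'Running') {
            $findings += "  dependency '$($dep.Name)' of $name is $($dep.Status)"
        }
    }
}

# 6. Service Control Manager errors from the last week (7000/7001 = service failed to start,
#    7023/7024 = service terminated with an error); the first message line names the service.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
             Id = 7000, 7001, 7023, 7024; StartTime = (Get-Date).AddDays(-7) }
$scm = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Select-Object -First 10
foreach ($e in $scm) {
    $findings += "SCM event $($e.Id) at $($e.TimeCreated): $(($e.Message -split "`n")[0])"
}

if ($findings.Count -eq 0) {
    'No loopback proxy, adapter, service or SCM problems found.'
} else {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
}
```

A disabled or missing entry in step 5, or a 7000/7001 event naming one of those services, matches the "dependency service or group failed to start" message exactly; a loopback proxy in steps 1 to 3 explains a machine that boots fine yet cannot reach anything. Either result is evidence that the configuration was tampered with rather than a hardware or driver fault.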

Re: More malware poopoo

Post by Krom »

Malware screwed with the services config, if you aren't comfortable messing with them just wipe the drive and start over. Don't replace the hard drive since there is nothing wrong with it, just load up an administrator command prompt, start diskpart, select that drive and run the "clean" command. It will delete the partition tables, effectively resetting the drive to its original factory default state (data could still be recovered since it isn't a full secure erase, but it will prevent any malware from hiding in the boot sectors when you reinstall).

Re: More malware poopoo

Post by dissent »

Sorry for the delay; just getting back to this. Was out of commission with a sinus cold thing the week before (wiped me out for the whole damn week) and spent all of last week getting caught up with work and home stuff.

I see that diskpart has a bunch of options associated with it. Am I basically just going to follow what this guy does here ?
Any advantage to using "clean all", or just "clean"?
Do I need to set up any partitions on the cleaned disk, or will Windows 8.1 setup just handle that for me?

And what about drivers? How do I go about getting a list of drivers off of the machine before I wipe this disk? Do I even need to do that?

Re: More malware poopoo

Post by Krom »

Clean all just wipes every disk attached to the system (potentially bad if you are doing this on another system). The only relevant driver you would need would be the LAN (or wireless) driver, everything else can be downloaded to the machine if you have either of those.

Windows setup will handle partitioning the disk optimally, you don't need to create one.
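The diskpart procedure Krom describes (elevated prompt, select the drive, run "clean") is short, but the step that carries the risk is selecting the disk, especially when the suspect drive is attached to a second computer. The script below is an added example, not code from anyone in this thread; it assumes an elevated PowerShell prompt on Windows 8 or later (Get-Disk comes from the Storage module shipped with those versions), lists every attached disk with size, model and bus type, refuses to clean whichever disk holds the running Windows, and only then hands the selected disk to diskpart via a script file. The function and file names are the example's own.

```powershell
# Added example, not code from any poster in this thread. Wipes the partition table of ONE
# explicitly chosen disk with diskpart's "clean", as Krom describes, and refuses to touch the
# disk Windows is currently running from. Intended for the case where the suspect drive is
# attached to a second machine, which is exactly where selecting the wrong disk is the risk.
# Requires an elevated PowerShell prompt on Windows 8 or later (Get-Disk is from the Storage module).

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt; diskpart needs it.'
}

function Show-Disks {
    # List every attached disk so the target can be identified by size, model and bus before wiping.
    Get-Disk | Sort-Object Number |
        Format-Table Number, FriendlyName, BusType, PartitionStyle, NumberOfPartitions,
                     @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } }, IsBoot, IsSystem -AutoSize
}

function Invoke-DiskpartClean {
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [switch]$DryRun   # show the diskpart script without running it
    )
    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber holds the running Windows installation; refusing to clean it."
    }
    "Target: disk $DiskNumber, $($disk.FriendlyName), $([math]::Round($disk.Size / 1GB)) GB, $($disk.PartitionStyle), $($disk.NumberOfPartitions) partition(s)"

    # diskpart /s takes its commands from a text file; "clean" removes the partition table and
    # boot sector of the selected disk only, so a later Windows setup sees an empty drive.
    $script = @("select disk $DiskNumber", 'clean', 'exit')
    $scriptPath = Join-Path $env:TEMP 'diskpart-clean.txt'
    $script | Set-Content -Path $scriptPath -Encoding ASCII

    if ($DryRun) {
        "Dry run. Would execute 'diskpart /s $scriptPath' containing:"
        $script
        return
    }
    $answer = Read-Host "Type the disk number ($DiskNumber) again to confirm the wipe"
    if ($answer -ne "$DiskNumber") { 'Aborted; nothing was changed.'; return }
    diskpart /s $scriptPath
    Remove-Item $scriptPath -ErrorAction SilentlyContinue
}

Show-Disks
# Invoke-DiskpartClean -DiskNumber 1 -DryRun   # inspect the plan first, then rerun without -DryRun
```

Run Show-Disks first and match the target by size and model, not by assuming it is disk 1; the IsBoot/IsSystem guard catches the one mistake that cannot be undone, and the dry run shows the exact three lines diskpart will execute. As Krom notes, "clean" is not a secure erase: data remains recoverable from the sectors, but nothing in the old partition table or boot sector survives into the reinstall.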

Re: More malware poopoo

Post by dissent »

Bummer for me. Can't get diskpart to run from a command prompt. I get a UAC popup asking me if I want to let the program make changes to the computer; I say yes and then nothing happens; I just get the cmd window back.

I'm really beginning to hate this piece of malware.

edit - doesn't matter if I turn off UAC. When I type in diskpart at the cmd prompt the cmd window just flashes briefly and returns to the cmd prompt.

Re: More malware poopoo

Post by Krom »

Just boot from the windows 8 media then, when prompted delete all partitions from the drive and then install normally. Or you can boot from any number of free downloadable CDs that have disk wipe utilities on them, wipe it that way, then install windows 8 like normal.

Re: More malware poopoo

Post by dissent »

Well, I had my doubts, since previously I was unable to boot from any rescue CD or DVD. However, I did boot from the new Windows 8.1 disk I bought. Windows Setup started. This is an Acer box with 5 partitions on the hard drive: Recovery, System, MSR (Reserved), Primary and Recovery. Should I delete all the partitions? Format them?


edit - yeah I just deleted all the old partitions, clicked new which created new partitions, then formatted the primary partition.
Looks like things are installing normally.

edit2 - well, it looks like things are back to normal on the formerly ransomware-borked PC. The Win 8.1 repartition and reinstall restored the system and got the network connection back. A couple of minor driver issues, but even with that things seem to be working normally.

Thanks, Krom!