Scam

Brilliant, I've just bookmarked that so hopefully it should come in handy. I'm going to make sure it's gone. Avast did pick up a couple of infections, but I don't trust buying anything online until I'm sure. I don't know whether or not keyloggers and things can be installed like this or not, but I'm currently not accessing my bank or doing anything involving money until I'm sure it's gone. Not had a chance to do it yet though.
 
Great ideas. Yes they can be installed. I only ever feel completely safe on my relatives computers if I reload them after that kind of virus (or any kind really). You just never know what might have been installed.
 
Just part of the way through the process. There are a couple of steps I didn't need to follow, as the computer wasn't locked (although I did follow the advice for safe mode with networking, which it was letting me do). I am astonished at how many infections Malwarebytes found when Avast only found 2: this found 50. There was a small portion I ignored as they were programs and games I have installed, but most I have removed. Thanks again for your help, very good guide!
 
Just found this, I don't like the look of it, would you be suspicious? I did remove one file called end with no file type!
 

Attachment: virus.png
I did remove one file called end with no file type!

Dead give away.

The "END" file triggers the end of a scan process. Something scanned your drive, and stopped when it hit the END file.

EDIT:
Just found this, I don't like the look of it, would you be suspicious?

Nothing is needed (that is visible) on root C:
Many times, programs will put logs or related there that are used during install, but they should have cleaned them up. Anything on root C (outside of a folder), should trigger some alarms in your head to start at least looking and spot checking.

That BiosAddr=cfdf98d2... that's an IP address. Translating to 207.223.152.210 (IP in Kansas, US)
What you've found is probably the config for a trojan.
 

I thought it looked bad. When I saw BIOS I automatically thought there could be a boot sector virus somewhere along the line, but that probably just shows my lack of knowledge; I wasn't sure, probably just letting my fear get the better of me. Is deleting that good enough? Although, to be fair, I've not reached the end of your guide yet, so I don't know if you get to that in due course. I thought my computer had been running a little slow though.
 
The 'BiosAddr' is a variable in their program, named such to look like something else... however, the 'cfdf98d2' is certainly hex, and it translates to a valid IP, given the variable 'Port' right next to it... I'm assuming that's nothing good.

re: Just deleting
No.
The guide does get into that a little... you basically delete anything not related to the Windows system, or a known program, then perform some other functions that help prevent the resurgence of anything removed. Then again with a malware scan.
 
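The two replies above decode the `BiosAddr=cfdf98d2` value by reading the eight hex digits as four bytes of an IPv4 address. The script below is an added example, not code from the thread or from any tool named in it: it parses a constructed `KEY=VALUE` config of the kind the poster found on the root of `C:`, decodes the address in both byte orders (a 32-bit value can be stored either way, so showing both avoids guessing), and flags whether the decoded address is publicly routable, which is what a defender would feed to a firewall block rule or a threat-intel lookup. The `Port=01bb` line and the assumption that the port is hex-encoded are made up for the example; the thread only mentions that a `Port` variable exists.

```python
import ipaddress
import re

# Constructed sample of the kind of key=value config the thread describes.
# The BiosAddr value is the one the thread quotes; the Port value and the
# hex-encoded port format are assumptions made for this example.
SAMPLE_CONFIG = """\
BiosAddr=cfdf98d2
Port=01bb
END
"""

HEX_IPV4 = re.compile(r"^[0-9a-fA-F]{8}$")


def hex_to_ipv4(hexstr, little_endian=False):
    """Decode eight hex digits into a dotted-quad IPv4 string.

    Big-endian (the thread's reading): cf.df.98.d2 -> 207.223.152.210.
    Little-endian is the other common storage order for a 32-bit value,
    so a triage tool should show both rather than guess.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) != 4:
        raise ValueError("expected 4 bytes, got %d" % len(raw))
    if little_endian:
        raw = raw[::-1]
    return str(ipaddress.IPv4Address(raw))


def parse_config(text):
    """Split KEY=VALUE lines into a dict; lines without '=' (e.g. END) are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def triage(text):
    """Return the indicators a defender would want from such a config."""
    cfg = parse_config(text)
    out = {}
    addr = cfg.get("BiosAddr", "")
    if HEX_IPV4.match(addr):
        be = hex_to_ipv4(addr)
        out["ip_big_endian"] = be
        out["ip_little_endian"] = hex_to_ipv4(addr, little_endian=True)
        # A publicly routable address is what you would expect for a remote
        # controller; a private one would point at the local network instead.
        out["big_endian_is_global"] = ipaddress.ip_address(be).is_global
    port = cfg.get("Port")
    if port is not None:
        try:
            out["port"] = int(port, 16)  # assumption: port stored as hex too
        except ValueError:
            out["port"] = None
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG).items():
        print("%-22s %s" % (key, value))
```

Run it as-is and it reports the big-endian reading the thread arrived at (207.223.152.210), the little-endian alternative (210.152.223.207), and the decoded port; the address is the thing to block at the perimeter and search for in proxy or firewall logs, not something to connect to.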

Okay, I was short on time so I decided I would just reformat my computer. Since I only have one hard drive and about 200 GB of backup data, I was unable to reformat the whole drive as the backup partition has all my data on, so I only reformatted the main one. I've never had this before; every time in the past, a reformat solved everything, but it's back! My girlfriend is on nights soon, so I'll have to sit up all night and follow your guide step by step. Excuse me while I eat my computer, Aaaaargh!
 

Attachment: virus.jpg
There are two possibilities here:
  1. You didn't do a true format
  2. The virus found its way into the kernel files

Either way, the only way to truly be sure that it won't come back on the next install is to run a program like DBAN and truly format the drive.

Windows' definition of a format is removing the File Allocation Tables... the directory of where the files are. This doesn't actually remove anything, it only 'turns a blind eye' to its existence, allowing it to be written over.

The problem you're going to have is that DBAN will only wipe entire drives. If you have data on different partitions, DBAN only sees the drive and will wipe it all.

Now, the question you need to ask is: how important is it to me that I get this off my PC?

I would get an external drive, or large USB... anything you can store that data on for the time being. Boot up DBAN and wipe that drive clean. Re-install Windows (WITHOUT AN INTERNET CONNECTION!!!) and immediately put some AV software on there. Connect to the internet and immediately update Windows/Drivers/etc. Update your AV software and then connect the USB and scan it.

On my desktop, I just went through this entire process, only to get another, much more vicious virus only a few days after the rebuild... so I know how frustrating this is. Sucks that I now have to go through the entire process again, but I'd much rather the NSA be the only people spying on me, not Joe Schmoe who wrote some code.
 
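The post above draws the line between a Windows format, which drops the allocation table and leaves the data blocks in place, and a DBAN wipe, which overwrites every block of the whole drive. The simulation below is an added example, not code from the thread or from DBAN: a deliberately simplified disk model (a byte array plus an allocation table, with no journaling and no SSD wear levelling) that writes a constructed stand-in for the dropped config file, quick-formats, shows the bytes are still found by a raw scan of the kind a recovery or forensic tool performs, then wipes and shows they are gone.

```python
BLOCK_SIZE = 16
NUM_BLOCKS = 64


class ToyDisk:
    """A flat byte array plus an allocation table mapping names to block lists.

    Simplified model (assumption for this example): no journaling, no SSD
    wear levelling, blocks handed out in order from a fresh disk.
    """

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.table = {}  # file name -> list of block indexes

    def _free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(NUM_BLOCKS) if i not in used]

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self._free_blocks()[:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, idx in enumerate(free):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            start = idx * BLOCK_SIZE
            self.blocks[start:start + len(chunk)] = chunk
        self.table[name] = free

    def read_file(self, name):
        """Read through the table only, the way the OS does."""
        return b"".join(
            bytes(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
            for i in self.table[name]
        )

    def quick_format(self):
        """Windows-style format as the post describes it: drop the table,
        leave the data blocks untouched and merely free for reuse."""
        self.table.clear()

    def wipe(self):
        """DBAN-style wipe: overwrite every block, then drop the table.
        A single zero pass is used here for determinism; DBAN runs several
        passes, but the point is the same: the old bytes are replaced."""
        self.blocks[:] = bytes(len(self.blocks))
        self.table.clear()

    def carve(self, signature):
        """Raw scan of the disk bytes, ignoring the table, as a recovery or
        forensic carving tool would."""
        return self.blocks.find(signature) != -1


# Constructed content standing in for the config file the thread found on C:\.
SIGNATURE = b"BiosAddr=cfdf98d2"
PAYLOAD = SIGNATURE + b"\r\nPort=01bb\r\nEND\r\n"


def demo():
    """Walk one disk through write, quick format and wipe; return what each
    stage leaves visible to the OS and to a raw scan."""
    disk = ToyDisk()
    disk.write_file("end", PAYLOAD)
    results = {"readable_before": disk.read_file("end").startswith(SIGNATURE)}

    disk.quick_format()
    results["listed_after_quick_format"] = "end" in disk.table
    results["carvable_after_quick_format"] = disk.carve(SIGNATURE)

    disk.wipe()
    results["carvable_after_wipe"] = disk.carve(SIGNATURE)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-30s %s" % (key, value))
```

After the quick format the OS reports no file, yet `carve` still finds the bytes; only the overwrite makes them unrecoverable. The wipe here touches the whole byte array, which mirrors the post's point that DBAN works on the drive rather than on a partition, so data on another partition of the same disk has to be copied off first. One caveat the toy cannot show: on an SSD, wear levelling means a host-side overwrite pass may not reach every physical cell, and the drive's own secure-erase command is the right tool there.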

I didn't do a true format, it was only the Windows 7 installation format. Is this the same as the XP format? As I remember that taking a while when I chose a full format, yet this does it in seconds. I did delete the main partition and XP partition, but that's about as far as it went. As I understood it, it writes over the data ready to be used again; probably not as good an explanation as you gave though. Also, on my backup partition, last time I transferred all the files to the main one, reformatted and transferred it all back, yet this came back in the picture. I was highly confused!

When I first got Windows back on, the trojan file on the main partition wasn't there; it appeared at some point after my drivers were installed, I'm guessing the network one, but not sure.

I do have about 25 DVDs and about 40 CDs; I've been considering getting as much as I can on them. I do have a feeling my DVD drive might be on its way out though, but I'm not certain. Could the virus affect the efficiency of this drive?

I was going to get an external drive a couple of months ago, but upgraded to 8 GB RAM instead; just my luck this would happen and make me regret my decision. I do have Ultimate Boot CD. Is this program likely to be on there, or is it freeware?

I did try to back up the massive backup folder over the network to my laptop, but I'm sure you can understand how long this would take, so I gave up. I do have a 4 GB USB stick which I'm considering transferring the data bit by bit to the laptop with.

Thanks for all your time on this, it is genuinely appreciated. I can't understand people (I would like to describe them with words I shall not repeat on here) that have nothing better to do than mess with people's computers!
 

Attachment: virus backup.jpg