
My PC obliterated by malware from hell

njohnson747
04-14-08, 03:04 AM
I will try to remain calm as I write this. Crap!:behead::icon4::cussing:

Fellow Noobsters, it’s been a while since I’ve posted and, well, I’m no longer at my nice new computer writing this to you now. That beautiful Dell XPS-410 has crashed and burned – big time and in a very weird way. Someone jacked up my rig! I need your advice as I try to save it. I thought perhaps I could lay out the details and you guys could help me avoid problems like this in the future. Now my Noobsters contributions have to be made from places other than my workstation and that’s problematic. But I had to log on and get some tech support / encouragement from you guys.

Oh, and if the preliminary details don’t interest you please skip down to the “crazy part of the story” in all caps text.

So I have been working on a multimedia slideshow/video of family photos for my niece’s birthday coming up in a month. The project had consumed me to the point that I didn’t realize my PC was being consumed by some kind of very dirty malicious software.

I first noticed weird misspellings in the “RAID- BIOS” startup screen three weeks ago. There were multicolored letters too. Right at the very beginning of the startup sequence. Then quite at random the monitor would show multicolored pixels scattered at various, interchanging points on my monitor in those RAID-BIOS startup screens. Like a fool I ignored it – consumed with my family video project. And then yesterday…

And then yesterday my PC would not even load Windows XP. I have a licensed copy that came with my Dell XPS-410. I was in deep shit. It constantly restarted itself without me pressing any buttons. It was madness. It continually said that a crucial part of the Windows OS was missing. I realized at that point that this PC detonation had been building for weeks. OMG time, big time.

It seemed like everything was going haywire right up to that point and I blamed it on the video project, not malicious software. I couldn’t work on my project without the computer locking up, no media would play from the hard drives (no matter what media player I used) etc. It was a cascade of crap.

And then I thought all my personal data was lost. I couldn’t get into XP even in Safe Mode.

Then by some miracle I managed to get into XP. Random fantastic last-minute luck. A fluke. It logged me on and then I began dumping all my documents, pictures, videos, EVERYTHING that I had carefully packaged in case of an emergency immediately onto an external drive. I had to slash and burn all that wasn’t vital before the computer totally locked up for good – in the end I saved all 90 gig of data right in the nick of time. Ninety gig of personal data, saved. Thank heavens for that.

BUT HERE IS THE CRAZY PART OF MY PC MELTDOWN STORY: When I went to reformat my PC something else took over! I put in the disk, went through all the partition deletion stuff and noticed there were two partitions I didn’t recognize (in FAT format) above and below my C: partition. WTF is all that about?

Then check this out: I let the XP install disk do its thing and then whammo! Twenty minutes or so into the installation process a flashing warning sign popped up on the screen! It said (in standard eye-grabbing red & white background) DO NOT TOUCH ANY KEYS! APPLICATIONS BEING INSTALLED!

That's baloney and we all know it! (See screen pic in my following post. It's a photo of the screen that I took with my camera as it was being hijacked.) That’s not XP doing that! I can also see behind the big flashing sign on my screen a C: prompt window open. Something was installing itself right into my operating system right as I was reformatting it! Guys, what the hell could do something like this to a PC? It hijacked my reformatting process! Have you ever heard of such a thing?!

So I didn’t sleep at all last night. I was furious. Here are the facts: The hard drive was declared 100% OK in terms of sectors by the Geek Squad / Western Digital Diagnostic Utility that I ran right before the meltdown. The hard drive totally checks out as far as hardware is concerned and that includes the self-diagnostic that tells temperature and spin-up time and stuff. So apparently the hard drive itself is OK as a piece of hardware….

But I have something in my registry or whateverthehell that is imposing its will on my PC! I still have the weird random pixel things, I still have the opening screen misspellings and now I see that my registry has all kinds of evil whatnot on it according to a diagnostic tool I have. And this is before I have installed anything! I HAVE INSTALLED NOTHING ON MY PC YET! And I’ve already got bad .exe madness on my rig according to HijackThis! Holy crap, I’m not a happy guy right now.

It must have been something I installed…from you-know-where. I have no idea which application was rigged with this malicious software. I’ve gotta find out, too. Norton Antivirus and all that stuff didn’t catch it. I don’t know how to prevent this in the future as I plan to install the stuff I had on there previously. What would you do? How do you check for software as malicious as this that had been embedded into an install program? How will I know what to install and what to delete from my treasure trove of applications? How will I know what has this malicious capability?

Can you protect your registry somehow? I gotta know how.

So I’m taking it to a computer repair place tomorrow. Oh man I need some confidence right now because I don’t have a lot of cash. Working at my PC is at the heart of my day. Now I’m like a vagabond inside the house on days like today – not even good weather for yard work right now. And I have work to do. I have no idea – NO IDEA how much this is going to cost to fix. I’ve got a good repair place in mind but I’m spooked to hand over my tower and get ugly news in return. I feel the bad news coming…

So how much does it cost (reasonably) to rebuild a hard drive from the ground up? Does that reset my IP address? Wouldn’t that then invalidate my copy of XP that came with the PC? Dammit I have 1,000,000 questions and very few dollars to answer them. Anyone have any suggestions as I make the painful march to the computer repair place tomorrow? Help a guy out and comment, please. Thanks heavens I got the data out! But I’m a bit shaken in a way only a total PC meltdown can do to a person. Damn.

JahSun
04-14-08, 03:12 AM
Do you have the OS install disk? If so, I'd just buy a new hard drive. Reinstall everything. Since you were able to save all that important stuff like you said, you can start fresh. Either that, or have you been able to run SpyBot and Ad-Aware? I run those weekly and whenever my pc gets sluggish. Fixes it right up.

Jantheman
04-14-08, 03:26 AM
http://aumha.org/a/parasite.htm, this might help. I caught a parasite that would throw a naked pussy or a big dick up on the screen without warning. I was able to isolate the problem by going to this site and found that there was a trojan that had somehow sneaked by the firewall and Kaspersky. Also, I run CCleaner about once a week to get rid of pests. Once a month I run Spybot Search and Destroy to find anything that the others don't. I know NJ, it sounds like I am anal about it. But like you said, malware just ain't cool when you don't have your 'puter up and running like it should. I wish you godspeed in finding the varmint that has hijacked your system. If all else fails, do what JahSun told you. Mine is freeware and I like the price. Kaspersky is available somewhere here. JTM.

Slick
04-14-08, 07:09 AM
Sorry to hear of your problems but... I can't be of any help, but I hope ya get it fixed and back to your normal self.. catch ya later mahng

njohnson747
04-14-08, 09:22 AM
Thanks for the input guys - it looks like this problemo is still keeping me up nights. It’s 4:14am here and I’m wide awake. I’ve got to drive my girlfriend to the city hospital for work in two hours (she’s a nurse there) and then head back home, pack up my tower and head for the PC repair place. It promises to be an eventful day.

I will most likely get a new hard drive and have them go from there. No sense in trying to re-work a drive that has been ass-rammed so hard. I reformatted again tonight (just for laughs) and yes - the malware embedded at the root code level (is that how you say it?) kicked back in and hijacked the reformatting process once again. Unbelievable. What balls on these guys. And brains, too.

No anti-spyware or any other program can root out this bastard – that much I know. It's just time to start over. But thank you sweet heaven I got all my data out in time. That was such a stroke of good fortune - and the last of the 90 gig of priceless family photos and wedding videos right at the moment PC locked up for the final time! Somebody up there wants me to get that family movie made for my niece I guess. Something like that.

I have never heard of malware that hijacks your rig during a reformatting session. That is cold-blooded. And I am still clueless as to what application of mine had the nasty parasite in it. I have plenty of apps from you-know-where and I need them for various projects. And I don't want to have to go through this two times, so I guess I'll just try to remember when it all started and not put those apps in...or something like that. And nothing goes on to my new drive without a virus scan first (not that it will help much given the nature of the bug). It will be cross-your-fingers time for me for the next few days as I rebuild my rig on the software end of things. Oh well – at least I have a PC repair place that I trust to take care of the hardware side. I see the president of that local company at Mass every Sunday. Maybe that will get me the extra mile to get the job done right.

At the bottom of this post is a picture I just took of the sucker-ass screen that comes on as the hijack program messes with my reformatting process. “Installing applications – do not press any key”. Give me a break you hijacking dogs. That sure doesn’t look like XP reformatting stuff to me. I guess at that point in the hijacking process they don’t care if you buy into their line of BS or not. They’ve got you by then.

What a bunch of jerks. They just cost me a chunk of my tax return (we’ll see just how much this afternoon). But at least they didn’t destroy my data. Thank goodness for small miracles. And thanks for the input guys. Much appreciated.


http://img145.imageshack.us/img145/3554/thehijackersscreenonxprrl0.jpg (http://imageshack.us)

DarkHelmet
04-14-08, 09:27 AM
1. The FAT partitions could be the manual on one drive and the image of the original install on the other. If one was about 5 MB and the other about 8 GB, then that is normal with Dell computers.

2. When you were at the partition part, did you delete all of the partitions and just create one or more new partitions? And, after that, did you do a full format with NTFS (as in, not the format option that says quick at the end)? If not, try that.

3. You could have a boot sector virus. You might be able to download the bios for your comp elsewhere and flash your bios if the issue still happens. Or, you might need to pull your cmos battery to clear it (try pressing and holding the power button for a full minute to do a basic reset).

4. Do you have your internet unplugged during the process?


Hope something here helps. Afterwards, SUPERAntiSpyware is a good antispyware. I've been using Avast as an antivirus and have been very happy.

DarkHelmet
04-14-08, 09:40 AM
If the problem remains, you should only need a new HD, which is about $100. Don't bother trying to rebuild it, it's more money than it's worth. Your IP doesn't give a shit about your HD, so no worries there. The cd key for your XP will still work, it goes by what you type and is hardcoded on the mobo, so no worries there.

I haven't seen that one in all my years with PCs, so congrats on getting the most f'd up virus I've seen so far. But, it should only cost you a new HD, so shouldn't be too much. And, if you've ever installed a HD (which is about the easiest thing to do with a comp's hardware), then you can save yourself 20-40 bucks by not having somebody at a store do anything.

njohnson747
04-14-08, 09:59 AM
Thanks DarkHelmet my man you are right on target as per usual. You've answered a lot of my questions (specifically about price and the IP address thing). I have a good deal more confidence now as I prepare to journey forth to the PC repair joint.

As for your questions yes - I did have it totally unplugged from the 'net but it didn't help. Thanks for the heads-up on the other partitions situation - I didn't delete them because I don't know what I'm doing when it comes to that BIOS stuff and the FAT-formatted stuff. And you were right on target - the partitions are exactly the size you said they would be. I appreciate your insight on the Dell way of doing things. Big time thanks for that.

Instead of going into the PC repair store begging for help it looks like thanks to my fellow Noobsters I will know what to ask for and what to say in general. That's priceless advice from you in particular DarkHelmet. I'm going to re-write my letter to the PC repair place with those facts in hand right now. Thanks a million to all of you.

And I'll get my hands on that anti-virus (and anti-spyware) program you use, Helmet. And a big LOL from me for winning your prize for the most jacked-up hijacking you've ever seen. That certainly confirms my suspicion about this malware being unusually bad news.

Any ideas on how to prevent this from happening in the future when I re-install my apps? Would a WinRAR virus scan help in the future? And what do I do about the apps I already have? Do I throw them all out of my external drive and hunt down new ones? One of the ones I saved may well be the app with the evil in it - at least 50% possible because I nuked a lot of stuff off the external drive to make room for the really important stuff. That means danger still lurks when I re-install my remaining apps. Does anyone have any ideas for finding the application that was the culprit?

Thanks again for all the input guys. Keep it coming!

mAVERICK1
04-14-08, 11:48 AM
NJ. As DH has indicated, a lot of Lappy sellers (including Dell) secure a portion of reserved HD space to keep their installation image safe for reinstalls. We actually used the same principle on one of our corporate clients (even for their desktops!). Some of the more experienced IT hicks would say wtf. Exactly..... but it saved time having to pull the image over the wire, as our install image was a couple of Gigs! If it was already installed in a separate partition, then all you had to do was tell the image to install itself!

But I digress......If the reserved partition has become corrupted in any way due to some foreign nasties then I would fry the drive with FDISK or something similar. This would overwrite the complete drive, killing all primary and extended partitions. You could then repartition and format the drives knowing you'd munted whatever was hiding itself in that reserved partition. However, you'd need to obtain an installation disk from the laptop seller in order to reinstall your OS again. You may have to convince them that the image had been fragged so they will have to give you a replacement CD or copy a new image onto the HD.

If you don't have a floppy on your laptop then you'd need to install FDISK onto a CD/DVD ROM in order to access it. Just offering another option for you to consider.

NB. Apologies if you've already considered this option. If so then dump my post ;-P

njohnson747
04-14-08, 01:19 PM
mAVERICK you have skills and abilities which are clear in your post and clearly way over my feeble PC skill set! I'm going to come back to this thread many times in the next few days and cut/paste the suggestions like yours onto MS Word for later analysis. That way I can try to figure out all these good ideas when I have the time. Right now it's about rebuilding my rig and software set with what I know how to do (which is not as much knowledge as I wish I had right now). But your advice is no doubt sound advice (thank you) and I'm going to dissect your comment and others in the time to come.

I see now that I have to get a one-touch backup drive if I am going to keep installing the apps from you-know-where and avoid this disaster again. That way if I install an application and it hijacks my system like this I will just slap my PC back to its previous state with one-touch capability. I have to figure out which backup models are best. And I will be vigilant as hell about tracking my PC's performance and internal workings before I back it up! I don't want to accidentally back up a corrupt hard drive image! So I'm going to be really cautious from now on and get a one-touch backup as an insurance policy. It's the only way I can see avoiding this problem again.

I'll be updating this thread and probably be asking for more advice in the coming days. This ain't over yet. With my limited income I have to find cost-effective ways to make this work. Thanks for the ideas fellas. Keep 'em coming!

ZeroAccuracy
04-14-08, 01:58 PM
If you're looking for a new HDD, here are two that are cheap (about $65), both from good manufacturers (WD and Seagate), both SATA, and both 250 Gigs.

http://www.newegg.com/Product/Product.aspx?Item=N82E16822148262

http://www.newegg.com/Product/Product.aspx?Item=N82E16822136161

MostlyHarmless
04-14-08, 07:54 PM
I'm thinking your malware isn't in the hard drive (because it was messing up your BIOS boot screen). I'm thinking it's in the BIOS itself, which, unfortunately for you, sucks. If you have a floppy drive, here's what you do... 1st off, you can try and flash the BIOS. That works sometimes. Look to see if there's a BIOS jumper that you can switch, or go the old-tech way and just pull the battery out, turn the computer on and off, then put the battery back in. If that doesn't fix it, you can update the BIOS from a floppy drive. You'll need to see if you have a Phoenix, Award, or whatever BIOS. It usually flashes by pretty quick on the screen when you first boot up. Then use another computer and find the BIOS manufacturer's website. They should have a BIOS-upgrading utility and instructions on there. (For example, there's Awardflash.exe and then you need the latest BIOS update on the floppy too...). Boot from the floppy (there should be instructions on the BIOS maker's website) and update the BIOS.

It's a pain in the A$$, but it should (theoretically) work. I've had to do it once or twice, and it sucks. BIOS bugs are the hardest to get rid of.

FauxReal
04-14-08, 08:51 PM
If you're looking for a new HDD, here are two that are cheap (about $65), both from good manufacturers (WD and Seagate), both SATA, and both 250 Gigs.

http://www.newegg.com/Product/Product.aspx?Item=N82E16822148262

I got the 320 GB version of the Seagate drive... it's really great. Quiet and fast... not to mention the 5 year warranty which no other company has.

njohnson747: You don't actually have a RAID array set up on your computer do you? Most likely not... but w/ those Dells it comes turned on in BIOS by default. Just switch it to auto-detect (in the PC BIOS) and see if that helps things. I've seen people complaining about it causing issues w/ OS installs.

I kind of think it's a hardware problem because of your initial information (jacked up colors & text @ boot)... I don't really see anyone writing a virus targeted at RAID-BIOS since it's an uncommon feature in most computers, there are more than a few different kinds & it's tough to get a virus that will flash your BIOS. So the odds of someone making a virus that could target your RAID-BIOS & persist after you format and reinstall, then add applications afterward w/ a loading screen (when it could just do it silently) are just way too improbable in my opinion.

I believe that red loading screen is because it's a Dell modified copy of XP.

If your computer is still under warranty just tell Dell it's screwed up. Hopefully just disabling the RAID-BIOS will solve your problems. You could even download new BIOS and update it (overwriting any potential BIOS-flash based virii).

che
04-14-08, 09:12 PM
Found this, very similar to your problem; unfortunately you need to give some $ to access it :(
You can also use UnHackMe Bootwatch Anti-Rootkit (http://www.greatis.com/) ! ask if you need it ;)

DarkHelmet
04-14-08, 09:47 PM
I worked at Dell for over 2 years, that is not a Dell screen. There are boot viruses (rare, but they are out there). You could try turning off raid if you don't use it, but the odds of that fixing it are slim.

MostlyHarmless
04-14-08, 09:49 PM
That's good advice from FauxReal. If your computer is still under warranty, get Dell to fix it. Also: I've had several Western Digital hard drives go bad on me. On my keychain, I have 3 of the aluminum hard drive holding rings. All 3 were from drives that gave out on me. I've never had a problem with Seagate though. It's possible that I'm just unlucky with WD drives, but I think I blew the odds of that out the door with hard drive #3. But anyway, from my experience, go Seagate as opposed to WD, if you're going to get a new HDD. just my .02

ZeroAccuracy
04-14-08, 09:53 PM
I've never had a Seagate. My old WD HDD was 120 gigs when that was the largest they made. I used it right up until a few months ago, when it finally gave out. I'm still holding onto it hoping to find a way to fix it and use it as another backup external.

MostlyHarmless
04-14-08, 10:01 PM
Whatever you do, do NOT get a Quantum Bigfoot hard drive. They die a LOT. My buddy who worked as a tech at the local computer shop told me about that. The little motor that spins the disk gives out (usually right around the time the warranty expires). You can maybe boot once or twice off it, but it involves either hitting it on the side with a screwdriver or opening it up and manually spinning the disk. And then you have to get all your data off QUICK.

FauxReal
04-14-08, 10:43 PM
I worked at Dell for over 2 years, that is not a Dell screen. There are boot viruses (rare, but they are out there). You could try turning off raid if you don't use it, but the odds of that fixing it are slim.
How long ago? I've rarely used Dells... but I googled the text of that screen and it only gave hits to people talking about Dell computers and others saying that's what it does after it installs XP.

Not very many hits at all came up either for something that, if it is a virus or other problem, should show up more often on the net.

I guess his best bet is to just ask Dell, warranty or not, hopefully they can answer a simple question.

DarkHelmet
04-15-08, 03:33 AM
Just stopped working there less than a month ago; I have a friend who currently works there and has never seen that screen.

Jantheman
04-15-08, 09:54 PM
So, NJ, did you get your HD fixed yet? Just curious.....

njohnson747
04-16-08, 01:11 AM
Thanks for all the input guys. FYI - the rest of the story:

As it turns out the PC madness that hit me was the result of a video card in its death throes and motherboard/BIOS stuff that I don’t understand. They triple checked the hard drive that I double checked and it's all good. Wild. The Western Digital hard drive is perfectly fine and did not need to be replaced.

It took the PC repair shop (very impressive service and support) forever to isolate the real problem tho. And guess why!

Because of that crazy screen I took a picture of for both them and Noobsters. And FauxReal gets the gold medal for snuffing out my PC paranoia with some esoteric facts: that is indeed a Dell screen. The guys at the repair shop had never seen it before but they did some checking and yeah – that flashing message that looks like malware is actually official Dell install stuff in progress. It doesn’t have any Dell logo on it and it doesn’t say “relax while work is in progress” it just flashes bright red to white super fast and warns the user not to dare touch the computer for 30 minutes (with! an! exclamation! point!)

It is an unnecessarily alarming (and PC panic-provoking) screen but as it turns out not malware of any kind. So I jumped the gun. I made a false assumption – an understandable one but still an error. And in the interest of the Noobsters knowledge base I now ‘fess up to my mistake. It’s not malware – it’s damn Dell!

Hindsight is 20/20 of course because the life of my XPS-410 motherboard was in grave doubt until just this afternoon. That’s when they flashed the BIOS and then popped in a video card that they had laying around and everything worked great. They triple checked their work (again) and everything worked great. Great! No virus.

I'm glad I'm not paying them by the hour.

Now I’m shelling out just $75 dollars for labor (a great bargain per hour) but the brand new (and much faster) replacement video card has to be ordered from Chicago…and out comes my wallet. They sent for it today. That video card is going to be pricey but the actual retail price of the card was much higher than the reduced rate they got from their supplier. I trust those repair guys - they do strong work and don't oversell their hardware. And again - they do not charge by the hour.

So I will have an even better video card with which to do any video editing (and play Gears of War finally) so all’s well that ends well.

I get my PC back on Friday. Hooray! I’m going to give that video card a workout. But for now I’m resigned to using my girlfriend’s PC that I gave to her (an oldie-but-goldie Dell 4600 from five years ago) which I said I would never touch. Why? Every time I sit down at her workstation she’s afraid I will find a problem. Even if there isn’t one. This time – for once – she had it right.

ZeroAccuracy
04-16-08, 01:19 AM
Awesome news! Good deal on finding a PC place that isn't full of fucksticks.

JahSun
04-16-08, 01:45 AM
I knew it. I just chose not to say anything. :pbag:

Uncle_Max
04-16-08, 03:11 AM
I knew it. I just chose not to say anything. :pbag:

haha

glad to hear everything got sorted out, and that's good to know for future reference. I've never heard of any shit like that happening.

Also, anything you deleted in your mad rush to save data should (hopefully) be recoverable through one of the many fine additions in the vault.

DarkHelmet
04-16-08, 03:38 AM
Learn something new every day. Good to hear things are on an upturn.

satman
04-16-08, 03:47 AM
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

DarkHelmet
04-16-08, 04:15 AM
That is a great link, satman. Everyone should download that tool, and maybe HijackThis (but don't just screw around with HijackThis if you don't know a lot about computers). Those tools, standard AV/AS software and a couple of those sites (I used bleepingcomputer.com a lot when I worked on computers).

satman
04-16-08, 05:21 AM
Found ComboFix a while back when my pal's computer was almost taken over...been using it ever since.....it's awesome.

Jantheman
04-17-08, 04:51 PM
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I downloaded this and Kaspersky thought it was an invasion of some sort. I dunno, what is up with that? I ran it anyway and it did not seem to find anything wrong other than the recovery console did not launch (?). WTF? Maybe that's why I can not get a restore point. If anyone knows for sure, let me know, I am stumped on that one.
