
Computer virus is active, but can't find it.

tasho

Recently my computer got infected with a virus, which encrypted all my files with a .zzla extension and demanded a payment to get them back. Since all my valuable data was backed up, I decided that I would just reset Windows entirely and it would kill the virus. I reset it from the settings, and selected the option to delete everything on the drives. After that, it seemed as if it worked, Windows appeared to be normal, but Windows Security started acting really strange, turning off and on again, sending weird messages for programs which shouldn't be malicious (AnVir Task Manager, Gridin anti-malware). And then - I get a ton of notifications from Discord - someone (or some virus) had sent a ton of fake phishing links to everyone on my friends list, and some random people. I deleted the messages and logged out, and I created a Windows Media Creation Tool, so I could start a completely new installation of Windows on a formatted drive. I formatted both my drives and the partitions, and again it seemed to be normal at first, but last night the same thing with Discord happened, but this time on Instagram - it posted on my account, my story and followed random people. I checked and saw that there was a login from Helsinki, and I don't know how that's possible since I have two-factor authentication turned on. But my guess is that since I was logged in to Instagram on my PC, this hidden virus logged in from my browser and that's why it wasn't detected as a new login. Mind you that this happened while I was asleep, and the PC was turned off. I don't know what to do, please if anyone has any idea what I can do, I would love some help. Windows Security doesn't detect anything, neither does Malwarebytes, Gridin antivirus, or Bitdefender. Would buying new drives and throwing away these help? Or can this thing attach itself to the BIOS or something like that?


You will need to do the following. Delete Windows entirely, zeroing the disks. Download Killdisk and make a bootable USB with the program (use another PC when doing this).

Boot up from the USB and run Killdisk on all disks.

Right after, turn off the PC and turn off the PSU. Remove the CMOS battery and remove the RAM for 5-10 min. Flash the BIOS.

Reinstall Windows from the original ISO, using the media creation tool: https://www.microsoft.com/en-us/software-download/windows10

Depending on your router setup, I would also flash it to newer firmware. (This is just an extra step; I would do this to add more security. Most likely it is not infected.)

CPU: Ryzen 5800X3D | Motherboard: Gigabyte B550 Elite V2 | RAM: G.Skill Aegis 2x16gb 3200 @3600mhz | PSU: EVGA SuperNova 750 G3 | Monitor: LG 27GL850-B , Samsung C27HG70 | 
GPU: Red Devil RX 7900XT | Sound: Odac + Fiio E09K | Case: Fractal Design R6 TG Blackout |Storage: MP510 960gb and 860 Evo 500gb | Cooling: CPU: Noctua NH-D15 with one fan

FS in Denmark/EU:

Asus Dual GTX 1060 3GB. Used maximum 4 months total. Looks like new. Card never opened. Give me a price. 


2 minutes ago, DoctorNick said:

You will need to do the following. Delete Windows entirely, zeroing the disks. Download Killdisk and make a bootable USB with the program (use another PC when doing this).

Boot up from the USB and run Killdisk on all disks.

Right after, turn off the PC and turn off the PSU. Remove the CMOS battery and remove the RAM for 5-10 min. Flash the BIOS.

Reinstall Windows from the original ISO, using the media creation tool: https://www.microsoft.com/en-us/software-download/windows10

I forgot to mention, I'm on a laptop. Is the method the same there? Just asking about the CMOS battery and the BIOS flash, because I know most PC motherboards have a BIOS flashback function, but I'm not sure how that would work for a laptop.


7 minutes ago, DoctorNick said:

You will need to do the following. Delete Windows entirely, zeroing the disks. Download Killdisk and make a bootable USB with the program (use another PC when doing this).

Boot up from the USB and run Killdisk on all disks.

Right after, turn off the PC. Remove the CMOS battery and remove the RAM for 5-10 min. Flash the BIOS.

Reinstall Windows from the original ISO, using the media creation tool: https://www.microsoft.com/en-us/software-download/windows10

This is so unnecessary. All they need to do is make bootable media from another system and format the drive from the installer. OP isn't an NSA agent with mission critical files and the odds of their BIOS firmware being compromised are essentially zero.

 

17 minutes ago, tasho said:

Recently my computer got infected with a virus, which encrypted all my files with a .zzla extension and demanded a payment to get them back. Since all my valuable data was backed up, I decided that I would just reset Windows entirely and it would kill the virus. I reset it from the settings, and selected the option to delete everything on the drives. After that, it seemed as if it worked, Windows appeared to be normal, but Windows Security started acting really strange, turning off and on again, sending weird messages for programs which shouldn't be malicious (AnVir Task Manager, Gridin anti-malware). And then - I get a ton of notifications from Discord - someone (or some virus) had sent a ton of fake phishing links to everyone on my friends list, and some random people. I deleted the messages and logged out, and I created a Windows Media Creation Tool, so I could start a completely new installation of Windows on a formatted drive. I formatted both my drives and the partitions, and again it seemed to be normal at first, but last night the same thing with Discord happened, but this time on Instagram - it posted on my account, my story and followed random people. I checked and saw that there was a login from Helsinki, and I don't know how that's possible since I have two-factor authentication turned on. But my guess is that since I was logged in to Instagram on my PC, this hidden virus logged in from my browser and that's why it wasn't detected as a new login. Mind you that this happened while I was asleep, and the PC was turned off. I don't know what to do, please if anyone has any idea what I can do, I would love some help. Windows Security doesn't detect anything, neither does Malwarebytes, Gridin antivirus, or Bitdefender. Would buying new drives and throwing away these help? Or can this thing attach itself to the BIOS or something like that?

Make a Windows bootable installer on a DIFFERENT computer and use that. Make sure you delete the drive volume and recreate it (format). Also make sure to change the passwords to all of the accounts you use from that computer. Then try to figure out how you got compromised in the first place. If you're using pirated games/apps, stop it. This is what happens.

MacBook Pro 16 i9-9980HK - Radeon Pro 5500m 8GB - 32GB DDR4 - 2TB NVME

iPhone 12 Mini / Sony WH-1000XM4 / Bose Companion 20
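One concrete way to do the "delete the drive volume and recreate it" step from the clean installer, which also covers the zeroing that DoctorNick wants from Killdisk: the diskpart script below is an added example, not any poster's own instructions. It assumes the laptop's drive to be wiped appears as disk 0 in `list disk` (an assumption; check before running) and that it is run from the command prompt of the installer booted from the USB made on the other PC (Shift+F10 on the setup screen).

```cmd
rem wipe-disk0.txt - a diskpart script for the installer's command prompt (Shift+F10).
rem Run with:   diskpart /s wipe-disk0.txt
rem Assumption: the drive to wipe is disk 0. Confirm with "list disk" first; the wrong
rem number here wipes the USB installer or the other drive instead.
list disk
select disk 0
detail disk
rem "clean" alone only discards the partition table and leaves the old data in place.
rem "clean all" writes zeros to every sector, so the old Windows, the recovery partition
rem and anything sitting in unallocated space are actually gone, not just unlinked.
clean all
rem Leave the disk as a blank GPT disk; the installer creates the EFI, MSR and Windows
rem partitions itself when you pick the unallocated space, so no partitions are made here.
convert gpt
rem Show the result: the disk should now report its full size as free.
list disk
exit
```

Run it once per drive, changing the disk number after checking `list disk`; `clean all` overwrites every sector, so on a large drive it takes a while, and the installer then only needs the unallocated space it is offered.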


1 minute ago, tasho said:

I forgot to mention, I'm on a laptop. Is the method the same there? Just asking about the CMOS battery and the BIOS flash, because I know most PC motherboards have a BIOS flashback function, but I'm not sure how that would work for a laptop.

Yes. You can just overwrite the BIOS. Please give me the model. Laptop CMOS battery:

How to reset BIOS on if there's no COMS battery - Quora


1 minute ago, Roswell said:

This is so unnecessary. All they need to do is make bootable media from another system and format the drive from the installer. OP isn't an NSA agent with mission critical files and the odds of their BIOS firmware being compromised are essentially zero.

 

Make a Windows bootable installer on a DIFFERENT computer and use that. Make sure you delete the drive volume. Also make sure to change the passwords to all of the accounts you use from that computer. Then try to figure out how you got compromised in the first place. If you're using pirated games/apps, stop it. This is what happens.

This. If it wasn't clear in my post, I would imagine phishing.


2 minutes ago, DoctorNick said:

Yes. You can just overwrite the BIOS. Please give me the model. Laptop CMOS battery:

How to reset BIOS on if there's no COMS battery - Quora

My laptop is an Asus ROG Strix GL503GE, and also, when I said that I reinstalled Windows - I DID create the media tool on a different PC, and it still made no difference.


9 minutes ago, Roswell said:

This is so unnecessary. All they need to do is make bootable media from another system and format the drive from the installer. OP isn't an NSA agent with mission critical files and the odds of their BIOS firmware being compromised are essentially zero.

 

Make a Windows bootable installer on a DIFFERENT computer and use that. Make sure you delete the drive volume and recreate it (format). Also make sure to change the passwords to all of the accounts you use from that computer. Then try to figure out how you got compromised in the first place. If you're using pirated games/apps, stop it. This is what happens.

So what. Might as well get it up to date while at it. Also, this is a way to make sure everything is wiped, not leaving some partition. Edit: Depending on the PC knowledge of OP, it might be wise to just list what steps need to happen. Also:

6 minutes ago, tasho said:

My laptop is an Asus ROG Strix GL503GE, and also, when I said that I reinstalled Windows - I DID create the media tool on a different PC, and it still made no difference.

@Roswell


5 minutes ago, tasho said:

My laptop is an Asus ROG Strix GL503GE, and also, when I said that I reinstalled Windows - I DID create the media tool on a different PC, and it still made no difference.

Download the BIOS for the EZ Flash utility and run it on a different machine:

https://www.asus.com/supportonly/rog_strix_gl503/HelpDesk_BIOS/

Use these steps to do so: https://www.asus.com/support/FAQ/1008859/


4 minutes ago, tasho said:

Ok got it, but what about the CMOS battery? Do I just remove it and put it back in?

Yes, just remove it for 5 min; it will clear the BIOS settings.

You will need to run Killdisk first. When removing the CMOS battery, also remove the laptop battery. You can just unplug it, without physically removing the battery. Optionally you could also remove the RAM when removing the CMOS battery anyway.

Check this teardown video for your laptop: 

Direct link to video:


1 minute ago, DoctorNick said:

Yes, just remove it for 5 min; it will clear the BIOS settings.

You will need to run Killdisk first. When removing the CMOS battery, also remove the laptop battery. You can just unplug it, without physically removing the battery. Optionally you could also remove the RAM when removing the CMOS battery anyway.

Check this teardown video for your laptop: 


I've been on the inside of the laptop, because I had to change the thermal paste, so I know how to get there. Well ok then, thanks for the advice and I hope I will get things done. Wish me luck!


32 minutes ago, tasho said:

Recently my computer got infected with a virus, which encrypted all my files with a .zzla extension and demanded a payment to get them back. Since all my valuable data was backed up, I decided that I would just reset Windows entirely and it would kill the virus. I reset it from the settings, and selected the option to delete everything on the drives. After that, it seemed as if it worked, Windows appeared to be normal, but Windows Security started acting really strange, turning off and on again, sending weird messages for programs which shouldn't be malicious (AnVir Task Manager, Gridin anti-malware). And then - I get a ton of notifications from Discord - someone (or some virus) had sent a ton of fake phishing links to everyone on my friends list, and some random people. I deleted the messages and logged out, and I created a Windows Media Creation Tool, so I could start a completely new installation of Windows on a formatted drive. I formatted both my drives and the partitions, and again it seemed to be normal at first, but last night the same thing with Discord happened, but this time on Instagram - it posted on my account, my story and followed random people. I checked and saw that there was a login from Helsinki, and I don't know how that's possible since I have two-factor authentication turned on. But my guess is that since I was logged in to Instagram on my PC, this hidden virus logged in from my browser and that's why it wasn't detected as a new login. Mind you that this happened while I was asleep, and the PC was turned off. I don't know what to do, please if anyone has any idea what I can do, I would love some help. Windows Security doesn't detect anything, neither does Malwarebytes, Gridin antivirus, or Bitdefender. Would buying new drives and throwing away these help? Or can this thing attach itself to the BIOS or something like that?

Damn, you're typing all of that. A really long thread; people need to appreciate it, actually.

So if you think you got hacked at some point, maybe try to back up all of your accounts, such as your email account and password. And maybe change the password in case somebody has been trying to hack your account, or reset the API key in Steam if you have one.

Then follow these steps:

- Download the Windows 10 ISO from Microsoft.com (not from anywhere else)

- Install Windows

- Format the drive

- Do a clean install on your PC

- Don't plug in the internet when you're setting up your computer for the first time

- Use a local account instead of a Microsoft account

- Update the BIOS on your motherboard to the latest version (if you haven't, but there is no virus that can really mess with the BIOS, because the virus is on the drive itself, not in the BIOS ROM; it is somewhat impossible to hack a BIOS with a janky virus)

- Then, if those things work like a charm, maybe be careful browsing the internet: use an ad blocker, don't get trapped by a phishing site, and maybe consider using a VPN.

Hello there... I'm both speedrunner and tech nerd. But not professional...

steam pcpartpicker.com speedrun.com


7 minutes ago, XnonXte said:

Damn, you're typing all of that. A really long thread; people need to appreciate it, actually.

So if you think you got hacked at some point, maybe try to back up all of your accounts, such as your email account and password. And maybe change the password in case somebody has been trying to hack your account, or reset the API key in Steam if you have one.

Then follow these steps:

- Download the Windows 10 ISO from Microsoft.com (not from anywhere else)

- Install Windows

- Format the drive

- Do a clean install on your PC

- Don't plug in the internet when you're setting up your computer for the first time

- Use a local account instead of a Microsoft account

- Update the BIOS on your motherboard to the latest version (if you haven't, but there is no virus that can really mess with the BIOS, because the virus is on the drive itself, not in the BIOS ROM; it is somewhat impossible to hack a BIOS with a janky virus)

- Then, if those things work like a charm, maybe be careful browsing the internet: use an ad blocker, don't get trapped by a phishing site, and maybe consider using a VPN.

Thanks for the advice, I'm gonna follow the steps listed by @DoctorNick. I know the virus most likely isn't in the BIOS, but I want to be 100% sure I'm going to be clean.


2 minutes ago, tasho said:

Thanks for the advice, I'm gonna follow the steps listed by @DoctorNick. I know the virus most likely isn't in the BIOS, but I want to be 100% sure I'm going to be clean.

Alright, cool. Good luck!


Also good to note here: your accounts were most likely compromised during the first infection, and any stored logins from any web browser are most likely now public to some degree. Change every single account password while you still have the time to do it, change your security questions as well just for good measure, and enable 2FA (two-factor authentication) where possible. This happened once to me on a school Gmail account and after a few years with 2FA it hasn't happened to me again. Despite what you might be able to wipe clean computer-side, there's a good chance your accounts are already too far gone. Do what you can now before things get too bad and you lose all of your accounts for good.

Also worth noting, I have to agree with @XnonXte here. You're doing a lot of risky stuff that honestly isn't entirely necessary. BIOS-level persistent hacks are extremely uncommon at best and are usually reserved for high-value cyber targets, not the average joe. Of course I do respect your wish to be absolutely sure, but you are now messing with very sensitive, expensive hardware, and one bad cable pull or slipped screwdriver in a laptop enclosure can be the death of the system or hundreds of dollars in the pit. This is one of those leaps of faith where I can confidently say you should be fine without doing this. Especially given that a virus with exploits of this caliber requires years of dedicated penetration testing and advanced hardware and software knowledge, along with specific hardware-targeting information and BIOS-level exploits that as a whole could be worth millions, if not billions, of dollars, and that wouldn't be used on the average joe, at least not en masse, and not without being extremely high-profile.

My profile picure is real. That's what I look like in real life. I'm actually a blue and white African Wild Dog.

Ryzen 9 5900X - MSI Ventus 2x OC 3060 Ti - 2x8GB Corsair Vengeance LPX 3200MHz CL16 - ASRock B550 Phantom Gaming ITX/ax

EVGA CLC 280 + 2x140mm NF-A14 - Samsung 850 EVO 500GB + WD Black SN750 1TB - Windows 11/10 - EVGA Supernova G3 1000W


Just now, DaJakerBoss said:

Also good to note here: your accounts were most likely compromised during the first infection, and any stored logins from any web browser are most likely now public to some degree. Change every single account password while you still have the time to do it, change your security questions as well just for good measure, and enable 2FA (two-factor authentication) where possible. This happened once to me on a school Gmail account and after a few years with 2FA it hasn't happened to me again. Despite what you might be able to wipe clean computer-side, there's a good chance your accounts are already too far gone. Do what you can now before things get too bad and you lose all of your accounts for good.

Also worth noting, I have to agree with @XnonXte here. You're doing a lot of risky stuff that honestly isn't entirely necessary. BIOS-level persistent hacks are extremely uncommon at best and are usually reserved for high-value cyber targets, not the average joe. Of course I do respect your wish to be absolutely sure, but you are now messing with very sensitive, expensive hardware, and one bad cable pull or slipped screwdriver in a laptop enclosure can be the death of the system or hundreds of dollars in the pit. This is one of those leaps of faith where I can confidently say you should be fine without doing this. Especially given that a virus with exploits of this caliber requires years of dedicated penetration testing and advanced hardware and software knowledge, along with specific hardware-targeting information and BIOS-level exploits that as a whole could be worth millions, if not billions, of dollars, and that wouldn't be used on the average joe, at least not en masse, and not without being extremely high-profile.

TL;DR: change all your passwords and enable 2FA where you can, and while I can't necessarily stop you, I will say that you would be fine not messing with the CMOS, you shouldn't mess with the CMOS, and you have no big reason to be worried that your BIOS is hacked.


10 minutes ago, DaJakerBoss said:

Also good to note here: your accounts were most likely compromised during the first infection, and any stored logins from any web browser are most likely now public to some degree. Change every single account password while you still have the time to do it, change your security questions as well just for good measure, and enable 2FA (two-factor authentication) where possible. This happened once to me on a school Gmail account and after a few years with 2FA it hasn't happened to me again. Despite what you might be able to wipe clean computer-side, there's a good chance your accounts are already too far gone. Do what you can now before things get too bad and you lose all of your accounts for good.

Also worth noting, I have to agree with @XnonXte here. You're doing a lot of risky stuff that honestly isn't entirely necessary. BIOS-level persistent hacks are extremely uncommon at best and are usually reserved for high-value cyber targets, not the average joe. Of course I do respect your wish to be absolutely sure, but you are now messing with very sensitive, expensive hardware, and one bad cable pull or slipped screwdriver in a laptop enclosure can be the death of the system or hundreds of dollars in the pit. This is one of those leaps of faith where I can confidently say you should be fine without doing this. Especially given that a virus with exploits of this caliber requires years of dedicated penetration testing and advanced hardware and software knowledge, along with specific hardware-targeting information and BIOS-level exploits that as a whole could be worth millions, if not billions, of dollars, and that wouldn't be used on the average joe, at least not en masse, and not without being extremely high-profile.

Damn, this is actually my first time in this forum that someone is actually agreeing with me lol. Usually I just get either a counter-argument or someone telling me to go f*ck myself, which is rude. But thanks for agreeing here, buddy. It means a lot.
