Need my cloud scrubbed of malware
- Thread starter estwig
- Start date
After you've done a fresh install of Windows, do you keep it separated away from your laptop and cloud storage or do you then share sharing files across all three devices?
Unless this person has some kind of custom code they deployed on your PC, then if it was malware it would be picked up by a decent scanner.
Are you sure you're not installing an application, after your fresh Windows install, which is causing this behaviour?
Upvote
0
- Original Poster
- #44
The only thing being shared between the laptop and the pc that I can think of is Microsoft’s one drive, which I used to use but lost faith recently and changed to Dropbox. Onedrive has a very annoying habit, it keeps installing itself via windows updates and starting up without asking.
I’m starting to think along the lines of a remote access Trojan, which can then be used to install or doing anything. I’m seeing strange user accounts on the main pc, which as windows users I assume malware won’t detect as something malicious. At the moment the laptop is behaving itself, but that doesn’t mean there isn’t something there. The main pc was good as gold until yesterday.
Upvote
0
If it is a RAT phoning home, you should be able to see its network connections using the 'netstat' command.
That's a command prompt thing, but plenty of guidance on using it if you Google it.
That might give some clues as to what this is and how to deal with it.
Upvote
0
- Original Poster
- #49
If it is a RAT and it's looking likely, I assume that could have been used to install anything on the pc, so getting rid of the RAT, might not for example get rid of a rootkit that the RAT installed.
At the moment I'm struggling to find a solution to this, local PC experts aren't getting the problem, wiping the hard drive and reinstalling windows isn't good enough.
At the moment I'm struggling to find a solution to this, local PC experts aren't getting the problem, wiping the hard drive and reinstalling windows isn't good enough.
Upvote
0
Your problem lies most likely with the Microsoft Account as it syncs settings over the different devices.
Next using malwarebytes is already a problem, product for the bin at best and below average detection. Bitdefender or Kaspersky are my weapons of choice you pay them money and they do magic. Any free security tool is performing poor at best. If they dont pick it up I guess a browser extension is being installed using the Microsoft Accounts sync setting. The extension might pass scans but starts downloading code after being installed.
Also if you run any 3rd party updates the update server can be infected. e.g ccleaner had that issue.
make a Kaspersky rescue usb https://www.kaspersky.co.uk/downloads/thank-you/free-rescue-disk boot into it and run a full deep scan this will take hours. If it doesn't show up on there, copy the log file, upload it to onedrive or dropbox and share it here.
Next using malwarebytes is already a problem, product for the bin at best and below average detection. Bitdefender or Kaspersky are my weapons of choice you pay them money and they do magic. Any free security tool is performing poor at best. If they dont pick it up I guess a browser extension is being installed using the Microsoft Accounts sync setting. The extension might pass scans but starts downloading code after being installed.
Also if you run any 3rd party updates the update server can be infected. e.g ccleaner had that issue.
make a Kaspersky rescue usb https://www.kaspersky.co.uk/downloads/thank-you/free-rescue-disk boot into it and run a full deep scan this will take hours. If it doesn't show up on there, copy the log file, upload it to onedrive or dropbox and share it here.
Upvote
0
- Original Poster
- #51
I’ve never trusted MS and have no use for syncing, so it’s always been switched off, same goes for the daft thing where you can attach a mobile, don’t trust any of it. There was a very iffy browser extension in chrome, wether it was an actual browser extension or something named as a browser extension I don’t know, but it was there, I tried to find out it was but it vanished.
I’ll give kaspersky and bitdefender a go.
My current plan is to remove the SSHD from the pc, take the pc to a man to install a new one and install windows, I suspect my problems are coming from previous ‘IT experts’ who aren’t deleting everything from the drive before reinstalling windows.
I’m reading a lot about macros in ms docs, I don’t use any and plan to switch them off and maybe start using google docs, or something similar. I have to find out how nasty things live in pdfs and AutoCAD, both of which I do use a lot. I use jpegs a lot too, another thing to research.
And I have loads of clients screaming at me, whilst I try and dig myself out of a big hole. If mine was an easy way to make a living, everyone would be doing it!
Upvote
0
F
ffox
Good first step - from what you say, if the 'Experts' are leaving stuff on the drive, they are not formatting it properly. If the virus or malware is there, it will still be there after the re-install of Windows.
Malware can exist in almost any file, so Word, Excel, .PDF, .jepg, Google Doc can all carry the virus and it won't become visible until the file is used in an environment where it can access the PC operating system. From there it will re-infect the entire machine and anything else in the network the machine is connected to.
Get one machine back up virus free with no network, or Internet, connected. Then thoroughly test it.
Use your IoS iPad to communicate with the outside world and bring files back to the restored PC one at a time.
Re-install software on the restored PC one item at a time, and wait between each change. Be prepared for the whole thing to collapse on you at any time and note the point of failure. The last thing you did was the thing that re-introduced the virus - eliminate it.
There is no 'Royal Road' to the solution, only time and patience.
In the longer term - think about using less expensive kit and storage and build in redundancy.
Highly expensive single items of IT, unless absolutely essential to the work you do, tend to represent a single point of failure. Much safer to have fall back kit, a redundant system of working and test your disaster recovery frequently.
Hope this is of some help.
Upvote
0
- Original Poster
- #53
What I still don’t understand is the need to find out what it is, it would seem almost impossible to find out and even then the end result is the same, can’t trust anything.
I have a nasty feeling my pc has multiple nasty things on it, lurking in all sorts of places, I have to assume it has.
My current thinking is to get my main pc running and clean, then only access files and old emails on the laptop assuming at all times the laptop is infected. The problem comes with opening attachments on emails, from people I sent the attachment to in the first place. I do this a lot, send files to people who then work on them and send them back to me, potentially reinfecting me. For all I know my AutoCAD subbies are all infected and will just keep reinfecting me.
I have a nasty feeling my pc has multiple nasty things on it, lurking in all sorts of places, I have to assume it has.
My current thinking is to get my main pc running and clean, then only access files and old emails on the laptop assuming at all times the laptop is infected. The problem comes with opening attachments on emails, from people I sent the attachment to in the first place. I do this a lot, send files to people who then work on them and send them back to me, potentially reinfecting me. For all I know my AutoCAD subbies are all infected and will just keep reinfecting me.
Upvote
0
F
ffox
If you know what it is there will be a specific set of steps for removal, But, as you say, there may be many different things on the machine. This why, once you have a clean machine, you will need to go one step at a time and eliminate each file attachment that starts unwanted activity.
Good anti-virus software should identify and neutralise suspicious activity immediately it starts whether it comes onto the machine from a cloud resource, Internet download or email attachment.
Upvote
0
- Original Poster
- #58
Laptop is back, worked out to hold down the power button, it booted back into windows - big sigh of relief!
I’m well outta my depth, far too techy for me.
Back to plan A, take the SSHD outta the main machine, give the machine to an expert to install a new one and install windows. Have laptop checked by expert for malware/viruses, regardless of outcome wipe drive and install windows.
I’m well outta my depth, far too techy for me.
Back to plan A, take the SSHD outta the main machine, give the machine to an expert to install a new one and install windows. Have laptop checked by expert for malware/viruses, regardless of outcome wipe drive and install windows.
Upvote
0
- Original Poster
- #60
Because I outsource my cad work to others, I don’t actually do anything much other than yap on the phone and type emails. So my subbies email me cad files, which I print as pdfs or on paper and then send to clients, planning, building control, builders, etc.
Yes how to open AutoCAD files on a pc I want to keep clean, is a headache I haven’t solved yet. I can open cad files on an old laptop the same as I’m going to do with other files, but I need to have the cad files on my main machine.
The best I can currently come up with is to open the cad files on the old laptop, virus check them, then email them to the main pc. Autodesk may have a more elegant solution, I haven’t looked yet, I can’t be the first person to face this problem.
Upvote
0
- Original Poster
- #62
Thank you, but it’s onedrive, that would mean having a permanent link between the old laptop and the clean pc. Onedrive does have a very nasty habit of being all helpful and syncing all kinds of stuff without asking first, it could really bugger things up.
Auotdesk do a similar offering which I need to get my head around, I’m hoping it won’t try and sync everything, only cad files and it might even offer a way of accesses it them via the cloud for checking, before downloading to the clean pc.
Upvote
0
F
ffox
You don't have to install the OneDrive client on the local PC. Just open a browser, go to https://onedrive.live.com/, sign in and launch files from there. No Synching, no linking - you stay in control
Upvote
0
- Original Poster
- #65
An update, as much to clarify my own thoughts as to perhaps assist someone else:
Main infected pc in the shop minus the SSHD to have a new SSHD fitted and windows reinstalled, apologised profusely to the man for not trusting him to just wipe the drive, he was very good about it.
DL 40gb of files from Dropbox to an old laptop and checked with various anti-malware apps, Bitdefender found two trojans: Heur. BZC.YAX.Boxter and I found various odd looking files and things in the wrong place. Cleaned as best as possible, going to assume those files are always infected.
laptop is in the shop, it’s a surface-pro so a sealed unit, having the drive wiped and windows reinstalled, going to assume it is always infected.
Getting my head around opening all future ms.docs, PDF’s, etc in a protected mode, read only type thing.
Getting my head around how to open AutoCAD files without admin rights.
Getting my head around how Bitdefender works.
Getting my head around the various settings in my Draytek Vigor router, not easy!
Trust my iPad Pro and my Samsung S20 + 5g, did factory reset on both without backups and have never connected them to anything work related.
Changing all passwords on all accounts, again, there are a lot, via the iPad and writing them down old school style. Two step verification is on everything possible.
Need to work out a system where the old laptop is used for anything I’m not sure of, before forwarding whatever to the main pc, not easy as human error (me) and the passing of time will make things become lax.
Various clients getting very pissy with me, they’ll have to wait!
Main infected pc in the shop minus the SSHD to have a new SSHD fitted and windows reinstalled, apologised profusely to the man for not trusting him to just wipe the drive, he was very good about it.
DL 40gb of files from Dropbox to an old laptop and checked with various anti-malware apps, Bitdefender found two trojans: Heur. BZC.YAX.Boxter and I found various odd looking files and things in the wrong place. Cleaned as best as possible, going to assume those files are always infected.
laptop is in the shop, it’s a surface-pro so a sealed unit, having the drive wiped and windows reinstalled, going to assume it is always infected.
Getting my head around opening all future ms.docs, PDF’s, etc in a protected mode, read only type thing.
Getting my head around how to open AutoCAD files without admin rights.
Getting my head around how Bitdefender works.
Getting my head around the various settings in my Draytek Vigor router, not easy!
Trust my iPad Pro and my Samsung S20 + 5g, did factory reset on both without backups and have never connected them to anything work related.
Changing all passwords on all accounts, again, there are a lot, via the iPad and writing them down old school style. Two step verification is on everything possible.
Need to work out a system where the old laptop is used for anything I’m not sure of, before forwarding whatever to the main pc, not easy as human error (me) and the passing of time will make things become lax.
Various clients getting very pissy with me, they’ll have to wait!
Upvote
0
- Original Poster
- #66
I'm back, not sure how much use this is to anyone, I thought an update might be nice:
I have 2 pcs, one for dealing with 60gb of potentially infected files and one for doing actual work on. The infected PC syncs to dropbox and the clean PC syncs to Onedrive, both completely detached apart from the ability to drag and drop files into a browser window, after opening and checking with Bitdefender and Virustotal. PDF settings, MS doc settings and all other settings related to running anything are disabled, with the ability to enable them to see if anything springs to life on the infected PC.
Draytek router is all set up with various LAN's, all devices are isolated apart from the 'toys LAN', which is an old mobile, stereo, thermostat, and TV boxes. The main PC, printers and scanner, etc, doesn't have wifi. There isn't any DHCP running, everything is static ip addresses. All firewall settings are maxed out, I got a network man to help set this up and plug the holes in my understanding.
All accounts have two step verification, a new laptop is on standby to rescue me if needed, as is an ipad pro and a flagship samsung mobile.
As well as cloud, a samsung T5 ssd usb 3 hdd, is hidden in the house and dealing with backups.
Slowly getting my head around Paragon drive manager, for more backup and recovery options.
Just because you're paranoid, doesn't mean that they aren't out to get you!
I have 2 pcs, one for dealing with 60gb of potentially infected files and one for doing actual work on. The infected PC syncs to dropbox and the clean PC syncs to Onedrive, both completely detached apart from the ability to drag and drop files into a browser window, after opening and checking with Bitdefender and Virustotal. PDF settings, MS doc settings and all other settings related to running anything are disabled, with the ability to enable them to see if anything springs to life on the infected PC.
Draytek router is all set up with various LAN's, all devices are isolated apart from the 'toys LAN', which is an old mobile, stereo, thermostat, and TV boxes. The main PC, printers and scanner, etc, doesn't have wifi. There isn't any DHCP running, everything is static ip addresses. All firewall settings are maxed out, I got a network man to help set this up and plug the holes in my understanding.
All accounts have two step verification, a new laptop is on standby to rescue me if needed, as is an ipad pro and a flagship samsung mobile.
As well as cloud, a samsung T5 ssd usb 3 hdd, is hidden in the house and dealing with backups.
Slowly getting my head around Paragon drive manager, for more backup and recovery options.
Just because you're paranoid, doesn't mean that they aren't out to get you!
Upvote
0
Didn't read this when it was happening and I hope this discovery and its deletion solves your problems @estwig
I'm not an expert and don't know if it would have helped in this instance but Privazer is recommended by experts elsewhere, and may be useful for others on here.
https://privazer.com/en/
No affiliation etc
I'm not an expert and don't know if it would have helped in this instance but Privazer is recommended by experts elsewhere, and may be useful for others on here.
https://privazer.com/en/
No affiliation etc
Upvote
0
@Financial-Modeller it looks to me that cleans up information - it prevents recovery of deleted data by actually over writting it rather than simply marking it deleted.
A good thing to do, but not the same as removing malware.
@estwig, there has to be a better solution.
A good thing to do, but not the same as removing malware.
@estwig, there has to be a better solution.
Upvote
0
- Original Poster
- #72
Not that I can think of, I have 60gb of client files, anyone of those files could be infected and when opened, something nasty can spring to life. Now I've found my first trojan which has been placed inside a pdf doc that I bought from the land registry. This pdf was auto generated by an online app, Stanfords portal, so it was clean when I got it. I feel justified in my paranoia.
Don't feel sorry for me, it's my penchant for hookers in shiny PVC that has got me into this. I am digging myself out.
Upvote
0
- Original Poster
- #77
I'm finding different types of malware buried in pdf docs all over the place, these are docs that I've made, or that have been generated by various Gov and other reputable online services that I use. The malware has planted in them, not DL from a dodgy email.
It seems to be a game of: If you throw enough sh*t at a blanket, some of it will stick!
All the IT security experts I've chewed through in the last 4-5 months, looking at me like I'm a paranoid fruitcake, can all go sit on it!
It seems to be a game of: If you throw enough sh*t at a blanket, some of it will stick!
All the IT security experts I've chewed through in the last 4-5 months, looking at me like I'm a paranoid fruitcake, can all go sit on it!
Upvote
0
Latest Articles
-
The Most Dangerous Moment in Business Is When Everything Is Going WellThey Saw It Coming. They Did Nothing. The Lessons Every Business Owner...- Ozzy
- Updated:
-
AI and Your Business: Useful Tool, Not a Magic WandThere is no shortage of noise around artificial intelligence right now...
- Ozzy
- Updated:
-
Companies House WebFiling security incident: what happened, what to check, and what to do nextCompanies House has confirmed that its WebFiling service suffered a...
- Ozzy
- Updated:
-
Spring Budget 2026: A Quiet Update for UK BusinessesChancellor Rachel Reeves delivered the UK’s Spring Statement on 3 March...
- Ozzy
- Updated:
-
Practical Ways to Make Your Small Business More Resilient (Especially When the Unexpected Happens)Running a business means juggling plenty of things you can plan for and...- UKBF Editor
- Updated:
