Need my cloud scrubbed of malware

Discussion in 'IT & Internet' started by estwig, Aug 21, 2020.

  1. gpietersz

    gpietersz UKBF Ace Full Member

    1,410 335
    It is critical information. If you can identify it you know the attack vectors, so you know what precautions you need to prevent reinfection.

    Which means that this:

    Is the equivalent of taking a medicine without a diagnosis. Much better if you know what the malware is.

It will probably work but it may be more than you need to do (if it's not in firmware) and if it is in firmware it could be in the GPU firmware, or somewhere else. It could be something that is infecting your router, or on a website you use regularly, or ... These are rare, but so are BIOS or SSD firmware infections (bar the NSA one which has been widely distributed) - in fact I think SSDs probably have to be infected at the point of manufacture (which is what the NSA did).

If you cannot find out what the malware is (which really is better) I would suggest:

    1. Use a Linux installer (what version does not matter) or a rescue USB to reformat the drives. Maybe Gparted Live ( https://gparted.org/livecd.php ) if you just want to wipe the drive, or GRML if you want to be able to scan as well (instructions on wiki are out of date, but should work).
    2. Reflash the BIOS. How you do it depends on the hardware. Ideally do this without reinstalling Windows - you might be able to do it from Linux or FreeDOS.
    3. Reinstall Windows. A baby Penguin dies every time you do this :).

    There is lots of firmware on a modern PC, and multiple processors besides the advertised ones. Most PCs actually have a separate processor running a different OS for things like remote management.

    Which would make it malware itself.

    Linux machines are much less likely to get infected. Macs and Linux are very likely to be hit by the same malware that got your Windows machine.

    Run malware scanners on both machines.
     
    Posted: Aug 22, 2020 By: gpietersz Member since: Sep 10, 2019
    #21
  2. mattk

    mattk UKBF Newcomer Free Member

    2,298 844
Precisely what malware it is is the single most important piece of information. Most malware is a minor annoyance (popups, redirected search etc.) and can be easily removed. Yours seems more stubborn, but it is hard to know whether the steps taken have been appropriate or you're just, no offence, overreacting.

    It is possible for firmware to get infected, but it is highly unlikely. The malware would have to have been written to target the specific hardware in your PC.

    Similarly, the chances of it infecting other hardware on your network is infinitely small, unless you've p**sed off a foreign superpower.
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #22
  3. mattk

    mattk UKBF Newcomer Free Member

    2,298 844
    Double post
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #23
  4. gpietersz

    gpietersz UKBF Ace Full Member

    1,410 335
    All the more important to find out what the malware is, then you know what it could have infected.

If you have £10k of kit and are that worried, then even if you have to pay someone good £1k to do the job it's worth it! Either that or just reflash firmware, wipe SSD and reinstall.
     
    Posted: Aug 22, 2020 By: gpietersz Member since: Sep 10, 2019
    #24
  5. gpietersz

    gpietersz UKBF Ace Full Member

    1,410 335
    or GCHQ!

    It was done by someone with physical access to the PC, and probably a login, and physical access to his other hardware. It rather widens the range of things that could have been planted.
     
    Posted: Aug 22, 2020 By: gpietersz Member since: Sep 10, 2019
    #25
  6. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
All I can work out is, it’s me infecting the machine, everything seems to be coming from my Windows admin account, then multiple users appear all with different rights on the PCs, but I don’t even know if I’m describing this correctly. I also had an extension installed in Chrome, which I tried to get rid of, it seemed to disappear on its own. To make matters even worse I tried to fix it myself and in the process, have probably buggered up any chance of finding out what it is.

I’d happily pay a grand or two for someone to come in and fix this. Where do I find someone to do this, and do it properly?
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #26
  7. mattk

    mattk UKBF Newcomer Free Member

    2,298 844
    What anti-malware are you running and what does it report?
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #27
  8. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
Malwarebytes among others, it doesn’t report as malware, I think it’s my Windows admin account installing this ‘thing’. I don’t understand how this works, I don’t understand how it keeps coming back, even after wiping the hard drive and reinstalling Windows. Then how does it make the jump to my laptop?
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #28
  9. gpietersz

    gpietersz UKBF Ace Full Member

    1,410 335
    When you say jump to the laptop, is that a different machine from the originally infected one, or do you mean it jumps back to the original machine?
     
    Posted: Aug 22, 2020 By: gpietersz Member since: Sep 10, 2019
    #29
  10. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    It made the move from my main machine which was first infected, to my laptop. I don’t know how because the laptop doesn’t have access to any cloud or work files.
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #30
  11. mattk

    mattk UKBF Newcomer Free Member

    2,298 844
What behaviours make you think you're infected if malware scanners are not reporting anything?
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #31
  12. gpietersz

    gpietersz UKBF Ace Full Member

    1,410 335
    I think @mattk's question is important. Better describe what is happening.

If it's on another machine and you do not know what it is, even buying a new, clean PC may not prevent reinfection.

    I think you really do need to get some professional help. They probably need to come round for hands on access to your hardware, so you probably need to ask for recommendations locally.
     
    Posted: Aug 22, 2020 By: gpietersz Member since: Sep 10, 2019
    #32
  13. Nico Albrecht

    Nico Albrecht UKBF Enthusiast Full Member - Verified Business

    829 168
I think OP is just trolling us here to be honest and wasting everyone's time. Story changes too often and no clear answer provided or poorly evaded.
     
    Posted: Aug 22, 2020 By: Nico Albrecht Member since: May 2, 2017
    #33
  14. Chris Ashdown

    Chris Ashdown UKBF Legend Free Member

    11,861 2,465
Have you contacted Microsoft about this problem?

What do you mean by wiping your hard drive? Exactly what did you do?
     
    Posted: Aug 22, 2020 By: Chris Ashdown Member since: Dec 7, 2003
    #34
  15. Jeff FV

    Jeff FV UKBF Big Shot Staff Member

    3,699 1,762
    perhaps the malware has taken over his UKBF account and is making these posts ....
     
    Posted: Aug 22, 2020 By: Jeff FV Member since: Jan 10, 2009
    #35
  16. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    I didn’t do anything, the ‘IT professional’ assured me he had written zeros and ones to the hard drive and then reinstalled windows.

Yesterday the main PC was going bonkers with the mouse jumping around, programs opening and closing on their own and lots of other odd behaviour, which included turning the firewall off! Today it seems to all be fine, but it’s not on the internet if that matters.

If I had to guess (I’m well outta my depth with this tech stuff), it’s some kind of remote access thing, maybe like TeamViewer.
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #36
  17. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    I don’t have the technical knowledge, or the correct terminology to explain the problem correctly.
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #37
  18. mattk

    mattk UKBF Newcomer Free Member

    2,298 844
    Has the main PC had a fresh installation of Windows? If so, do you get the same behaviours as before?

    Do you have the same behaviours on your laptop?
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #38
  19. KM-Tiger

    KM-Tiger UKBF Legend Full Member - Verified Business

    10,004 2,675
    Sounds like it's a Remote Access Trojan or RAT.

    Reinstalling the OS would get rid of it, so the question is how is your PC getting reinfected? You will probably need a process of elimination to determine that.
     
    Posted: Aug 22, 2020 By: KM-Tiger Member since: Aug 10, 2003
    #39
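One defender-side way to run the process of elimination KM-Tiger describes, added here as an example and not code from anyone in the thread: a PowerShell script that snapshots the local accounts, admin group, firewall state and common persistence points a remote-access tool usually touches, taken right after the fresh install and again later, then lists what appeared or vanished between the two. The output folder is an assumed location; everything else uses built-in Windows 10/11 cmdlets.

```powershell
# Added example, not from the thread: snapshot the account, firewall and
# persistence state a remote-access tool usually changes, then diff it against
# the previous snapshot. Run from an elevated PowerShell prompt on Windows 10/11.
$OutDir = "$env:USERPROFILE\Desktop\triage"   # assumed location; change as needed
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$snapshot = [ordered]@{
    # Local accounts and who holds admin rights (the thread reports unexpected users)
    LocalUsers  = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
    LocalAdmins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
    # Firewall per profile (the thread reports it being switched off)
    Firewall    = Get-NetFirewallProfile | Select-Object Name, Enabled
    # Common persistence points: Run keys, scheduled tasks, auto-start services
    RunKeys     = @(foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
        }
    })
    Tasks       = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
        Select-Object TaskName, TaskPath, @{ n = 'Exec'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
    Services    = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, PathName, StartName
    # Anything listening for inbound connections (remote-access tools usually do)
    Listeners   = Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
}

$file = Join-Path $OutDir ("snapshot-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding UTF8
Write-Host "Snapshot written to $file"

# Diff against the newest earlier snapshot: entries that appeared or vanished, per section.
$prev = Get-ChildItem $OutDir -Filter 'snapshot-*.json' | Where-Object { $_.FullName -ne $file } |
        Sort-Object LastWriteTime | Select-Object -Last 1
if ($prev) {
    $old = Get-Content $prev.FullName -Raw | ConvertFrom-Json
    $new = Get-Content $file -Raw | ConvertFrom-Json
    foreach ($section in $snapshot.Keys) {
        $a = @($old.$section | ForEach-Object { $_ | ConvertTo-Json -Compress })
        $b = @($new.$section | ForEach-Object { $_ | ConvertTo-Json -Compress })
        $b | Where-Object { $a -notcontains $_ } | ForEach-Object { Write-Host "[$section] NEW:  $_" }
        $a | Where-Object { $b -notcontains $_ } | ForEach-Object { Write-Host "[$section] GONE: $_" }
    }
}
```

Expect the LastLogon fields of your own account to differ between runs; the lines worth chasing are new accounts, new admin group members, a firewall profile flipping to False, and new tasks, services or listeners that appeared while the PC was meant to be clean.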
  20. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
Yes, the main PC has a fresh install of Windows. I’ve not seen behaviour as extreme on the laptop as I saw on the main PC. I’m currently running lots of virus scrubbers and malware apps on the laptop.

I don’t expect to find any malware or other nasties. It was originally installed on my PC by a person, who was sat in front of the PC and logged in as me. The drive has been wiped three times in the last couple of months, with a fresh install of Windows each time. It keeps coming back.
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #40