Need my cloud scrubbed of malware

Discussion in 'IT & Internet' started by estwig, Aug 21, 2020.

  1. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    That sounds hopeful thank you, I shall read up.
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #41
  2. mattk

    mattk UKBF Newcomer Free Member

    2,297 844
    After you've done a fresh install of Windows, do you keep it separated away from your laptop and cloud storage, or do you then share files across all three devices?

    Unless this person has some kind of custom code they deployed on your PC, then if it was malware it would be picked up by a decent scanner.

    Are you sure you're not installing an application, after your fresh Windows install, which is causing this behaviour?
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #42
  3. DontAsk

    DontAsk UKBF Ace Free Member

    1,531 228
    It's Edge, LOL
     
    Posted: Aug 22, 2020 By: DontAsk Member since: Jan 7, 2015
    #43
  4. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    The only thing being shared between the laptop and the PC that I can think of is Microsoft's OneDrive, which I used to use but lost faith in recently and changed to Dropbox. OneDrive has a very annoying habit: it keeps installing itself via Windows updates and starting up without asking.

    I'm starting to think along the lines of a remote access Trojan, which can then be used to install or do anything. I'm seeing strange user accounts on the main PC, which, as Windows users, I assume malware scanners won't detect as something malicious. At the moment the laptop is behaving itself, but that doesn't mean there isn't something there. The main PC was good as gold until yesterday.
     
    Posted: Aug 22, 2020 By: estwig Member since: Sep 29, 2006
    #44
  5. mattk

    mattk UKBF Newcomer Free Member

    2,297 844
    Have you installed anything since yesterday?
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #45
  6. KM-Tiger

    KM-Tiger UKBF Legend Full Member - Verified Business

    10,004 2,675
    If it is a RAT phoning home, you should be able to see its network connections using the 'netstat' command.

    That's a command prompt thing, but plenty of guidance on using it if you Google it.

    That might give some clues as to what this is and how to deal with it.
     
    Posted: Aug 22, 2020 By: KM-Tiger Member since: Aug 10, 2003
    #46
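    The netstat check KM-Tiger describes, written out as an added PowerShell example (not code from the thread): it lists established TCP connections to addresses outside the private ranges and joins each one to its owning process, which is the first thing to look at when checking whether something is phoning home. The private-range pattern and the function name are assumptions of this example.

```powershell
# Added example, not from the thread. Equivalent to 'netstat -ano -b' from a
# command prompt, but with the owning process resolved for you.
# Run from an elevated PowerShell prompt so that process paths resolve.
function Get-ExternalConnection {
    # Assumed private/loopback ranges to filter out (RFC 1918, loopback, link-local).
    $privateRegex = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $privateRegex } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path        # binaries living under AppData or Temp deserve a closer look
                StartTime     = $proc.StartTime
            }
        } | Sort-Object Process, RemoteAddress
}

# Take a snapshot now; run it again a few minutes later and compare, because an
# implant that only beacons periodically will not show up in a single run.
Get-ExternalConnection | Format-Table -AutoSize
```

    A connection owned by a browser or an updater is expected; one owned by an unfamiliar process, especially a freshly started one running from a user-writable folder, is what to investigate (on a machine you suspect, do the investigating from a known-clean system by noting the PID, path and remote address rather than trusting the suspect box's own tools).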
  7. mattk

    mattk UKBF Newcomer Free Member

    2,297 844
    Wouldn't reinstalling Windows have overwritten any Trojans installed?
     
    Posted: Aug 22, 2020 By: mattk Member since: Dec 5, 2005
    #47
  8. KM-Tiger

    KM-Tiger UKBF Legend Full Member - Verified Business

    10,004 2,675
    Yes, I meant in the event of reinfection.
     
    Posted: Aug 24, 2020 By: KM-Tiger Member since: Aug 10, 2003
    #48
  9. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    If it is a RAT, and it's looking likely, I assume that could have been used to install anything on the PC, so getting rid of the RAT might not, for example, get rid of a rootkit that the RAT installed.

    At the moment I'm struggling to find a solution to this: local PC experts aren't getting the problem, and wiping the hard drive and reinstalling Windows isn't good enough.
     
    Posted: Aug 24, 2020 By: estwig Member since: Sep 29, 2006
    #49
  10. Nico Albrecht

    Nico Albrecht UKBF Enthusiast Full Member - Verified Business

    829 168
    Your problem lies most likely with the Microsoft Account as it syncs settings over the different devices.

    Next, using Malwarebytes is already a problem: a product for the bin at best, with below-average detection. Bitdefender or Kaspersky are my weapons of choice; you pay them money and they do magic. Any free security tool performs poorly at best. If they don't pick it up, I guess a browser extension is being installed using the Microsoft Account sync setting. The extension might pass scans but start downloading code after being installed.

    Also, if you run any 3rd-party updates, the update server can be infected, e.g. CCleaner had that issue.

    Make a Kaspersky Rescue USB (https://www.kaspersky.co.uk/downloads/thank-you/free-rescue-disk), boot into it and run a full deep scan; this will take hours. If it doesn't show up on there, copy the log file, upload it to OneDrive or Dropbox and share it here.
     
    Posted: Aug 24, 2020 By: Nico Albrecht Member since: May 2, 2017
    #50
  11. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    I've never trusted MS and have no use for syncing, so it's always been switched off; the same goes for the daft thing where you can attach a mobile, I don't trust any of it. There was a very iffy browser extension in Chrome. Whether it was an actual browser extension or something named as a browser extension I don't know, but it was there. I tried to find out what it was, but it vanished.

    I'll give Kaspersky and Bitdefender a go.

    My current plan is to remove the SSHD from the PC, take the PC to a man to install a new one and install Windows. I suspect my problems are coming from previous 'IT experts' who aren't deleting everything from the drive before reinstalling Windows.

    I'm reading a lot about macros in MS docs. I don't use any and plan to switch them off and maybe start using Google Docs, or something similar. I have to find out how nasty things live in PDFs and AutoCAD, both of which I do use a lot. I use JPEGs a lot too, another thing to research.

    And I have loads of clients screaming at me, whilst I try and dig myself out of a big hole. If mine was an easy way to make a living, everyone would be doing it!
     
    Posted: Aug 25, 2020 By: estwig Member since: Sep 29, 2006
    #51
  12. ffox

    ffox UKBF Regular Free Member

    1,354 253
    Good first step - from what you say, if the 'Experts' are leaving stuff on the drive, they are not formatting it properly. If the virus or malware is there, it will still be there after the re-install of Windows.

    Malware can exist in almost any file, so Word, Excel, .pdf, .jpeg and Google Doc files can all carry the virus, and it won't become visible until the file is used in an environment where it can access the PC operating system. From there it will re-infect the entire machine and anything else in the network the machine is connected to.

    Get one machine back up virus free with no network, or Internet, connected. Then thoroughly test it.

    Use your iOS iPad to communicate with the outside world and bring files back to the restored PC one at a time.

    Re-install software on the restored PC one item at a time, and wait between each change. Be prepared for the whole thing to collapse on you at any time and note the point of failure. The last thing you did was the thing that re-introduced the virus - eliminate it.

    There is no 'Royal Road' to the solution, only time and patience.

    In the longer term - think about using less expensive kit and storage and build in redundancy.

    Highly expensive single items of IT, unless absolutely essential to the work you do, tend to represent a single point of failure. Much safer to have fall back kit, a redundant system of working and test your disaster recovery frequently.

    Hope this is of some help.
     
    Posted: Aug 25, 2020 By: ffox Member since: Mar 11, 2004
    #52
  13. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    What I still don't understand is the need to find out what it is. It would seem almost impossible to find out, and even then the end result is the same: can't trust anything.

    I have a nasty feeling my pc has multiple nasty things on it, lurking in all sorts of places, I have to assume it has.

    My current thinking is to get my main PC running and clean, then only access files and old emails on the laptop, assuming at all times that the laptop is infected. The problem comes with opening attachments on emails from people I sent the attachment to in the first place. I do this a lot: send files to people who then work on them and send them back to me, potentially reinfecting me. For all I know my AutoCAD subbies are all infected and will just keep reinfecting me.
     
    Posted: Aug 25, 2020 By: estwig Member since: Sep 29, 2006
    #53
  14. ffox

    ffox UKBF Regular Free Member

    1,354 253
    If you know what it is, there will be a specific set of steps for removal. But, as you say, there may be many different things on the machine. This is why, once you have a clean machine, you will need to go one step at a time and eliminate each file attachment that starts unwanted activity.

    Good anti-virus software should identify and neutralise suspicious activity as soon as it starts, whether it comes onto the machine from a cloud resource, Internet download or email attachment.
     
    Posted: Aug 25, 2020 By: ffox Member since: Mar 11, 2004
    #54
  15. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    Appreciate your help. Kaspersky can't scan because of BitLocker; it can't get to the drive.
     
    Posted: Aug 25, 2020 By: estwig Member since: Sep 29, 2006
    #55
  16. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    This is going well: can't get out of Kaspersky, laptop is a brick!
     
    Posted: Aug 25, 2020 By: estwig Member since: Sep 29, 2006
    #56
  17. alan1302

    alan1302 UKBF Ace Free Member

    1,635 301
    Just format it and install a new copy of Windows
     
    Posted: Aug 25, 2020 By: alan1302 Member since: Jun 2, 2018
    #57
  18. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    Laptop is back. Worked out to hold down the power button, and it booted back into Windows. Big sigh of relief!

    I’m well outta my depth, far too techy for me.

    Back to plan A: take the SSHD outta the main machine, give the machine to an expert to install a new one and install Windows. Have the laptop checked by an expert for malware/viruses; regardless of outcome, wipe the drive and install Windows.
     
    Posted: Aug 25, 2020 By: estwig Member since: Sep 29, 2006
    #58
  19. Chris Ashdown

    Chris Ashdown UKBF Legend Free Member

    11,861 2,465
    Why do the AutoCAD files come back to you as attachments? That's asking for problems. Can they not describe the amendments, or can you not open them on an offline computer with some good anti-virus software set up on it?
     
    Posted: Aug 25, 2020 By: Chris Ashdown Member since: Dec 7, 2003
    #59
  20. estwig

    estwig UKBF Legend Free Member

    12,464 4,408
    Because I outsource my CAD work to others; I don't actually do anything much other than yap on the phone and type emails. So my subbies email me CAD files, which I print as PDFs or on paper and then send to clients, planning, building control, builders, etc.

    Yes, how to open AutoCAD files on a PC I want to keep clean is a headache I haven't solved yet. I can open CAD files on an old laptop, the same as I'm going to do with other files, but I need to have the CAD files on my main machine.

    The best I can currently come up with is to open the CAD files on the old laptop, virus check them, then email them to the main PC. Autodesk may have a more elegant solution; I haven't looked yet. I can't be the first person to face this problem.
     
    Posted: Aug 25, 2020 By: estwig Member since: Sep 29, 2006
    #60