Need my cloud scrubbed of malware

estwig

Free Member
Sep 29, 2006
13,071
4,830
in the cloud
Got myself mixed up with the wrong girl, being a single fella with little family the lockdown has hit me hard.

There is some kind of really nasty malware on my main machine, two attempts by different ‘IT experts’ to wipe my HDD haven’t got rid of it, I’m going to buy a new PC.

I have just over 10GB of data in my Dropbox account, it’s nicely organised but obviously I no longer trust it.

How do I have the files professionally scrubbed clean? I’m looking for some kind of guarantee or indemnity that comes with a financial cost to the expert, should something go wrong.
 

gpietersz

Free Member
  • Business Listing
    Sep 10, 2019
    2,712
    2
    705
    Northwhich, Cheshire
    pietersz.net
    There is some kind of really nasty malware on my main machine, two attempts by different ‘IT experts’ to wipe my HDD haven’t got rid of it, I’m going to buy a new PC.

    Wipe the hard drive and reinstall the OS. If your experts did not suggest that as a last resort, they are not experts. I would find someone better before looking for more complex solutions.

    As for cleaning files on Dropbox, do you know what the malware is, and what file types it can be carried by? The chances are all you need to do is to sync and scan the downloaded files. You could also look at file histories in Dropbox and go back to versions from before the malware infection (if you know when it was) - depending on whether any data loss is acceptable.
     

    estwig

    Wipe the hard drive and reinstall the OS. If your experts did not suggest that as a last resort, they are not experts. I would find someone better before looking for more complex solutions.

    As for cleaning files on Dropbox, do you know what the malware is, and what file types it can be carried by? The chances are all you need to do is to sync and scan the downloaded files. You could also look at file histories in Dropbox and go back to versions from before the malware infection (if you know when it was) - depending on whether any data loss is acceptable.

    Appreciate your help, if it was as simple as this I would have fixed it long before now.
     

    gpietersz

    Are you saying that after wiping the HDD and restoring the OS to factory default the malware is still there?

    Which means it’s in firmware? On the computer or on some hardware plugged into it? That means not only is the old computer suspect, so is anything ever connected to it, unless you know which firmware can be infected.
     

    Deleted member 325090

    If you have multiple HDDs in the machine, take them all out except the one that (you want to have) your system OS on it.

    Assuming it no longer has anything of worth on it, delete all the partitions on the HDD and reformat it with a single partition. Unless it's somehow managed to infect your firmware, I can't think of any way it could survive that.

    Reinstall your OS, a virus checker, and use the machine for a bit and make sure there are no further issues. If you can do the above without connecting to the internet, all the better.

    Once you're happy you can then start to systematically (i.e. one at a time) re-integrate various attachments, such as your Dropbox, other HDDs, NAS etc., then use it for a bit.

    By doing this, you should find out where the offending files are that keep re-infecting you. You might need to repeat the steps a few times until you know what's safe and what needs wiping/fixing.

    As for your final comment about indemnity, I think you need to look at it from the IT person's point of view. You've no idea what data or hardware is already infected, or what it's infected with, you don't know whether damage is already done to these files, yet you want them to provide guarantees?

    I don't do this kind of work myself, but if I did, I can't imagine touching it with a barge pole if those were the contractual terms.
     

    gpietersz

    As for your final comment about indemnity, I think you need to look at it from the IT person's point of view. You've no idea what data or hardware is already infected, or what it's infected with, you don't know whether damage is already done to these files, yet you want them to provide guarantees?

    I don't do this kind of work myself, but if I did, I can't imagine touching it with a barge pole if those were the contractual terms.

    This. I was thinking of saying something similar (but Wayne has said it better than I was going to).


    Assuming it no longer has anything of worth on it, delete all the partitions on the HDD and reformat it with a single partition. Unless it's somehow managed to infect your firmware, I can't think of any way it could survive that.

    I assume from @estwig's reply to my comment above that he has done this and it still survives, which means it has to be firmware, or it gets reinfected from something else it connects to (hardware, something on the local network..?).

    It might be worth syncing the dropbox files to a machine with a different OS and running a malware scanner on it there. Even the original machine with a different OS booted off USB, maybe something with security or sysadmin tools on it.
     

    Deleted member 325090

    I assume from @estwig's reply to my comment above that he has done this and it still survives, which means it has to be firmware, or it gets reinfected from something else it connects to (hardware, something on the local network..?).

    Personally I think it's unlikely it's hit the firmware. Although it's not unheard of, I think it's - thankfully - far less common. I think it's far more likely that something more obvious has been missed.

    I did wonder whether the people who'd reformatted the disk didn't reformat all the partitions? Or perhaps the virus lives off on some sort of attached storage that hasn't been wiped.

    If it did infect the firmware too, then it would need a BIOS reflash before reformatting the HDDs.
     

    estwig

    Great answers guys thank you.

    Either this malware is a very serious piece of kit, I have been keeping some very iffy company of late and it is very possible, or:

    The ‘IT guys’ are mugging me off and haven’t actually done anything properly
    The PC is being reinfected by my Dropbox or other attached source
    Or it’s in the firmware

    Where is the firmware, is it on the motherboard?

    This PC is a serious piece of kit, £3k worth, I’m looking at just buying another one, I need to know it’s fixed but £3k is a tough thing to swallow!
     

    Deleted member 325090

    The firmware is typically stored in a chip on the motherboard. It's also often known as the 'BIOS'.

    You can usually 'flash' it back to factory defaults with a utility provided for free by the motherboard manufacturer. It only takes a couple of minutes if you're comfortable with it.

    In your case, I'd exhaust all the other possible points of failure first before I looked at that. I certainly wouldn't brick/sell the PC.
     

    estwig

    The firmware is typically stored in a chip on the motherboard. It's also often known as the 'BIOS'.

    You can usually 'flash' it back to factory defaults with a utility provided for free by the motherboard manufacturer. It only takes a couple of minutes if you're comfortable with it.

    In your case, I'd exhaust all the other possible points of failure first before I looked at that. I certainly wouldn't brick/sell the PC.

    Thank you, all other options have already been exhausted, I desperately need peace of mind. I’m going new motherboard and new SSD.

    Can anything nasty live in RAM?
    Can anything live in the graphics card?
     

    Nico Albrecht

    Free Member
    Business Listing
    May 2, 2017
    1,619
    471
    Belfast
    data-forensics.co.uk
    Gotta love all the guessing advice here. You never mentioned what you actually have as malware. Would be my first thing to actually post. In regards to cleaning it there are services but you might not like the costs of that. Malware loves RAM and GPUs, their favourite place to breed, and they survive in volatile memory for many months after you removed the power lead.
     

    fisicx

    Moderator
    Sep 12, 2006
    46,656
    8
    15,356
    Aldershot
    www.aerin.co.uk
    Scrubbing the cloud may not work.

    It's possible the malware isn't in your Dropbox. But one of the files you download or sync to then phones home and downloads the malware. The files all pass the malware checks and scrubbers because there isn't any malware. It's only after you check the files that the malware is downloaded.

    It could be a word document that links to a bit of javascript or an external reference. All very innocent until the document gets onto your PC.
     
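As an added example (not from the thread or any poster), the kind of check fisicx's point calls for: before trusting synced Office documents, list any package relationships that point outside the file (an attached remote template, for instance) instead of relying on a content scanner that sees no payload. The sample documents are constructed inline; the relationship type names are the standard Office Open XML ones.

```python
"""Flag Office Open XML files (.docx/.xlsx/.pptx) whose .rels parts point
at an external target. Added example; the sample packages are constructed
here so it runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(package_bytes):
    """Return (relationship_type, target) for every relationship in any
    .rels part that is marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal is the default when TargetMode is absent.
                if rel.get("TargetMode", "Internal") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((rtype, rel.get("Target", "")))
    return found


def build_sample_docx(external_template=None):
    """Constructed minimal .docx: only the parts this check looks at.
    With external_template set, settings.xml.rels carries a remote
    attachedTemplate relationship, which Word would fetch on open."""
    doc_rels = (f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" '
                'Target="styles.xml"/></Relationships>')
    settings_rels = f'<Relationships xmlns="{REL_NS}">'
    if external_template:
        settings_rels += (f'<Relationship Id="rId1" '
                          f'Type="{OFFICE_REL}attachedTemplate" '
                          f'TargetMode="External" Target="{external_template}"/>')
    settings_rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL; .invalid never resolves.
    samples = {"clean.docx": build_sample_docx(),
               "suspicious.docx": build_sample_docx("http://example.invalid/t.dotm")}
    for fname, data in samples.items():
        hits = external_relationships(data)
        print(fname, "-> external targets:", hits or "none")
```

A hit is a reason to open the file only in an isolated environment, not proof of malware, since legitimate documents also use external hyperlinks.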

    AllUpHere

    Free Member
  • Business Listing
    Jun 30, 2014
    4,074
    1,684
    It’s starting to look like I’m gonna need some kind of system involving two computers, one I assume is always infected, possibly a mac or Linux machine, and a PC that I keep clean.

    The problem comes in sending files between the two machines.
    Just buy a cheap laptop for porn / booking hookers online etc and keep your work machine completely separate ( once it's sorted).

    You might want to warn clients that if they get unexpected mail from you that they should delete it, and not open attachments.

    What you were doing using a 3 grand machine for 'personal use' I really don't know. I thought you were smarter than that. :D
     

    estwig

    This malware was installed on my machine, whilst it was running, and it was done by someone I know. Don’t ask how that happened, it’s complicated and rather sleazy!

    My email is secure, all accounts (and there are a lot) are all secure with two-step verification, my web hosting is being checked as I type. Apple and Android appear to be clean, typing this on an iPad Pro.

    My main PC and my laptop are both infected, possibly everything else on my home network too, tv boxes, scanner, snom phone, printers, etc, they all connect to each other and to the outside world. I’m sat here in my little back bedroom surrounded by over £10k of IT kit.

    For all I know, even my google thermostat is infected!
     

    gpietersz

    I don’t know what malware it is, I’m not sure it’s relevant to find out.

    It is critical information. If you can identify it you know the attack vectors, so you know what precautions you need to prevent reinfection.

    Which means that this:

    I’m going new motherboard and new SSD.

    Is the equivalent of taking a medicine without a diagnosis. Much better if you know what the malware is.

    It will probably work but it may be more than you need to do (if it's not in firmware) and if it is in firmware it could be in the GPU firmware, or somewhere else. It could be something that is infecting your router, or on a website you use regularly, or ...... These are rare, but so are BIOS or SSD firmware infections (bar the NSA one which has been widely distributed) - in fact I think SSDs probably have to be infected at the point of manufacture (which is what the NSA did).

    If you cannot find out what the malware is (which really is better) I would suggest:

    1. Use a Linux installer (what version does not matter) or a rescue USB to reformat the drives. Maybe Gparted Live ( https://gparted.org/livecd.php ) if you just want to wipe the drive, or GRML if you want to be able to scan as well (instructions on wiki are out of date, but should work).
    2. Reflash the BIOS. How you do it depends on the hardware. Ideally do this without reinstalling Windows - you might be able to do it from Linux or FreeDOS.
    3. Reinstall Windows. A baby Penguin dies every time you do this :).

    There is lots of firmware on a modern PC, and multiple processors besides the advertised ones. Most PCs actually have a separate processor running a different OS for things like remote management.

    But one of the files you download or sync to then phones home and downloads the malware.

    Which would make it malware itself.

    It’s starting to look like I’m gonna need some kind of system involving two computers, one I assume is always infected, possibly a mac or Linux machine, and a PC that I keep clean.

    Linux machines are much less likely to get infected. Macs and Linux are very likely to be hit by the same malware that got your Windows machine.

    The problem comes in sending files between the two machines.

    Run malware scanners on both machines.
     

    mattk

    Free Member
    Dec 5, 2005
    2,579
    974
    49
    Swindon
    I don’t know what malware it is, I’m not sure it’s relevant to find out. Wouldn’t the end result be the same regardless: throw the PC away, scrub the cloud and start again?

    Precisely what malware it is is the single most important piece of information. Most malware is a minor annoyance (popups, redirected search etc.) and can be easily removed. Yours seems more stubborn, but it is hard to know whether the steps taken have been appropriate or you're just, no offence, overreacting.

    It is possible for firmware to get infected, but it is highly unlikely. The malware would have to have been written to target the specific hardware in your PC.

    Similarly, the chances of it infecting other hardware on your network is infinitely small, unless you've p**sed off a foreign superpower.
     

    gpietersz

    I’m sat here in my little back bedroom surrounded by over £10k of IT kit.

    All the more important to find out what the malware is, then you know what it could have infected.

    If you have £10k of kit and are that worried, then even if you have to pay someone good £1k to do the job it's worth it! Either that or just reflash firmware, wipe SSD and reinstall.
     

    gpietersz

    Similarly, the chances of it infecting other hardware on your network is infinitely small, unless you've p**sed off a foreign superpower.

    or GCHQ!

    It was done by someone with physical access to the PC, and probably a login, and physical access to his other hardware. It rather widens the range of things that could have been planted.
     

    estwig

    All I can work out is, it’s me infecting the machine, everything seems to be coming from my Windows admin account, then multiple users appear all with different rights on the PCs, but I don’t even know if I’m describing this correctly. I also had an extension installed in Chrome, which I tried to get rid of, it seemed to disappear on its own. To make matters even worse I tried to fix it myself and in the process have probably buggered up any chance of finding out what it is.

    I’d happily pay a grand or two for someone to come in and fix this. Where do I find someone to do this, and do it properly?
     

    estwig

    What anti-malware are you running and what does it report?

    Malwarebytes among others, it doesn’t report as malware, I think it’s my Windows admin account installing this ‘thing’. I don’t understand how this works, I don’t understand how it keeps coming back, even after wiping the hard drive and reinstalling Windows. Then how does it make the jump to my laptop?
     

    estwig

    When you say jump to the laptop, is that a different machine from the originally infected one, or do you mean it jumps back to the original machine?

    It made the move from my main machine which was first infected, to my laptop. I don’t know how because the laptop doesn’t have access to any cloud or work files.
     

    mattk

    Malwarebytes among others, it doesn’t report as malware, I think it’s my Windows admin account installing this ‘thing’. I don’t understand how this works, I don’t understand how it keeps coming back, even after wiping the hard drive and reinstalling Windows. Then how does it make the jump to my laptop?

    What behaviours make you think you're infected if malware scanners are not reporting anything?
     

    gpietersz

    I think @mattk's question is important. Better describe what is happening.

    If it's on another machine and you do not know what it is, even buying a new, clean PC may not prevent reinfection.

    I think you really do need to get some professional help. They probably need to come round for hands on access to your hardware, so you probably need to ask for recommendations locally.
     

    Chris Ashdown

    Free Member
  • Dec 7, 2003
    13,379
    3,001
    Norfolk
    Malwarebytes among others, it doesn’t report as malware, I think it’s my Windows admin account installing this ‘thing’. I don’t understand how this works, I don’t understand how it keeps coming back, even after wiping the hard drive and reinstalling Windows. Then how does it make the jump to my laptop?

    Have you contacted Microsoft about this problem?

    What do you mean by wiping your hard drive? Exactly what did you do?
     

    estwig

    Have you contacted Microsoft about this problem?

    What do you mean by wiping your hard drive? Exactly what did you do?

    I didn’t do anything, the ‘IT professional’ assured me he had written zeros and ones to the hard drive and then reinstalled Windows.

    Yesterday the main PC was going bonkers with the mouse jumping around, programs opening and closing on their own and lots of other odd behaviour. Which included turning the firewall off! Today it seems to all be fine, but it’s not on the internet if that matters.

    If I had to guess, I’m well outta my depth with this tech stuff, it’s some kind of remote access thing, maybe like TeamViewer.
     

    mattk

    I didn’t do anything, the ‘IT professional’ assured me he had written zeros and ones to the hard drive and then reinstalled Windows.

    Yesterday the main PC was going bonkers with the mouse jumping around, programs opening and closing on their own and lots of other odd behaviour. Which included turning the firewall off! Today it seems to all be fine, but it’s not on the internet if that matters.

    If I had to guess, I’m well outta my depth with this tech stuff, it’s some kind of remote access thing, maybe like TeamViewer.

    Has the main PC had a fresh installation of Windows? If so, do you get the same behaviours as before?

    Do you have the same behaviours on your laptop?
     

    KM-Tiger

    Free Member
    Aug 10, 2003
    10,346
    1
    2,893
    Bexley, Kent
    Yesterday the main PC was going bonkers with the mouse jumping around, programs opening and closing on their own and lots of other odd behaviour. Which included turning the firewall off! Today it seems to all be fine, but it’s not on the internet if that matters.

    If I had to guess, I’m well outta my depth with this tech stuff, it’s some kind of remote access thing, maybe like TeamViewer.

    Sounds like it's a Remote Access Trojan or RAT.

    Reinstalling the OS would get rid of it, so the question is how is your PC getting reinfected? You will probably need a process of elimination to determine that.
     

    estwig

    Has the main PC had a fresh installation of Windows? If so, do you get the same behaviours as before?

    Do you have the same behaviours on your laptop?

    Yes, main PC has a fresh install of Windows. I’ve not seen behaviour as extreme on the laptop as I saw on the main PC. I’m currently running lots of virus scrubbers and malware apps on the laptop.

    I don’t expect to find any malware or other nasties. It was originally installed on my PC by a person, who was sat in front of the PC and logged in as me. The drive has been wiped three times in the last couple of months, with a fresh install of windows each time. It keeps coming back.
     
