• 0

I think I have a Virus, but nothing shows up in scans


Question

Lately my system has been exhibiting signs that it is infected: UAC gets turned off, the system is very slow in responding to any request, and yesterday there were random redirects in Firefox. I have run a scan with Kaspersky Pure, and a full scan with Malwarebytes, both report nothing. I have Process Explorer and do not see anything that should not be running. Yesterday while my wife was playing, Kaspersky popped up a warning, but she ignored it before I could even get a chance to respond. What should I do next?


Recommended Posts

  • 0

# AdwCleaner v4.107 - Report created 11/01/2015 at 09:37:46

# Updated 07/01/2015 by Xplode

# Database : 2015-01-03.1 [Live]

# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

# Username : Jon_2 - JON-PC

# Running from : D:\Web Downloads\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

[x] Not Deleted : BackupStack

[#] Service Deleted : Orbiter

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Trymedia

[x] Not Deleted : C:\Program Files (x86)\JustCloud

Folder Deleted : C:\Program Files (x86)\ORBTR

Folder Deleted : C:\Users\Jon\AppData\Roaming\iWin

Folder Deleted : C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games

Folder Deleted : C:\Users\Jon_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JustCloud

[x] Not Deleted : C:\Users\Jon_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JustCloud.lnk

[x] Not Deleted : C:\Users\Jon_2\Desktop\Sync Folder.lnk

***** [ Scheduled Tasks ] *****

Task Deleted : Driver Booster Scan

Task Deleted : Driver Booster Update

Task Deleted : LaunchApp

Task Deleted : LaunchSignup

Task Deleted : RunAsStdUser Task

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{57C052A7-AAD7-4230-860D-F6768C8EA59F}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{57C052A7-AAD7-4230-860D-F6768C8EA59F}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{57C052A7-AAD7-4230-860D-F6768C8EA59F}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{57C052A7-AAD7-4230-860D-F6768C8EA59F}

Key Deleted : HKLM\SOFTWARE\Conduit

Key Deleted : HKLM\SOFTWARE\SearchProtect

Key Deleted : HKLM\SOFTWARE\ORBTR

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Mozilla Firefox v34.0.5 (x86 en-US)

[e10ek6im.default\prefs.js] - Line Deleted : user_pref("extensions.jid1-dgnIBwQga0SIBw@jetpack.history", "[[\"?? ???????????? ????, ??????? ??????? ??????????? ? ??????? ???? ? ???? ???????. ????????????? ?????????? ??????? ???????? ???????? ? ?[...]

*************************

AdwCleaner[R0].txt - [2179 octets] - [11/01/2015 09:33:52]

AdwCleaner[s0].txt - [2158 octets] - [11/01/2015 09:37:46]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2218 octets] ##########

TDSS found nothing...

  • 0

As others have already suggested I would try an offline scan. My preference would be the Kaspersky Rescue CD freely available from their support site.


  • 0

[x] Not Deleted : BackupStack

[x] Not Deleted : C:\Program Files (x86)\JustCloud


Two things not deleted; try manually removing them through Control Panel. The first one should be called MyPC Backup and the other is JustCloud.

Also check and see if the Firefox shortcut has any extra entries in it, and check the extensions too.

  • 0

Two things not deleted; try manually removing them through Control Panel. The first one should be called MyPC Backup and the other is JustCloud.

Also check and see if the Firefox shortcut has any extra entries in it, and check the extensions too.

Why should he remove JustCloud? What if he uses that for cloud storage / backup?

  • 0

As others have said, offline boot scanners are your friend.

But if they don't find the culprit, or your system is still acting funky afterwards, then like it or not your best bet may just be to nuke it from orbit (aka zero out the drive, then reinstall Windows).

  • 0

I do use JustCloud for backup. I ran HitmanPro and it found 1 Trojan in the temp folder and a bunch of tracking cookies in my daughter's Firefox profile, including sites like animalporn, etc., which she says she has never heard of... Regardless, I'm making progress and would really like to be able to narrow down when/where the infection occurred.

Edit: after reading about JustCloud, I'm going to uninstall it; I don't have anything important stored there.

  • 0

Save personal files

Zero out drive

Reinstall Windows

 

Zeroing out a drive won't help more than a simple format does. It simply ages the drive.

Remember that malware can hide in office files, hidden folders etc.


  • 0

I do use JustCloud for backup. I ran HitmanPro and it found 1 Trojan in the temp folder and a bunch of tracking cookies in my daughter's Firefox profile, including sites like animalporn, etc., which she says she has never heard of... Regardless, I'm making progress and would really like to be able to narrow down when/where the infection occurred.

Edit: after reading about JustCloud, I'm going to uninstall it; I don't have anything important stored there.

 

I don't think there was any real infection at all. The things you've found were most likely installed when someone added "free" software on your PC. My first step in such a situation is to simply clean up the mess. But if you really want to know, you should search for the time when software was installed and compare that with the time when the browser add-ons were installed.

 

Cookies are annoying, but not dangerous. Depending on the age of your daughter, you should consider turning on the "Family Safety" feature for her account. If she is Admin, you should definitely remove those rights. Kids and teens are more likely to install unwanted things. One Admin account per PC is enough: fewer rights, fewer problems. Also turn up UAC so it pops up at any change. That can be a bit annoying, but it helps you as admin to remember not to grant rights easily. Also, it prevents any non-admin from tampering with the settings.

 

There are even more drastic things you could do:

- Delete any add-ons on browser startup or disable them completely

- Auto-sandboxing your browser(s) via sandboxie

- Resetting the computer to a defined state on every reboot
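The two checks described in this post, matching program install dates against when browser add-ons appeared and reviewing UAC plus local Administrators membership, as an added read-only PowerShell script that is not part of the original thread. It assumes the default Firefox profile location under %APPDATA%\Mozilla\Firefox\Profiles and the standard Uninstall and Policies\System registry paths.

```powershell
# Added example: read-only audit, nothing is changed on the machine.
# Part 1: install timeline from Uninstall keys + Firefox extension folders.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# InstallDate is stored as a yyyyMMdd string; entries without one are skipped.
$programs = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        [pscustomobject]@{
            When = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            Kind = 'Program'
            Name = $_.DisplayName
        }
    }

# Each Firefox add-on gets a folder or .xpi under the profile's extensions
# directory (assumed default profile path); its creation time is when it arrived.
$addons = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions" -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ When = $_.CreationTime.Date; Kind = 'Firefox add-on'; Name = $_.Name }
    }

# Merged timeline: programs and add-ons clustered on the same day are the
# usual footprint of a bundled "free" installer.
@($programs) + @($addons) | Where-Object { $_ } |
    Sort-Object When | Format-Table When, Kind, Name -AutoSize

# Part 2: UAC policy. EnableLUA=1, ConsentPromptBehaviorAdmin=2 and
# PromptOnSecureDesktop=1 together are the "Always notify" level.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac | Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop | Format-List

# Local Administrators membership via ADSI, which works on Windows 7
# (Get-LocalGroupMember only exists on newer releases).
$group = [ADSI]'WinNT://./Administrators,group'
$group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
```

Run it from an elevated prompt so the HKLM keys and group membership are readable; every account listed at the end beyond the one admin the post recommends is a candidate for demotion.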


  • 0

A lot of new viruses use stub generators that make them FUD, even with the best AV software.

Packer stubs are the easiest thing to detect (e.g. destroyed IAT = guilty). In fact, a lot of AV software automatically flags any software just because of the presence of a stub; even legitimate software using commercial packers has to get whitelisted by AV companies. What makes malware a pain in the behind to detect is custom bytecode interpreters, AKA virtual machines. 100+ opcode handlers interleaved with each other, randomly generated for each binary, are hard to resolve.

  • Like 2

  • 0

The last time I had to deal with a malware infection I lost so much time at that client cleaning the computer that when my company charged him he could have bought a new computer. It was a ridiculously difficult infection, and the first thing I told the client was "back up the important stuff and refresh the computer". But no, he wanted the stuff cleaned.

Problem was, no AV solution found anything at all because it was a new malware in the wild, so no signatures existed. Also no heuristics, because the darn thing was pretty good at hiding. And no antimalware software caught anything; Autoruns also didn't find anything special and the process manager wasn't showing anything weird... until, when navigating to a banking site, a process would start.

The interesting stuff is that the process would inject into the HTML on the fly (the digital certificate the site has was untouched and nothing visible in the HTML was changed) and it tried to gather some data from that particular bank (there was a small piece of JavaScript code injected into the HTML that the real site didn't have), sending that data back to a server in Ukraine (possibly not the end server; see the rest of the post). The attack was very sophisticated since it didn't ask for anything at all; it just showed a particular GIF after the successful attack that the client found out of place on that site (and called me, since I was doing other stuff at that client anyway; for the curious, it was a loading bar that was exactly like the real one, but with different colors). If it wasn't for that GIF the client would never have suspected anything at all.

A couple of months later I found out via someone who works in a confidential place that it was a specially crafted program made for that attack, that targeted a couple of enterprises whose admins traveled to a couple of countries like Angola or Brasil (hence why I found that the server in Ukraine was just a proxy), and it tried to gather not only the security code but the complete security matrix card, in an attempt to recreate it. How it got in there I dunno.

In the end, if the computer had been refreshed I would never have learned this, but then again, the quantity of time wasted trying to clean it...
