PDA

View Full Version : Digging for Malware



crogonint
2020-05-13, 04:33
Ok, so first things first, I read about the first 1/3rd of the 'Before you Post' post. Good lord that thing is long.

I searched the forum for DropBox, got too many hits to count. I searched the forum for ADS.. and got too many hits to count. So, I'm just going to go on the cautious side and ask questions below.

Just to let you know, I am anything but a newb to security issues. In fact, I was helping give feedback and mold Spybot back in the day, circa 2005 was the oldest I could find in my Gmail account. However, I'm not sure I've been in this forum in over a decade, so I'm not surprised that I had to form a new account. In fact, I wouldn't be surprised if my old account was even older than Gmail ;)

Ok then, to the point:

I'm seeing anomalous things that point to some sort of Malware.

On both of my laptops, the first letter in the Grub bootloader loading screen has disappeared. (rootkit?)
In Windows, when I click the Start Menu, I occasionally get a beep sound, that gets cut off in like 1/10th of a second (virus?)
The program I'm working in occasionally minimizes, then re-maximizes a split second later (surveillance?)
I occasionally get a CMD prompt window popping up, then disappearing a split second later. (malware delivery?)
Sometimes I select text, and the entire Operating System becomes unresponsive for 5-10 seconds. (spyware?)
One other thing! After I installed Spybot, it opened Spybot automatically. I was messing around in Spybot when I noticed that the installer was stuck open. When I closed SpyBot, the installer closed, then Spybot opened by itself, opened the settings menu (by itself) then got stuck on the locations tab. That freaked me out. It reminded me of old school shell stuff, where hackers opened your security programs and disabled them.

I started out with Comodo, then FortiNet, then Heimdal, then SpyHunter, then MalwareBytes, and now Spybot. Everything including Spybot has only detected silly nonsense (cookies, ad delivery junk in the registry, etc.). Nothing I would consider a package containing a 'probable suspect' let alone a positive hit. Spybot is my 'old faithful', I always use it last to try to detect stuff, because I'm confident that it will find stuff that nothing else can. I'm at the point now where I would like to request official assistance, if you guys have time to help. My next step would be to download all of the offline virus scanners, and SuperSpyware and other junk to 'throw them at the wall and see what sticks'.

Don't hate me, but I currently have Microsoft Security Essentials enabled, FortiNet is installed, but completely DISabled, Heimdal is running the full-version trial, and is enabled, SpyHunter5 says I have to wait 48 hours to 'uninstall' the Ad Delivery junk it found in the registry (I didn't bother removing that junk manually yet), but it's still enabled just the same, even though it's apparently handicapped, current version Spybot free is enabled, and I installed Anti-Beacon free, enabled all and ran it it as well for good measure.

---
Side Note: I use the June Fabrics plug-in in Windows to use my cell phone as a USB Internet Tether device. I had to disable the 'plug-in' categories under Anti-Beacon to get my internet service running again.
---

So, I ran the Spybot root-kit scanner. It found a TON of Alternate Data Streams under Dropbox, and a couple of others. I'm including a screenshot of that below. Currently, the window is just sitting there like that, with the Stop button grayed out, so I haven't done anything. I came here to ask you how to proceed. That involved me troubleshooting to figure out that Anti-Beacon killed my June Fabrics add-in before I could register and login here.. but here I am. :)

13229

Earlier when I checked the settings, all of the options on the Scope Tab were grayed out. When I checked just now, they were not. However, my scan and my root kit scan were both run with only the system and active users ticked off. Normally, I would have tried to run them with everything enabled, maximum heuristics, etc.

What's next?

tashi
2020-05-17, 23:39
Hello crogonint,



I started out with Comodo, then FortiNet, then Heimdal, then SpyHunter, then MalwareBytes, and now Spybot. Everything including Spybot has only detected silly nonsense (cookies, ad delivery junk in the registry, etc.). Nothing I would consider a package containing a 'probable suspect' let alone a positive hit. Spybot is my 'old faithful', I always use it last to try to detect stuff, because I'm confident that it will find stuff that nothing else can. I'm at the point now where I would like to request official assistance, if you guys have time to help. My next step would be to download all of the offline virus scanners, and SuperSpyware and other junk to 'throw them at the wall and see what sticks'.

That's a lot of programs. :)



13229[/ATTACH]


The RootAlyzer is an analyst tool and not a scan and fix program. The log alone isn't waving a flag, sometimes even legitimate software uses rootkit technologies. For future reference the RootAlyzer forum is here (https://forums.spybot.info/forumdisplay.php?46-RootAlyzer).


Ok, so first things first, I read about the first 1/3rd of the 'Before you Post' post. Good lord that thing is long.

The forum FAQ includes guidelines in post #1 and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

However, there isn't a volunteer analyst available at this time. I see you started a topic (https://forums.malwarebytes.com/topic/259676-maptool/?tab=comments#comment-1381037) at the malwarebytes forum before posting here, please follow up with the assistance they offered. :kboard:

Best regards,

tashi