Results 1 to 2 of 2

Thread: Digging for Malware

  1. #1
    Junior Member
    Join Date
    May 2020
    Posts
    1

    Question Digging for Malware

    Ok, so first things first, I read about the first 1/3rd of the 'Before you Post' post. Good lord that thing is long.

    I searched the forum for DropBox, got too many hits to count. I searched the forum for ADS.. and got too many hits to count. So, I'm just going to go on the cautious side and ask questions below.

    Just to let you know, I am anything but a newb to security issues. In fact, I was helping give feedback and mold Spybot back in the day, circa 2005 was the oldest I could find in my Gmail account. However, I'm not sure I've been in this forum in over a decade, so I'm not surprised that I had to form a new account. In fact, I wouldn't be surprised if my old account was even older than Gmail

    Ok then, to the point:

    I'm seeing anomalous things that point to some sort of Malware.

    On both of my laptops, the first letter in the Grub bootloader loading screen has disappeared. (rootkit?)
    In Windows, when I click the Start Menu, I occasionally get a beep sound, that gets cut off in like 1/10th of a second (virus?)
    The program I'm working in occasionally minimizes, then re-maximizes a split second later (surveillance?)
    I occasionally get a CMD prompt window popping up, then disappearing a split second later. (malware delivery?)
    Sometimes I select text, and the entire Operating System becomes unresponsive for 5-10 seconds. (spyware?)
    One other thing! After I installed Spybot, it opened Spybot automatically. I was messing around in Spybot when I noticed that the installer was stuck open. When I closed SpyBot, the installer closed, then Spybot opened by itself, opened the settings menu (by itself) then got stuck on the locations tab. That freaked me out. It reminded me of old school shell stuff, where hackers opened your security programs and disabled them.

    I started out with Comodo, then FortiNet, then Heimdal, then SpyHunter, then MalwareBytes, and now Spybot. Everything including Spybot has only detected silly nonsense (cookies, ad delivery junk in the registry, etc.). Nothing I would consider a package containing a 'probable suspect' let alone a positive hit. Spybot is my 'old faithful', I always use it last to try to detect stuff, because I'm confident that it will find stuff that nothing else can. I'm at the point now where I would like to request official assistance, if you guys have time to help. My next step would be to download all of the offline virus scanners, and SuperSpyware and other junk to 'throw them at the wall and see what sticks'.

    Don't hate me, but I currently have Microsoft Security Essentials enabled, FortiNet is installed, but completely DISabled, Heimdal is running the full-version trial, and is enabled, SpyHunter5 says I have to wait 48 hours to 'uninstall' the Ad Delivery junk it found in the registry (I didn't bother removing that junk manually yet), but it's still enabled just the same, even though it's apparently handicapped, current version Spybot free is enabled, and I installed Anti-Beacon free, enabled all and ran it it as well for good measure.

    ---
    Side Note: I use the June Fabrics plug-in in Windows to use my cell phone as a USB Internet Tether device. I had to disable the 'plug-in' categories under Anti-Beacon to get my internet service running again.
    ---

    So, I ran the Spybot root-kit scanner. It found a TON of Alternate Data Streams under Dropbox, and a couple of others. I'm including a screenshot of that below. Currently, the window is just sitting there like that, with the Stop button grayed out, so I haven't done anything. I came here to ask you how to proceed. That involved me troubleshooting to figure out that Anti-Beacon killed my June Fabrics add-in before I could register and login here.. but here I am.

    Spybot rootkit results.jpg

    Earlier when I checked the settings, all of the options on the Scope Tab were grayed out. When I checked just now, they were not. However, my scan and my root kit scan were both run with only the system and active users ticked off. Normally, I would have tried to run them with everything enabled, maximum heuristics, etc.

    What's next?

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,625

    Default

    Hello crogonint,

    Quote Originally Posted by crogonint View Post
    I started out with Comodo, then FortiNet, then Heimdal, then SpyHunter, then MalwareBytes, and now Spybot. Everything including Spybot has only detected silly nonsense (cookies, ad delivery junk in the registry, etc.). Nothing I would consider a package containing a 'probable suspect' let alone a positive hit. Spybot is my 'old faithful', I always use it last to try to detect stuff, because I'm confident that it will find stuff that nothing else can. I'm at the point now where I would like to request official assistance, if you guys have time to help. My next step would be to download all of the offline virus scanners, and SuperSpyware and other junk to 'throw them at the wall and see what sticks'.
    That's a lot of programs.


    Quote Originally Posted by crogonint;484740
    So, I ran the Spybot root-kit scanner. It found a TON of Alternate Data Streams under Dropbox, and a couple of others. I'm including a screenshot of that below. Currently, the window is just sitting there like that, with the Stop button grayed out, so I haven't done anything. I came here to ask you how to proceed.

    [ATTACH=CONFIG
    13229[/ATTACH]
    The RootAlyzer is an analyst tool and not a scan and fix program. The log alone isn't waving a flag, sometimes even legitimate software uses rootkit technologies. For future reference the RootAlyzer forum is here.

    Quote Originally Posted by crogonint View Post
    Ok, so first things first, I read about the first 1/3rd of the 'Before you Post' post. Good lord that thing is long.
    The forum FAQ includes guidelines in post #1 and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    However, there isn't a volunteer analyst available at this time. I see you started a topic at the malwarebytes forum before posting here, please follow up with the assistance they offered.

    Best regards,

    tashi
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •