I think I just contracted a nasty trojan

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
13,402
A Lost Time
So I did a google search, clicked on a link containing an article. Milliseconds after the page containing the article started loading I got transferred to a new page that informed me that I had an outdated version of adobe flash and I should download the new version. Stupidly I did so, but immediately it didn't feel right. The supposed update could not be found in my downloads folder, nor could I run it.

A few minutes later I made a post on another board, but once I clicked the post button it gave me a "Connection has been Reset" error message. Somehow the post got posted, but then when I tried clicking the edit button I got a wall of xml gibberish.

Soon afterwards, I conducted a scan with avira and antimalwarebytes, but they only found a spigot ad feeder or something.

I tried googling for fake adobe update virus. Certain pages I visited talk of a virus which infects a user's router. So far I don't see any evidence of this. Other pages talk of ransomware and this is one of my big fears at the moment.

Thankfully, all of this happened on my virtualbox installation and my main installation seems so far unaffected as well. However, my virtualbox install has access to all the computer drives save the one containing the main install.

So my questions are:

How do I proceed in order to eradicate the infection?

How do I protect myself against a potential ransomware infection?

PS Are acronis backup files also infected?

Thanks

djbayko

Member
SoSH Member
Jul 18, 2005
25,864
Los Angeles, CA
I don't have much. All I can say is that I also use Avira, Antimalwarebytes, and SpyBot, and I never have any problems.

Good luck!
 

Detts

Well-Known Member
Lifetime Member
SoSH Member
Jul 20, 2005
5,165
Greenville, SC
My kids do this crap all the time.

It probably created a hidden folder to download the executable.

Check your 'installed applications' to see if any new programs have been installed. Uninstall them. You may have to do this in safe mode.

If you do find things to delete make sure you rerun your malware detectors afterwards.
 

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
13,402
A Lost Time
Thanks for the well wishes. Update:

Checked the various processes running and I noticed that tor.exe *32 was running. That's highly unusual since I've never run TOR and you know it's associated with browsing the dark web. So I opened the containing folder, turns out it's my Appdata/Roaming folder and it's just there on its own along with a tor folder. I deleted both, and then I noticed a folder full of alphanumeric characters which was installed today. I deleted that folder as well. Went back to the other forum and this time I was able to log back in and I am also able to make and edit posts. Seems like the problem is gone.

This seems too easy, doesn't it?
 
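As an added illustration, not code from the thread or from any of its posters, the PowerShell triage script below automates the checks described above: processes running from the user's AppData tree (as tor.exe was), folders recently created under AppData\Roaming, programs recently added to the Uninstall registry keys (Detts' "installed applications" check), and the Run keys and scheduled tasks that could re-create a deleted component after a reboot. It assumes an elevated PowerShell session on the affected (virtual) Windows machine; the 24-hour window and the AppData paths are assumptions chosen to match this thread, not fixed rules.

```powershell
# Added triage example (not from the thread). Assumes an elevated PowerShell
# session on the affected Windows VM. The 24-hour look-back window and the
# AppData locations are assumptions matching the thread, not fixed rules.

$since   = (Get-Date).AddHours(-24)
$roaming = $env:APPDATA          # e.g. C:\Users\<name>\AppData\Roaming

# 1. Running processes whose executable lives under the user's AppData tree.
#    Legitimate software rarely runs from there; tor.exe did in the thread.
$suspiciousProcs = Get-Process |
    Where-Object { $_.Path -and $_.Path -like "$env:USERPROFILE\AppData\*" } |
    Select-Object Id, ProcessName, Path, StartTime

# 2. Folders created recently directly under AppData\Roaming (the poster saw a
#    freshly created folder with a random-looking alphanumeric name).
$newDirs = Get-ChildItem -Path $roaming -Directory -Force |
    Where-Object { $_.CreationTime -ge $since } |
    Select-Object FullName, CreationTime

# 3. Recently installed programs, read from the Uninstall registry keys.
#    InstallDate is stored as yyyyMMdd, so a string comparison sorts correctly.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$sinceDay = $since.ToString('yyyyMMdd')
$newApps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -and $_.InstallDate -ge $sinceDay } |
    Select-Object DisplayName, InstallDate, InstallLocation

# 4. Persistence: Run-key values and scheduled-task actions that point into
#    AppData. These are how a deleted component can come back after a reboot,
#    which is why deleting the visible files alone is not a fix.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$profileRunEntries = foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like "*\AppData\*" } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}
$profileTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -like "*\AppData\*" }
} | Select-Object TaskName, TaskPath

"== Processes running from AppData =="
$suspiciousProcs   | Format-Table -AutoSize
"== Folders created in AppData\Roaming since $since =="
$newDirs           | Format-Table -AutoSize
"== Programs installed since $since =="
$newApps           | Format-Table -AutoSize
"== Run-key entries pointing into AppData =="
$profileRunEntries | Format-Table -AutoSize
"== Scheduled tasks executing from AppData =="
$profileTasks      | Format-Table -AutoSize
```

Any hit is a lead to record (path, creation time, registry value) before touching it, not proof on its own; section 4 in particular is the part a manual look at the process list misses, and an empty result there still does not rule out other persistence mechanisms, so it informs the decision between cleaning and rebuilding rather than replacing it.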

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
You didn't solve the problem. Nuke the VM and reinstall from known-good Windows install media. (This is why virtual machines exist.)

Don't use Virtualbox unless you hate yourself. Use VMware or Parallels.

Don't use Windows unless you really hate yourself. Use a Mac.
 

AlNipper49

Huge Member
Dope
SoSH Member
Apr 3, 2001
44,840
Mtigawi
Thanks for the well wishes. Update:

Checked the various processes running and I noticed that tor.exe *32 was running. That's highly unusual since I've never run TOR and you know it's associated with browsing the dark web. So I opened the containing folder, turns out it's my Appdata/Roaming folder and it's just there on its own along with a tor folder. I deleted both, and then I noticed a folder full of alphanumeric characters which was installed today. I deleted that folder as well. Went back to the other forum and this time I was able to log back in and I am also able to make and edit posts. Seems like the problem is gone.

This seems too easy, doesn't it?
I'll bet you $1000 that it's still there
 

Detts

Well-Known Member
Lifetime Member
SoSH Member
Jul 20, 2005
5,165
Greenville, SC
All you did was disable the programs that were masking all the crap that it did, which is why you have to re-scan and/or start over.
 

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
13,402
A Lost Time
I'll bet you $1000 that it's still there
Yeah, I am not taking that bet. It does seem strange that it was so easy for me to delete it; in my experience virus-infected files resist deletion by the user.

I will have to restore an early virtual machine backup I guess.

My main concern right now is whether this infected the rest of the drives and there's a ransomware bomb ticking away at one of them. Any suggestions on what to do? Obviously backup critical files and drives, but what if they are infected?
 

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
13,402
A Lost Time
All you did was disable the programs that were masking all the crap that it did, which is why you have to re-scan and/or start over.
FWIW, I don't think I deleted the programs that were masking what it did. I think I deleted the program that was communicating with the hacker, although obviously, if the trojan is still present, it can reinstall it.
 

AlNipper49

Huge Member
Dope
SoSH Member
Apr 3, 2001
44,840
Mtigawi
Yeah, I am not taking that bet. It does seem strange that it was so easy for me to delete it; in my experience virus-infected files resist deletion by the user.

I will have to restore an early virtual machine backup I guess.

My main concern right now is whether this infected the rest of the drives and there's a ransomware bomb ticking away at one of them. Any suggestions on what to do? Obviously backup critical files and drives, but what if they are infected?
Yeah, run Tron
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,180
Yeah, I am not taking that bet. It does seem strange that it was so easy for me to delete it; in my experience virus-infected files resist deletion by the user.

I will have to restore an early virtual machine backup I guess.

My main concern right now is whether this infected the rest of the drives and there's a ransomware bomb ticking away at one of them. Any suggestions on what to do? Obviously backup critical files and drives, but what if they are infected?
Ransomware is generally never a ticking time bomb. It's the smash-and-grab attack of Infosec. If it can get a connection externally to exchange the encryption key, it's going to then go ahead and encrypt your files as fast as possible.
 

Harry Hooper

Well-Known Member
Lifetime Member
SoSH Member
Jan 4, 2002
34,365
FWIW, I don't think I deleted the programs that were masking what it did. I think I deleted the program that was communicating with the hacker, although obviously, if the trojan is still present, it can reinstall it.
You can always try running a few of the bootable antivirus tools from the likes of Kaspersky or Bitdefender. See here.
 

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
13,402
A Lost Time
Yeah, run Tron
Thanks, I'll check it out.
Ransomware is generally never a ticking time bomb. It's the smash-and-grab attack of Infosec. If it can get a connection externally to exchange the encryption key, it's going to then go ahead and encrypt your files as fast as possible.
That seems reasonable. Besides, it seems unlikely for any time bombs to go off without the main virus program having access to them. It's also unlikely the main program was installed on a non-system drive. Hopefully, that's the case.

You can always try running a few of the bootable antivirus tools from the likes of Kaspersky or Bitdefender. See here.
Thanks, I will also check that out.