
I need help removing a virus


Thread replies: 13
Thread images: 3

File: wtf is this.jpg (353KB, 1655x545px)
So I noticed strange activity on my bandwidth monitor and decided to investigate. Here's what I discovered:

-After 65 seconds of inactivity, the files in the pic are created in a new temp folder
-It keeps connecting to "contentiously.com" through vds.exe
-upload and download rates are at 1.2 K
-It will not do any of this if TaskManager is open
-It will delete all the files it created if I touch the mouse or keyboard
-When TaskManager is opened, 2 instances of "COM Surrogate" suddenly close (not sure if this is normal behavior)

Avast doesn't detect anything, but this is highly unusual and I suspect it's a virus. From the "blake256" file alone, I assume it's mining bitcoins. I googled the symptoms, but only one other person mentioned it and they never got a solution - so I suspect it's something new.

Does anyone know what this is? Suggestions? Is there a tool to let you see what service/file is creating these files?
>>
>>54900449
install gentoo
>>
nslookup contentiously.com
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find contentiously.com: NXDOMAIN


It doesn't real
>>
>>51971506
>/g/ is NOT your personal tech support team
>For tech support/issues with computers, use /wsr/ - Worksafe Requests or one of the following:
>>
backup and reinstall
>>
File: Untitled.png (1KB, 1213x15px)
>>54900495
whois.net says it is. Also, it's changed what it connects to now. See pic.
>>
File: 1462076050243.jpg (367KB, 640x1190px)
Is there a tool to let you see what service is creating files in a folder?
>>
Just reinstall.
>>
>>54900622
sysinternals probably has something you could use.
>>
MBAM or make a bootable USB with some free antivirus SW that allows it
>>
https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx?f=255&MSPPError=-2147217396
Use this to find what program or service is creating those files and nuke it.
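Added example, not from anyone in the thread: the linked Sysinternals tool (Process Monitor) answers the question interactively, but Windows can also record which process creates or deletes files in a folder on its own, via object-access auditing, and the record survives even when the process deletes its files and exits the moment the mouse moves. The script below turns on the "File System" audit subcategory, puts a SACL audit rule on the folder, waits long enough for the 65-second idle trigger, and then pulls the creating process from Security event 4663. It assumes the folder is $env:TEMP (the OP only said "a new temp folder") and that it runs from an elevated PowerShell.

```powershell
# Added example (not from the thread): attribute file creation in a folder to a process
# with Windows object-access auditing (Security event 4663). Run as Administrator.
# ASSUMPTION: the folder is $env:TEMP; the OP only said "a new temp folder".
param(
    [string]$Folder = $env:TEMP,
    [int]$WatchSeconds = 180
)

# 1. Enable success auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry so creating or deleting any file under $Folder
#    (subfolders included, via inheritance) writes a 4663 event.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone",
    "CreateFiles, Delete",
    "ContainerInherit, ObjectInherit",
    "None",
    "Success")
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Leave the machine alone so the idle trigger the OP describes can fire.
$start = Get-Date
Write-Host "Auditing $Folder for $WatchSeconds s; do not touch mouse or keyboard."
Start-Sleep -Seconds $WatchSeconds

# 4. Read the 4663 events written since $start and pull the fields out of the XML.
#    ProcessName is the full image path; ProcessId is a hex string such as 0x1a2c.
#    AccessList holds message codes: %%4417 = WriteData/AddFile, %%1537 = DELETE.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "$Folder*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Process = $d.ProcessName
            PID     = [int]$d.ProcessId
            Object  = $d.ObjectName
            Access  = ($d.AccessList -replace '\s+', ' ').Trim()
        }
    }
}

# 5. One line per process: how many file events it caused and which files.
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Files'; e = { ($_.Group.Object | Select-Object -Unique) -join "`n" } } |
    Format-Table -Wrap

# 6. For PIDs still alive, show the command line; a generic host such as
#    dllhost.exe (COM Surrogate) tells you nothing without it.
foreach ($id in ($rows.PID | Select-Object -Unique)) {
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $id" -ErrorAction SilentlyContinue
    if ($p) { "{0} (PID {1}): {2}" -f $p.Name, $id, $p.CommandLine }
}

# 7. Optional cleanup once you have your answer:
#    $acl.RemoveAuditRule($rule); Set-Acl -Path $Folder -AclObject $acl
```

Two caveats a practitioner would check: the audit rule is on the folder that exists now, so if the malware creates a brand-new folder elsewhere under %TEMP% each time, put the rule on the parent; and the Security log can fill quickly with 4663 events, so remove the rule (step 7) when you are done.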
>>
I think I may have found the problem, but I don't have a solution

http://www.pcworld.com/article/2461120/stealthy-malware-poweliks-resides-only-in-system-registry.html
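Added example, not from anyone in the thread: the linked article describes malware that keeps its code in the registry rather than on disk and runs under COM Surrogate (dllhost.exe), which is the process name the OP saw closing. The read-only triage below lists autorun values in the usual Run/RunOnce keys and flags the hiding tricks such malware relies on (a value name made of characters regedit cannot display, data that invokes a script host instead of naming an executable, or data far too long to be a path), then lists every dllhost.exe with its parent and command line. The "legitimate dllhost.exe is started by svchost.exe with /Processid:{GUID}" rule is a heuristic assumed here, not a claim the thread makes; nothing is deleted.

```powershell
# Added example (not from the thread): read-only triage for registry-resident autoruns
# and for COM Surrogate (dllhost.exe) instances. Run from an elevated PowerShell.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Launchers that can execute code stored in the registry with no file on disk.
$scriptHosts = 'rundll32|mshta|wscript|cscript|powershell|regsvr32|javascript:|vbscript:'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data  = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $flags = @()
        if ($name -match '[^\x20-\x7E]') { $flags += 'unprintable-name' }  # regedit cannot show it
        if ($data -match $scriptHosts)   { $flags += 'script-host' }
        if ($data.Length -gt 512)        { $flags += 'oversized' }          # code, not a path
        [pscustomobject]@{
            Key   = $key
            Name  = ($name -replace '[^\x20-\x7E]', '?')
            Flags = ($flags -join ',')
            Data  = if ($data.Length -gt 120) { $data.Substring(0, 120) + '...' } else { $data }
        }
    }
}
"--- Autorun values with at least one flag ---"
$findings | Where-Object Flags | Format-Table -Wrap

# Heuristic (assumption, not from the thread): a legitimate COM Surrogate is started by
# svchost.exe (DcomLaunch) as "dllhost.exe /Processid:{GUID}". A dllhost.exe with another
# parent, or with no such argument, is worth a closer look. A null CommandLine (access
# denied) is also flagged rather than silently passed.
"--- dllhost.exe instances ---"
Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID     = $_.ProcessId
        Parent  = "$($parent.Name) ($($_.ParentProcessId))"
        Cmd     = $_.CommandLine
        Suspect = ($parent.Name -ne 'svchost.exe') -or ($_.CommandLine -notmatch '/Processid:\{')
    }
} | Format-Table -Wrap
```

Run it with the machine otherwise idle for a couple of minutes, since the OP reports the activity stops as soon as Task Manager is open or the user touches input; a dllhost.exe that appears only then, or an autorun value flagged in HKCU, is what to hand to a second opinion (or to a reinstall decision) before System Restore wipes the evidence.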
>>
Just FYI to future readers, I used system restore and rolled back to a week earlier (when the problem wasn't present). That worked.


This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.