Virus/malware attacked Windows 10 pro, and possibly FreeBSD as well

usernamekiran

usernamekiran

Hello.
I am kind of a security/privacy conscious person.
On my desktop, I have FreeBSD and Windows 10 pro.

Yesterday, my FreeBSD setup was acting up, but I didn't think much about it. Whenever I was trying to access password vault/manager from firefox, I was getting error "something went wrong, try again later".
A few hours ago, I logged into the windows 10 pro, and it seemed normal at first glance. But the password vault was not opening there. I tried to update the firefox, but it said "couldnt check for updates". I thought something was up with password vault, so I tried to look it up online.
Surprisingly, I couldnt open any domain containing the name "norton".
So as I do regularly, I ran the live update, and initiated a full system scan. Thats when the CoreGuard Antivirus 2009 caught my eye when Norton 360 was scanning it. The complete scan did not detect any threats.
I looked it up, and as per suggestions, I tried to run Norton Power Eraser, but in the very beginning, it could not connect to the server, and it failed completely to scan the system.

I tried again to visit Norton site, but I could never visit it. Then out of curiosity, I visited a few banking websites (that I do not have accounts with), and they were sort of slow to load.

Then I logged in to FreeBSD, and the GUI based DSBMC was not even initiating. I tried to visit Norton site(s), but loading them was a hit and miss even on FreeBSD. I tried to open some media files, and even the VLC media player is not initiating at all.

My question is:
I am willing to perform clean installation of both the Windows 10, as well as FreeBSD. But the thing is, I have 500GB SSD where I have both the operating systems, and I have a 2TB internal HDD (NTFS).
To access that HDD from FreeBSD, I first have to mount it. I had mounted that HDD once since the system was acting up. Now I am unable to mount it (thats why I am doubting FreeBSD was affected as well, among other reasons). So to copy some data, I might have to connect some thumb drive, or USB HDD.

That brings us to the real question: if I perform clean installation of both the operating systems (on SSD), is there a possibility of infection from the internal HDD or the external drive that I might need to copy the data?

What should I do, and what might have caused the infection/attack in the first place? I rarely visit suspicious sites from Windows. Even on FreeBSD, I avoid visiting unknown/suspicious sites. I am kind of surprised that even my Windows got infected.

Any help/suggestions will be appreciated a lot.
Regards,
usernamekiran.
 
My suggestion would be to first do a factory reset on your modem/router. It might need a firmware upgrade, and definitely a couple decent passwords, one for administration, and another for actual Internet connections. If possible, use dd-wrt or openWRT for router firmware.

Second - ditch the outdated brand-name antivirus software (OP's is from 2009!). Win10 comes with Windows Defender built-in, and in my experience, it does an perfectly adequate job if you keep your win10 system up-to-date with regular updates. In fact, brand-name AV software is frankly of dubious value - so keep things simple.

Third (Yes, order matters here!), do reinstall the OS'es.
usernamekiran said:
That brings us to the real question: if I perform clean installation of both the operating systems (on SSD), is there a possibility of infection from the internal HDD or the external drive that I might need to copy the data?
Click to expand...
In a nutshell: No.

Real answer: You might want to be careful when copying the data to an external drive. Yes, that means painstakingly rescuing/copying files one by one. One good way to do that is to boot a FreeBSD installation stick in rescue mode, mount the internal HDD read-only, then external stick read-write, and then safely copy what you need.

Don't worry about accidentally running something that way - in default rescue mode, you can't even run /usr/local/bin/nano, let alone a Windows binary.
 
SirDice said:
Ehm, what kind of modem/router do you have? There's definitely some malware that's able to break into certain popular models. One of the things it does is redirect your DNS requests.
Click to expand...
Hello. Yes, that's a possibility. But I can access the password vault, and Norton websites from the same router using my mobile witout any problems.

But this does not explain the odd behaviour like VLC not initialising (neither by double clicking on a file, nor through whiskers > multimedia > VLC) (I use xfce). Same with DSBMC.
 
I'd have a look on your network devices and see if some are not flagged as dangerous (older EOL things etc). Check any DNS value and see if Windows is not "proxified" by the malware.
Best advice from a long pro Windows user : don't use Norton, that's a bad antivirus. You might get even better results with the sh***y Avast.
I'd suggest Bitdefender Antivirus or Kaspersky (broken by war...) with Fort Firewall, and Internet only with Firefox using uBlock and Noscript 😄
 
usernamekiran said:
Hello. Yes, that's a possibility. But I can access the password vault, and Norton websites from the same router using my mobile witout any problems.
Click to expand...
This is why I suggested the factory reset and up-to-date firmware for the router.


usernamekiran said:
But this does not explain the odd behaviour like VLC not initialising (neither by double clicking on a file, nor through whiskers > multimedia > VLC) (I use xfce). Same with DSBMC.
Click to expand...
Just reinstall both OSes... and stick with Windows Defender, not brand-name AV stuff that frankly does more bad than good. That will solve your problems there. It is a sledgehammer approach, true, but I think it's better to keep things simple and reliable here.
 
I also had a working VLC which suddenly crashed for no reason (and didn't want to debug it). I switched to mplayer meanwhile, and someday, VLC started to work again - without any pkg upgrade. Might not be relevant in your case...?
 
Perceval said:
I also had a working VLC which suddenly crashed for no reason (and didn't want to debug it). I switched to mplayer meanwhile, and someday, VLC started to work again - without any pkg upgrade. Might not be relevant in your case...?
Click to expand...
Actually, it's not even clear to me if OP's VLC and DSBMC issues are on Windows or FreeBSD... I suspect the issues are on the Windows side, but that's nothing that a clean reinstall can't fix.
 
astyle said:
Actually, it's not even clear to me if OP's VLC and DSBMC issues are on Windows or FreeBSD... I suspect the issues are on the Windows side, but that's nothing that a clean reinstall can't fix.
Click to expand...
Even a fresh install of Windows can bring some magical bugs 😂
 
usernamekiran To make sure the virus is in the router or computer , you have to go on a different internet connection different wifi or use your mobile's connection and then try to do what you were doing.

If it is still doing those things , then your computer might be infected , if not! then the router is infected.

Because rootkits exists they don't care if you have unix or windows.
 
dummy0 said:
Because rootkits exists they don't care if you have unix or windows.
Click to expand...
Now that's just a misguided assumption. Any given rootkit is targeted towards specific architectures and OSes, because some minimal cooperation with the initial infected host still needs to happen. If you compile a.c into a.out on SPARC architecture, you can't just copy a.out to a Windows machine and magically expect it to run, much less do anything useful or malicious.

I have suggested an easy sledgehammer solution earlier in this thread (post #6)...
 
There are rootkits that target different OS and which can survive a reinstall. Those are usually found in TLAs and they are not used on Joe Sixpack, normally. But who knows?
 
You must log in or register to reply here.
Back
Top