New virus not discovered by anti-virus software

Joined: Feb 11, 2017 | Messages: 12 | Reaction score: 0
Just FYI (for your information): SYSTEM and Administrators always have full access to everything.
I am aware that ONLY SYSTEM and Admin have full access. My point is that these folders install themselves and grant themselves SYSTEM, ADMIN and also Authenticated USER access.
You state you have been 40 years in the repair business. I am also a long-time computer user, 34 or 35 years, and my first computer was a SORD running CP/M 80 with dual 8-inch floppy disks, before the IBM PC was on the market.
Also, like you, I am still learning and don't know everything.
But I do know what is happening on my computer, and I NEVER before saw software installing itself and granting itself FULL access as ADMIN, System and also Authenticated USER.
 
Joined: Oct 1, 2014 | Messages: 2,328 | Reaction score: 357
Are you keeping the system isolated from your network?

Have you checked Task Manager to see if anything is showing on the Startup tab you don't recognize? There is another utility you might use to check for startup items, if you could get access from another system without exposing that system also.

Have you tried running one of the anti-virus programs from a virtual desktop, Taskview?

I am wondering if the anti-virus programs would run in Safe Mode or from the limited boot with only Microsoft processes being allowed.

Do any of your anti-virus programs have the ability to check your system during the boot?

Using a Linux (Ubuntu) Live version might allow you to use the system for downloads or other interactions with your network. I don't know if trying an anti-virus from that would be a possibility, but downloading something like the Sysinternals suite should work.

Troubleshooting will be a pain. Cleaning everything out would be best.
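The checks suggested in this reply (the Task Manager Startup tab, startup items, things that run as "practically anything") can be done from one read-only script. The following PowerShell is an added example and is not from the thread or from any of the tools named in it; it assumes an elevated prompt on Windows 10 and that the Sysinternals-style review of each entry is done by hand afterwards. It lists the Run/RunOnce keys, the startup commands WMI knows about, scheduled tasks outside the Microsoft tree together with the account they run as, and services whose binary is unsigned or not signed by Microsoft.

```powershell
# Added example (not from the thread): enumerate common Windows persistence points so the
# entries Task Manager's Startup tab shows (and some it does not) can be reviewed.
# Run from an elevated PowerShell prompt. Read-only; nothing is changed.

$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run / RunOnce registry keys for the machine and for the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host '== Registry Run keys =='
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $providerProps -notcontains $_.Name } |
            ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
    }
}

# 2. Startup folders and other autostart locations as WMI reports them
Write-Host '== Win32_StartupCommand =='
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize

# 3. Scheduled tasks outside the \Microsoft\ tree, with the executable each action runs.
#    The Principal column shows the account the task runs as (SYSTEM, a hidden user, ...).
Write-Host '== Non-Microsoft scheduled tasks =='
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunsAs  = $task.Principal.UserId
                State   = $task.State
                Execute = $action.Execute
                Args    = $action.Arguments
            }
        }
    } | Format-Table -AutoSize

# 4. Services whose binary is not validly signed, or is signed by someone other than Microsoft.
Write-Host '== Services with unsigned / non-Microsoft binaries =='
Get-CimInstance Win32_Service | ForEach-Object {
    # PathName may be quoted and may carry arguments; keep only the executable path
    $exe = $_.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    if ($exe -and (Test-Path $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Service   = $_.Name
                StartAs   = $_.StartName
                Mode      = $_.StartMode
                Binary    = $exe
                SigStatus = $sig.Status
                Signer    = $signer
            }
        }
    }
} | Format-Table -AutoSize
```

Section 4 relies on `Get-AuthenticodeSignature` recognising catalog-signed system binaries, which it does on Windows 8.1 and later; on older systems many Microsoft files will show as `NotSigned` and the list will be noisy rather than wrong. Anything the script lists is a candidate for a closer look, not proof of infection.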
 
Joined: Feb 11, 2017 | Messages: 12 | Reaction score: 0
My computer is a stand-alone computer, so there are no other computers on the network.
I use PORT EXPERT to scan for an external source on the internet.
I also regularly check with Task Manager to see what programs are running, etc.
I believe someone / something has installed a HIDDEN USER account with full admin access;
that is why all these strange folders have full ADMIN, System and Authenticated user access. But
when I delete even the hidden folders, they all reappear again with new names.
I should be the ONLY user on the computer, but I am NOT.
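The two things this post asserts, a hidden account with admin rights and folders that grant Authenticated Users full access, can both be checked directly rather than inferred from Task Manager. The PowerShell below is an added example and not from the thread; it assumes an elevated prompt on Windows 10 (the Security log is unreadable otherwise) and that the suspect folders live under Program Files, which is the place the script scans. It lists every local account, the Administrators group, any account hidden from the logon screen through the Winlogon SpecialAccounts key, recent account-creation and group-membership events, and folders whose ACL gives broad groups write access.

```powershell
# Added example (not from the thread): audit local accounts and look for the over-broad
# folder permissions the poster describes. Elevated PowerShell prompt; read-only.

# 1. Every local account, enabled or disabled, with its SID and last logon
Write-Host '== Local accounts =='
Get-LocalUser | Select-Object Name, Enabled, LastLogon, SID | Format-Table -AutoSize

# 2. Members of the local Administrators group
Write-Host '== Administrators group members =='
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

# 3. Accounts hidden from the logon screen: a value of 0 under the Winlogon
#    SpecialAccounts\UserList key hides the named account. The key normally does not exist.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
Write-Host '== Accounts hidden from the logon screen =='
if (Test-Path $hideKey) {
    (Get-ItemProperty -Path $hideKey).PSObject.Properties |
        Where-Object { 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' -notcontains $_.Name } |
        ForEach-Object { '{0} => {1}' -f $_.Name, $_.Value }
} else {
    'none (key absent)'
}

# 4. Security-log events: account created (4720) and member added to a local group (4732),
#    last 30 days. An account you did not create appears here unless the log was cleared.
Write-Host '== Account creation / group membership events, last 30 days =='
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

# 5. Top-level folders under Program Files whose ACL grants Authenticated Users, Everyone or
#    Users write access (specific write bits or the generic-all / generic-write bits).
#    Ordinary installers give these groups read and execute only.
Write-Host '== Program Files folders writable by broad groups =='
$broad       = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
$writeBits   = [int][System.Security.AccessControl.FileSystemRights]::Write   # WriteData|AppendData|WriteEA|WriteAttributes
$genericBits = 0x10000000 -bor 0x40000000                                    # GENERIC_ALL | GENERIC_WRITE
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$findings = foreach ($root in $roots) {
    foreach ($dir in Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $rights = [int]$ace.FileSystemRights
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                (($rights -band $writeBits) -or ($rights -band $genericBits))) {
                [pscustomobject]@{ Folder = $dir.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Section 3 is the check that matters for "hidden user": an account can be absent from the logon screen and from the Settings app while still appearing in `Get-LocalUser`, so compare the two lists. Section 5 only reports what the ACL says; it does not tell you who set it, which is what the 4720/4732 events and the folder timestamps are for.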
 
Joined: May 6, 2015 | Messages: 2,848 | Reaction score: 501
Okay Liambarr. A trojan could have been inserted into some email or web page and then could have executed and downloaded more of itself before it showed any effects to you. I think that trojans of this 'quality' are not that common but they do exist. It could attach part of itself to any program that runs to detect external devices and I would think could uplift its own privilege level to add an account with admin level. It only has to do that last thing once and it is then capable forever.

The only totally safe thing to do would be to wipe the whole machine, including all disk partitions, even the partition that the machine manufacturer has installed, and then reload from some true clean OS media... and start again, loading all the apps from the original sources. I would not trust any data files that have been on that machine since this started; I would not be surprised if one of them is not suspiciously bigger than it was.
 
Joined: Feb 18, 2016 | Messages: 2,835 | Reaction score: 631
Liambarr, whatever you call it, you have a mess. When you attempt to get rid of the unwanted folders, they just re-spawn.
Take the members' advice given and perform a clean install.
Personally, I wouldn't be reinstalling Baidu antivirus from the reviews I read on it from PC Magazine. Use Windows Defender or any other antivirus program other than Baidu Antivirus 2015. There are many out there. Note: only download programs from the original vendors' sites. You will be up and running in no time, with a clean OS and a pristine registry.
 
Joined: Feb 11, 2017 | Messages: 12 | Reaction score: 0
Liambarr, whatever you call it, you have a mess. When you attempt to get rid of the unwanted folders, they just re-spawn.
Take the members' advice given and perform a clean install.
Personally, I wouldn't be reinstalling Baidu antivirus from the reviews I read on it from PC Magazine. Use Windows Defender or any other antivirus program other than Baidu Antivirus 2015. There are many out there. Note: only download programs from the original vendors' sites. You will be up and running in no time, with a clean OS and a pristine registry.
Windows Defender is worse than Baidu. It is only my 3rd anti-virus, as Malwarebytes Anti-Malware is 1st and Tencent's is 2nd, as THIS was the ONLY anti-virus to recognize this virus/malware.
Okay Liambarr. A trojan could have been inserted into some email or web page and then could have executed and downloaded more of itself before it showed any effects to you. I think that trojans of this 'quality' are not that common but they do exist. It could attach part of itself to any program that runs to detect external devices and I would think could uplift its own privilege level to add an account with admin level. It only has to do that last thing once and it is then capable forever.

The only totally safe thing to do would be to wipe the whole machine, including all disk partitions, even the partition that the machine manufacturer has installed, and then reload from some true clean OS media... and start again, loading all the apps from the original sources. I would not trust any data files that have been on that machine since this started; I would not be surprised if one of them is not suspiciously bigger than it was.

I think I will have to do a clean install after I download a full version of Win 10, as my laptop came with Windows pre-installed.
I have worked with computers a long time and have not seen malware this good. I am thinking hidden 'sticky keys' as the source of a hidden admin user file. I can delete all these USER files and deny ALL admin authority, yet they reappear under new names. The total payload of all the files combined is about 12 MB, so it is a big payload.
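The "hidden sticky keys" idea above refers to the accessibility helpers Windows runs from the logon screen, sethc.exe (Sticky Keys) among them, which are a classic place to look when an unknown account has admin rights. The PowerShell below is an added example, not something from the thread, and it assumes an elevated prompt on Windows 8.1 or later (where `Get-AuthenticodeSignature` understands catalog-signed system files). It reports two known tampering signs for each helper: a binary that is no longer validly Microsoft-signed, and an Image File Execution Options "Debugger" value, which would make Windows start some other program in the helper's place.

```powershell
# Added example (not from the thread): check the logon-screen accessibility helpers in
# System32 for signs of tampering. Elevated PowerShell prompt; read-only.

$helpers  = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$report = foreach ($name in $helpers) {
    $path   = Join-Path $env:SystemRoot "System32\$name"
    # Catalog-signed system files report Status 'Valid' on Windows 8.1+; on older systems
    # many legitimate files show 'NotSigned', so treat that result with care there.
    $sig    = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # An IFEO subkey named after the helper with a Debugger value redirects it to another program.
    $debugger = $null
    $ifeoKey  = Join-Path $ifeoRoot $name
    if (Test-Path $ifeoKey) {
        $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
    }

    [pscustomobject]@{
        Helper       = $name
        Present      = [bool]$sig
        SigStatus    = if ($sig) { $sig.Status } else { 'missing' }
        MsSigned     = ($signer -match 'Microsoft')
        IFEODebugger = $debugger
        Suspicious   = (-not $sig) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft') -or [bool]$debugger
    }
}
$report | Format-Table -AutoSize
```

A row with `Suspicious` set to True is worth keeping as evidence before the wipe the other members recommend; a modified helper or a Debugger value on a machine nobody deliberately configured that way is a strong indicator, whereas a clean table here only rules out this one mechanism.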
 
Joined: Feb 18, 2016 | Messages: 2,835 | Reaction score: 631
If it came with Windows pre-installed, there is most likely a Win 10 OEM partition.
If so, just do an OS factory reset.
 
Trouble (Noob Whisperer, Moderator) | Joined: Nov 19, 2013 | Messages: 13,396 | Reaction score: 2,318
I have worked with computers a long time and have not seen malware this good. I am thinking hidden 'sticky keys' as the source of a hidden admin user file. I can delete all these USER files and deny ALL admin authority, yet they reappear under new names. The total payload of all the files combined is about 12 MB, so it is a big payload.
Probably time to stop talking about it and do something to regain control of your computer.
It's almost certainly a backdoor worm of some type that is likely not beneficial to either your computer or your personal data / accounts / passwords / etc.
These types of malicious software can hide in very remote temp files or even in a system restore point and be called by a hidden task running as practically anything.

Personally, I wouldn't consider anything that is or has ever been attached to this computer as safe, including the factory partition.
I'd use something like Kill Disk or Boot and Nuke and burn it to the ground and start from scratch.
 
Joined: Jun 6, 2016 | Messages: 73 | Reaction score: 21
Hi liambarr,

Some thoughts I have:

Do you regularly back up just your data? Perhaps you can identify a data file backup that occurred before the infection. And then consider using that rather than trying to back up anything from the infected system. Have you tried to format that USB key with 'quick format' unchecked to see if you can get away with it, without it getting infected again as Tim suggests could happen? If it does propagate back onto the mem stick, that's scary! If so, I believe it will take a carefully thought out, forensic approach to the clean install to ensure it doesn't slip back in.

Please keep us posted. I for one wish to know what the heck that thing is and how to stop it. I would be totally beside myself if stuff like that was happening to me.
 