
I recently got redirected to a site which just made a loud beeping sound, when trying to just access a link in a YouTube video description. My Anti Virus Program (Kaspersky Internet Security) instantly closed the browser tab and alarmed me. So I thought that I was alright.

One day later more and more sites wanted me to complete a captcha when trying to access them (every time), which after some research seems to belong to a service called CloudFlare. Also a web page keeps opening with a really poorly made fake of the ReCaptcha, which doesn't do anything anyway. I tried running a full scan through Kaspersky and Malware Bytes, with no success, neither with the Chrome Cleaning Tool.

I looked up my IP on some of those blacklist check websites and I found out that I seem to be on various blacklists (around 7-8). Also according to "Spam Rats" I am identified as a "worst offender".

In addition to that, some games and programs deny access, when I try to log in.

Is there anything I could do? Is it possible that I really am infected by some form of virus and should I be worried?

This post shows how to delete a virus in case of an infection. But in this case I am trying to find out whether I am even infected or what else could be causing this behavior.

Anders
Jan1902
    Possible duplicate of [Help! My home PC has been infected by a virus! What do I do now?](https://security.stackexchange.com/questions/138606/help-my-home-pc-has-been-infected-by-a-virus-what-do-i-do-now) – CaffeineAddiction Dec 27 '17 at 16:34

1 Answer


The challenge is that if the machine is compromised, and it sounds like it is, your ability to diagnose and revert the compromise can be extremely hard if not impossible. This is because the compromise might replace system tools so you can't see its processes, etc.

If the compromise occurred by visiting that page and your web browser was not running with admin privileges and you did not allow it to elevate via UAC prompt, then the compromise would be contained to the login profile in use. But if the session was running with admin, the compromise could extend system wide and if so the ability to revert the damage is a lot harder -- if not impossible.

Assuming the compromise happened within a non-admin context, you can log in with another admin account and see files & processes. Look for processes you don't recognize. Look for files created/modified around the time frame of the compromise. What you find will determine the path to revert the damage. Could be as simple as a malicious chrome plugin was installed. If you cannot determine the compromise and revert, you can create another user and profile and start fresh and copy only the things you know were not compromised -- like documents, etc.

If the compromise happened with elevated rights, while it may be possible to revert the compromise, the best recommendation that can be made without knowing the specific compromise is to restore the OS from factory or fresh from the OS media.

Thomas Carlisle
  • I expected the compromise to only be contained in the browser, but unfortunately reinstalling the Chrome browser doesn't even delete settings, when reinstalling it I expected a fresh chrome, what I got is exactly the same how I left it, all my extensions and settings are still there, possibly containing the virus. In addition to that I found out that the Browser Windows with the Captcha are being opened by Teamspeak 3, which is doing the exact same thing on my laptop. And restoring my Computer to default is near impossible, due to no way to backup important projects, contained on my PC. – Jan1902 Dec 27 '17 at 17:21
  • Also I was not running the browser with admin rights, so I might try using a different windows profile. – Jan1902 Dec 27 '17 at 17:24
  • That would be a good place to start. If you have equipment like spare boxes, if you insert a box between this one and the rest of your network (or Internet) and sniff the traffic, that might help see what the compromise is sending out and also confirm that only happens when logged in as that user. – Thomas Carlisle Dec 27 '17 at 17:26
  • The problem with that is that I have little to no experience with network traffic unfortunately. The only thing I can see is that my PC keeps trying to connect to different services that belong to Cloud Flare, the service which blacklisted me, but I cannot find out which process is doing that. – Jan1902 Dec 27 '17 at 17:30
  • If you are on windows you can use resource monitor or netstat to see network traffic and what process it is coming from. But, if the compromise has affected the OS functionality that these tools leverage it could be hidden. – Thomas Carlisle Dec 27 '17 at 18:47
  • I tried netstat and currently nothing is being connected to that seems malicious, earlier today, a lot of connections went out to different service that belong to Cloud Flare, around every 2 seconds or so, which looked kind of suspicious, but that's gone, currently I can only really see some connections by my Anti Virus, Smart Home Devices, and local stuff. – Jan1902 Dec 27 '17 at 18:52
  • It could be that the malware only lived within that browser process, and got killed when the browser exited completely. – Thomas Carlisle Dec 29 '17 at 18:07
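
The two checks suggested in the answer and comments (files created or modified around the time frame of the compromise, and which process owns each outbound connection) can be scripted as below. This is an added example, not code from the answer or its author; the time window, profile path and polling values are assumptions to adjust.

```powershell
# Added example. Window, profile path and sampling values are assumptions.
param(
    [datetime]$WindowStart = (Get-Date).AddDays(-2),  # assumed start of the suspect time frame
    [datetime]$WindowEnd   = (Get-Date),              # assumed end of the suspect time frame
    [string]$ProfilePath   = $env:USERPROFILE,        # set to the affected user's profile folder
    [int]$Samples          = 120,                     # number of polls
    [int]$IntervalSeconds  = 1                        # poll faster than the ~2 s bursts described
)

# 1. Files in the profile created or modified inside the window.
$recentFiles = Get-ChildItem -Path $ProfilePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd) -or
        ($_.CreationTime  -ge $WindowStart -and $_.CreationTime  -le $WindowEnd)
    } |
    Sort-Object LastWriteTime |
    Select-Object LastWriteTime, CreationTime, Length, FullName

# 2. Poll TCP connections so short-lived ones are still tied to a process.
$seen = @{}
for ($i = 0; $i -lt $Samples; $i++) {
    $conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }
    foreach ($c in $conns) {
        $key = '{0}|{1}|{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if (-not $seen.ContainsKey($key)) {
            # Resolve the owning PID now; the process may be gone by the next poll.
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" -ErrorAction SilentlyContinue
            $seen[$key] = [pscustomobject]@{
                FirstSeen   = Get-Date
                ProcessId   = $c.OwningProcess
                ProcessName = $proc.Name
                Executable  = $proc.ExecutablePath
                ParentId    = $proc.ParentProcessId
                Remote      = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
                Polls       = 0
            }
        }
        $seen[$key].Polls++
    }
    Start-Sleep -Seconds $IntervalSeconds
}

$recentFiles | Format-Table -AutoSize
$seen.Values | Sort-Object ProcessName, Remote | Format-Table -AutoSize
```

Run it from an elevated prompt in a separate admin account with `-ProfilePath` pointing at the affected profile. As noted in the comments, the output can only be trusted if the compromise has not altered the OS functionality these tools rely on.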