Trying to find a virus that is hard to detect that opens programs and files and closes browser tabs

Joined
May 11, 2021
Messages
16
Reaction score
0
I ran Farbar and Malwarebytes and have some files. People are only telling me to uninstall security software and not telling me why. I noticed that the logs say I have Firefox, but I don't. They also say many programs fail to start, but it does not seem to say it was because of Avast. It also shows missing files, which I think was due to Windows Update. I want to find the virus so I can transfer files to a new computer. The new update seems to make it so the battery percentage does not display correctly. Note: some security software displayed in the logs is not running. Malwarebytes was run in safe mode, and has never detected anything in any of the last 5 years. I also ran ESET in safe mode with networking, and it only said the Avast browser uninstall tool was unsafe.

I suspect that uninstalling all security software is just going to test if Malwarebytes will detect anything. I have also found that some software will mark things like Garmin software, and various other software, as false positives. So far, nothing has detected what is opening and closing things on my computer. If I did have to pay for some tech at a shop to find something, I do not want to pay for them to find nothing, when something is obviously there. I did notice that the cursor moves in airplane mode and at the login screen. I am hoping that somebody has an idea of how to help me resolve this. So far, everyone seems to say "use Farbar," or reformat my computer, or use "Autoruns," or do what I did already.
 

Attachments

  • Addition.txt
    62.3 KB · Views: 54
  • FRST.txt
    82.9 KB · Views: 51
  • malwarebytes.txt
    1.2 KB · Views: 46
Joined
Jun 2, 2015
Messages
90
Reaction score
16
Joshuacm~

I'll take a bit of a stab at this ... I'm sure others will chime in with their suggestions they WILL be just as valid ...

I'll try to help as best I can from my experiences...

Some things I have noticed from what you have relayed in this post ...(in no particular order)

1) POTENTIAL multiple security or antivirus software running or installed AT THE SAME TIME ...

You DO NOT want to do this .. having them installed and RUNNING ... meaning real-time scanning can and will cause issues as they can and may cause conflicts with each other ... choose ONE to install and to actively scan as you are operating/using your computer is your best bet ... NORMALLY all things working correctly .. Windows Defender will and should 'deactivate' itself if it detects that you are running a different security or antivirus software...

MOST Antivirus software will ALSO offer to be able to scan the files you download ... BEFORE you run or open them ... I would suggest you use this option rather than scanning when downloading...it saves system resources ...if system resources are not an issue then you CAN keep scanning going ... MOST (not all) viruses won't 'activate' themselves until you run or open a program or file...

2) When you get ANY SOFTWARE .. be it security or antivirus ... or ANY SOFTWARE ... get it DIRECTLY from the SOURCE OR DEVELOPER that makes the software.... a majority of the time getting the programs you may desire when gotten DIRECTLY from the developer will be safe.

3) Potential 'false positives' .... this goes hand in hand with #2 above ... if you KNOW the source of the program or file is good and safe ... you're safe... and can potentially safely ignore the warning you might receive from your security software about it being potentially infected.

4) Battery Icon is not correct ... from what I have read there IS an issue with SOME computers and a recent windows update that causes this... I'm not 100% sure which update (it 'seems' to be a Windows 11 update issue) or why this is caused but I have also read that a 'fix' is in the works ...I PERSONALLY don't have nor have I seen this issue on my personal laptop ... or a few other laptops I have serviced that are running the most recent full update for Windows 10 all of which have the FULL update to Version 21H2 of Windows 10.

Hope my advice helps. As I mentioned I'm sure others will potentially chime in here and their suggestions WILL be just as valid as mine so just keep an eye on this thread for other possible suggestions
Good Luck.
~LoneWolf
 
Joined
Oct 13, 2021
Messages
215
Reaction score
12
Change the password just in case. Uninstall all security software (not Defender) except one, and then scan with whatever you choose, preferably Malwarebytes. Then, have you ever had an email sent to you with a game or anything that has a script of code that is executable?
 
Joined
May 11, 2021
Messages
16
Reaction score
0
I understand what the first person said, but I know that the false positives are exactly that. The Windows 10 update does appear to have made the battery percentage wrong. I did not receive any executable files in an e-mail. I once thought a Consumer Reports e-mail may have taken me to an imitation site to unsubscribe, but the site looked legitimate. Other potential sites may have had an ad or popup site, but I am not sure. I know that those times in the past did not bring any hacking or sign of files being opened at the time that it started, and I did not visit any sites with popups since then. I recall that after my Windows profile was repaired, ZoneAlarm had to be reinstalled, and probably Avast was reactivated. Sometime around that time, I clicked on the unsubscribe link in that e-mail. Then I quarantined a virus after the initial activity. But I did not find anything when the activity happened again. I do not know what happened. This computer system is really only 5 years old.
 
Joined
Oct 13, 2021
Messages
215
Reaction score
12
Well, run Malwarebytes. Then, it may also be that your computer has problems, so in an admin PowerShell run the following command and tell me what comes up (even if your computer is not damaged, do this and tell me what comes up): sfc /scannow
After that finishes, run DISM.exe /Online /Cleanup-image /Restorehealth
Also run a Microsoft Defender offline scan. Check your C drive for any unknown folders
AND look in the users folder for any mysterious folders.
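The steps in the post above can be run as one elevated PowerShell session; this is an added example, not part of the original post. The report path and the 90-day "recent" window are assumptions. `DISM /RestoreHealth` repairs the Windows component store that `sfc` uses as its source of known-good files, and `Start-MpWDOScan` restarts the machine into Microsoft Defender Offline.

```powershell
#Requires -RunAsAdministrator
# Added example: repair-and-scan sequence with the results kept in one report file.
$drive  = $env:SystemDrive                               # normally C:
$report = Join-Path $env:PUBLIC 'repair-report.txt'      # assumed output path
$lines  = [System.Collections.Generic.List[string]]::new()

# 1. System File Checker: verifies protected Windows system files.
sfc.exe /scannow
$lines.Add("sfc exit code: $LASTEXITCODE (details: $env:windir\Logs\CBS\CBS.log)")

# 2. DISM: checks the component store for corruption and repairs it.
DISM.exe /Online /Cleanup-Image /RestoreHealth
$lines.Add("DISM exit code: $LASTEXITCODE (details: $env:windir\Logs\DISM\dism.log)")

# 3. Top-level folders on the system drive and under Users, newest first.
#    Creation time, hidden flag and owner help separate Windows folders from
#    ones added later. The 90-day window is an assumption; widen it as needed.
$cutoff  = (Get-Date).AddDays(-90)
$folders = foreach ($root in "$drive\", "$drive\Users") {
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                Recent  = $_.CreationTime -gt $cutoff
                Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Owner   = if ($acl) { $acl.Owner } else { '(access denied)' }
            }
        }
}
$table = $folders | Sort-Object Created -Descending |
    Format-Table -AutoSize | Out-String -Width 200
$lines.Add($table)

# Write the report before the reboot in step 4.
Set-Content -LiteralPath $report -Value $lines
Write-Host "Report written to $report"

# 4. Microsoft Defender Offline scan. This restarts the computer right away,
#    so it only runs after an explicit confirmation.
if ((Read-Host 'Type YES to reboot into Microsoft Defender Offline now') -eq 'YES') {
    Start-MpWDOScan
}
```

Folders owned by `NT SERVICE\TrustedInstaller` or `NT AUTHORITY\SYSTEM` with an old creation date are normally part of Windows; recent folders owned by a user account are the ones to look at first.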
 
Joined
May 11, 2021
Messages
16
Reaction score
0
Somehow the admin privileges have been revoked mostly from this profile (though it was there originally). I can update Malwarebytes, then run it in safe mode again. I can try to run PowerShell in the admin option. What does the second command do? I think I read that for some reason Defender will not run without some specific settings, but I can try. I had downloaded it for offline use. How do I determine if there are unknown folders? I think that I may have checked for unknown installed programs. But I know I wouldn't recognize all Windows folders.
 
Joined
Oct 13, 2021
Messages
215
Reaction score
12
Have you thought about a clean install because whether or not there is a virus it sounds like your computer is messed up.
 
Joined
May 11, 2021
Messages
16
Reaction score
0
Somebody suggested this, but the battery may not be fully functional due to Windows shutting down when it is saying it is almost fully charged, and loading back up at 8%. It seems logical to try to find what is wrong instead of investing more in this computer so I can put everything on the laptop I bought in August, which can no longer be returned. Windows updates keep erasing drivers and files from the old laptop. I think there must be some resource to solve this. In Vista, I had used the solution about reinstalling Windows when systems were infected but the keyboard function stayed problematic, and we had to just restore files, and then put security programs to try to protect against viruses. This doesn’t actually solve the problem, but just tries to help take care of the system and is a partial solution. I do not want to just use the old one temporarily until the power runs out, nor transfer a hidden virus to the new laptop.
 
Joined
Oct 13, 2021
Messages
215
Reaction score
12
Get a repair disk and repair it, and if that does not work, use an installation disk, and when you have booted to the installation disk, select repair my computer after you select the language. Also try and create an admin account using information found here.
 
Joined
May 11, 2021
Messages
16
Reaction score
0
Someone once said to try to use a USB bootable media when the profile was corrupted to repair windows. There is a 50% possibility that when it was repaired that that contributed to how this virus got on my computer, since that time the firewall was uninstalled, and the antivirus was likely disabled. I do not really know. How would I get a repair disc or installation disc? I do not have access to DVD-Rs where I am at. I do have two admin accounts, and only one I have a password to, as one I forgot the password. The current user account was previously an admin account, but I don't know how to restore the administrator privileges. I am wondering how to keep all important files. Many people say to back them up, then scan the external drive, but the fact that software is not finding where the infection is is not helping at all. It seems clear that it is unknown what kind of virus this is (whether it is an executable file, or some kind of script, etc). I am also aware that it is pretty hard to get ahold of Microsoft support these days.
 
Joined
Sep 26, 2017
Messages
3,611
Reaction score
624
I ran across a PUP/PUA infection the other day on a client's computer that took a while to clear; it was in the System Volume Information file, which is usually Hidden. Windows Defender finally got it quarantined; it had to do with the Ask.com toolbar.
 
Joined
Oct 13, 2021
Messages
215
Reaction score
12
Create a Windows To Go flash drive, or preferably ask a friend to do it on their computer (I can supply the details). Then boot to it. It will be like booting to a brand new system. Set it up, then use it ONLY to scan your drive for viruses, BUT MAKE SURE YOUR FILES ARE BACKED UP FIRST. I DON'T KNOW WHAT REMOVING A VIRUS COULD DO TO YOUR HARD DRIVE. IT WILL PROBABLY SURVIVE BUT I DON'T know. Anyway, use the custom scan on Microsoft Defender to scan your PC hard drive.

If none of that is possible at the moment, then could you please log in to your full admin account, uninstall all other security software and do a Microsoft Defender offline scan. If that does not work, then reset your PC via settings.

By the way, how do you know that you have a virus? Honestly, it sounds like your PC is in very bad shape.

Also, I would not suggest this, but maybe you should have someone work on your PC remotely (like maybe me, but that would only work if you trusted me, but I can do that if necessary).
 
Joined
May 11, 2021
Messages
16
Reaction score
0
I really understand some of what you are saying, but I am really skeptical of backing up everything from a potentially infected system before removing the virus. I have a lot of stuff backed up already, but not everything. Some things needed to be downloaded before it became clear that this was infected. It looked like a hacker to me initially. The only Microsoft Defender that seems useful potentially is the offline scan since the other one seems like it does not find anything. It seems like there was something that I read about that before though that seems like it might be problematic to do that. I do know that I have an administrator account that I have a password to (assuming you don't mean the built-in one). I still do not know why the infected one has the privileges removed. I would use the phrase that if it walks like a duck, it must be a duck. Files and programs don't open by themselves with the cursor (even in airplane mode), and then the cursor doesn't do that in airplane mode by itself, then also the cursor wouldn't constantly move vertically in the login screen by itself. That is very odd behavior. I had seen the command prompt window open constantly as well, and lagging of the keyboard as well, but that could be a separate issue. At one point, I thought it may not involve a hacker at all, but something like some sort of macro virus, that moves the cursor in a pattern offline in a clicking pattern, as I had used macros in online gaming before, but it wasn't a virus. But the fact that it seemed like potentially it moved to reconnect to wifi within the airplane mode, I am not sure. I know that before quarantining some trojans, I found a URL opened in my browser to a specific website that was not a popup, and it showed coordinates that was clearly tracking some location.
That does not happen anymore, but I know this thing opens programs in the taskbar, then files on my desktop, and also opens HP support center, as well as some program that shows Microsoft accounts that I didn't know existed. It has seemed to move certain windows down to the bottom of the screen when I try to figure out what is running in the background at times. I think there is probably a virus that allows a hacker to do things that is undetected, and not just something that allows some kind of cursor/clicking macro. It may have reprogrammed airplane mode, but I am not sure. I really would like to make sure that no file is infected before moving them to the external hard drive. I know that many files are backed up, but I probably need to check and make sure that they are. Something that I need to do is sync my phone with iTunes correctly since my phone is not properly synced. That is another problem. I really need to remove the virus, and not just erase my computer. It would help if I can do that, then move everything since this system has become more incompatible due to Windows updates.
 
Joined
Oct 13, 2021
Messages
215
Reaction score
12
I think this may sound silly, but have you thought about the fact that the virus is programmed to reveal itself to you and dare you to remove (it's funny, I know, but it's But that's just a suggestion. You must follow previous instructions and do exactly as I said. Run the offline scan for Defender and try searching your drive for any unknown files, but whatever you do, you must run the offline scan before you answer and tell me what happens.
 
Joined
May 11, 2021
Messages
16
Reaction score
0
I have this link for offline scanner: All I see is these instructions. Yours says remote access or flash drive. Their link seems to say in Windows 10 it doesn't need a flash drive. I do not have some large amount of space for running it. Which is needed? Regular Windows Defender does not need some external thing. Is it supposed to be disconnected from the internet? The instructions do not say that. It just says to run the program.
 
Joined
Apr 18, 2021
Messages
274
Reaction score
59
I'm not 100% convinced that you have a malware infection at all, but a messed up system. It is well known that running more than one real-time anti-virus engine can cause all manner of strange issues. This is an absolute no-no.

Usually, with problems such as yours, it's quicker and way more reliable to clean install Windows, deleting all existing boot partitions. You can back up everything to external media first and then run a number of on-demand anti-malware scanners on that external media after you have clean installed Windows and before you copy your data back. IMO trying to locate and clean what you think is a malware infection on your existing system is going to take far longer and be considerably less reliable.
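A way to check the "more than one real-time engine" condition raised in this thread, as an added example that is not part of the original posts. It reads the antivirus entries registered with Windows Security Center; the `0x1000` test on `productState` follows the commonly used interpretation of that undocumented field and is an assumption.

```powershell
# Added example: list every antivirus product registered with Windows
# Security Center (client editions of Windows). No admin rights needed.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct

$summary = foreach ($p in $products) {
    # The reporting executable path may contain %ProgramFiles%-style variables.
    $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedReportingExe)
    [pscustomobject]@{
        Name        = $p.displayName
        # Assumption: bit 0x1000 of the undocumented productState field means
        # "real-time protection on" (the widely used community decoding).
        RealTimeOn  = [bool]($p.productState -band 0x1000)
        ReportedBy  = $exe
        # A registration whose executable is gone is a leftover from an
        # incomplete uninstall, which is why logs can list products that
        # are "installed" but not running.
        StillOnDisk = [bool]$exe -and (Test-Path -LiteralPath $exe)
        LastUpdate  = $p.timestamp
    }
}

$summary | Format-Table -AutoSize

# More than one engine with real-time protection on is the conflict case.
$active = @($summary | Where-Object RealTimeOn)
if ($active.Count -gt 1) {
    Write-Warning ("{0} real-time engines are active: {1}" -f
        $active.Count, ($active.Name -join ', '))
}

# Entries left behind by uninstalled products.
$stale = @($summary | Where-Object { -not $_.StillOnDisk })
foreach ($s in $stale) {
    Write-Warning "Registered but not found on disk: $($s.Name)"
}
```

Leftover registrations are normally cleared with the vendor's own removal tool rather than by deleting the entry by hand.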
 
Joined
May 11, 2021
Messages
16
Reaction score
0
I’m wondering why you don’t think it wouldn’t be a virus. I agree that certain security programs conflict with each other (as some of them have prompts that say that), as well as I’ve seen Windows updates delete things and cause hardware conflicts. However, those things do not cause the cursor to navigate by itself and open and close things and type URLs with tracking coordinates or go to network settings while offline to connect to the internet, or move the cursor to open things while in airplane mode or move it up and down in the login screen in a specific pattern. I even saw in ZoneAlarm that there were hacking attempts. My email account showed people tried to log in and failed, but that can be a separate issue. The fact that things were opened many times on my computer, tabs were closed, and the cursor moved around when I was not touching anything, shows that either something is programmed to do something, hacking, or both. Due to the fact that nobody on my WiFi network at my home has had this activity, and only since my system was repaired, it is highly likely that someone accidentally installed a virus, or somehow I got a virus installed that allows for an intrusion. I do not think that conflicting software is causing the cursor to open things, move around, and close things. It even happens at random times and on random days. This suggests somebody is using some exploit to intrude on their free time. I would like to know if I need to use a flash drive, disc or not. That link I sent said I just click the button and it runs from the recovery area. I just don’t want it to delete necessary stuff. I also don’t like the idea of backing up stuff while it may be infected. That could move stuff to another location while it is infected and infect something else. I think people don’t believe it is a virus or malware due to not having this experience.
But I know that there are types of programs that can be installed on previous versions of Windows disguised as other files to allow hackers to do things on people’s computers, so that means they can be more advanced now. If you research Trojans, RATs, rootkits, etc., you will find there are a lot of malicious kinds of viruses. An earlier post suggested someone might have made a virus that exposed itself but did something else.
 
Joined
Oct 2, 2014
Messages
1,757
Reaction score
406
In any case, if any of my PCs became infected, I would reinstall Windows immediately. For one thing, a virus can do damage to your Windows install (which looks to be the case to me). Also, even the best antivirus programs can't catch 100% of viruses, and definitely can't fix the damage they do. If it was me, it would be a very easy decision. The longer you wait, the more damage it can do. Good luck with whichever route you decide to go.
 
Joined
May 11, 2021
Messages
16
Reaction score
0
I really would like to know about running Defender offline. The page says I need administrator rights, but the current profile had those removed somehow, and I think that it was there when the profile was repaired, but I am not sure. Do you know that if I used another profile if it would scan the whole PC? Because I do not know how to restore the privileges. Is it possible to go to the other profile, and restore the privileges, then go back to the main one, and run Defender offline? Then if I do, will it erase important files? As I said, I do not really want to risk infecting other things, and I want to be able to back up things that I don't have backed up. I also want to be able to restore things to my iPhone, as the previously corrupted profile probably messed up the sync.
 
