Undetectable malware?

Discussion in 'Computer Software and Operating Systems' started by DismissedGuy, Oct 22, 2016.

  1. DismissedGuy
    OP

    DismissedGuy Advanced Member

    Hi guys!
    I've got a little problem with my laptop. Malware. Every time I put the charger in my laptop, 3 internet pages pop up and they bring me to just normal sites, which have nothing to do with phishing, fake prizes etc. I did a search on the internet but didn't find ANYTHING about how to solve it. I tried so many virus and malware scanners/removers but with no success. Avast! does block the sites because of detected threats, but when I ran a scan of my full PC nothing was found.

    Using Avast!, every time the pages pop up the connection is reinitiated and I can see the URL that brings me to the sites:

    http://www.admedialimited.com/monitize2.php?srcd=REEDADCI

    I also did a search for admedia limited, but the files that many sites advised me to delete aren't on my PC.
    Is there anyone who has this problem too or knows how to delete it? Thanks!

    And no, I'm not that dumb to delete the system32 folder...:mellow:
     
  2. 8BitWonder

    8BitWonder Small Homebrew Dev

    What browser is it in?
     
  3. DismissedGuy
    OP

    DismissedGuy Advanced Member

    Firefox
     
  4. 8BitWonder

    8BitWonder Small Homebrew Dev

    Last edited by 8BitWonder, Oct 22, 2016
  5. FAST6191

    FAST6191 Techromancer

    Plugging it in is an odd one, I can see how it might happen (it is an event which can have a customised response so yeah) but it is new to me.

    Anyway I am sure I could paw through the power settings and services to see how it is triggered, however that usually involves knowing what to look for and not a simple checklist type approach. If you want another thing to try, though it is quite a brute force approach, then I quite like combofix
    http://www.bleepingcomputer.com/download/combofix/

    It occurred to me though that I did not know the specifics of what went here, and going looking for Windows 7 at least https://cwl.cc/2012/02/schedule-task-when-pc-switches-from.html http://superuser.com/questions/121045/is-there-a-way-to-execute-a-program-on-power-events says simple options for it might not exist and it requires something a bit extra. To that end a more traditional going through startup or attached processes approach (I like http://www.gmer.net/#files but it is very powerful so be careful with it) should have revealed something. Maybe that changed in newer versions, I have no idea at this point and going through Windows 8/10 power API changes is not my idea of a good Saturday afternoon.
     
  6. Dominator211

    Dominator211 JFK's Jelly Donut

    Hey, this is my specialty: do a system restore to when your system was working properly, or if that doesn't work, uninstall the browser.
     
  7. DismissedGuy
    OP

    DismissedGuy Advanced Member

    Not needed. I had a look at ComboFix and saw something about Task Scheduler, so I looked at the registry and Task Scheduler itself. Now, in Task Scheduler, there were 3 tasks, Ulta1, Ulta2 and Ulta3, which all had the task of opening an internet page (the page I mentioned), and they are triggered if the power cable is plugged in, or if the PC is not in use for 1 hour (which I also experienced sometimes). I restarted my laptop and now it isn't opening random pages anymore! :yay:
     
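Added example, not code from the thread: a small Python triage of exported Task Scheduler XML that flags tasks of the shape found in the post above (an idle or power-event trigger launching a browser with a URL). The sample task, the Chromium path and the Kernel-Power event 105 subscription used to express "charger plugged in" are constructed assumptions.

```python
# Added, constructed example (not code from the thread): triage exported Task
# Scheduler XML and flag a task whose action contains a URL or starts a browser
# from an idle/event trigger, i.e. the shape of the Ulta1..Ulta3 tasks found
# above. Export a real task with:  schtasks /query /tn "\Ulta1" /xml
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
URL_RE = re.compile(r"https?://\S+", re.I)
BROWSERS = ("chrome", "chromium", "firefox", "iexplore", "msedge", "opera")

def triage_task(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        actions.append(f"{cmd} {args}".strip())
    triggers = []
    for trig in root.findall("t:Triggers/*", NS):
        kind = trig.tag.split("}")[-1]          # IdleTrigger, EventTrigger, ...
        sub = trig.findtext("t:Subscription", "", NS) or ""
        # "charger plugged in" is an EventTrigger on Kernel-Power events, so note it
        triggers.append(kind + (" (Kernel-Power)" if "Kernel-Power" in sub else ""))
    urls = [u for a in actions for u in URL_RE.findall(a)]
    browser = any(b in a.lower() for a in actions for b in BROWSERS)
    odd_trigger = any(t.startswith(("IdleTrigger", "EventTrigger")) for t in triggers)
    return {"name": root.findtext("t:RegistrationInfo/t:URI", "", NS) or "",
            "actions": actions, "triggers": triggers, "urls": urls,
            "suspicious": bool(urls) or (browser and odd_trigger)}

# Constructed sample shaped like the thread's Ulta1 task: idle trigger plus a
# power-source-change event (Kernel-Power 105 is an assumption) launching the
# ad URL in a user-profile Chromium; the path is also an assumption.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Ulta1</URI></RegistrationInfo>
  <Triggers>
    <IdleTrigger><Enabled>true</Enabled></IdleTrigger>
    <EventTrigger><Subscription>&lt;QueryList&gt;&lt;Query Id="0"&gt;&lt;Select Path="System"&gt;
      *[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and EventID=105]]
      &lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription></EventTrigger>
  </Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\me\AppData\Local\Chromium\chrome.exe</Command>
    <Arguments>http://www.admedialimited.com/monitize2.php?srcd=REEDADCI</Arguments>
  </Exec></Actions>
</Task>"""
```

Run `triage_task` over each task exported from the machine; a benign scheduled job (calendar trigger running a maintenance tool) comes back with `suspicious` False, while the Ulta-style task is flagged on both its URL and its trigger shape.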
  8. FaTaL_ErRoR

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    My first question would have been: is Avast the paid or free version?
    Most of the paid antivirus programs use adware to pay for the program they gave you for free and to make you feel like downloading was a good choice.
    When you plug in the laptop there is a setting that is different from the one when it is not. Somewhere in your performance settings you will find that.
    Probably the keyring for wake-up, as you are having this happen when coming back from idle.
    That is when the sites are opened and blocked by your antivirus. Usually it's where they prompt you to pay for the full version to get rid of this "horrible virus". I swear to you 90% of what you download has no virus or adware. Antivirus programs constantly push the unsafe world by injecting their own "virus" to make you think you must have one installed to be safe.
    Track down those three tasks and find out what program is triggering them. I will bet you will find that Avast is the culprit.
    Simple logic: if Avast can detect those sites as not being good and block them, then it can also detect the trigger... That is unless it is coded to ignore it. Stop getting this crap AV software that says it has free versions but also has paid versions.
    Go open source. (it even works for windows)
    http://www.clamav.net/
     
  9. DismissedGuy
    OP

    DismissedGuy Advanced Member

    It was not Avast, because I have the paid version (which ended yesterday). Btw, in startup programs there was a program called Chromium, a sort of beta-with-limited-functions Google Chrome. This is pretty weird, because I never heard of it. Also, the malware was already there before installing Avast a year ago, but lately they were not only popping up when I plugged in the charger. And, because Avast has ended (I didn't really like it anyway) I think it's a good time for testing some open source stuff. I liked Linux better than Windows anyway, but the stability of Linux was a little bit less for me (which is why I got dual-boot). Anyway, the problem was solved, so I'll just continue my laptop fun, I guess... :mellow:
     
  10. xy2_

    xy2_ GBAtemp Regular

    Out of curiosity, what Linux distribution?
     
  11. DismissedGuy
    OP

    DismissedGuy Advanced Member

    That's why I said "liked". I already deleted it because I'm a guy that rates a program on the layout, and the dual boot manager wasn't that beautiful... Anyway, I don't know which distribution it was.