Neee help - bootkit/bios/mbr infection?

[Salonoi]

Hi guys, I had some behaviour on pc that I could not explain, and I just want to make sure that I do not have mbr/bios virus. Does malwarebytes anti malware,malwarebytes anti rootkit, eset online scanner,roguekiller scan boot sector as well? Also, are there any programs that scan for bootkits? I searched on google and found mswbar,gmer and tdss killer that supposedly could find them and erase them,is it true? Could scanning with them get rid of the potential virus? I tried mswbar and it at first scan froze,second scan worked normally and it reported unknown mbr code being there,i then tried mbrfix and it reported error. next time I booted i could get in with temporary profile.

thanks. 

[kevinf80]

Hello Salonoi and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop: Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK. Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu. Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop. Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download and save RogueKiller to your Desktop from this link: https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs... Thank you, Kevin..

[Salonoi]

sure, here they are.

rk.txt

Addition.txt

FRST.txt

[kevinf80]

One more scan...

Go here and click 'SCAN NOW' under 'ESET Online Scanner' save to your Desktop. Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how Right click on and select "Run as Administrator" In the new Window accept the terms of service In the new Window select "Enable detection of potentially unwanted applictions" then expand "Advanced Settings" In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan" In the new Window new virus database signatures will download, Do Not Select Stop The Window will progress showing the scan in action.... In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply... If threats are found the following Window will open: Click on "Select All" then "Save to Text file" name and save that file, attach to your reply. Now select "Do not clean" and then close out....

[Salonoi]

eset online scanner found nothing.

is MBR partition and bios safe then as well? Or should I use another scan as well?

thank you

[kevinf80]

I see nothing wrong with your system, if ESET is clean that also confirms clea system. What makes you believe your sytem is infected...?

[Salonoi]

Just now, kevinf80 said:

I see nothing wrong with your system, if ESET is clean that also confirms clea system. What makes you believe your sytem is infected...?

I had a suspicion because my bios had fourth bootable device - network adapter turned on.

I know I did not mess with it and after googling I found it is not usually turned on by default. my friend though installed windows first time on my pc 2 years ago and messed little bit with booting order in bios,but he said he did not touch that one. He may have, just not remember.

I reinstall my os from time to time, yesterday after finding that out I reinstalled it again, and tried scans with things I mentioned in first post.

mbar after update was not able to to start, it threw error with driver being encrypted or something, and aswbar afterwarda froze. I had to reboot.

after rebooting windows logged me with temp profile.

i tried mbar,it worked and also aswbar again, it worked as well,but I tried mbrfix in aswbar after its scan and it just threw me error. I was not able to do it for some reason.

i reinstalled it windows again, just to be sure.

Is there anything suspicious please or would you be able to detect something bad from my scans, even if it was outside of hdd basic partitions? 

 

[kevinf80]

RogueKiller would have flagged any issues with the MBR, even hidden partitions....

Quote

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] cb763b48839e604865784c691228baa8
[BSP] 256d26ffe6f38b5b2a06bf90cfb91982 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 300519 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 616181760 | Size: 652998 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Your RK log is clean, I see nothing wrong with your system..... Did you use GMER, can I see the produced log..?

[Salonoi]

32 minutes ago, kevinf80 said:

RogueKiller would have flagged any issues with the MBR, even hidden partitions....

Your RK log is clean, I see nothing wrong with your system..... Did you use GMER, can I see the produced log..?

I tried it now, downloaded it from one known site (not sure if posting names is allowed here), it has many tools. Not sure if it is the most current version, but hope it is.

Here is the log. It found quite a lot of things, but I do not know if they are false positives or actually important. I had ADS turned on and both drives picked and had antivirus on.

I did not get any warning message or anything though.

gmer.log

Edited March 2, 2017 by Salonoi

[kevinf80]

GMER log is clean, if no more issues or concerns we can clean up tools etc..

Uninstall RogueKiller via programs and features...

Next,

Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked:   Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...

 

[Salonoi]

so it is safe to say that everything is all right even outside of basic partitions. great

 

thank you very much for your help :).

[kevinf80]

You`re very welcome, comeback anytime...

Regards,

Kevin...

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!