Believe to have Bios Rootkit

[Teej96]

Have good reason to believe that current laptop is infected, my phone and other laptop have been infected and I have had to send the other laptop to repair, and my phone to be flashed. 

Current laptop is windows 8 Lenovo z50, have done Lenovo reset from the Lenovo button, when running the laptop a large amount of GB is already used, battery life is terrible and does not charge past 58%, and then drops to 5% in a few minutes after unplugging (however the laptop is 3 years old), I have tried installing Mbam anti Rootkit, it installed successfully but doesn’t update (failed to resolve host) and the internet connection is working. 

Have also installed GMER and it starts to scan, but then crashes.

I would just like help in detecting if there is a Rootkit, and possible ways to remove it or would I have to get the bios flashed?

Any help would be greatly appreciated! Thank you.

[MAM]

Hello, and welcome to our community.

Please make this, for the First Steps.

---->

MAM

[David H. Lipman]

Rechargeable Lithium Ion batteries may hold a charge for a long time but when used, they don't have a long life.

Replace the battery.  Capability of a battery charge is not the same as that of a Smart Phone and is NOT indicative of malware.  It is indicative of it being time to replace the battery.

There are no BIOS infecting RootKit in the wild.  It's too complicated.  One would have to be a High Value Target ( HVT ) for someone to go through that level of trouble and a high expense to specifically target the model of notebook used by the HVT and then have physical access to the platform and overcome the TPM.

Lenovo z50 battery at Newegg - $29

 

 

Edited March 3, 2018 by David H. Lipman
Spelling, Grammar and Clarification

[Teej96]

Hi David, 

Thank you I will look to replacing the battery.

Is it possible for a Rootkit to survive a Lenovo reset? Could you please also assist why mbam anti Rootkit won’t update and why there’s almost 200gb missing after the reset. I just want to be sure that the laptop is clean because I believe I am being specifically targeted. 

 

[David H. Lipman]

Define a " Lenovo reset? "

As in restore it to the condition as it was delivered from the factory ?

If you are specifically using the the stand-alone MBAR, it is best to ask questions about it in;  Malwarebytes Anti-Rootkit BETA Support

[Teej96]

It has a small button on the side, which can be pressed and it will load recovery menu. From this point I select restore from initial point. Everything on their is deleted, yet there is almost 190gb of storage missing. 

[David H. Lipman]

The Lenovo Reset button clears the CMOS.  The CMOS and the BIOS are not the same.  The BIOS is the hardware level Firmware that makes the hardware work with a series of input and Output routines and is stored in EEPROM.  It acts as middleware between the hardware and any given OS.  The BIOS is non-volatile memory.  On the other hand the CMOS ( which is the name of the actual circuit technology and not functionality ) is volatile memory.  That being when a DC current is removed volatile memory loses it memory state.  Thus CMOS is backed by a small Lithium battery.  Often a CR-2032.  The CMOS is a RAM scratchpad that stores variables related to the BIOS and its settings that any OS can read accordingly.  The button is used to wipe the CMOS and reset the hardware settings to factory defaults. 

If you choose another Lenovo function and Restore a Factory Image, it will DELETE data and bring the notebook back to a state where it was shipped from the factory.

 

[Teej96]

Is there a way to check for any hidden partitions or something like that? As there is a lot of GB missing from the laptop. Thank you for your help so far, I am sorry to be a pain, I just want to be a 100% certain. 

[David H. Lipman]

Easeus Partition Manager.

http://download.easeus.com/free/epm.exe

[Teej96]

 Hi David, please see attached photo, I would’ve taken a screenshot but can’t really access internet on the laptop. 

How can I tell what is legitimate and what isn’t?

[David H. Lipman]

I certainly don't see " 200gb missing " being unallocated. ( BTW:  I think you mean GB not gb as in GigaByte.  Nomenclature is important ).

I do see Lenovo related partitions.\

RE:  https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Can-you-tell-me-what-partitions-these-are/m-p/1201540#M65417

Choose the "Spoiler".

[David H. Lipman]

Teej96, are you still with me ?

[AdvancedSetup]

The possible battery or other hardware issues aside, please run the following to get some logs so we can see what might be going on with the computer. Use a USB stick if needed to copy/post back to a computer that can access the Internet. If you don't have then you'll need to send this one to the computer shop as well.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes 3 installed yet please download it from here and install it.
• Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Clean.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

[Teej96]

Hi still here, just had a busy day but will do all the steps tonight.

[Teej96]

Hi, have done all three steps. However (not sure if it matters) the log file on the second step did not open when rebooted, so I manually found it.

Logs.zip

Edited March 7, 2018 by Teej96
Forgot to attach logs :P

[AdvancedSetup]

AV: McAfee Anti-Virus and Anti-Spyware

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> csrss.exe
Failed to access process -> services.exe

 

You need to 100% fully disable McAfee antivirus when you run FRST as it's blocking it from scanning your system.

Thanks

 

[Teej96]

What do you mean by fully disable? Just disable real-time protection? Or is there more to disable?

[David H. Lipman]

I just wanted to note that I am taking a back seat as Ron goes through this Log Process with you.

 

[AdvancedSetup]

McAfee sometimes does not fully disable itself when you turn off real time protection. Please give it a try and run a new FRST scan. Then look at the log and see if those same errors come up in the new log.

Failed to access process ->

In most cases (unless you have some unexpected rootkit) it is being blocked by your antivirus.

We need a set of clean FRST logs without that: Failed to access process ->  issue.

Thanks

 

[Teej96]

Hi, I have uninstalled McAfee (will reinstall later) just to be sure it is disabled, quit mbam, and here are logs attached. It is still failing to access process. 

FRST.txt

Addition.txt

[AdvancedSetup]

Doh... Looks like I missed this.

Ran by Tj (ATTENTION: The user is not administrator) on LELNO (12-03-2018 17:06:55)

 

Please run this with another user account that has Admin rights. 

 

[David H. Lipman]

Teej96:

Are you still with us ?

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks