
Boot sector virus, System wont boot. Windows Defender found Persistence!rfn



Hi all,

Last night a friend I thought I could trust when it comes to this stuff shared a cracked program with me, telling me that it was safe. I scanned it with Malwarebytes Pro and it came back fine. I stupidly downloaded it and immediately realized the installer was doing something shady. I'm pretty sure it was attempting to make changes to my MBR. I was too late to stop it, and although my computer did not show any signs of infection after the download, I decided to run a quick scan with Windows Defender. It found the trojan Win32/Persistence!rfn. I removed it with Defender. I told my friend and asked where he got the program from, then looked up the site. First off, the site was blocked by my Malwarebytes; second, plenty of people have complained about the site hiding cryptominers and ransomware in its downloads.

The next thing I did, which in hindsight might have been the wrong choice, was frantically attempt to use a backup of my system drive to restore to a clean version from earlier this week. The new problem is that after my computer restarted, it was unable to boot Windows! I receive an error from my boot manager stating:

\Windows\system32\winload.exe

0xc000000e

The selected entry could not be loaded because the application is missing or corrupted.

So, my computer is now seemingly out of commission and I'm very freaked out that there's something bad hiding in the BIOS and whatnot. I'm out of my element here and would appreciate some help. My first instinct is to repair Windows using the Windows 7 install disk and to use bootrec to repair the MBR, but I don't want to do more damage here. Even if I have to reformat and start with a fresh computer, I'd just like to be sure I get rid of whatever this is. I know that without me being able to send logs or info from the comp it may be hard to help, but I appreciate any advice you have. Thank you!

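The poster suspects the installer touched the MBR and is considering bootrec to repair it. Before overwriting sector 0, a practitioner would dump it and check it, because a repair destroys the evidence. The following is an added example, not code from the thread or from Malwarebytes: a Python parser for a raw 512-byte MBR that validates the 0x55AA boot signature, decodes the four partition-table entries, flags invalid status bytes, a wrong number of active partitions and overlapping partitions, and hashes the bootstrap code (bytes 0-439, deliberately excluding the per-disk signature at 440-443) for comparison with a known-good copy. The sample sector, its placeholder boot bytes and the "known-good" hash are all constructed for the demo; on a real machine you would read the first sector of `\\.\PhysicalDrive0` from an elevated prompt (or from an offline image) and compare against the boot code of a clean install of the same Windows version.

```python
"""Inspect a raw 512-byte MBR sector: signature, partition table and bootstrap-code hash.
Added example; the sample sector built below is constructed, not the poster's disk."""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_SIZE = 512
BOOTCODE_LEN = 440              # bytes 0..439 bootstrap code; 440..443 is the per-disk signature
PART_TABLE_OFFSET = 446         # four 16-byte partition entries, then 0x55AA at 510..511
BOOT_SIGNATURE = b"\x55\xAA"
# status, CHS start (3 bytes), type id, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


@dataclass
class MbrReport:
    signature_ok: bool
    bootcode_sha256: str
    partitions: List[Partition] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def bootable_count(self) -> int:
        return sum(1 for p in self.partitions if p.bootable)


def inspect_mbr(image: bytes, known_good_bootcode_sha256: Optional[str] = None) -> MbrReport:
    """Decode sector 0 and collect anything that should worry a responder."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    report = MbrReport(
        signature_ok=image[510:512] == BOOT_SIGNATURE,
        bootcode_sha256=hashlib.sha256(image[:BOOTCODE_LEN]).hexdigest(),
    )
    if not report.signature_ok:
        report.findings.append("boot signature 55AA missing: not a valid MBR")
    if known_good_bootcode_sha256 and report.bootcode_sha256 != known_good_bootcode_sha256:
        report.findings.append("bootstrap code differs from the known-good copy")
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PARTITION_ENTRY.size
        status, _, type_id, _, lba_start, sectors = PARTITION_ENTRY.unpack(
            image[off:off + PARTITION_ENTRY.size])
        if type_id == 0 and sectors == 0:
            continue                                    # empty slot
        if status not in (0x00, 0x80):                  # only 0x00 / 0x80 are legal
            report.findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
        report.partitions.append(Partition(i, status, type_id, lba_start, sectors))
    if report.partitions and report.bootable_count != 1:
        report.findings.append(
            f"{report.bootable_count} active partitions; BIOS boot expects exactly one")
    ordered = sorted(report.partitions, key=lambda p: p.lba_start)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.lba_start < prev.lba_start + prev.sectors:
            report.findings.append(f"partitions {prev.index} and {nxt.index} overlap")
    return report


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw device (r'\\\\.\\PhysicalDrive0', elevated) or a dd image file."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed sample: Windows 7 style layout (100 MB System Reserved + OS partition).
    The boot bytes are a placeholder, not real boot code."""
    bootcode = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x00")
    if tampered:
        bootcode = b"\xE9\x00\x01" + bootcode[3:]       # a patched jump at the very start
    disk_signature = b"\xDE\xAD\xBE\xEF"
    reserved = b"\x00\x00"
    entries = PARTITION_ENTRY.pack(0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)     # active NTFS
    entries += PARTITION_ENTRY.pack(0x05 if tampered else 0x00, b"\0\0\0", 0x07, b"\0\0\0",
                                    206848, 41943040)                                   # OS NTFS
    entries += b"\x00" * 32                                                             # two empty slots
    return bootcode + disk_signature + reserved + entries + BOOT_SIGNATURE


# Stand-in for a hash recorded from a clean install of the same Windows version.
KNOWN_GOOD_BOOTCODE = hashlib.sha256(build_sample_mbr()[:BOOTCODE_LEN]).hexdigest()

if __name__ == "__main__":
    for label, img in (("clean", build_sample_mbr()), ("tampered", build_sample_mbr(tampered=True))):
        r = inspect_mbr(img, KNOWN_GOOD_BOOTCODE)
        print(label, r.signature_ok, r.bootcode_sha256[:16], r.bootable_count, r.findings)
```

Only the bootstrap code is hashed: the disk signature at offset 440 is legitimately unique per disk, so hashing the full sector would flag every machine. A differing hash on its own is not proof of a bootkit (OEM tools and some disk utilities write their own boot code), so treat it as a lead to compare against a reference image, and keep the dumped sector before running bootrec /fixmbr.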

  • Root Admin

Hello @nt1992 and welcome.


Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Thank you! So it turned out that the reason my system wouldn't boot is most likely due to an error in the recovery that I mentioned. I think there was an error and my system drive was just wiped without actually recovering to my backup, thus my issue. I've since reinstalled a fresh copy of Windows but still ran the scans just as you asked, to be on the safe side. AdwCleaner didn't find anything except my Mobo's registration reminder.

log.txt FRST.txt Addition.txt


  • Root Admin

Great, glad you were able to resolve that issue. The Event Logs show that some Windows Updates did not install correctly. Not sure if they're still an issue or not.

System errors:
=============
Error: (03/23/2020 04:09:57 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Google Update Service (gupdate) service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/23/2020 04:04:51 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800705b4: Security Update for Windows 7 for x64-based Systems (KB3031432).

Error: (03/23/2020 04:04:46 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2698365).

Error: (03/23/2020 04:04:46 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2836943).

Error: (03/23/2020 04:04:46 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB3045685).

Error: (03/23/2020 04:04:46 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2564958).

Error: (03/23/2020 04:04:46 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2813430).

Error: (03/23/2020 03:59:02 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

 

If updates are still an issue, you might need to disable security software while doing updates or checks.

If there is anything else we can do to assist, please let me know.

Cheers

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

