Jump to content

Possible HDD firmware virus


Recommended Posts

Hey,my pc is infected with some kind of virus who remotely can control it.

The problem is that it's not detected by any antivirus/antispyware software i have used.

I've had the same infection before and i was tryed to format the HDD and flash my BIOS. (unsuccessfully of course)

So I had bought a new HDD and replaced it.

And the infection was just gone.

It's a little complicated to explain,but now my all devices are infected with this malware.(even my Android box)

Now somehow the infection is back (somebody is hacked me with network attack i think).

I can't afford to bought a new hard disk again.

And i'm starting to think that my HDD have firmware virus.

So what to do guys?

Thanks in advance. :)

 

Link to post
Share on other sites

Hello @Rapture and :welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh-in on your topic, please carefully follow the instructions within the following Malwarebytes support article:

Run the Farbar Recovery Scan Tool to gather logs

Please attach (not Cut & Paste) both the FRST.txt and Addition.txt report files in your next reply to this topic.

Thank you.

Link to post
Share on other sites

  • Root Admin

The computer looks to be having some possible hardware or driver issues that need correcting.

My suggestion would be to uninstall Kaspersky Security Cloud and restart the computer.

Then run the following and let us know why you think you're infected. What are you seeing or experiencing?

 

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 

Link to post
Share on other sites

I removed Kaspersky cloud and then restarted the computer.

My pc is doing strange things like example and i think somebody is playing with it :

-hide tray icons

-close processes

-some passwords of my accounts were just changed

-eject my dvd writer

-my pc and internet sometimes are very slooooow

-sometimes my internet just stops unexpectedly

-my mouse is moving when i play games

-etc etc

 

Here is the log : 

---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.367, (build 1.367.1091.0)
Started On Mon Jun  6 14:51:07 2022

Engine: 1.1.19200.7
Signatures: 1.367.1091.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Failed to submit MAPS report: 0x80072EE7
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Mon Jun  6 15:31:05 2022


Return code: 0 (0x0)

 

Link to post
Share on other sites

  • Root Admin

What you describe does not sound like malware, but we'll do some more scans and checks.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Link to post
Share on other sites

  • Root Admin

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 

Link to post
Share on other sites

  • Root Admin

That looks good too.

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

 

 

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Thanks, that log does not show any real issues either.

Let me have you run the following

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

  • Root Admin

You can reset your router if you own it. The logs are not showing an indication though of any remote access.

 

 

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2  using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID).  Do not use your; Name, Postal address, or other personal information.  Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date?  Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

 

 

Link to post
Share on other sites

  • Root Admin

You can copy and paste the following into NOTEPAD and then do a File Save-As and save it as a batch file to run it. You must put the name of the file you save as in "  " quotes

Example:  "SetCustomFirewallRules.bat"  Then save it to your system. Find the batch file and right-click over it and choose "Run as administrator" and this will create some custom rules in your firewall to help block unwanted items.

 

@echo off
:: Delete all custom Firewall rules
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 3389"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 3389"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 3389"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 3389"
netsh advfirewall firewall delete rule name="1Custom Block WScript 32-bit"
netsh advfirewall firewall delete rule name="1Custom Block WScript 64-bit"
netsh advfirewall firewall delete rule name="1Custom Block CScript 32-bit"
netsh advfirewall firewall delete rule name="1Custom Block CScript 64-bit"
netsh advfirewall firewall delete rule name="1Custom Block Type 13 ICMP V4"

:: Create all custom Firewall rules
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 135" protocol=TCP dir=in localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 135" protocol=TCP dir=out localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 135" protocol=UDP dir=in localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 135" protocol=UDP dir=out localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 137" protocol=TCP dir=in localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 137" protocol=TCP dir=out localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 137" protocol=UDP dir=in localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 137" protocol=UDP dir=out localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 138" protocol=TCP dir=in localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 138" protocol=TCP dir=out localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 138" protocol=UDP dir=in localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 138" protocol=UDP dir=out localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 139" protocol=TCP dir=in localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 139" protocol=TCP dir=out localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 139" protocol=UDP dir=in localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 139" protocol=UDP dir=out localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP SMB 445" protocol=TCP dir=in localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP SMB 445" protocol=TCP dir=out localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP SMB 445" protocol=UDP dir=in localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP SMB 445" protocol=UDP dir=out localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 3389" protocol=TCP dir=in localport=3389 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 3389" protocol=TCP dir=out localport=3389 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 3389" protocol=UDP dir=in localport=3389 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 3389" protocol=UDP dir=out localport=3389 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block WScript 32-bit" dir=out action=block program="c:\windows\system32\wscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block WScript 64-bit" dir=out action=block program="C:\Windows\SysWOW64\wscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block CScript 32-bit" dir=out action=block program="c:\windows\system32\cscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block CScript 64-bit" dir=out action=block program="C:\Windows\SysWOW64\cscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block

pause

 

 

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.