Jump to content

I believe I have been infected with a BIOS rootkit

SadlyInfected
 Share
Go to solution Solved by AdvancedSetup,

Recommended Posts

SadlyInfected

SadlyInfected

Posted
Posted

I believe i am infected with a BIOS rootkit. allow me to explain why

1) I downloaded some files off of github and didnt check them (stupid i know) and when i ran them nothing happened ... or so it seemed.

2) So i went to delete the folder since it seemed useless at that point, and it said it was in use by another program.

3) I went ahead and opened task manager and saw some processes using fake windows host names running on my pc on startup.

4) i launched in safe mode and ran 13 different antivirus and rootkit removal tools, they all had 50+ detections and removed everything giving my pc a clean bill of health

5) restart pc. same files are loading on my system. I am sure they are malicious at this point because they are blocking me from accessing my windows update settings.

6) back to safe mode to download windows iso creator and flash that to my usb. its blocked. all AV websites are also blocked.

7) use my laptop to create windows install media, return to pc and boot from usb through bios, never once allowing windows to load

8) when i get into the windows installation media, it says i dont have any drives connected. panic is starting to set in.

9) after some research i determine i have a bios rootkit, and decide to reflash my bios

10) tried reflashing bios, invalid file.

11) reboot from a different USB that has flash programming tool installed to be able to freely reflash my bios and be safe and secure once again

12) FPT says i have no drives connected, not even the one i booted from.

I am desparate at this point, and panicing pretty hard because I am getting every couple of hours an email saying a different account of mine has been compromised, so the rootkit is clearly loading malware. I cannot attach any pictures in this second because i am writing this from the laptop, but I would really appreciate it if someone smarter than me could please help me save my pc. I spen $8000 building it and I really cant handle watching it be murdered in front of me

Link to post
Share on other sites
1PW

1PW

Posted
Posted

Hello @SadlyInfected and :welcome::

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

It's up to you how you resolve it. If you truly have a BIOS / UEFI rootkit or bootkit then you may want to take the computer to a local computer security store and have them assist you.

If you wish to be a bit more reasonable and not panicking, we can probably help you scan and clean the computer. Start by posting back the requested logs by @1PW above.

 

Thank you

 

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

What is this file? Windows Defender does not like it

C:\Users\Jx\Desktop\Libs\HF-Loader20220630.vbs

What are these for?

HKU\S-1-5-21-3573729017-3518492245-1848384055-1001\...\Run: [AltServer] => D:\AltServer\AltServer.exe (No File)
HKU\S-1-5-21-3573729017-3518492245-1848384055-1001\...\Run: [Sideloadly Daemon] => C:\Users\Jx\Sideloadly\sideloadlydaemon.exe [42854400 2023-05-02] () [File not signed]

 

 

Link to post
Share on other sites
  • Root Admin
  • Solution
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
  • Solution
Posted

Please run the following fix

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\Jx\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites
SadlyInfected

SadlyInfected

Posted
  • Author
Posted

My apologies for the laate response, ive been away from home. I ran the script and the computer appears to be as normal. You cannot believe my relief. Thank you all so very, very much.

edit: I ran an antivirus scan using malwarebytes and it found two, although its possible those could be for a c++ project im testing

there is also a process running still called Windows host process (Rundll32) that i am not sure is legitimate

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Please post back the FIXLOG.TXT file @SadlyInfected

Then run the following as well

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites
SadlyInfected

SadlyInfected

Posted
  • Author
Posted

Today is my birthday so i will not be able to do it until tomorrow, but i will update as soon as im finished

 

I also noticed this morning my email was mass emailing random people in italian sending them a scam phishing link. is this because they still have access to my pc? or would they have gotten access to my account previously? I just want to make sure im safe

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted (edited)

Happy Birthday

 

animated-happy-birthday-image-0018.gif

 

They probably have access to your email at some point. Please see if  you're able to change the password on the account to a strong, secure password.

https://1password.com/password-generator/

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Please uninstall, update, or otherwise address the following as appropriate for your system


---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------

 

Then restart the computer and check for Windows Updates and install any updates found.

 

 

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it.

Risks of File-Sharing Technology by the Cybersecurity & Infrastructure Security Agency
https://www.cisa.gov/uscert/ncas/tips/ST05-007

Hidden risks in pirated software https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/ Why You Shouldn't Use Pirated Software (But Why People Still Do) https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

 

 

Next, please run the following

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 

 

Next, please run the following

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

It's up to you. Doing a clean install of Windows would certainly put the system into a much safer and better running state.

If you do want to do so, here are some instructions to help

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Windows Updates and Windows Defender both have broken services that need to be repaired

At the moment Windows cannot update itself and Windows Defender cannot protect security

We can fix them but if you're going to do a clean install then no since in taking the time to write up a fix

 

Link to post
Share on other sites
SadlyInfected

SadlyInfected

Posted
  • Author
Posted

Which option do you think would serve me better? using your script to fix (which these have been working wonders btw i cant thank you enough), or going with the full reinstall? My C drive is running out of space so a reinstall might help with that too, but idk if i want to lose all my data just because of a *****er who wanted to ruin my pc and steal all my info

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.