Infected boot sector


Go to solution Solved by AdvancedSetup,

Recommended Posts

Hello,

My first time having an issue I was unable to fix myself. I could write a short novel regarding my experiences, computer symptoms, and what I've tried. Attached FRST logs, was unable to get a MBAM scan because my machine is trying to send info over the internet and I am keeping ethernet unplugged, no way to update. Attached windows meta data logs from a fresh install OS on a fresh brand new SSD 1tb samsung SATA. I have always used free MBAM and love your support and product. I am interested in upgrading to premium but want to make sure this issue can be fixed. Hopefully there is a way to install full MBAM via usb or external without internet. If there is any additional information needed please let me know.

META logs: 

https://www.mediafire.com/folder/ye98kclya20r7/LocaleMetaData

 

Thank you

FRST.txt Addition.txt

Edited by AdvancedSetup
Disabled hyperlink

  • Root Admin

Hello and welcome @Blink_Dad

My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
  • Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections.
  • If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

Please run the following

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/
You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

  • Root Admin

If there is data there you need, then yes, you can add the drive.

Be careful though and don't let it auto launch anything.

Then do a Full scan on it too with Dr Web CureIt!

You may also want to use Kaspersky to scan it.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681


Select the Windows Key and R Key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and have names similar to report_20210123_113021.klr
Right-click directly on that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...


When complete, if entries are found there will be options. If "Cure" is offered, leave it as is. For any other options, change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you


  • Root Admin
  • Solution

These are all valid and normal partitions for a hard drive that has had Windows installed on it.

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            930 GB   117 MB
  Partition 4    Recovery           530 MB   930 GB

 

So, disk 1 and disk 2 appear not to be set up or used at this time.

    Disk 0 : SSD. It has 4 partition(s). Model: Samsung SSD 860 EVO 1TB
    Disk 1 : SSD. It has 0 partition(s). Model: WD_BLACK SN750 SE 1TB
    Disk 2 : SSD. It has 0 partition(s). Model: WD_BLACK SN750 SE 1TB
    Disk 3 : USB. It has 1 partition(s). Model: Kingston CG_DataTraveler  

 

Disk 0 is the drive with Windows installed

Disk 0 : SSD. It has 4 partition(s). Model: Samsung SSD 860 EVO 1TB

These are the Volumes (not partitions) of the drive

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C                NTFS   Partition    930 GB  Healthy    Boot    
  Volume 1                      FAT32  Partition    100 MB  Healthy    System  
  Volume 2                      NTFS   Partition    530 MB  Healthy    Hidden 

 

and these are the partitions (again, these are normal)

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            930 GB   117 MB
  Partition 4    Recovery           530 MB   930 GB

It is kind of odd to have a disk in Offline mode, but it is not a sign of malware.

 Disk 2    Offline         931 GB   931 GB 

Why do you believe there is something wrong on the partition and which one?

  • Thanks 1
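As an added check that is not part of this thread, here is a small Python parser for the diskpart "list disk" text format quoted above. It runs on constructed sample lines modeled on the figures in this post (not the poster's actual logs) and flags the two observations made here: disks with no partitions at all (Free equals Size) and disks reported Offline, neither of which is malware evidence by itself.

```python
"""Parse diskpart 'list disk' output and flag disks worth a second look.

Added example; SAMPLE_LIST_DISK is constructed after the figures quoted
in the thread (Disk 0 holds Windows, Disks 1-2 show no partitions,
Disk 2 is Offline), not copied from any log.
"""
import re

SAMPLE_LIST_DISK = """\
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          931 GB      0 B        *
  Disk 1    Online          931 GB   931 GB        *
  Disk 2    Offline         931 GB   931 GB        *
  Disk 3    Online           28 GB      0 B
"""

# One data row: "Disk <n>  <Status>  <Size> <unit>  <Free> <unit> ..."
DISK_ROW = re.compile(
    r"^\s*Disk (\d+)\s+(Online|Offline)\s+(\d+ \w+)\s+(\d+ \w+)"
)


def parse_list_disk(text):
    """Return {disk_number: {"status", "size", "free"}} for each data row.

    Header and separator rows do not match the pattern and are skipped.
    """
    disks = {}
    for line in text.splitlines():
        m = DISK_ROW.match(line)
        if m:
            number, status, size, free = m.groups()
            disks[int(number)] = {"status": status, "size": size, "free": free}
    return disks


def flag_disks(disks):
    """List (disk_number, reason) pairs a responder would want to explain.

    Free == Size means diskpart sees no partitions on the disk, matching the
    'It has 0 partition(s)' lines in the thread; Offline is a status set by
    the user or the OS, odd but not malicious on its own.
    """
    findings = []
    for number, d in sorted(disks.items()):
        if d["free"] == d["size"]:
            findings.append((number, "no partitions"))
        if d["status"] == "Offline":
            findings.append((number, "offline"))
    return findings
```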

I switched that disk drive to offline trying to find info in Disk Management. The problem is there is no hard drive. I have never owned an M.2 hard drive and do not own any WD_BLACK 1TB M.2 hard drives. Both slots on the mobo are empty. BIOS shows both these drives upon start up no matter what I try. Flashed BIOS from USB. I was able to unplug all hard drives from the system, and the OS still came up. Was able to install fresh Windows 10 onto the infected computer with no hard drives installed. I don't know where it is saving these false drives and running the OS. The boot logs I saved from the fresh install on the fresh hard drive have so many red flags, but I do not know how to understand them. I noticed a lot of the Windows drivers had dates like 2006 and were very old, which was suspicious.


  • Root Admin

I have seen reports of WD_BLACK on systems before without such drives as you say. Not sure of the exact cause as I didn't really dig into it. The customer moved on.

Please run the following

 

Please download HWiNFO the Professional System Information and Diagnostics program.
HWiNFO Portable for Windows

Unzip the program to its own folder such as: C:\HWiNFO
Go to the new folder and locate the file C:\HWiNFO\HWiNFO64.exe and double-click to run it.
Click the RUN button.
Ignore the update, click close.
Click on Save Report and choose HTML and click Next, then Finish
By default, it will create a new report named COMPUTER.HTM in the same folder as the program. C:\HWiNFO
Please zip that file and attach it to your next reply

Thank you


  • Root Admin

It is seen in Hardware Scan - that's for sure.

 

WD_BLACK SN750 SE 1TB
     
[General Information]
Drive Controller:    NVMe (PCIe 4x 16.0 GT/s)
Host Controller:    Sandisk, Device ID: 501E
Drive Model:    WD_BLACK SN750 SE 1TB
Drive Serial Number:    21313R800719
Drive Firmware Revision:    711130WD
NVMe Version Supported:    v1.4
Drive Capacity:    953,869 MBytes (1000 GB)
Drive Capacity [MB]:    953869
         
[Capabilities]
Volatile Write Cache:    Present
Compare Command:    Supported
Write Uncorrectable Command:    Supported
Dataset Management:    Supported
Write Zeroes:    Supported
Save field set to a non-zero value:    Supported
Reservations:    Not Supported
Timestamp:    Supported
Autonomous Power State Transitions:    Supported

Try shutting down the computer and go into the BIOS / UEFI

Take a few pictures with your phone for any possible custom changes.

Then shut the computer down.

Pull the power plug and turn the switch on the power supply off.

Then unplug the memory one at a time and plug it back into the same slot

Then do the same with the two NVMe drives

 

Then pull the CMOS battery out of the computer and let it sit for about 5 minutes

Then put the CMOS battery back in.

Then turn the power supply switch back on and plug the computer back in.

Then power it up and go into the BIOS / UEFI and only change things that might be necessary like date or time or possibly boot order

Then see if you can find those WD_BLACK anywhere in the UEFI settings still and take a picture

 


Some random notes that may or may not be relevant: I have tried almost everything suggested. I have found no changes in BIOS that my amateur eye can spot, but the NVMe drives are always there. I went on a deep dive thinking it was somehow firmware-specific targeting the recovery BIOS but found that not possible. Fresh installed the OS 3 times with old hard drives and then no hard drive, flashed BIOS to stable, and every time on startup BIOS would show 2 1TB WD_BLACK M.2 NVMe drives that don't exist. Lastly I took out the video card and unplugged it, switched a switch on it (RTX 3070 Ti) that I am still not sure what it does, plugged it back in, decided to risk another brand new 1TB SSD 860 EVO SATA, and when I started the machine to BIOS before it got to the Win 10 USB disk it did not show the M.2 hard drives and the boot options were, I believe, normal:

1. Boot Manager (AMD-RAID)

2. Sandisk USB (Win 10 disk image)

3. Samsung EVO 860 1tb SATA SSD

Is it possible the boot manager installs the corrupted files? I booted to the Win 10 USB and when it showed partitions it showed all the false hard drives as well as the regular 4 or 5 partitions. I deleted all partitions I could on that install screen (which I had done before and still later found all my files on the drives intact). That was the only time I could get it to not show the false hard drives in the M.2 slots. I checked the event logs from the fresh install and downloaded them and the META data.

I have noticed the system time has consistently been just around, but not exactly, an hour slow. Changed it manually this last time after taking pictures.

Linking pictures of BIOS; note I have tried the extended Controller and NameSpace device test in BIOS and both false hard drives pass everything, every time.

New notes while taking pictures. Secure Boot was set to Custom, as seen in picture 7. Boot Manager did not show the false WD_BLACK NVMe drives as bootable as it usually does. After a factory key reset the drives still came up in the configuration.

After this I will disassemble all devices from the PC except the CPU (unless you think necessary) and reset the CMOS battery for 20+ mins (which I have tried already once). Note there are no NVMe drives to remove and I don't think there is an option to disable them in BIOS.

Then I will take more pictures of BIOS before Windows boots. Do you want me to keep the 1 SATA SSD plugged in or remove it? I am certain Windows will run either way; it seems to run from an image somewhere not on the hard drives. If there are any specific pictures you need me to take upon fresh reboot, I will wait to hear from you after reassembly until I fresh reboot. This issue has plagued me and I sincerely appreciate your help.

BIOS Pictures - Google drive


  • Root Admin

Your link requires a login for Google.

You can post images directly here

 

Have you inquired with Gigabyte Support about this?

BIOS: American Megatrends International, LLC. F16e 07/18/2023
Motherboard: Gigabyte Technology Co., Ltd. B550 AORUS PRO AC

Or have you tried checking their support forums? Perhaps you're not alone?

 


  • Root Admin

I would show images 6 and 12 to Gigabyte support. Also open the case up and take pictures showing ALL the NVMe slots so they can see they're empty, and ask them what's up.

BIOS / UEFI does not obtain information based on what OS you have installed. The OS obtains data from what the BIOS / UEFI present to it as available hardware.

So the issue (in my opinion) is at the hardware detection level.

 


  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you


This topic is now closed to further replies.