Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virus/Trojan still there after resetting cmos and reinstalling windows


  • This topic is locked This topic is locked

#1
GaalDornick

GaalDornick

    New Member

  • Member
  • Pip
  • 5 posts

Hi, I have been hacked, I had things like blinking UI / windows (edges of window or scrollbar flickering at times when that window wasn't selected nor the mouse hovering over it) cmd windows popping up, windows moving, parts of UI freezing and more.

I had the firewall / network monitoring software, called GlassWire, but all my AppData files were deleted, so the network monitoring logs lost..
I am not totally sure but I think the event logs were also deleted.

Couldn't access safe mode, I tried reinstalling windows 10 but the virus/trojan was back.
I tried installing on a clean SSD drive, virus came back.

I reset the cmos and flashed the BIOS to the latest version, reinstalled windows, virus still there.

Also at some point my main windows SSD MBR got corrupted, I checked the partitions they changed to another format that's not supported by the BIOS/UEFI.
But, I have to say I am not sure it might be possible that I caused the MBR corruption while tweaking the bios settings, let me know if that's possible.

 

I am not sure how I got infected, could be social engineering or some other attack vector, though my router is pretty old (2016) and definitely can be exploited, in fact the default login password of the web configuration page changed from the default "password" to be the wifi's WPA2 key, this might have been a firmware update but it seemed strange especially since the router is so old and hasn't seen firmware updates for years, and then after doing a factory reset of the router and setting a new login password, then I couldn't login again, invalid password.

 

So all the reinstalling windows, it's far fetched... but could this be a bootkit? with the virus "installed" in the motherboard's flash memory for firmwares? or another component, I am worried the virus might be on the SSD MBR or it's firmware.


That's for my main PC, my android phone also got hacked.
Then I tried to rely on my laptop and the login password changed.
But anyways the main focus is my main PC and knowing if it's a firmware virus to know if I should throw away my PC, SSDs, usb flash drives etc

 

 

Thanks for your help.

Attached Files


Edited by GaalDornick, 29 May 2021 - 11:07 PM.

  • 0

Advertisements


#2
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

Hi , GaalDornick..! :)

 

Wow, you mention extremely severe infections .. Only the provided diaries do not show the presence of active infections ..! :)

 

 

Farbar Recovery Scan Tool Fix

 

  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST will do it for you
Start::
CreateRestorePoint:
CloseProcesses:
cmd: ECHO Y|CHKDSK C: /F
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: sfc /scannow
EmptyTemp:
Reboot:
End::
  • Click Fix
  • When completed he tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

  • 0

#3
GaalDornick

GaalDornick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Thanks for the quick reply, here's the fix log.

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-05-2021 01
Ran by Mike (30-05-2021 13:19:03) Run:1
Running from C:\Users\Vincent\Desktop
Loaded Profiles: Vincent
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
cmd: ECHO Y|CHKDSK C: /F
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: sfc /scannow
EmptyTemp:
Reboot:

*****************

Restore point was successfully created.
Processes closed successfully.

========= ECHO Y|CHKDSK C: /F =========

The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N) Y

This volume will be checked the next time the system restarts.

========= End of CMD: =========


========= DISM /Online /Cleanup-Image /RestoreHealth =========


Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Image Version: 10.0.19041.985


[==                         3.8%                           ] 

[==                         4.7%                           ] 

[===                        5.6%                           ] 

[===                        6.6%                           ] 

[====                       7.5%                           ] 

[====                       8.5%                           ] 

[=====                      9.5%                           ] 

[=====                      10.2%                          ] 

[======                     11.2%                          ] 

[=======                    12.2%                          ] 

[=======                    13.1%                          ] 

[========                   14.1%                          ] 

[========                   15.1%                          ] 

[=========                  16.1%                          ] 

[=========                  17.1%                          ] 

[==========                 17.8%                          ] 

[==========                 18.3%                          ] 

[==========                 18.9%                          ] 

[===========                19.1%                          ] 

[===========                19.3%                          ] 

[===========                20.3%                          ] 

[============               21.3%                          ] 

[============               22.3%                          ] 

[=============              23.2%                          ] 

[=============              24.0%                          ] 

[==============             25.0%                          ] 

[===============            26.0%                          ] 

[===============            26.9%                          ] 

[================           27.9%                          ] 

[================           28.9%                          ] 

[=================          29.4%                          ] 

[=================          30.4%                          ] 

[=================          30.9%                          ] 

[==================         31.9%                          ] 

[==================         32.2%                          ] 

[===================        33.0%                          ] 

[===================        33.3%                          ] 

[===================        34.0%                          ] 

[====================       34.9%                          ] 

[====================       35.1%                          ] 

[====================       35.9%                          ] 

[=====================      36.7%                          ] 

[=====================      37.6%                          ] 

[======================     38.3%                          ] 

[======================     38.9%                          ] 

[======================     39.6%                          ] 

[=======================    39.9%                          ] 

[=======================    40.8%                          ] 

[========================   41.6%                          ] 

[========================   42.6%                          ] 

[=========================  43.5%                          ] 

[=========================  44.5%                          ] 

[========================== 45.5%                          ] 

[========================== 46.5%                          ] 

[===========================47.5%                          ] 

[===========================48.5%                          ] 

[===========================49.4%                          ] 

[===========================50.4%                          ] 

[===========================51.2%                          ] 

[===========================51.3%                          ] 

[===========================51.5%                          ] 

[===========================51.6%                          ] 

[===========================51.7%                          ] 

[===========================51.8%                          ] 

[===========================51.8%                          ] 

[===========================51.8%                          ] 

[===========================51.9%                          ] 

[===========================51.9%                          ] 

[===========================52.0%                          ] 

[===========================52.1%                          ] 

[===========================52.2%                          ] 

[===========================52.2%                          ] 

[===========================52.2%                          ] 

[===========================52.3%                          ] 

[===========================52.5%                          ] 

[===========================52.5%                          ] 

[===========================52.8%                          ] 

[===========================53.0%                          ] 

[===========================53.1%                          ] 

[===========================53.1%                          ] 

[===========================53.1%                          ] 

[===========================53.2%                          ] 

[===========================53.3%                          ] 

[===========================53.4%                          ] 

[===========================53.4%                          ] 

[===========================53.4%                          ] 

[===========================53.4%                          ] 

[===========================53.5%                          ] 

[===========================53.5%                          ] 

[===========================53.6%                          ] 

[===========================53.7%                          ] 

[===========================53.7%                          ] 

[===========================53.7%                          ] 

[===========================53.7%                          ] 

[===========================53.8%                          ] 

[===========================53.9%                          ] 

[===========================54.0%                          ] 

[===========================54.1%                          ] 

[===========================54.3%                          ] 

[===========================54.6%                          ] 

[===========================54.7%                          ] 

[===========================54.8%                          ] 

[===========================54.9%                          ] 

[===========================54.9%                          ] 

[===========================55.1%                          ] 

[===========================55.2%                          ] 

[===========================55.3%                          ] 

[===========================55.4%                          ] 

[===========================56.2%                          ] 

[===========================56.5%                          ] 

[===========================57.4%=                         ] 

[===========================58.4%=                         ] 

[===========================59.4%==                        ] 

[===========================60.4%===                       ] 

[===========================62.3%====                      ] 

[===========================84.9%=================         ] 

[==========================100.0%==========================] 
The restore operation completed successfully.
The operation completed successfully.

========= End of CMD: =========


========= sfc /scannow =========



Beginning system scan.  This process will take some time.



Beginning verification phase of system scan.


Verification 0% complete.
Verification 1% complete.
Verification 1% complete.
Verification 2% complete.
Verification 2% complete.
Verification 3% complete.
Verification 3% complete.
Verification 4% complete.
Verification 4% complete.
Verification 5% complete.
Verification 5% complete.
Verification 6% complete.
Verification 6% complete.
Verification 7% complete.
Verification 7% complete.
Verification 8% complete.
Verification 8% complete.
Verification 9% complete.
Verification 9% complete.
Verification 10% complete.
Verification 10% complete.
Verification 11% complete.
Verification 11% complete.
Verification 12% complete.
Verification 12% complete.
Verification 13% complete.
Verification 13% complete.
Verification 14% complete.
Verification 15% complete.
Verification 15% complete.
Verification 16% complete.
Verification 16% complete.
Verification 17% complete.
Verification 17% complete.
Verification 18% complete.
Verification 18% complete.
Verification 19% complete.
Verification 19% complete.
Verification 20% complete.
Verification 20% complete.
Verification 21% complete.
Verification 21% complete.
Verification 22% complete.
Verification 22% complete.
Verification 23% complete.
Verification 23% complete.
Verification 24% complete.
Verification 24% complete.
Verification 25% complete.
Verification 25% complete.
Verification 26% complete.
Verification 26% complete.
Verification 27% complete.
Verification 27% complete.
Verification 28% complete.
Verification 29% complete.
Verification 29% complete.
Verification 30% complete.
Verification 30% complete.
Verification 31% complete.
Verification 31% complete.
Verification 32% complete.
Verification 32% complete.
Verification 33% complete.
Verification 33% complete.
Verification 34% complete.
Verification 34% complete.
Verification 35% complete.
Verification 35% complete.
Verification 36% complete.
Verification 36% complete.
Verification 37% complete.
Verification 37% complete.
Verification 38% complete.
Verification 38% complete.
Verification 39% complete.
Verification 39% complete.
Verification 40% complete.
Verification 40% complete.
Verification 41% complete.
Verification 41% complete.
Verification 42% complete.
Verification 43% complete.
Verification 43% complete.
Verification 44% complete.
Verification 44% complete.
Verification 45% complete.
Verification 45% complete.
Verification 46% complete.
Verification 46% complete.
Verification 47% complete.
Verification 47% complete.
Verification 48% complete.
Verification 48% complete.
Verification 49% complete.
Verification 49% complete.
Verification 50% complete.
Verification 50% complete.
Verification 51% complete.
Verification 51% complete.
Verification 52% complete.
Verification 52% complete.
Verification 53% complete.
Verification 53% complete.
Verification 54% complete.
Verification 54% complete.
Verification 55% complete.
Verification 55% complete.
Verification 56% complete.
Verification 57% complete.
Verification 57% complete.
Verification 58% complete.
Verification 58% complete.
Verification 59% complete.
Verification 59% complete.
Verification 60% complete.
Verification 60% complete.
Verification 61% complete.
Verification 61% complete.
Verification 62% complete.
Verification 62% complete.
Verification 63% complete.
Verification 63% complete.
Verification 64% complete.
Verification 64% complete.
Verification 65% complete.
Verification 65% complete.
Verification 66% complete.
Verification 66% complete.
Verification 67% complete.
Verification 67% complete.
Verification 68% complete.
Verification 68% complete.
Verification 69% complete.
Verification 69% complete.
Verification 70% complete.
Verification 71% complete.
Verification 71% complete.
Verification 72% complete.
Verification 72% complete.
Verification 73% complete.
Verification 73% complete.
Verification 74% complete.
Verification 74% complete.
Verification 75% complete.
Verification 75% complete.
Verification 76% complete.
Verification 76% complete.
Verification 77% complete.
Verification 77% complete.
Verification 78% complete.
Verification 78% complete.
Verification 79% complete.
Verification 79% complete.
Verification 80% complete.
Verification 80% complete.
Verification 81% complete.
Verification 81% complete.
Verification 82% complete.
Verification 82% complete.
Verification 83% complete.
Verification 83% complete.
Verification 84% complete.
Verification 85% complete.
Verification 85% complete.
Verification 86% complete.
Verification 86% complete.
Verification 87% complete.
Verification 87% complete.
Verification 88% complete.
Verification 88% complete.
Verification 89% complete.
Verification 89% complete.
Verification 90% complete.
Verification 90% complete.
Verification 91% complete.
Verification 91% complete.
Verification 92% complete.
Verification 92% complete.
Verification 93% complete.
Verification 93% complete.
Verification 94% complete.
Verification 94% complete.
Verification 95% complete.
Verification 95% complete.
Verification 96% complete.
Verification 96% complete.
Verification 97% complete.
Verification 97% complete.
Verification 98% complete.
Verification 99% complete.
Verification 99% complete.
Verification 100% complete.


Windows Resource Protection did not find any integrity violations.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 63729975 B
Java, Flash, Steam htmlcache => 343 B
Windows/system/drivers => 44843724 B
Edge => 174802 B
Firefox => 1201972078 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 40596 B
Mike => 4277495930 B

RecycleBin => 7363467786 B
EmptyTemp: => 12.1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 13:23:41 ====

Edited by GaalDornick, 30 May 2021 - 05:30 AM.

  • 0

#4
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

Тhanks..! :)  So far, everything looks fine ..! Let's do more checks ..!

 

 

Malwarebytes Anti-Malware

 

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

 

 

Run AdwCleaner (Scan mode)


Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Filestab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

 

 

Microsoft Safety Scanner

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

  • The download links & the how-to-run-the tool are at this link at Microsoft:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

  • Please let me know the results of this scan.
  • The log is named MSERT.log
  • the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is C:\Windows\debug\msert.log
  • Please attach that log with your next reply.

 

 
 


  • 0

#5
GaalDornick

GaalDornick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Here are the logs, though for Microsoft Safety Scanner while it was around 90% done scanning it seemed to complete without that 10% of the progress bar(well might be normal) it was showing 16 infected files at that point, but the logs show nothing of those files, is that normal? there was just the name of the malware (VirTool:Win32/DefenderTamperingRestore), see the attached image.

Thanks for your time and help.

Attached Thumbnails

  • ms_safetyscanner-results.jpg

Attached Files


  • 0

#6
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

Here are the logs, though for Microsoft Safety Scanner while it was around 90% done scanning it seemed to complete without that 10% of the progress bar(well might be normal) it was showing 16 infected files at that point, but the logs show nothing of those files, is that normal? there was just the name of the malware (VirTool:Win32/DefenderTamperingRestore), see the attached image.

Thanks for your time and help.

 
Hi, GaalDornick ..! I don't know what happened during the scan. The end result is important to me ...! They show and confirm that your system is clean ..! Last scan and we orient ourselves to the final:
 
 

Scanning with SecurityCheck by glax24

  • Download SecurityCheck by glax24 from here and remember the tool on the desktop.
  • Run the program right-click the administrator name
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Copy the contents of this file to your next post
  • You can find this file in the root of the system disk in a folder called SecurityCheck, C: \\ SecurityCheck \\ SecurityCheck.txt

  • 0

#7
GaalDornick

GaalDornick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

 

Hi, GaalDornick ..! I don't know what happened during the scan. The end result is important to me ...!

Sorry and of course, I restarted the scan, but it takes around four or five hours so I'll post it asap.

Thanks

 

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 30.05.2021 19:30:54
Path starting: C:\Users\Vinncent\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Vinncent
VersionXML: 8.80is-19.05.2021
___________________________________________________________________________

Windows 10(6.3.19041) (x64) Professional Release: 2004 Lang: French(040C)
Installation date OS: 05.05.2021 19:28:01
LicenseStatus: Windows(R), Professional edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [465.1 Gb] Used: [225.5 Gb] Free: [239.6 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.789.19041.0
User Account Control [b]enabled[/b] (Level 3)
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service is running
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Malwarebytes (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Defender Firewall (mpssvc) - The service is running
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 4.4.0.117 v.4.4.0.117 [b][+][/b]
--------------------------- [ OtherUtilities ] ----------------------------
NVIDIA GeForce Experience 3.22.0.32 v.3.22.0.32
Microsoft OneDrive v.21.073.0411.0002 [color=red][b]Warning! [url=https://go.microsoft.com/fwlink/?linkid=860984]Download Update[/url][/b][/color]
Notepad++ (32-bit x86) v.7.9.5
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 21.02 alpha (x64) v.21.02 alpha [b][color=red]Warning! This software is no longer supported.[/color] Uninstall old version, [url=https://www.7-zip.org/download.html]download[/url] and install new one.[/b]
------------------------------- [ Imaging ] -------------------------------
Blender v.2.92.0
-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.1.0.9001 [b][+][/b]
---------------------------- [ ProxyAndVPNs ] -----------------------------
NordVPN v.6.37.2.0
-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.14
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Creative Cloud v.5.4.5.550
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 88.0.1 (x64 en-US) v.88.0.1
Microsoft Edge v.91.0.864.37 [b][+][/b]
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe v.4.0.0.997
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.2.0.970
Microsoft Defender Antivirus Service (WinDefend) - The service has stopped
Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service has stopped
----------------------------- [ End of Log ] ------------------------------

 


  • 0

#8
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

7-Zip 21.02 alpha (x64) v.21.02 alpha Warning! This software is no longer supported. Uninstall old version, download and install new one.

 

Microsoft OneDrive v.21.073.0411.0002 Warning! Download Update
 

 

 

Please update the software from the box ..!  Тhanks..! :)

 


  • 0

#9
GaalDornick

GaalDornick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Thanks, though for 7-zip, am I missing something or the latest version does seem to be 21.02 alpha?


  • 0

#10
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

Thanks, though for 7-zip, am I missing something or the latest version does seem to be 21.02 alpha?

 

Yes, things are really fine here. But why does the SecurityCheck program detect it as not updated .. !!! I will submit a report to the author of the program ..!


  • 0

#11
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

 

 

Sorry and of course, I restarted the scan, but it takes around four or five hours so I'll post it asap.

 

Let's wait for the repeated results ..!?!


  • 0

#12
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

Are you still with us..? 


  • 0

#13
icotonev

icotonev

    Trusted Helper

  • Malware Removal
  • 235 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP