
Avast detects Defo@boot bootkit virus, but I can't remove it- help?


3 replies to this topic

#1 Bellanzarite

Bellanzarite

  • Members
  • 3 posts

Posted 07 August 2013 - 04:04 AM

Hi there,

Bought a new PC, W7 Ultimate, 64 bit yesterday. Before you say that the chances of my computer being infected after one day are slim, I should add that I live in Thailand and that buying a computer here with anything pre-installed- say Windows- means there's a 50% chance of there being a virus onboard as well. I spent most of yesterday clearing out the crapware that came with it and chucked on basics- Avast antivirus, Comodo firewall, etc.

However, almost immediately, Avast detected a "Defo@boot" virus, which if you don't know is found in the MBR. This makes it particularly annoying to remove... Avast tried to delete it, but was unable. It prompted to restart in order to do a boot scan, which I did, but said boot scan did nothing as Avast still tells me the virus is on my PC.

I was following the instructions on this website here; however, upon running Kaspersky TDSSKiller, nothing was found. I tried scanning twice and with every option for scanning selected on, but nada. Same with ZeroAccess.

I'm at a loss as to how to remove this now. As it's in the MBR, if I understand it correctly your run-of-the-mill high-level format or killdisk won't remove the virus... Help?

I'm willing to completely wipe the drive if necessary. I can reinstall Windows, and in any case it came with so much crapware that I'd almost prefer having a cleaner start to it; I'm not sure if I got it all.


Edited by hamluis, 07 August 2013 - 06:51 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand

Posted 07 August 2013 - 07:34 AM

Step 1: Please download SecurityCheck from here: http://www.bleepingcomputer.com/download/securitycheck/ and save to the desktop.

Please run it and it will provide you with a log; post it in your next reply.

Step 2: Please download Minitoolbox from here: http://www.bleepingcomputer.com/download/minitoolbox/ and save to your desktop.

Run it and check the following options:

  • List 10 last log viewer errors
  • List Installed programs
  • List Users, Partitions and Memory size
  • List Minidump files

It will provide you with a log; post it next to the Security Check report.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.



#3 Bellanzarite

Bellanzarite
  • Topic Starter

  • Members
  • 3 posts

Posted 07 August 2013 - 11:19 AM

SecurityCheck log:
 

 

 Results of screen317's Security Check version 0.99.71  
 Windows 7  x64 (UAC is disabled!)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Disabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Google Chrome 10.0.648.127  
````````Process Check: objlist.exe by Laurent````````  
 Comodo Firewall cmdagent.exe 
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
 AVAST Software Avast setup avast.setup 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2% 
````````````````````End of Log`````````````````````` 
 

 

Minitoolbox log:

 

 

MiniToolBox by Farbar  Version: 13-07-2013
Ran by pc (administrator) on 07-08-2013 at 23:17:15
Running from "C:\Users\pc\Desktop"
Microsoft Windows 7 Ultimate   (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (08/08/2013 00:03:11 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (08/08/2013 00:03:11 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (08/07/2013 11:57:34 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
Error: (08/07/2013 11:57:34 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
Error: (08/07/2013 11:57:34 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
Error: (08/07/2013 11:57:34 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
Error: (08/07/2013 11:57:34 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
Error: (08/07/2013 11:57:34 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
Error: (08/07/2013 11:57:33 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
Error: (08/07/2013 11:57:33 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1144) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log. Error -546.
 
 
System errors:
=============
Error: (08/08/2013 00:00:20 AM) (Source: Service Control Manager) (User: )
Description: The ANIWConn Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (08/08/2013 00:00:09 AM) (Source: Service Control Manager) (User: )
Description: The ANIWZCSd Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (08/07/2013 04:41:30 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/07/2013 04:41:30 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/07/2013 04:41:30 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/07/2013 04:41:30 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/07/2013 04:41:30 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/07/2013 04:41:30 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/07/2013 04:41:28 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/07/2013 04:41:27 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
 
Microsoft Office Sessions:
=========================
 
=========================== Installed Programs ============================
 
Adobe Acrobat X Pro - English, Français, Deutsch (Version: 10.0.0)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.271)
AMD APP SDK Runtime (Version: 10.0.938.2)
AMD Catalyst Install Manager (Version: 8.0.881.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Media Foundation Decoders (Version: 1.0.70727.2220)
ANIWZCS2 Service
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (Version: 2.1.0.7)
avast! Free Antivirus (Version: 8.0.1489.0)
Bonjour (Version: 3.0.0.10)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2012.0806.1213.19931)
Catalyst Control Center Graphics Previews Common (Version: 2012.0806.1213.19931)
Catalyst Control Center InstallProxy (Version: 2012.0806.1213.19931)
Catalyst Control Center Localization All (Version: 2012.0806.1213.19931)
CCC Help Chinese Standard (Version: 2012.0806.1212.19931)
CCC Help Chinese Traditional (Version: 2012.0806.1212.19931)
CCC Help Czech (Version: 2012.0806.1212.19931)
CCC Help Danish (Version: 2012.0806.1212.19931)
CCC Help Dutch (Version: 2012.0806.1212.19931)
CCC Help English (Version: 2012.0806.1212.19931)
CCC Help Finnish (Version: 2012.0806.1212.19931)
CCC Help French (Version: 2012.0806.1212.19931)
CCC Help German (Version: 2012.0806.1212.19931)
CCC Help Greek (Version: 2012.0806.1212.19931)
CCC Help Hungarian (Version: 2012.0806.1212.19931)
CCC Help Italian (Version: 2012.0806.1212.19931)
CCC Help Japanese (Version: 2012.0806.1212.19931)
CCC Help Korean (Version: 2012.0806.1212.19931)
CCC Help Norwegian (Version: 2012.0806.1212.19931)
CCC Help Polish (Version: 2012.0806.1212.19931)
CCC Help Portuguese (Version: 2012.0806.1212.19931)
CCC Help Russian (Version: 2012.0806.1212.19931)
CCC Help Spanish (Version: 2012.0806.1212.19931)
CCC Help Swedish (Version: 2012.0806.1212.19931)
CCC Help Thai (Version: 2012.0806.1212.19931)
CCC Help Turkish (Version: 2012.0806.1212.19931)
ccc-utility64 (Version: 2012.0806.1213.19931)
CCleaner (Version: 4.04)
Comodo Dragon (Version: 27.0.4.0)
COMODO Firewall (Version: 6.2.20728.2847)
D3DX10 (Version: 15.4.2368.0902)
D-Link Wireless 150 USB Adapter DWA-125 (Version: 1.00.0000)
GeekBuddy (Version: 4.7.55)
Google Chrome (Version: 10.0.648.127)
Intel® Management Engine Components (Version: 8.1.0.1252)
Intel® USB 3.0 eXtensible Host Controller Driver (Version: 1.0.5.235)
Intel® Trusted Connect Service Client (Version: 1.24.388.1)
iTunes (Version: 10.6.1.7)
Junk Mail filter update (Version: 15.4.3502.0922)
Mesh Runtime (Version: 15.4.5722.2)
Messenger Companion (Version: 15.4.3502.0922)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Enterprise 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 4.0.50401.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
Platform (Version: 1.39)
VIA Platform Device Manager (Version: 1.39)
VLC media player 1.2.0-pre3 (Version: 1.2.0-pre3)
Winamp (Version: 5.581 )
Winamp Detector Plug-in (Version: 1.0.0.1)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live Family Safety (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
WinRAR archiver
 
========================= Memory info: ===================================
 
Percentage of memory in use: 20%
Total physical RAM: 8147.52 MB
Available physical RAM: 6457.43 MB
Total Pagefile: 16293.18 MB
Available Pagefile: 14347 MB
Total Virtual: 4095.88 MB
Available Virtual: 3961.29 MB
 
========================= Partitions: =====================================
 
1 Drive c: (OEM-7) (Fixed) (Total:195.08 GB) (Free:164.65 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:736.08 GB) (Free:735.05 GB) NTFS
3 Drive e: (DWA-125) (CDROM) (Total:0.05 GB) (Free:0 GB) CDFS
4 Drive f: (BELLA 8GB) (Removable) (Total:7.44 GB) (Free:7.44 GB) FAT32
 
========================= Users: ========================================
 
User accounts for \\PC-PC
 
Administrator            Guest                    pc                       
 
========================= Minidump Files ==================================
 
No minidump file found
 
 
**** End of log ****
Thanks for the help!



#4 Bellanzarite

Bellanzarite
  • Topic Starter

  • Members
  • 3 posts

Posted 10 August 2013 - 09:48 AM

Thank you for the help, but the problem is now solved.

As I know how infuriating that is for those who may be googling to solve this problem themselves, the solution was to wipe the hard drive and repair the MBR using, I believe, a Windows disk (I wasn't present). Had to reinstall Windows. Not sure if repairing the MBR is possible without wiping data, although I would assume it is.

Another alternative to using Windows to wipe is DBAN. (Doesn't usually work for RAID-arrayed hard drives.)
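As an added illustration (not code from this thread or from any of the tools it names): in a standard MBR the boot code occupies the first 440 bytes, while the four 16-byte partition entries sit separately at offset 0x1BE, which is why an MBR whose boot code a bootkit has overwritten can be repaired by rewriting only that region while the partition table, and so the data on disk, stays intact. The script parses a 512-byte MBR, hashes the boot code so it can be compared against a known-good copy, and shows that replacing the boot code leaves the partition entries unchanged; the sample MBR and the replacement stub are constructed placeholders, not real boot sectors.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code (the region a bootkit overwrites)
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries start here
SIGNATURE_OFF = 0x1FE   # last two bytes must be 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the partition table and the signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, n_sectors = struct.unpack("<II", sector[off + 8:off + 16])
        if ptype != 0:  # partition type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": n_sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def rewrite_boot_code(sector: bytes, new_code: bytes) -> bytes:
    """Replace only the boot-code region, as an MBR repair does; the disk signature,
    partition table and 0x55AA bytes are copied through untouched."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than 440 bytes")
    padded = new_code + b"\x00" * (BOOT_CODE_LEN - len(new_code))
    return padded + sector[BOOT_CODE_LEN:]

def diff_mbr(before: bytes, after: bytes) -> dict:
    """Report which regions differ between two MBR images (e.g. before and after a repair)."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code_sha256"] != a["boot_code_sha256"],
        "partition_table_changed": b["partitions"] != a["partitions"],
        "signature_ok": a["signature_ok"],
    }

def sample_mbr() -> bytes:
    """Constructed sample MBR, not a real boot sector: a two-byte 'jmp $' stub as boot
    code, one bootable NTFS-type (0x07) partition starting at LBA 2048, 0x55AA signature."""
    boot_code = b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2)
    disk_id_and_pad = b"\x00" * 6   # bytes 440..445: disk signature + reserved
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 409600)
    table = entry + b"\x00" * 48    # three unused slots
    return boot_code + disk_id_and_pad + table + b"\x55\xAA"
```

Calling `diff_mbr(sample_mbr(), rewrite_boot_code(sample_mbr(), b"\x90"))` reports the boot code as changed and the partition table as unchanged; on a real machine the same comparison would be run on the first sector read from the disk before and after the repair.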





