
Windows 8.1 MBAM Crash, Possible Boot Sector Infection, Infected ISO?


3 replies to this topic

#1 Bladed


  • Members
  • 3 posts

Posted 04 June 2014 - 12:47 PM

Hello, I think I may be infected with a pretty nasty rootkit that may have affected my Master Boot Record and other stuff. Thanks in advance for any help at all.

TLDR: I think I have a rootkit that shuts down my PC whenever I run MBAM. I think it's hiding in memory or a boot sector (maybe even firmware) and may have hidden itself when I was running Win 7. The PC has been getting worse with BSODs; it seems like it's infecting .DLL files. It even crashed a VM.

Is there a tool or something I can boot off a disc or flash drive to scan for malware? Also, is there any way to scan for firmware / BIOS malware?

Backstory:
I upgraded to Windows 8.1 from Windows 7 Ultimate 8 days ago. I did a quick format using the Windows 8.1 installer and fresh installed Windows 8.1 to my RAID 0 SSD setup (2x Samsung 840s using Intel's RAID manager). The first thing I did was install all the Windows updates. Next I installed SoftPerfect's RAM Disk, allocated 7GB to a RAM disk, and changed the path of the TEMP folders to the RAM disk. Then I installed all the driver updates for my GPU, Intel chipset, Intel NIC (on the motherboard), every driver I could think of. Then I installed AVG Free edition and updated that. Next I downloaded the latest Firefox, installed/updated Java, and installed some software that came with my motherboard (Asus Fan controller, Digi+, Charge+, and cFosSpeed packet manager). I flashed my BIOS with the latest version downloaded from Asus' website (using a USB drive and the utility built into the Asus motherboard BIOS). Lastly I downloaded Steam, uPlay, and Watch_Dogs. Everything was running well; I ran the AVG tool to fix what they found were registry issues and broken links, etc. (their optimization thing). I also did 2 full PC scans and AVG didn't pick up anything. The computer was still stable and fine. It ran perfectly until.....

 

First Issue:

Everything was still fine until I decided to try to run MBAM Anti-Malware. I downloaded the Free version and decided to try out the Premium for 14 days. On the first scan I did, I checked the "Scan for Rootkit" box and had it scan every drive in my computer (C: is the SSD RAID array, T:\ was a 1 terabyte HDD, R:\ was my 7GB RAM disk). My PC shut down without any warnings or hiccups about 25 seconds into the scan. I thought that it may have been an issue with AVG and the RAM disk, so I disabled the RAM disk and AVG. It still crashed. Next I uninstalled AVG and ran MBAM again, and it continued to crash. I uninstalled MBAM with the mbam-clean.exe tool, reinstalled AVG, and put my PC to sleep. I came back about 3 hours later, tried to wake it from sleep, and the PC screen was black. I kept turning it off and back on and couldn't get anything to appear on the screen, not even the BIOS logo or anything.

I thought it was a hardware issue since the MB was giving error code 55, which after researching I found is related to RAM issues. I found a fix which required me to clear the CMOS, reseat the RAM modules, and hit the MemOK! button. After getting it to display the logo screen, I ran MemTest86 and tested my RAM. No errors were found. I booted back into Windows and everything seemed fine.

Second Time:
I decided to try the MBAM Anti-Rootkit Beta and the same thing happened. After 25 seconds, the PC shut down instantly, booted back up, and restarted about 3 times before it took me to the Windows login screen. I tried uninstalling it with mbam-clean.exe and reinstalling it; the same thing happened. This time I had to clear the CMOS, reseat the RAM modules, and hit the MemOK! button again. I uninstalled again with mbam-clean.exe. The logs didn't show anything unusual; I guess it shut down before it could write what happened.

Third Time (VirtualBox): This time I decided to install Windows 8.1 in a VM using the same disc I used for my host OS. It installed to the VM fine, and I decided to run MBAM Anti-Rootkit without downloading anything at all: no updates, programs, anything. It was a fresh install, only minutes old. MBAM was running fine for about 5 minutes (the longest amount of time I've gotten MBAM to run) and finished scanning the first 2 tests, but when it got to the registry it froze for about 15 seconds, then my entire PC shut down. Not just the VM software, but the whole system. To get it to boot, I had to do the same process of clearing the CMOS, reseating the RAM modules, etc. I thought it was very odd that a VM could cause that kind of issue.

Continued Issues: I was just going to accept the fact that I had some malware on my desktop and continue playing Watch_Dogs and worry about removal later. The PC was still working fine, until last night when I tried to wake it up from sleep again. It woke up, then Windows BSOD'd. Repeatedly.

The first error when it came back on was "System_thread_exception_not_handled". Windows said it was gathering info but remained at 0% for 20 mins, so I just held down the power button. When I tried to boot it back up, Windows did its repair thing, with the Windows logo, and kept restarting.

The 2nd error that showed up when it finally blue screened again was NDIS.SYS. I let Windows finish compiling that report (took about 35 seconds), then it restarted. When it came back on I got....

The 3rd error. After the Intel page showing the RAID drives and the ASUS boot logo, instead of going to Windows a black screen appeared with "Bootsector not found or Damaged, Unable to Boot" or something similar to that language. I turned it off and back on again and Windows said it needed to repair stuff, but couldn't. I restarted it, hit the troubleshoot option and hit repair, and it seemed like it fixed it. I was able to boot into Windows, log in, and I let it idle for about 5 minutes on the desktop. Then it crashed again.

4th error was something about Network.dll or something to that effect. I forgot to write down the exact .dll file name but after googling it, it was definitely related to NIC drivers.

5th error was something about the MBR; it disappeared too fast for me to write it all down. This appeared on a black screen before Windows booted.

6th error was "System_thread_exception_not_handled (cfosspeed)", which I believe is the packet shaping software. I think the malware was trying to infect the network .dll files but since they weren't a typical configuration it was having trouble.

I decided to just unplug the desktop and work on it today. I just tried turning it on and first the PC freezes when it should boot into Windows. Right after the motherboard manufacturer's logo where it says "press F2 or Del for setup", the "press F2 or Del" disappears but the logo stays on the screen and freezes. Powering the PC off and on got it to the blue Windows logo, but there are a few screen flashes afterwards that are too quick to read, then it freezes. I restarted it again and nothing is displayed. Not the boot logo or the Intel RAID screen. It takes about 20 seconds for the keyboard and mouse (USB) to even get power and the monitor to get a signal, but the screen was still black. I turned it off and back on again and it got to the Windows logo that said "Automatic repair", then it blue screened. It restarted itself, then blue screened again too fast for me to see what the error was. Now it tried to boot again and got the following error:

"The operating system couldn't be loaded because the kernel is missing or contains errors.

File:\windows\system32\ntoskrnl.exe
Error Code: 0xc0000221"

One thing to note: when I was running Windows 7, I was watching videos on Crunchy Roll using Chrome when all of a sudden my PC started downloading and running files (the old school gray Windows box with the blue squares for progress popped up). It seemed to be a bunch of small files since they finished downloading/installing quickly, so I unplugged the PC after about 8 seconds. I had to repair my RAID array but it seemed fine after that. I ran MBAM and got rid of a few files so I thought I was safe. This was about 75 days ago.

Sorry for the extra long post, tried to be as detailed as possible.
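The post above asks for a way to tell whether the boot sector has been tampered with. The script below is an added example (not from the original post and not part of MBAM, AVG, or any other tool named in the thread): it parses a 512-byte Master Boot Record, checks the 55 AA boot signature, decodes the four partition table entries, and compares the sector against a SHA-256 baseline captured right after a clean install. The two sectors it analyses are constructed in code, not captured from the poster's machine; the device paths in the docstring are assumptions about where a practitioner would read the real first sector from.

```python
"""Parse a 512-byte MBR and compare it against a known-good baseline hash.

Added example: the sample sectors below are constructed in code. On a real
system the first sector is read read-only from the raw disk device (assumed
paths: r'\\.\PhysicalDrive0' on Windows from an elevated prompt, /dev/sda on
Linux) and the baseline hash is recorded right after a clean install.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = 0xAA55          # stored little-endian as bytes 55 AA at offset 510
PARTITION_TABLE_OFFSET = 446     # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16

# Small subset of partition type IDs, enough for the constructed examples.
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS/exFAT", 0xEE: "GPT protective", 0xEF: "EFI system"}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02X})")


@dataclass
class MbrReport:
    signature_ok: bool              # False if the 55 AA marker is missing
    sha256: str                     # hash of the whole sector
    boot_code_sha256: str           # hash of bytes 0..445 only
    partitions: List[PartitionEntry]
    baseline_match: Optional[bool]  # None when no baseline hash was supplied


def parse_partition_entry(index: int, raw: bytes) -> PartitionEntry:
    # Layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
    status, type_id, lba_start, sector_count = struct.unpack("<B3xB3xII", raw)
    return PartitionEntry(index, bool(status & 0x80), type_id, lba_start, sector_count)


def analyse_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> MbrReport:
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    (signature,) = struct.unpack_from("<H", mbr, 510)
    table = mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE]
    partitions = [parse_partition_entry(i, table[i * 16:(i + 1) * 16]) for i in range(4)]
    digest = hashlib.sha256(mbr).hexdigest()
    match = None if baseline_sha256 is None else digest == baseline_sha256.lower()
    return MbrReport(signature == BOOT_SIGNATURE, digest,
                     hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(), partitions, match)


def findings(report: MbrReport, baseline: Optional[MbrReport] = None) -> List[str]:
    """Human-readable verdicts; an empty list means nothing stood out."""
    out = []
    if not report.signature_ok:
        out.append("boot signature 55 AA missing: sector is damaged or not an MBR")
    if report.baseline_match is False:
        out.append("sector differs from the known-good baseline")
        if baseline is not None:
            key = lambda r: [(p.type_id, p.lba_start, p.sector_count) for p in r.partitions]
            if key(report) == key(baseline) and report.boot_code_sha256 != baseline.boot_code_sha256:
                out.append("partition table unchanged but boot code changed: the pattern a bootkit leaves")
    return out


def build_sample_mbr(boot_code: bytes, entries: List[tuple]) -> bytes:
    """Constructed sample sector for the demo; not read from any real disk."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00") + table + struct.pack("<H", BOOT_SIGNATURE)


# Constructed baseline: a GPT/UEFI disk shows one 0xEE protective entry spanning the disk.
KNOWN_GOOD_MBR = build_sample_mbr(b"\xEB\xFE", [(0x00, 0xEE, 1, 0xFFFFFFFF)])
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_MBR).hexdigest()

# Constructed tampered copy: identical partition table, four bytes of boot code changed.
TAMPERED_MBR = bytes(KNOWN_GOOD_MBR[:0x10] + b"\x90\x90\xE9\x00" + KNOWN_GOOD_MBR[0x14:])

if __name__ == "__main__":
    good = analyse_mbr(KNOWN_GOOD_MBR, KNOWN_GOOD_SHA256)
    for label, sector in (("baseline", KNOWN_GOOD_MBR), ("tampered", TAMPERED_MBR)):
        report = analyse_mbr(sector, KNOWN_GOOD_SHA256)
        print(label, report.sha256[:16], [p.type_name for p in report.partitions if p.type_id])
        for line in findings(report, good):
            print("  !", line)
```

The useful signal is the split between the partition table and the boot code: a repair tool or a reinstall rewrites the table, while a boot sector infection typically leaves the table alone and changes only the first 446 bytes, so hashing the two regions separately tells the two apart. Reading the live sector from inside a possibly compromised Windows is the weak point of this check, which is why the poster's instinct to boot from separate media (as in post #2) is the right one.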

 



#2 Bladed

  • Topic Starter

  • Members
  • 3 posts

Posted 12 June 2014 - 10:26 PM

Just an update. It looks like whatever I had did indeed infect the BIOS. I used Parted Magic to delete the MBR and GPT, then did an internal secure erase on both SSDs. When installing Windows 8, on the first reboot after unpacking the files to the SSD it started getting errors, first on TCPIP.sys then fvevol.sys. So it was attacking my install before I even had Windows fully installed. The pattern I noticed is that it usually always starts attacking some network protocol, then my filesystem / MBR / boot sector, then it would go after my VGA or any display adapters.

I think Windows 8 installs or modifies the BIOS in some way since it's UEFI. It must have loaded itself on my SSDs' MBR when I had Windows 7, then when I upgraded to Windows 8 injected itself into the BIOS.

To get rid of it, I had to clear the CMOS, flash the BIOS in stand-by power mode (one benefit of using an Asus ROG motherboard), then boot into Parted Magic again and clear the drives. Now I'm safely booted into Windows 8.1 Enterprise again :)

To be safe, I'll flash my GPU BIOS, the firmware in my NIC, PCI bus, and Intel Management Engine. Windows updates are taking much longer than they used to, so I'm kind of suspicious...



#3 Bladed

  • Topic Starter

  • Members
  • 3 posts

Posted 16 June 2014 - 11:13 AM

2nd Update. Looks like the malware is back. I did another clean install, deleted the GPT and MBR and secure erased both SSDs, and flashed the BIOS as well as the Intel Management Engine modules and Intel NIC ROM. I did a scan with Malwarebytes Anti-Malware and it showed that Windows was clean without any malware.

Next day, I boot up Windows and when the login screen comes up, it flashes black for a second. I did an AVG scan with their rootkit detection and nothing came up. I ran MBAM again and it shuts off in the middle of the scan. I logged back into Windows and downloaded TDSSKiller and enabled all the parameters (Loaded Modules, Verify signatures, and Detect TDLFS file system), which required a reboot.

Upon rebooting I got an error message with the cmd window open and everything was black. The error was: "Windows cannot find (798667CD-CEC2-4AF9-A02F-D6194364040E.exe). Make sure you typed the name correctly and then try again". No idea what that is.

I ran the TDSSKiller scan anyway and it didn't detect anything. I ran MBAM in safe mode and it didn't detect anything, nor did it crash. Not sure what else I can do. I guess monitor network traffic and don't put sensitive information on this computer?



#4 boopme

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 June 2014 - 02:04 PM

Hi... due to all the replies, it looks like you have help...

This will require a deeper look to fix.

Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.