[No Reply] Virus in Windows boot partition?

The author of this help request did not reply to the thread in at least 5 days. Therefore, we are going to assume that he no longer needs our help, and close this support request.
If you are the author and still need help, please send a Private Message to any staff member within the next five days. Be sure to include a link to your thread in your private message.
Status
Not open for further replies.

Hohoho

New Member
Thread author
May 17, 2023
3
Hello. I accidentally (when booting a live USB Linux) found a very strange file in the Windows 7 boot partition.
It is called KWEGD, with no extension. Its SHA-256 checksum is a199cb65b19f2385f9afa97622d78fb7d0f2d5f8018c5de96b0df50c5bc39655.
VirusTotal found nothing, but detected it as a DOS executable (COM).

But when I uploaded it to run in Hybrid Analysis (also with bootmgr), its sandbox described it as malicious.

I zipped the boot partition. Can I upload it here? The extension is not supported.

What is it? What should I do?
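A defender-side triage helper for the situation in this post, added here as an example and not part of the original thread: it hashes a file, compares the digest with the SHA-256 the poster quoted, and types the file from its leading bytes the way a "DOS executable (COM)" label implies (no MZ/ELF header, under 64 KiB). The header heuristic and the entropy threshold are my assumptions, not VirusTotal's or Hybrid Analysis' logic, and the sample bytes are constructed.

```python
import hashlib
import math
from pathlib import Path

# SHA-256 the original poster quoted for the file KWEGD.
POSTED_SHA256 = "a199cb65b19f2385f9afa97622d78fb7d0f2d5f8018c5de96b0df50c5bc39655"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); values near 8 suggest packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_header(data: bytes) -> str:
    """Coarse typing from the leading bytes (assumed heuristic, not VirusTotal's):
    a small file with no MZ/ELF header is what scanners label 'DOS executable (COM)'."""
    if data.startswith(b"MZ"):
        return "MZ (DOS/Windows executable)"
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if len(data) < 0x10000:  # a COM image must fit in one 64 KiB segment
        return "headerless, under 64 KiB (COM-like code or plain data)"
    return "headerless, over 64 KiB (data or unknown format)"

def triage(name: str, data: bytes) -> dict:
    """Summarise one file: hash, size, coarse type, entropy and review flags."""
    digest = sha256_hex(data)
    entropy = shannon_entropy(data)
    flags = []
    if "." not in name:
        flags.append("no extension")
    if digest == POSTED_SHA256:
        flags.append("matches hash quoted in thread")
    if entropy > 7.0:  # assumed threshold for 'probably packed or encrypted'
        flags.append("high entropy")
    return {"name": name, "size": len(data), "sha256": digest,
            "type": classify_header(data), "entropy": round(entropy, 2),
            "flags": flags}

def triage_path(path: str) -> dict:
    # Read a file from disk, e.g. KWEGD on the mounted boot partition.
    p = Path(path)
    return triage(p.name, p.read_bytes())
```

Run `triage_path("/mnt/boot/KWEGD")` (path assumed) from the live USB to get the same hash, type and flags a helper would ask for before any cleanup is attempted.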
 

icotonev

Moderator
Verified
Staff Member
Mar 9, 2017
529
Hello! :) Excuse me for the delay! Please do the following and provide me the results for analysis:

Step 1:

Kaspersky Virus Removal Tool

  • Download Kaspersky Virus Removal Tool and save it to your Desktop
  • Hit the Windows Key + R at the same time
  • Drag and drop the KVRT icon on your Desktop into the Run box to the right of Open:
  • Add -dontencrypt so that it looks like C:\Users\<Your User Name>\Desktop\KVRT.exe -dontencrypt (with a space between .exe and "-")
  • Click OK
  • Review and place check marks in all 3 I confirm boxes then click Accept
  • Click Change parameters
  • Place check marks in the following categories:
      System memory
      Startup objects
      Boot sectors
      System drive
  • Click OK
  • Click Start scan
  • When completed click Continue
  • Close the program
  • Hit the Windows Key + E at the same time
  • Navigate to the C:\KVRT2020_Data\Reports folder
  • Right-click on the KLR file, which looks similar to report_2022.09.12_06.27.09, and select Open
  • Please attach the contents of the log in your next reply.

Step 2:

Malwarebytes Anti-Rootkit - Scan Only

  • Download Malwarebytes Anti-Rootkit and save it to your Desktop
  • Right click the mbar icon and select Run as administrator
  • Click OK to install it on your desktop
  • Click Next on the following screen
  • On the Update Database: screen click Update to download the latest definition updates then click Next
  • Click Scan and allow the process to complete
  • Click the Exit button not Cleanup
  • A system-log report will be created in the mbar folder placed on your Desktop. Please attach the contents of the log in your next reply.

Step 3:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.
If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

Note:
You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
---------------------------------------------------

In your next reply, please include:
  • Kaspersky report
  • MBAR report
  • FRST.txt
  • Addition.txt
 

icotonev

Moderator
Verified
Staff Member
Mar 9, 2017
529
Due to lack of activity, this topic is now closed.
If you still need help, open a new topic, and wait for a new helper.
 