Win64/Bootkit.VBR infection

[soccer97]

I will have to say I never expected an infection. I thought my User profile was corrupt. HitmanPro detected Win64/Bootkit.VBR along with many other suspicious files. All definitions are up to date (including aswMBR definitions). I am hoping it is a False Positive. The requested logs along with the HitmanPro log are attached.


The PC is my main concern. I will be in the hospital later this week.


I suppose I should call my banks and CC companies. I have been using online banking more :/.


Thanks in advance!


If it is relevant:
My university also contacted me and my Android device was detected by their IDS as having malware and thus blocked from the system. (It was adware - probably unrelated).

ET MALWARE Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 164.111.195.71:49022 -> 74.125.21.114:80 ETPRO MALWARE Win32/BrowseFox.AF Checkin [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 164.111.195.71:62369 -> 97.67.101.88:80 ETPRO MALWARE Win32/BrowseFox.AF Checkin [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 164.111.195.71:62370 -> 97.67.101.88:80

They advised doing a factory reset on the android phone.

 

[TwinHeadedEagle]

Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:

• At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
• Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  
• All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
• If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
• I visit forum several times at day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  
• Please attach all report using
  
  button below. Doing this, you make it easier for me to analyze and fix your problem.
  
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay for the repair.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

 

[Deleted member 178]

the bootkit (Volume boot Record in HMP screenshot) is from Rollback RX, it's an False Positive, i thought HMP would whitelist it , it's being there since years... DO NOT delete it, if you do , your system will be unbootable !

 

[soccer97]

TwinHeadedEagle,

Attached are the requested logs (FRST and Addition).


Umbra. Thank you for the warning about the bootkit. That crossed my mind. A Google search hinted it may be Aleuron or a TDSS like virus. Thats why I posted here. Thank God I didn't delete it or I would be in trouble.

Thank you both for your replies.

 

[TwinHeadedEagle]

That is definitely FP. You can download TDSS Killer just to be sure, but I don't think it will find something.

 

[soccer97]

1.) So is my PC clean based on all of the logs?

2.) In regards to the android device, I wiped the cache twice and did a factory reset twice. I do have important files on the SD card. How can I prevent them from potentially infecting my PC when I try to move some of the files to my PC?

 

[Deleted member 178]

1- @TwinHeadedEagle will answer you for that , that is its field

2- install an AV like Avast Mobile, im using it.

 

[soccer97]

1- @TwinHeadedEagle will answer you for that , that is its field

2- install an AV like Avast Mobile, im using it.

I will look into Avast. I have a paid subscription for ESET Mobile Security for Android that is good for another year - but didn't detect the infection (that was available for a major discount on Black Friday I believe in 2014). I will look into it though. If anyone has a Galaxy S5, I manually checked and got a new Security Policy update today (NOT a new Firmware/OS release). You may want to look for that deal this Black Friday or around Thanksgiving.

 

[TwinHeadedEagle]

For USB spreading malware, you can use MCShield

MCShield ::Anti-Malware Tool::

Yes, your PC seems clean.