
Hi

Tried the SysRescue live CD, clicked boot but am unsure if it checked the UEFI BIOS for rootkits.

How to scan the UEFI BIOS?

Thanks


It's not possible. ESET for Linux does not scan UEFI.


So how to do that? On my new laptop I have Win10 but with a McAfee trial.


I am not sure SysRescue will scan the UEFI. According to this: https://support.eset.com/kb3509/?locale=en_US&viewlocale=en_US , it only scans boot sectors. Appears to me you will have to use an Eset installed product to scan UEFI.

-EDIT- You can give Eset's Online Scanner (installed version) a shot and see if it has a setting to scan the UEFI: https://support.eset.com/kb2921/?locale=en_US&viewlocale=en_US

Edited by itman


Thanks, but in order not to mess up my hard disk as well, I have not connected any HD. Tried the online scanner but it seems not to scan the UEFI BIOS, but I am sure I have such a BIOS trojan on my PC. Why? Because I don't have any HD connected but get errors, even a virus found with Hiren's boot CD. On Ubuntu I get 2 files in ~/.gnupg which is not normal but used for an encrypted download of a trojan later on.

Anything else to do but return the Asus motherboard? Already did that twice. Where else could the problem be?

4 hours ago, mike4 said:

Where else could the problem be?

It is not unheard of for anything firmware related to be possibly infected. For example, any add-on PCI Express bus cards such as a network adapter card, etc. As far as motherboard chipsets go, JMicron ones have long been suspected.

Are your memory chip card/s from a reliable vendor?


I don't have any network cards, only an ASUS ROG Strix Z390-F Gaming motherboard,

but I'll also return my Nvidia graphics card and the DDR4 memory modules, as I suspect the memory to be corrupted by the virus. Hopefully that should fix it finally, or could I be missing something else?


I really think you're being a bit "paranoid" on this issue. If you really believe you have firmware related malware, and you have shown no proof of this, you should have your device checked out by a competent security professional.


I'm not paranoid, I'm simply running out of ideas after sending the motherboard back to Asus warranty twice.

31 minutes ago, mike4 said:

I'm not paranoid, I'm simply running out of ideas after sending the motherboard back to Asus warranty twice.

If you are really worried, you could flash your BIOS again with the latest BIOS update from ASUS, format your PC and reinstall your Windows and see if there are any differences.

On 3/19/2019 at 6:20 AM, mike4 said:

So how to do that? On my new laptop I have Win10 but with a McAfee trial.

Let's back up to this posting.

I don't know how good McAfee is at detecting UEFI/BIOS malware. However, I do know Eset's AV scanner can detect the same. I suggest you uninstall McAfee. Reboot and install either NOD32 or Eset Internet Security in 30 day trial mode. Either one, as part of the installation process, will run an in-depth scan on all connected SSDs/HDDs; see the screenshot below. This in-depth scan will include a UEFI/BIOS scan.

Ref.: https://www.eset.com/int/home/free-trial/

[Screenshot: Eset_Scan.png]

Edited by itman


Thanks, I intend to move to Eset when the McAfee trial ends, also because I use both Win10 and Ubuntu. Is there a product line for both OS?

BIOS flash I did many times, foremost with my old PC before trashing it.

So I'm fed up with Asus and will ask for a refund and buy a similar motherboard, maybe MSI etc. Thanks itman for the link.

Last question, should I return today also the RAM memory and Nvidia graphics or is this paranoid?

Thanks again

Edited by mike4

6 hours ago, mike4 said:

Last question, should I return today also the RAM memory and Nvidia graphics or is this paranoid?

I would say it's paranoid.

The only memory attack I know of is Rowhammer and it applies to ECC memory, which most users don't purchase due to its higher cost: https://www.wired.com/story/rowhammer-ecc-memory-data-hack/ .

As far as an Nvidia firmware hack, I have never heard of one.


OK so I've returned my graphics card, Asus motherboard and RAM. Motherboard is now MSI. Installed, booted from CD and get on Win a trojan downloader, on Ubuntu two files in .gnupg. Exactly like before. So where could the virus hide? In the monitor? Motherboard and RAM seem new, graphics card might have been returned untested for virus?

What to do? I'm asking my shop to take back all including monitor.

Edited by mike4

On 5/25/2019 at 9:37 AM, mike4 said:

OK so I've returned my graphics card, Asus motherboard and RAM. Motherboard is now MSI. Installed, booted from CD and get on Win a trojan downloader, on Ubuntu two files in .gnupg. Exactly like before. So where could the virus hide? In the monitor? Motherboard and RAM seem new, graphics card might have been returned untested for virus?

What to do? I'm asking my shop to take back all including monitor.

I'm a little confused. What evidence do you have that you have a trojan?


With Hiren's boot CD antivirus it finds a trojan downloader in Windows\system32.

Also on the Ubuntu live CD those 2 files are used for encrypted downloads.

I have no HD connected nor internet connection.

PS: sorry for not being clear. My laptop with McAfee is OK, but only my PC has the above problems since 6 months.

Edited by mike4

1 hour ago, mike4 said:

With Hiren's boot CD antivirus it finds a trojan downloader in Windows\system32.

What AV do you have loaded on the Hiren's boot CD? It could very well be giving you a false positive detection. It also appears that it is incapable of removing whatever it is detecting; most likely since it is in the System32 directory. 

Do this. Note the name of the file the AV is detecting in the System32 directory. Boot into Windows. Then submit that file to VirusTotal here: https://www.virustotal.com/#/home/upload for a scan by the various AV engines it uses. If none or only one or two of the engines flag the file as malware, assume the Hiren's boot CD AV detection is a false positive.

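The triage itman describes above (note the flagged file, hash it, look it up on VirusTotal, and treat a hit from none or only one or two engines as a probable false positive) can be scripted so the file never has to be uploaded when its hash is already known to VirusTotal. The example below is added here and is not code from the thread or from ESET; it uses the real VirusTotal API v3 file-report endpoint (`GET /api/v3/files/{sha256}` with an `x-apikey` header), but the environment variable name `VT_API_KEY`, the sample bytes and the engine counts are constructed for illustration. Without an API key it only hashes the file and prints the lookup URL.

```python
"""Added example (not part of the forum thread): hash a suspect file, build the
VirusTotal lookup for it, and apply the "none or only one or two engines" rule
of thumb to the engine counts VirusTotal reports."""
import hashlib
import json
import os
import urllib.request

# Real VirusTotal v3 file-report endpoint; the key is read from VT_API_KEY,
# a variable name chosen for this example.
VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory buffer (VT identifies files by SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries hash without being loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup_url(sha256_hex):
    """A hash lookup uploads nothing; the digest alone queries VT's existing reports."""
    return VT_FILE_ENDPOINT + sha256_hex


def classify_detections(last_analysis_stats, fp_threshold=2):
    """Apply the thread's rule of thumb to VT's last_analysis_stats dict:
    at most fp_threshold engines flagging the file -> probable false positive."""
    malicious = int(last_analysis_stats.get("malicious", 0))
    suspicious = int(last_analysis_stats.get("suspicious", 0))
    undetected = int(last_analysis_stats.get("undetected", 0))
    harmless = int(last_analysis_stats.get("harmless", 0))
    flagged = malicious + suspicious
    if flagged + undetected + harmless == 0:
        return "unknown"  # no engine results: the hash is not in VT, so the file itself must be scanned
    if flagged <= fp_threshold:
        return "probable-false-positive"
    return "likely-malicious"


def fetch_vt_stats(sha256_hex, api_key):
    """Live report lookup; only called when an API key is available."""
    req = urllib.request.Request(vt_lookup_url(sha256_hex), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    return data["data"]["attributes"]["last_analysis_stats"]


def triage_file(path, api_key=None):
    """Return the digest, the lookup URL and, when a key is given, the verdict."""
    digest = sha256_of_file(path)
    report = {"sha256": digest, "lookup_url": vt_lookup_url(digest)}
    if api_key:
        report["verdict"] = classify_detections(fetch_vt_stats(digest, api_key))
    return report


if __name__ == "__main__":
    # Constructed stand-in for the detected file; a real triage points at the
    # System32 path the boot-CD scanner reported.
    sample = "suspect_sample.bin"
    with open(sample, "wb") as f:
        f.write(b"MZ constructed sample, not real malware\n")
    print(json.dumps(triage_file(sample, os.environ.get("VT_API_KEY")), indent=2))

    # Constructed engine counts (not real VT results) showing both sides of the rule.
    print(classify_detections({"malicious": 1, "suspicious": 0, "undetected": 68, "harmless": 0}))
    print(classify_detections({"malicious": 41, "suspicious": 3, "undetected": 26, "harmless": 0}))
```

The threshold of two is the thread's heuristic, not a VirusTotal recommendation; for a file in System32 it is also worth checking whether the reported path is a legitimate Windows binary before acting on the verdict.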
3 hours ago, mike4 said:

With Hiren's boot CD antivirus it finds a trojan downloader in Windows\system32.

Also on the Ubuntu live CD those 2 files are used for encrypted downloads.

I have no HD connected nor internet connection.

PS: sorry for not being clear. My laptop with McAfee is OK, but only my PC has the above problems since 6 months.

I'm confused about the HD part. No hard drive? If so, how are you doing anything, or do you mean external?

Like itman said, it could be a false positive. Any info on what it found? Can it be uploaded to VirusTotal?

Also, what made you run Hiren's boot CD? Did you see something suspicious?


Based on what is shown here: https://www.hirensbootcd.org/download/ , what is loaded on the Hirens Boot CD are old versions of MalwareBytes and Eset's on-line scanner. The current ver. of Eset's on-line scanner is 3.0.17.0. For MalwareBytes, the current ver. is 3.7.1.2839. As such, I would be skeptical of any detections by either.

Edited by itman


OK. I am getting up there in age and as such you have slow days. So let's take this "from the top" again.

You stated that you are receiving malware detections from the security software loaded on the Hiren's boot CD even with your hard drive not connected. The detections are coming from the System32 directory. This can only mean that the Win PE version loaded from the Hiren's boot CD is getting infected. So let's go through the possible scenarios on how this could happen.

1. I believe the Hiren's boot CD is delivered as an .iso file and all you do is create bootable media using the .iso file. The first possible source of malware could have been on the device you created the bootable media from. For example, the software you used to create the bootable media could have contained malware and it infected one of the files needed for booting from the CD. Also the above would be applicable for the original Eset SysRescue media you created.

2. The Hiren's .iso file you downloaded contains malware. I don't know where you downloaded it from.

3. I believe the Win PE version used does establish a network connection. So it is possible something was downloaded from the Internet while Win PE was running and in turn dropped malware into its System32 directory. This would be more likely if there was malware preloaded into the .iso file that established a connection to a malicious C&C server. Or your router is compromised to the point it is allowing unsolicited inbound connections, etc.

In any case, at this point all we know is that the Win PE version you are running is getting infected with malware originating from the Hiren's boot CD.

If you have reason to believe that the PC you noted is getting infected, you would have to post details on what malware is being detected on that. At this point, and based on the limited data provided, I would suspect your router is compromised in some way. Although you did state that your notebook is OK and I assume it is also connecting through the same router.

Finally, remember this is a web site forum for Eset users and I believe you haven't purchased an Eset license yet. As such, any malware assistance will be very limited in nature. 

Edited by itman


Just downloaded, burned and scanned a new Hiren's boot CD. Booting the PC now shows a blue screen "a device needs to be repaired".

I've only used my laptop in the last months so the cd must be clean.

--------

- Where to disable spelling correction on Windows?

- Can I install the Eset trial on multiple devices and OS? (laptop now as McAfee expired, later PC and Linux)

Thanks

Edited by mike4


Again without you posting specifics on malware being detected, no one can really help on this issue.

4 hours ago, mike4 said:

- Can I install the Eset trial on multiple devices and OS? (laptop now as McAfee expired, later PC and Linux)

Yes as far as I am aware of. But you would have to download and install Eset in trial mode on each device.

Edited by itman


Took my old CD and it booted...

Two screenshots. Any ideas on those?

[Attachment: IMAG0014.JPG]

[Attachment: IMAG0016.JPG]

2 hours ago, mike4 said:

Took my old CD and it booted...

Wind.exe is a PUA: https://www.bleepingcomputer.com/startups/wind.exe-6367.html

My best guess is it was preloaded in the Hiren's boot cd .iso file in one of the included programs/utilities.

-EDIT- I am assuming that your hard drive was disconnected when this scan was run?

Edited by itman
