My main PC wouldn't boot, and the Windows recovery couldn't help at all (mainly because I have found out it's a fake version of the recovery environment provided by the virus / bootkit / rootkit), and it just destroyed my installation further.
Trying to boot up rescue CDs is useless as the main HDD isn't recognised, and even if they do boot up they are in Linux mode (seems to be controlled by the bootkit). Although... I did manage to hotplug my HDD halfway through booting Bitdefender's rescue CD and it somehow recognised it - I ran a scan and it found trojans and removed them - but the virus definitions are out of date as I cannot get online to update them.
I looked in the BIOS tools on Hiren's boot CD (I can only seem to get boot CDs to load when using legacy mode and not UEFI mode - probably so that I cannot see the HDD and try to clean them using these tools) and it mentioned a plug and play BIOS being in use.
Everything is locked down if I boot using the Linux tool Parted Magic (I think?) from Hiren's CD - root is controlling everything. I have tried to change permissions but no matter what I try root is king.
It has spread to two Windows 10 laptops doing the exact same thing. And worryingly the 127.0.0.1 IP address is showing on my iPhone as a discoverable network - it's been acting very strange and I'm worried it may have a jailbroken iOS installed on it via this whole virus hell which is within our home network. My iPhone has these ports open after scanning localhost with Fing: 1080 socks, 1083 anasoft licence manager, 8021 ftp-proxy.
PLEASE PLEASE can someone help. I have no idea what to do from here. Is it time for a new motherboard? Can this virus exist in the firmware of other PCI devices too? I'm so lost I have no idea what to do.
EDIT - The owner of all files is also LSASETUPDOMAIN ADMIN under Windows XP Mini, and I noticed before my Windows 10 install died that a load of registry entries had been set up for new users (S0-xxxxxxx etc.).
All were running Windows 10. The two laptops I have managed to clear the hard drives (I think) but the virus still seems to be controlling the machine from the BIOS. I don't know if the scans will tell you anything useful (named FRST15.txt and FRST17.txt).
EDIT - I forgot to mention my PC has 4 HDDs in a RAID array which I cannot set up until I have access to Windows. I'm worried these HDDs may have viruses on them too as the temp folder for Windows was set to use this RAID... and Bitdefender did detect a virus in the temp folder before all the hell broke loose.
The drives have probably been formatted during my aim to get rid of the virus.
Even though the drives may be formatted, the virus seems to still exist in the boot-up sequence, controlling the majority of the operations. Does that make sense?
I would concentrate on your main PC: boot to the Recovery Environment; from the Choose an Option window select "Troubleshoot"; from that window select "Reset this PC" and follow the prompts from there. I would go for a full reset and save nothing...
I think some MBR work is needed.
Seeing as I can get into command root, can I not run a specific root/boot kit virus scanner via the command line? Will something like that pick up viruses in the BIOS etc.? I tried TDSSKiller cmd but it needs a licence lol. Any other suggestions on a decent cmd line scanner?
My Plex account was also mentioned for the media server running on my NAS box - this used NetBIOS over TCP/IP and SMB - both of which I think are old and very vulnerable.
I noticed that my Windows install started acting weird. Security Centre would hang frequently when trying to change important settings. Trying to change settings would take me to a Microsoft login in Edge with a long and strange-looking URL.
My Microsoft account showed unsuccessful sync attempts from China but I changed my password just in case and locked down most of the security settings. I think it was too late even at this point and someone was slowly building up their very clever and patient hacking method.
Back to the laptop - managed to get into the Acronis rescue CD, clean the drive and set a new partition. Installed Windows again - within 30 mins the system was compromised because the malware in the UEFI still exists.
Though there are some known BIOS attacks and a single known UEFI attack (it was from a UEFI firmware back in 2008; no one would be using a computer with firmware that old today), a BIOS or UEFI attack is extremely unlikely unless you were possibly a State-level target, in which case you wouldn't be here looking for help. So, let's rule those out as an issue and look at other things more likely and in the realm of reality.
There are reasons to run RAID at home, but as I think you're finding out there are also severe drawbacks. RAID can run disk-based IO tasks much faster than a single drive. It can also recover (if implemented correctly) from a failed or failing drive in the volume, thus preventing data loss due to a drive failure.
That is the good part. The bad part is that any time something breaks that has to do with drive geometry, firmware, or hardware settings it can be extremely difficult to impossible to recover data. Unless you have a high level of experience with setting up and recovering from various issues, using RAID at home would not be something I would recommend. Keeping your data safely backed up at all times is the key to surviving hardware, software, or other threats to your data.
There are some bootkit / MBR (master boot record) infections: some just rewrite it, some delete it, and some encrypt it. If you were using a single disk (non-RAID) you could probably do at least some data recovery as long as there was no physical hardware failure going on. In your case though, by using RAID, it makes any type of recovery aside from hardware failure much more difficult.
Before we go on to try and fix your system, please answer my questions about your setup and use of RAID. In many cases, unless this is set up in hardware, booting to CD/DVD/USB media will not recognize the hard drive as a valid medium to mount and use.
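The three MBR outcomes named in the post above (rewritten, deleted, encrypted) can be told apart from a copy of sector 0, for example one read from the disk with a rescue CD. The Python below is an added example, not code from this thread or from any tool mentioned in it; it assumes a SHA-256 of the boot-code area captured while the install was known clean, and the sample MBR bytes are constructed for the demo.

```python
import hashlib
import math
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in [data.count(b) for b in range(256)] if c)

def assess_mbr(sector: bytes, baseline_boot_hash: str) -> str:
    """Classify an MBR against a baseline hash taken from a known-clean install (assumed)."""
    if sector == b"\x00" * MBR_SIZE:
        return "deleted"  # sector wiped: nothing left to boot from
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        # No 55AA marker: a bootkit that encrypts the MBR leaves high-entropy noise here
        return "encrypted" if entropy(sector) > 7.0 else "corrupt"
    if info["boot_code_sha256"] != baseline_boot_hash:
        return "rewritten"  # table still valid, but the boot code is not what was installed
    return "intact"

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real disk dump): one bootable NTFS partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48
    return boot_code.ljust(440, b"\x90") + b"\x12\x34\x56\x78" + b"\x00\x00" + table + BOOT_SIGNATURE

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:440]).hexdigest()  # captured while the install was clean
REWRITTEN_MBR = build_sample_mbr(b"\xeb\xfe")                  # same table, different boot code
ENCRYPTED_MBR = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 noise bytes
```

Run `assess_mbr(sector, BASELINE_HASH)` on the 512 bytes read from the suspect disk; a "rewritten" or "encrypted" verdict is what the post describes, and a valid partition table with changed boot code is the typical bootkit footprint.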
When you say is it software based or hardware based, are you referring to the RAID? It runs on a separate (old and not updated) Marvell chipset which I have no idea how I got to run on Windows 10 - I just remember it was a very fiddly job to get it working when I upgraded to Windows 10.
My point is that if the data was encrypted then until you detect which actual infection it is there is no way to recover the data. If you have your data backed up as an image that you can mount and extract or copy the data from, then my advice would be to just break the RAID volume, pick one of the drives and format it, and install Windows again from scratch using one disk only and not using RAID.
You can download and build a Windows 10 USB disk image that can be used to explore the disk if it mounts, but again - it is unlikely that the RAID volume will be recognized and accessible outside of the real Windows installation.
When I plugged in my spare Vista drive the other day to try and boot into Vista, all that was plugged in to the motherboard was the CD drive, memory, PSU and USB 3 connector slots. The Vista install was compromised - so it suggests this virus is living in either one of those peripheral / internal devices, or the motherboard / BIOS / UEFI ROM?
Burn to your USB thumb drive. Then boot from that thumb drive on the affected computer. Check your computer vendor website for which hot keys or BIOS settings to use. If unsure let me know the name of the computer manufacturer, if laptop or desktop, and model number and I'll check for you.