Suspicious IPs in Wireshark?

Bought a laptop which had preinstalled malware in it. Wiped it clean and installed Windows 7 from scratch. No signs of malware anymore, but I'm thinking the UEFI might be flashed with malicious software.

I have just started experimenting with Wireshark to see whether, with browsers closed and so on, the system will still connect anywhere. It seems to connect to an Amazon IP in the US (I'm located in Europe), and therefore I'm really concerned about the security of this system. I have booted it in Windows 7 compatibility mode and have run Avast, MBAM and MBAR, MBAR in compatibility mode too. At startup it says it has found possible rootkit activity: the appinit_dlls folder. I found in regedit that there are a few of them there; one is in the win.ini subfolder and another seems to be an nVidia file.

I have tried to get some clue from Wireshark, but it seems I'm too much of a newbie to find anything out without help. There are lots of UDP-based connections, a few TCP, ARP, SSDP and a few HTTP as well. Also NBNS and IGMPv2.

Is there any possible way of really finding out if my system is still infected? I thought that if I used CCleaner to clean the system of any cookies and so on, I would see better whether they have anything to do with it connecting randomly to some IP, but I don't even know if that's possible.

I'm willing to find out and can do things as directed, so any help is appreciated.

---

I doubt there is anything to worry about; it's totally normal to see network connections going out from a PC. It's most likely things checking for updates, weather apps updating, software checking its activation status and so on.

Loads of companies rent space on Amazon's servers through Amazon Web Services so it's common to see connections to Amazon IP addresses from software doing as I described above.

Also bear in mind that Wireshark shows every packet going in and out of the system, so while you may be seeing data flying by when you do a capture, it probably isn't as much data as it looks. One update for a piece of software running in the background could result in hundreds of packets appearing in Wireshark.

---

I had to make another account as I forgot the password and used an anonymous email which had a similar password and forgot that too... Anyhow. How about finding out if the UEFI is secure? I really wouldn't want my personal info and/or files (especially credit card info) to be available to someone who could have infected the system. How can I check the security of the UEFI and the system, so that there is only a tiny, tiny, tiny chance of it having anything infected?

---

"but I'm thinking the UEFI might be flashed with malicious software."

It isn't. You know enough to poke around in Registry Editor and snoop with Wireshark, but not enough, by your own admission, to know what you are looking at.

---

For a laugh I just ran Wireshark on a Windows 7 machine of my own. This machine is a laptop that I use exclusively as a radio receiver and it therefore has very little software installed on it; nothing apart from Windows and the antivirus (Microsoft Security Essentials) runs in the background. To be clear, this laptop is a ThinkPad T400 from 2008 and therefore has nothing that remotely resembles a UEFI. As soon as I started the capture, just like you found, there were hundreds of packets being captured. These ranged from TCP connections to Microsoft and Akamai IPs which appeared to be serving Windows updates, a bunch of IPv6 addresses I couldn't be bothered to look up, SSDP packets coming from another Windows 10 PC on my network, ICMP packets coming from my router and ARP packets coming from my Samsung Smart TV.



I agree with BC: your UEFI is almost certainly fine. To attack a UEFI you would effectively need to build a virus to attack every specific model of laptop; they would all need to be treated differently, and this is totally impractical. While UEFI attacks are certainly possible, I have never heard of any of them being discovered in the wild; it's a classic case of something that can be done, but isn't easy or useful enough for someone to have any reason to do it.

---

It's fundamentally the same as "BIOS viruses". It's something that can be done but which simply isn't worth doing. Even if you infect the system at that level, both the BIOS and UEFI stop having any control over the system after boot, so any "infection" that takes place would effectively be the use of the low-level infection to infect the higher-level OS. The problem, then, is that there simply isn't room for it: the "malware" would need to effectively replace significant portions of the BIOS firmware as a data storage location for OS-targeted malware, in addition to the new logic to try to detect what is on the HDD to infect it properly. It would be difficult to keep the system functioning after stripping out that much, let alone make it look and function similarly during boot.

It's simply not worth the trouble when you can send a spam e-mail with a download link and infect a significant number of systems.

---

Thank you both for quick and relieving answers. I'm quite comforted now as far as the probability of a malicious file goes, so I think I'll just keep the *censored* thing. Hopefully this ain't the wrong decision. All further info on this matter is still welcome though.


