I was infected with what appeared to be a Redlof.A variant. I was chatting on a forum discussing digital audio when I got a PM from someone who sent me all kinds of information on the binary format of a PCM WAV file. Sure enough, the second I accepted the PM (I always yell at my Mom for this) my secondary hard disk unmounted itself and then remounted with a little surprise on it... a desktop.ini folder and a folder.htt folder hidden in the root of the drive, unclearable and linked to a network drive. Also a MySpace window popped up with the title "WORM Audio."

PCTools removed the hidden files inside the folders but couldn't remove the folders themselves. However, my modem light would still blink occasionally for no reason (really quite often, every minute or so) and on startup and shutdown. Since this is not normal (I use WEP encryption on my wireless, so no freeloaders), I then used UBCD4WIN to back up and reformat. Then I reinstalled XP using a full reformat of my system disk. Now whenever I start up Windows my modem light flashes once (not normal), and when I restart, the computer hangs for a second and the modem light goes crazy (I can only assume I am botted). I did get all Windows updates, SP3 first, before touching anything else on my system.

I have found a whole bunch of info about BIOS-resident malware which can escape a reformat... and even realized that this thing could be living on my GPU BIOS, or my AC'97 chip... or even my SiS661FX chipset, now unsupported by the manufacturer, whose driver is still a beta version, as is the RAID controller's.
Besides my modem light, the only indication of something wrong at this point is a random "Internet Explorer has encountered a problem and needs to close..." Dr. Watson error. Without crashing, IE8 reloads the tab with no error. I thought this was random and just a bug in IE8, then I realized... IT ONLY HAPPENS WHEN I VISIT A PAGE ABOUT BIOS MALWARE OR BIOS FLASHING! Obviously the guy who PM'd me this hack is a VERY experienced hacker (he has almost infinite knowledge of VST and WAV, and of streaming and performing algorithms on audio). He claimed he couldn't program... that should have been a red flag!!!!
Anyway, it appears the Redlof.A variant was just a decoy for some horrible new Chernobyl-style virus from a disgruntled assembly programmer or VST hacker... Anyway, I know exactly who loaded the thing on and when, and I suspect he is someone at the top of the music industry's most wanted list...
After you help me fix my computer, how do I turn that forum account over to authorities so they can coax another attack out of this bastard?!
PS: The only thing installed on my machine is Windows!
Edited by Psykostx, 22 July 2009 - 05:15 PM.