
frustrated and a little miffed


10 replies to this topic

#1 chrissyjones

  • Members
  • 18 posts
  • Location: Cwmbran, S Wales, WALES.

Posted 06 August 2011 - 12:37 PM

This has been going on for quite some time. Every time I reformat my PC I clean the BIOS and clear all CMOS settings and the DMI pool data.
But within a day or two I see the signs that something is going on still. I just know you're thinking that it's just me being paranoid, but I know I'm not.
Each time I use the UltimateBootCD to use the secure enhanced erase feature in the HDD tools section of the disc (this is the ONLY program I could find that will do this).
This completely erases all data including the Host Protected Area; the HPA can be difficult to clean (HDAT2, or enhanced secure erase for SSDs).
I then clean the disks in diskpart before partitioning and formatting for NTFS. The disk is a genuine 64-bit version of Win 7, no cracks or P2P software AT ALL.
I do not use any CDs/DVDs I think may have been on a compromised system on the new system; I only get my drivers from the relevant manufacturer website, always the latest versions.

Anyway, today I started up my PC after a clean install last night including all service packs and KB fixes, and after a period when my PC stalled for around a minute, through my headphones I heard an Eastern European accent say "No don't do tha" and it was gone. I didn't imagine it, it happened. We have a 50 meg/sec fibre optic broadband connection which for a lot of the time is only running at 20 Mb/s; after talking to our ISP they assure me that there are no technical issues their end.
At times I do see 50 Mb/s, but for long periods the connection is not stable and it is as if the bandwidth is being strangled by something.
This has been going on for some time. In the house are four PCs running Win 7 32/64 Home Premium, no LAN networking allowed until I think everything is safe. I have a 64-bit Ultimate version I do not dare use because it would have more functionality and could make for more problems than I currently have.
I have downloaded the Sysinternals tool suite and Wireshark to try and get a grip of what is happening. I have seen logs on my router where it has been port scanned by our ISP's DNS server, and I found an IP address of someone else on our ISP in the Wireshark logs, and I did wonder if this is why the ISP's DNS server was scanning us, because someone else on our ISP network port scanned my address going through our ISP DNS server.

Any thoughts would be a great help. I'm currently all out of ideas as to how the infection could be sustaining itself through the format/clean/reinstall cycle. I have got to the point now where the first time my suspicions are raised I just format and start again; sometimes this can be a few weeks, sometimes 24 hrs. I can do the process in around an hour now, except for the updates.

The thought I had was: if I am being attacked before the updates are applied (I have seen events that make me feel this sometimes is the case, like running Wireshark to capture traffic to find Wireshark is stopped for no good reason, and the computer becomes "clunky", and then after a short while a running process suddenly noticeably starts using more memory, not a steady increase but a jump in usage, normally explorer or winlogon), is there any way I can capture the updates as a file so I can install them before I have to go online?

If anyone has any ideas, please weigh in with them.

Win 7 64, Q8300 processor, 4 GB RAM, Gigabyte EP41-UD3L rev 1 board, ATI 5770 GPU, two Crucial S300 64 GB SSDs.

When I install, this is what I do.

First go to Uninstall Programs > uninstall features: Remote Differential Compression and everything else except System Search, .NET Framework and Internet Explorer.
Apply the Microsoft Fix it to disable IPv6 except for the loopback interface (loopback is required to boot the computer).
Registry: HKLM\Software\Policies\Microsoft\NT4.... create key DNSClient and a 32-bit DWORD EnableMulticast = 0.

Install motherboard drivers > restart.
Install Comodo firewall with proactive defence.
WinPcap.
Wireshark.
PeerBlock 4 r484.
ATI driver.
Sound driver.
Advanced SystemCare.
WinZip 64.
Restart.

Connect the Ethernet cable, make a static address config, untick everything except IPv4 and the Comodo security driver.

Disable in Services:
Adaptive Brightness
ALG
Bluetooth
Computer Browser
DHCP
Disk Defragmenter
Function Discovery Provider Host
Function Discovery Resource Publication
HomeGroup Listener
HomeGroup Provider
Internet Connection Sharing
IP Helper
Link Layer Topology Discovery
NetBIOS
Net Logon
Network Access Protection Agent
Parental Controls
PNRP
Peer Networking Group
Peer Networking Identity Manager
PNRP Machine Name Publication
Print Spooler
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Configuration
Remote Desktop Services
Remote Procedure Call Locator
Remote Registry
Routing and Remote Access
Secondary Logon
SSTP
Server
Smart Card
Smart Card Removal Policy
SNMP Trap
SSDP
TCP/IP NetBIOS Helper
Telephony
UPnP Device Host
Windows Remote Management
Workstation

Then restart, connect to Microsoft Update and begin the slog of updating..... I also put a password, a good strong one, on the `net user administrator /active:yes` account.


The router has 4 addresses in the DHCP pool; each of the four computers on its LAN is statically assigned an address.
There have been times when I have been unable to access the network due to someone else using my address, and I have checked the other PCs to find their configs correct and they can connect; I was then able to connect after turning one of those machines off and assigning their IP address to my machine. This has happened more than once. My PC is on from early AM to late PM every day pretty much; in fact it can be relied on to be connected to the internet and available almost any time, unlike the other PCs in the house.
At times it seems their IP addresses have been in use when they switch on and try to use their assigned static address.

I need to learn some new stuff, I think. Anybody that can help, I will greatly appreciate it. Like I say, sometimes it can be a few weeks, sometimes a day, and getting your mail account hacked, having unexplained "you have been logged off by a remote user" messages, finding the registry going through unexplained and not initiated configuration runs after shutdown, finding a desktop configuration file being written to every DVD or CD you make, unexplained voices in your ears, defence events being triggered, finding services being reconfigured, and at times password-protected files showing up when you show all hidden files, to be told you do not have the access rights to delete or look at them, is annoying, and definitely not paranoia ;/).
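The post-install lockdown above (disable IPv6 except loopback, turn off LLMNR through the DNSClient policy key, disable the listed services) is the kind of thing that is easy to get subtly different on each of the reinstalls the poster describes. What follows is an added example, written for this page and not taken from the poster: the same steps as one PowerShell script so they are repeatable and can be reviewed. It assumes Windows 7 and an elevated prompt. The service short names are Windows 7 names written from memory and should be checked against `Get-Service | Select-Object Name, DisplayName` before use; "Netbios" on the poster's list is not a service of its own (the TCP/IP side is the lmhosts service), and the full path of the LLMNR policy key the post abbreviates is `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`. Disabling DHCP Client, Server and Workstation is the poster's choice and only works because the box uses a static address and no shares.

```powershell
# Added example, not from the original post: the poster's post-install lockdown as
# one script, so it can be re-run identically after every reinstall and reviewed
# for mistakes. Run from an elevated PowerShell prompt on Windows 7.
# Without -Apply it only prints what it would change.
# ASSUMPTION: the short names below are Windows 7 service names from memory;
# verify them first with:  Get-Service | Select-Object Name, DisplayName
param([switch]$Apply)

# One entry per line of the post's "disable in services" list (display name in the comment).
# "Netbios" is not a service of its own; its TCP/IP side is lmhosts, listed below.
$ServicesToDisable = @(
    'SensrSvc',          # Adaptive Brightness
    'ALG',               # Application Layer Gateway
    'bthserv',           # Bluetooth Support Service
    'Browser',           # Computer Browser
    'Dhcp',              # DHCP Client: only safe because the post uses a static address
    'defragsvc',         # Disk Defragmenter
    'fdPHost', 'FDResPub',                     # Function Discovery Provider Host / Resource Publication
    'HomeGroupListener', 'HomeGroupProvider',
    'SharedAccess',      # Internet Connection Sharing
    'iphlpsvc',          # IP Helper (6to4/Teredo/ISATAP tunnels)
    'lltdsvc',           # Link-Layer Topology Discovery Mapper
    'Netlogon', 'napagent', 'WPCSvc',          # Net Logon, NAP Agent, Parental Controls
    'PNRPsvc', 'p2psvc', 'p2pimsvc', 'PNRPAutoReg',   # PNRP, Peer Networking Grouping / Identity Manager, PNRP Machine Name Publication
    'Spooler',           # Print Spooler
    'RasAuto', 'RasMan', 'RemoteAccess', 'SstpSvc',   # Remote Access Auto Connection / Connection Manager, Routing and Remote Access, SSTP
    'SessionEnv', 'TermService',               # Remote Desktop Configuration / Services
    'RpcLocator', 'RemoteRegistry', 'seclogon', # RPC Locator, Remote Registry, Secondary Logon
    'LanmanServer',      # Server (SMB shares offered by this PC)
    'SCardSvr', 'SCPolicySvc', 'SNMPTRAP', 'SSDPSRV', # Smart Card, Smart Card Removal Policy, SNMP Trap, SSDP Discovery
    'lmhosts',           # TCP/IP NetBIOS Helper
    'TapiSrv', 'upnphost', 'WinRM',            # Telephony, UPnP Device Host, Windows Remote Management
    'LanmanWorkstation'  # Workstation: SMB client; with this off the PC cannot reach any share
)

function Disable-ListedServices {
    param([string[]]$Names, [switch]$Apply)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name not present on this build; check the name"; continue }
        if ($Apply) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
        '{0,-20} {1,-8} -> Disabled' -f $svc.Name, $svc.Status
    }
}

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value, [switch]$Apply)
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    }
    '{0}\{1} = 0x{2:X}' -f $Path, $Name, $Value
}

# LLMNR off. This is the key the post creates by hand; the full path is ...\Windows NT\DNSClient.
Set-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0 -Apply:$Apply

# IPv6 off except loopback. This is what the Microsoft Fix it from the post writes:
# DisabledComponents = 0xFF (KB929852). Takes effect after a reboot.
Set-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents' 0xFF -Apply:$Apply

Disable-ListedServices -Names $ServicesToDisable -Apply:$Apply
if ($Apply) { 'Done. Reboot for the IPv6 and LLMNR changes to take effect.' }
```

Save it as, say, `lockdown.ps1`, run it once without `-Apply` to read the plan, then with `-Apply`. Keeping the script on the same USB stick as the drivers means the lockdown is identical on every rebuild, which matters when the whole point is to tell a real change on the box from a change you made yourself.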



#2 chrissyjones (Topic Starter)

Posted 07 August 2011 - 10:44 AM

Hi, after some looking around I have found the Win7 SP1 ISO, yippeeee. I will format and reinstall; I will get back to you shortly to tell you if this has sorted the problem out. I will know in a pretty short period of time. I will make a note of the specifics of what I have seen that makes me think my PC is compromised, if it happens.
Since writing this yesterday I have had my firewall disabled by something earlier today, and a BSOD a while later, and as I was trying to open the .XML file of the dump it was deleted or removed (not by me).
The .dmp file I cannot get access to, as I am not bright enough to achieve success with the SDK tools, lol.

For anyone else who might be having similar problems, you can get the Win 7 SP1 ISO from here: https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5842

If you cannot get access to the SP1 file you may have to go through the "my Windows is genuine" routine.

Also some advice: if you cannot afford to buy a copy of Win 7, do not use the torrented versions around and do not use any unknown boot loader. If you look at the MBR after installation something is written on the first seventeen sectors, especially if they will not release the code for inspection. Use the HDAT2 ISO to inspect your drive contents before the MBR.


And Micro$oft, why do you invalidate genuine copies of your OS after 5 installations? You have no idea how much hassle this is causing me.


Here is a link to HDAT2, well worth the disk space to make an ISO, especially if you get a virus in the Host Protected Area of your disk. Just be careful with it; you can also resize your HPA with it.

http://www.hdat2.com/

Here is a link to the Ultimate Boot CD. Everyone should have this around; there is a great SSD cleaner in the HDD tools section called HDDErase, also a CMOS cleaner and BIOS resetter.

http://www.ultimatebootcd.com/download.html

UBCD is another ISO that is worth a disk.

#3 boopme

  • Global Moderator
  • 73,430 posts
  • Location: NJ USA

Posted 07 August 2011 - 03:28 PM

Thank you for your update.

#4 HiroPro

  • Members
  • 60 posts
  • Location: Gulf Islands of BC CANADA!

Posted 07 August 2011 - 04:46 PM

WOW, what a crazy story. You seem like you know what you're doing, chrissyjones. In my experience, when people become infected shortly after OS installation it's due to the user installing software after the initial install that's infected. This is generally done before the user installs AV software. Usually it's the user installing pirated software like Microsoft Office and/or Adobe's various software packages. What I would do is scan the software you install right after OS installation. Understand that certain packing techniques can hide malware inside installer CD cabs etc., and depending on your AV software it might not scan enough archive nests. What the bad guys will do is pack the malware deep inside a cab and nest it 6 deep. This will cause your AV with an on-demand scan to not find the infection in your pirated Office or Adobe installer CD/DVD/ISO. The solution is to extract all the contents of the CD/DVD/ISO and scan them as unarchived files.

Edited by HiroPro, 07 August 2011 - 05:15 PM.
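HiroPro's point is that an on-demand scanner stops descending into archives at some fixed depth, so a file six cabs deep is never looked at. The usual way around it is to do the unpacking yourself until nothing is left nested. This is an added example for this page, not code from the thread: it uses `expand.exe`, which ships with Windows, to expand every .cab it finds, including cabs that came out of other cabs, and then lists each resulting file with a SHA-256 so the flat tree can be scanned or the hashes looked up. It assumes the installer's contents have already been copied off the CD/DVD/ISO into a source folder, and that a scratch folder can hold a full copy.

```powershell
# Added example, not from the original post: flatten a nested .cab installer so an
# on-demand scanner sees every file instead of stopping at its own nesting limit.
# Uses expand.exe (part of Windows) and the Windows 7 PowerShell 2.0.
# Assumptions: $Source already holds the installer files (ISO extracted or DVD
# copied); $Dest is a scratch folder you scan afterwards and then delete.
function Expand-NestedCabs {
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [Parameter(Mandatory=$true)][string]$Dest,
        [int]$MaxDepth = 10          # the post's example is 6 deep; leave headroom
    )
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $Dest -Recurse -Force

    $seen = @{}                      # cab paths already expanded, so none is done twice
    for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
        $cabs = @(Get-ChildItem -Path $Dest -Recurse -Filter *.cab |
                  Where-Object { -not $_.PSIsContainer -and -not $seen.ContainsKey($_.FullName) })
        if ($cabs.Count -eq 0) { break }
        foreach ($cab in $cabs) {
            $seen[$cab.FullName] = $true
            # Each cab is expanded into a sibling folder named <cab>.expanded, so the
            # nesting depth stays visible in the path.
            $out = $cab.FullName + '.expanded'
            New-Item -ItemType Directory -Path $out -Force | Out-Null
            # -F:* extracts every member, including .cab files packed inside this one;
            # those are picked up on the next pass of the outer loop.
            & "$env:SystemRoot\System32\expand.exe" -F:* $cab.FullName $out | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "expand.exe failed ($LASTEXITCODE): $($cab.FullName)" }
        }
    }
    if ($depth -ge $MaxDepth) { Write-Warning "Stopped at depth $MaxDepth; unexpanded cabs may remain" }

    # Inventory of every non-cab file, deepest first, with its SHA-256. Scan $Dest
    # with the on-demand scanner, or look the hashes up; either way nothing is
    # hidden behind an archive any more.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -Path $Dest -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -ne '.cab' } |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $hash  = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
            $depthOfFile = @($_.FullName.Split([char]'\') | Where-Object { $_ -like '*.cab.expanded' }).Count
            New-Object PSObject -Property @{ Depth = $depthOfFile; SHA256 = $hash; Path = $_.FullName }
        } | Sort-Object Depth -Descending
}

# Usage:
#   Expand-NestedCabs -Source 'D:\' -Dest 'C:\scan\installer' | Format-Table Depth, SHA256, Path -AutoSize
```

The `Depth` column is the number of `.cab.expanded` folders in a file's path; anything with a depth at or above your scanner's archive limit is a file the scanner would never have opened in the original media.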


#5 chrissyjones (Topic Starter)

Posted 08 August 2011 - 04:16 AM

Thanks for the help HiroPro, some good advice. Thing is, I go directly to the manufacturers' websites for the downloads; they must hate me because I d/l a fresh copy each time I reinstall.
I don't have a single piece of pirated software, and I use Steam for gaming.
I also score 340/340 on CLT's firewall test. I understand now how to better set up and use the software to get the full score on the leak test. I said earlier this has been going on for months; in fact it's nearly a year now. It takes time to self-teach from your mistakes but there is no better way to learn. I also found a series of mail ports open, which I have removed from the firewall and rule-setted.
I'm not interested in any functionality until I know I can keep a lid on it in its most basic configuration; maybe then I'll open myself up to the full grief the M$ O/S has to offer.

After doing some research on reasons why something like explorer may take a jump in memory, I found Metasploit. It seems that depending on which exploit is being used you may see a slightly clunky, slow response from your system and then a jump in memory as they migrate the exploit to a stable process on your machine. Is there any way at all to tell if someone is using something like this to effect an entry?
I have on more than one occasion seen the firewall stopped, and at times I have had to restart it. Could this explain the port scan from my ISP, the Wireshark failure and other assorted unwanted behaviour my system exhibits from time to time?

If anyone knows of any tools that may give me an idea of what is going on when I see this odd stuff happening, please leave a reply.
I have dlllist, portmonitor, Process Explorer, Process Monitor and pipelist from Sysinternals. If I can gather information using these tools will someone help me go through it? I'm not sure what I would be looking for, or, if that may be too time-consuming, if they could point me at some resources which could specifically help me identify what might be the relevant bits of information in the mass of data these tools produce, if someone is using exploits to gain entry, I would be grateful.

#6 HiroPro

Posted 08 August 2011 - 04:20 PM

You could set up a Linux box with Smoothwall to monitor the connection. You could use Snort to check traffic. If you have a router with an OpenWRT derivative etc. you could use syslog, klog or SNMP with software logging daemons. Check out LinkLogger, WallWatcher and Kiwi logger software. If you're concerned about services etc. on your local machine then check out Process Monitor and Process Explorer. Install a personal firewall with SPI and HIPS features. Use a "port to process mapper" to see what applications are doing on your network.

TCPView from Sysinternals/MS

Edited by HiroPro, 08 August 2011 - 04:29 PM.
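A port-to-process mapper is simple enough to script, which has one advantage over TCPView on a box you suspect: the output can be saved and diffed against the next boot. This is an added example for this page, not code from the thread or from Sysinternals. It parses `netstat -ano`, resolves each PID with `Get-Process`, and marks the two things worth a second look here: listeners bound to every address (IPv6 `[::]` included, since the poster is trying to explain IPv6 traffic he did not ask for) and sockets whose PID has no process visible from user mode, which is the situation `netstat -b` reports as being unable to identify the owner. It assumes Windows 7's PowerShell 2.0 and an elevated prompt so image paths of other users' processes can be read; the netstat text at the bottom is constructed for a dry run, not a capture from the poster's machine.

```powershell
# Added example, not from the original post: a port-to-process mapper built from
# netstat -ano and Get-Process, which is what TCPView shows interactively. It also
# reproduces, as a scripted check, the netstat -b "unable to identify ownership"
# case: a socket whose PID has no process visible from user mode. Runs on the
# Windows 7 PowerShell 2.0; run it elevated so image paths of other users'
# processes are readable. The netstat text at the bottom is constructed for a
# dry run and is not a capture from the poster's machine.
function ConvertFrom-NetstatText {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -notmatch '^(TCP|UDP)$') { continue }          # title, header and blank lines
        # TCP rows: Proto Local Foreign State PID.  UDP rows have no State column.
        if ($f[0] -eq 'TCP') {
            if ($f.Count -lt 5) { continue }
            $state = $f[3]; $ownerPid = $f[4]
        } else {
            if ($f.Count -lt 4) { continue }
            $state = ''; $ownerPid = $f[3]
        }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Foreign = $f[2]; State = $state; PID = [int]$ownerPid
        }
    }
}

function Resolve-PortOwner {
    param($Rows)
    foreach ($row in $Rows) {
        $proc = Get-Process -Id $row.PID -ErrorAction SilentlyContinue
        if     ($row.PID -eq 0) { $owner = '<unowned: socket closing or in TIME_WAIT>' }
        elseif ($row.PID -eq 4) { $owner = 'System (kernel: SMB, HTTP.sys, etc.)' }
        elseif (-not $proc)     { $owner = '<no visible process with this PID>' }   # the "unable to identify" case
        elseif ($proc.Path)     { $owner = $proc.Path }
        else                    { $owner = $proc.Name + ' (image path not readable; run elevated)' }
        # A listener bound to every address, IPv6 included, is reachable from the LAN
        # whichever interface you meant it for; worth a second look on a box that is
        # trying to account for unexplained IPv6 traffic.
        $wildcard = ($row.State -eq 'LISTENING' -or $row.Proto -eq 'UDP') -and
                    ($row.Local -match '^(0\.0\.0\.0|\[::\]):')
        $row | Add-Member -MemberType NoteProperty -Name Owner    -Value $owner    -PassThru |
               Add-Member -MemberType NoteProperty -Name Wildcard -Value $wildcard -PassThru
    }
}

# Live run: wildcard listeners first, then the rest, one line per socket.
function Get-PortOwnerTable {
    Resolve-PortOwner -Rows (ConvertFrom-NetstatText -Lines (netstat -ano)) |
        Sort-Object @{Expression='Wildcard'; Descending=$true}, Proto, Local
}

# Constructed sample, for checking the parser without touching the live system.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.168.1.10:49201     93.184.216.34:443      ESTABLISHED     3020
  UDP    0.0.0.0:5355           *:*                                    1104
'@ -split "`r?`n"

$parsed = @(ConvertFrom-NetstatText -Lines $sample)   # 4 rows; the UDP row has State '' and PID 1104
```

Run `Get-PortOwnerTable | Format-Table Proto, Local, State, PID, Wildcard, Owner -AutoSize` and redirect it to a dated file each boot. A PID that resolves to nothing is not by itself proof of anything (the process may simply have exited between the two commands), but the same unresolvable PID on a listener that is present at every boot is exactly the kind of thing to chase with Process Explorer.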


#7 chrissyjones (Topic Starter)

Posted 11 August 2011 - 04:41 AM

OK, I think I know what the problem is now, but I do not know how to repair it.
I know now how the virus is surviving the rewrite process: the virus is on the backup ROM of my dual BIOS motherboard, grrrr!
Every time, I was seeing the virus making connections through the IPv6 pipe, and no matter what I did I could not locate it, other than to see netstat -bano showing a process that it was "unable to identify the ownership" of.

I disconnected the drives before instigating the backup BIOS rewrite to the main BIOS; the drives were then reconnected, so the only place it could have come from is the BIOS.


So every time I was reflashing the BIOS from the backup I was allowing the virus back into the system. I do not know how the backup has become infected; I have never ever reflashed the backup.
This is why I didn't think it could be the backup. It most definitely is, though.

I have tried to reflash the main BIOS using Q-Flash and a FAT32-formatted USB drive with the F5 version BIOS on it.
It appears as though something is interfering with the process: what should take a minute or two is happening in around 10-15 seconds. It asks me to press Enter to reflash, I press Enter, the erase/rewrite process happens in two very fast steps, and the problem afterwards is not gone.
I have worked out how to reflash the backup. This is done after successfully flashing the main BIOS: on the next boot, during POST press Alt+F12 and it automatically takes you to a message that says press Enter to reflash the backup.

I'm happy that I know what the problem is now, but I have no idea how to fix it. If something is interfering with the reflashing, what can I do?

#8 boopme (Global Moderator)

Posted 11 August 2011 - 06:27 PM

To check for and confirm an MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.
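For readers who want to see what a user-mode MBR check of this kind actually reads, here is an added example written for this page; it is not code from the thread and not how mbr.exe works internally. It opens the raw boot disk, reads the first sectors (the "first seventeen sectors" from post #2), checks the 0x55AA signature, decodes the four partition entries, hashes the 446 bytes of boot code, and counts non-zero bytes in the sectors between the MBR and the first partition. A clean Windows 7 install places the first partition at LBA 2048 and does not write that gap, so on this box it should read as zeros; third-party boot managers such as GRUB do use it legitimately, so a non-zero count is a reason to look, not proof of a bootkit. It assumes 512-byte sectors, that disk 0 is the boot disk, an MBR rather than GPT layout, and an elevated prompt; a failure to open the device at all (access denied, invalid handle) is itself a data point worth noting, but it can also just be missing rights or a filter driver.

```powershell
# Added example, not from the original post and not how mbr.exe itself works
# internally: read the first sectors of the disk through the raw device and
# report what a user-mode MBR check looks at, so the result can be kept and
# compared across reinstalls. Needs an elevated prompt (raw access to
# \\.\PhysicalDrive0). ASSUMPTIONS: 512-byte sectors; disk 0 is the boot disk;
# an MBR (not GPT) layout, which is what a 2011 Windows 7 install on this board uses.
function Read-RawSectors {
    param([string]$Device = '\\.\PhysicalDrive0', [int]$Count = 17, [int]$SectorSize = 512)
    # FileShare.ReadWrite is required: the volume is mounted, so read-only sharing fails.
    $fs = New-Object System.IO.FileStream -ArgumentList $Device, 'Open', 'Read', 'ReadWrite'
    try {
        $buf = New-Object byte[] ($Count * $SectorSize)
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -ne $buf.Length) { throw "Short read: $n of $($buf.Length) bytes" }
        return ,$buf
    } finally { $fs.Close() }
}

function Get-MbrReport {
    param([byte[]]$Sectors, [int]$SectorSize = 512)
    if ($Sectors.Length -lt $SectorSize) { throw 'Need at least one full sector' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootCode = [byte[]]$Sectors[0..445]        # 446 bytes of boot code, then the 4 x 16-byte table
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        if ($Sectors[$o + 4] -eq 0) { continue }                 # type 0x00 = empty slot
        $parts += New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($Sectors[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sectors[$o + 4])           # 0x07 NTFS, 0xEE protective GPT
            StartLBA = [System.BitConverter]::ToUInt32($Sectors, $o + 8)
            Sectors  = [System.BitConverter]::ToUInt32($Sectors, $o + 12)
        }
    }
    # Sectors after the MBR and before the first partition (Windows 7 starts it at
    # LBA 2048) are not written by a clean install, so they should read as zero.
    # Boot managers such as GRUB do use them legitimately; a non-zero count is a
    # reason to look, not proof of a bootkit.
    $lastByte = $Sectors.Length - 1
    if ($parts.Count -gt 0) {
        $firstLba = ($parts | Measure-Object StartLBA -Minimum).Minimum
        if ($firstLba * $SectorSize -le $lastByte) { $lastByte = $firstLba * $SectorSize - 1 }
    }
    $gapNonZero = 0
    if ($lastByte -ge $SectorSize) {
        $gapNonZero = @($Sectors[$SectorSize..$lastByte] | Where-Object { $_ -ne 0 }).Count
    }
    New-Object PSObject -Property @{
        SignatureOK     = ($Sectors[510] -eq 0x55 -and $Sectors[511] -eq 0xAA)
        BootCodeSHA256  = [System.BitConverter]::ToString($sha.ComputeHash($bootCode)) -replace '-', ''
        Partitions      = $parts
        GapSectorsRead  = [int][Math]::Floor(($lastByte + 1) / $SectorSize) - 1
        GapNonZeroBytes = $gapNonZero
    }
}

# Usage (elevated). Keep the .bin: diffing it against the copy from the next
# reinstall shows whether anything outside Windows is writing these sectors.
#   $raw = Read-RawSectors -Count 17                 # the "first seventeen sectors" from post #2
#   $r   = Get-MbrReport -Sectors $raw
#   $r | Format-List SignatureOK, BootCodeSHA256, GapSectorsRead, GapNonZeroBytes
#   $r.Partitions | Format-Table Index, Bootable, Type, StartLBA, Sectors -AutoSize
#   [System.IO.File]::WriteAllBytes('C:\mbr-first17.bin', $raw)
```

The boot code Windows 7's installer writes is the same on every install, so `BootCodeSHA256` should not change between rebuilds of the same OS; if it does, something other than Windows wrote sector 0. This is a user-mode view, which is the same limitation the detector in this thread is subject to: a kernel-mode filter that lies about sector 0 will lie to this script as well, which is why the offline look from HDAT2 or UBCD that the poster already does is the stronger check.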

#9 HiroPro

Posted 13 August 2011 - 12:53 AM

From Tom's a couple of years ago...

Anibal L. Sacco and Alfredo A. Ortega of Core Security Technologies released a presentation detailing the exploit of this "persistent BIOS infection."
Through the use of a 100-line piece of code written in Python, a rootkit could be flashed into the BIOS and be run completely independent of the operating system.

"We tested the system on the most common types of BIOS," said Ortega in a vnunet story. "There is the possibility that newer types of Extensible Firmware Interface BIOS may be resistant to the attack, but more testing is needed."

You should have created a bin file of the infected BIOS EEPROM so we could take a look at it! VERY SCARY, INTERESTING AND HOPEFULLY RARE!!!

Edited by HiroPro, 13 August 2011 - 01:00 AM.
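Two things in the thread point at the same practical step: post #7 asks how to tell whether a Q-Flash run that finishes in 10-15 seconds actually wrote anything, and post #9 asks for a .bin of the suspect ROM. Both are answered by dumping the BIOS after the flash and comparing it byte for byte with the image you flashed. This is an added example written for this page, not code from the thread or from Gigabyte. It assumes the dump was saved with Q-Flash's option to save the current BIOS to the USB stick (or a `flashrom` read), that the reference is the unpacked F5 file from Gigabyte's site, and that both are full-ROM images of the same size; the file names in the usage lines are placeholders. Some ranges differ on every board because DMI/ESCD/NVRAM data is stored inside the ROM, so the offsets of the differences matter more than their existence, and the size thresholds in the verdict are a rule of thumb of mine, not a vendor figure.

```powershell
# Added example, not from the original thread: compare a BIOS image dumped from the
# board against the vendor image that was flashed, to learn whether the flash
# actually wrote what it was given (post #7) and to keep the .bin asked for in
# post #9. ASSUMPTIONS: both files are full-ROM images of the same size; the dump
# came from Q-Flash's save-to-USB option or a flashrom read; file names in the
# usage lines are placeholders. The byte loop is slow in PowerShell 2.0 (tens of
# seconds for a 1 MB image) but this is a one-off check.
function Compare-RomImage {
    param(
        [Parameter(Mandatory=$true)][string]$ReferencePath,
        [Parameter(Mandatory=$true)][string]$CandidatePath,
        [int]$MaxRanges = 50
    )
    $ref = [System.IO.File]::ReadAllBytes($ReferencePath)
    $can = [System.IO.File]::ReadAllBytes($CandidatePath)
    Get-DiffRanges -Reference $ref -Candidate $can -MaxRanges $MaxRanges
}

function Get-DiffRanges {
    param([byte[]]$Reference, [byte[]]$Candidate, [int]$MaxRanges = 50)
    $sizeNote = $null
    if ($Reference.Length -ne $Candidate.Length) {
        $sizeNote = 'size differs: reference {0} bytes, candidate {1} bytes' -f $Reference.Length, $Candidate.Length
    }
    $n = [Math]::Min($Reference.Length, $Candidate.Length)
    $ranges = @()
    $start = -1                      # offset where the current differing run began, or -1
    for ($i = 0; $i -lt $n; $i++) {
        $same = ($Reference[$i] -eq $Candidate[$i])
        if (-not $same -and $start -lt 0) { $start = $i }
        elseif ($same -and $start -ge 0) {
            $ranges += New-Object PSObject -Property @{ Offset = ('0x{0:X6}' -f $start); Length = $i - $start }
            $start = -1
            if ($ranges.Count -ge $MaxRanges) { $sizeNote = "$sizeNote (stopped after $MaxRanges ranges)".Trim(); break }
        }
    }
    if ($start -ge 0) { $ranges += New-Object PSObject -Property @{ Offset = ('0x{0:X6}' -f $start); Length = $n - $start } }
    $differing = [int](($ranges | Measure-Object Length -Sum).Sum)
    # Verdict thresholds are a rule of thumb (mine, not the vendor's): a few small
    # runs are what DMI/ESCD/NVRAM data inside the ROM looks like; large runs in
    # code mean the flash did not leave the reference image in place.
    $verdict = if (-not $sizeNote -and $ranges.Count -eq 0) { 'identical' }
               elseif (-not $sizeNote -and $differing -lt 4096 -and $ranges.Count -le 4) { 'small differences (likely DMI/ESCD data); inspect the offsets' }
               else { 'substantial differences; the image on the chip is not the reference image' }
    New-Object PSObject -Property @{
        SizeNote       = $sizeNote
        RangeCount     = $ranges.Count
        DifferingBytes = $differing
        Ranges         = $ranges
        Verdict        = $verdict
    }
}

# Usage, after saving the current BIOS from Q-Flash to the same USB stick:
#   $r = Compare-RomImage -ReferencePath 'E:\ep41ud3l.f5' -CandidatePath 'E:\dump.bin'
#   $r | Format-List SizeNote, RangeCount, DifferingBytes, Verdict
#   $r.Ranges | Format-Table Offset, Length -AutoSize
```

If the dump and the reference are identical, the main BIOS is the vendor image and the remaining suspect is the backup, which on this board is only rewritten through the Alt+F12 path described in post #7. A dump taken before any reflash is the file HiroPro is asking for and is worth keeping regardless of the result.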


#10 chrissyjones (Topic Starter)

Posted 13 August 2011 - 07:54 AM

OK, I ran the MBR check, and all I got was this:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR


Thinking that my HIPS might be interfering, I uninstalled the firewall completely, rebooted, tried again, then rebooted into safe mode with the highest admin account and tried again: same result every time.

#11 chrissyjones (Topic Starter)

Posted 13 August 2011 - 08:02 AM

(quoting HiroPro's post #9 above)



Do you want me to dump the BIOS to USB and upload it here? To be honest I cannot see anything else that could be the problem; every time I use HDDErase I look at the content to see if anything is left over, using HDAT2 on the SSD.
I also upgraded the firmware from v6 to 7.05 on the SSDs, as this performs a low-level format as well as scrubbing them with the "secure enhanced erase" function of HDDErase.
(I bet I have taken a year off their useful lifespan.)
I'll drop you a PM if that's OK, just to keep this thread for help and instruction, now that I am engaging with a helper.



