Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Long time coming here first time posting, need HELP!!!!

  • This topic is locked This topic is locked
2 replies to this topic

#1 sh1zz


  • Members
  • 1 posts
  • Local time:03:37 AM

Posted 13 July 2012 - 11:13 PM

I'll start by providing a little background. I have been coming here for quite some time and have always been able to resolve my issues without posting until now... I am dealing with a trojan / I don't know WTF this thing is. It started at work on 2 lenovo think pads. Their bios uses the ATMEL 24RF08 has finger print scanning, and if you forget your password you are screwed. The thinkpad t60 is my primary work machine and I was running windows 7 ultimate 64 with a fedora moonshine vitualbox install. I used open vpn for remote desktop between work and home as well as for server access. The first thing I noticed wasn't right was google chrome said it was using a proxy. After some looking into it, sure enough everything was being filtered through a localhost proxy (virtial dns/filter). Well, I stopped using the machine right then and there. I pulled the HD and flashed the bios (with all bios options but usb disabled) to the latest and did a fresh install of windows 7 64 on a complete format. I re-istalled my programs and thought I was out of trouble... little did I know it was only beginning. What ever the virus/trojan is does not seem to concerned with being malicious and is content to do it's thing until it knows it has been found.

Well my boss thought I was loosing my mind and gave me a new thinkpad (t61) this time with a fresh bios, fresh xp32 bit install. I didn't even have administrator privilege... Well, after using it for about an hour, same thing happened to this one. Worse yet, my home desktop is infected as well. Long story short this thing takes over anything on the local network using dhcp (and as far as I can tell static ip/dns). I have a total of 5 infected machines total and I am posting this from my home machine with a puppy linux live boot cd. Thing has even infected the ancient imac at the office. My home machine is a custom build msi790fx-gd70... This board has a clear cmos and reset button that I have used regularly, with the cmos battery removed. I am confident the bios is square on this machine. I have not reconnected any of the hard drives after the issues with other machines.

So back to the frest thinkpad t61 xp machine. I have been trying every utility I can find to no avail, I have shut down the bios, nothing but sata and usb and they still get infected. Only today did I realize that the xp 32 bit would not start to safe mode with the f8 key. So I used msconfig and rebooted. Well I was trying to run combofix and it kept dying. I thought what the hell and tried to run it from the command line only I could not start the command line as admin. Well after a lot of igoring error prompts I got to a point where I COULD SEE that there was a virtual machine running for every tool I was using. Really, Another computer complete with it's own c: drive and windows dir. After I turned off virtualization in the bios it started getting more and more sluggish the more I tried to do.

So this "what ever it is" fires at post, virtualizes/shadows the whole machine, bios included and stops you from getting to the true mbr record. I found this out in puppy linux after reformatting a drive with gparted and trying to install grub, I kept getting "not a linux partition" errors. It seems to nuke any grub for dos install as well. So there is this virtual machine that fires before I can get to any "TRUE" bios settings. It runs what ever you do in a virtual machine so you can't kill it. I have tried using the boot and nuke but it only nukes the vm, not the true mbr. I have tried using puppy linux installed on a partition of the drive with the dd command to kill the mbr. I have tried using the bad blocks command. I can't touch this mbr no matter what I do. I have tried disguising boot and nuke as a live cd... I have tried everything. This thing puts anything you run in a virtual environment and is untouchable. If you do get rid of it, there is something else on the network that will infect you as soon as you start using any windows install. If you pay close attention you can see a "flash" on the screen when the vm starts and until that point no key combinations are actually controlling the "true" bios/mbr.

I am out of options and have tried everything I know, I am really starting to wonder about any wifi, bluetooth, rfid, hell anything that can transmit data wirelessly. It sure seems like the flame virus because certificates are compromised. Or maybe some acpi table boot/rootkit. I simply don't know how the hell this thing is infecting every machine I touch before I even get finished doing a fresh re install of ANY OS. Has anyone dealt with anything like this? I have a plain jane lg300g phone and a public transit card that has RFID. No matter where I reformat, re flash, wipe a machine... It is infected in no time... I am seriously wondering if this thing compromises DNS/DHCP.

Has anyone seen anything like this and if so what did you do? Any antivirus or utility is ran in a virtual machine so it never finds anything... I need something that will corrupt/kill a MBR/bootsector on POST. I don't care if I brick a machine at this point. If I can get one that is clean I might be able to do something with the rest. Any input would be appreciated. I am confident it is a hidden mbr/boot sector that is the issue but am wondering how the hell I can sanitize a machine when I can't even determine what the hell is compromising it. Nothing can touch this damn thing. I will gladly run any linux command,script,iso,etc command as root if anyone has one. Never seen anything like this.

BC AdBot (Login to Remove)


#2 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,741 posts
  • Gender:Male
  • Local time:04:37 AM

Posted 18 July 2012 - 11:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/460597 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,741 posts
  • Gender:Male
  • Local time:04:37 AM

Posted 23 July 2012 - 11:20 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users