Hey all. Been reading the forums here for a few weeks while trying to get a handle on the malware situation I've got going on. It's been helpful and everyone here seems quite knowledgeable, so I'm finally going to just ask for help and hope someone thinks they may be able to do something to assist. I build my own systems and have probably done a hundred or more Windows installs and nearly as many (K/X/L)ubuntu setups, and this is the first time I've ever felt like what I'm trying to troubleshoot is far above my pay grade.
All six of the PCs in my home are down for the count right now. Whatever I have going on either spread via USB device prior to showing its teeth, or via the home network. I've established this thing is hardware-resident and I just want to avoid abandoning six high-end machines for trash. I've been working between Windows 7 and Xubuntu in attempts to pin down the chain of reinfection, and will do a clean Windows 7 install to run diagnostics from. I have to physically pull my wireless card to stop it from dialing out in the background and randomly killing tasks, so please forgive that I intend to post this and then go back and download/run the normal diagnostics to update it with.
So, here is what I know:
-Started out as unexplained high GPU temps. Unexplained meaning incredibly high temps with no actual load on the GPU per the GPU-Z tool. Found this to hold true for both my AMD and Nvidia cards, meaning it is not a bad card/driver or even isolated to one set of drivers being infected.
-Noticed BIOS splash screen had been altered, and menu options had vanished from the UEFI interface. Next tried flashing BIOS and found it was flashing either incredibly slow (2-3 minutes instead of 30 seconds) or impossibly fast (5 seconds or less). Observed after each flash or CMOS reset, board cycles through POST tests TWICE prior to showing anything on the monitor. Just this past week found a method to indeed show double splash screens with the altered one following the legitimate one, and having different selections in the second dump me off inside of the first interface. BIOS is being virtualized somewhere. If I flash the BIOS with the system off, it will be fine without the GPU present, it seems. The firmware for the graphics cards looks to be harboring the anchor here. There is no onboard graphics for the machine, so this is a hurdle.
-Windows symptoms include having folders locked, moved around, and created. Lots of network traffic when connected to the internet even without ever installing update services, no browsers open and Task Manager cleared to be sure. Sweeps tend to turn up clean of anything known, until at some point a trojan or rootkit is let in that is recognized. ZeroAccess was the most recent found infesting a machine that had just been cleanly installed the same day. Often, it seems as though someone has to be acting with conscious reasoning to counter whatever it is I am doing. An example would be downloading the Jarte word processor and Avira at the same time, saving them both under random file names, and having Avira be locked as unauthorized when I attempt to open the file, with Jarte being just fine.
-Linux is inaccessible unless selecting noacpi nolapic prior to install, then hoping to disrupt the command lines that load prior to the splash screen with random keystrokes before it's too late. All network devices are hidden or non-functional and disks are not able to be mounted or often even acknowledged as connected.
-Has spread either itself or a secondary infection to my Android, where it's masking itself as the Android keyboard and stealing copies of all saved data and keystrokes, and is not removable by hard reset and factory restore. Also got into my Roku via USB drive early in the process and has it acting janky for the first time in two years of use. Took over my PS3 when I tried using that for a temporary email platform while battling this mess and rendered that unstable.
-Have found autorun items in the hidden EFI partition of system drives when viewing them from the only way I've managed, which is the BIOS flash update utility at startup. Cannot edit from there, unfortunately.
What I've done that failed:
-Flash BIOS, boot to format SSD with Killdisk/Gparted live CD, reinstall from retail media. Symptoms persist.
-Flash BIOS, remove all SATA devices except for DVD drive, boot from Xubuntu live disc. Mixed results with unpredictable behavior and malicious behavior from unknown tasks.
-Drained CMOS jumper overnight with CMOS battery out, removed memory and then flashed without starting up first. Changed GPUs to one I had thought was clean. Booted from live disc. Same story.
-Updated firmware on router after hard resetting both it and my modem. Modem is being replaced tomorrow since firmware update on older model is a nightmare. Doesn't seem to have been changed by actions here so far.
I am just hoping that somehow, despite my lack of confidence that there is anyone other than the author who could scrub this thing from my hardware, I can find a path to save even one machine. Data is all on drives that were removed early in this mess, and I don't care if I have to do multiple more OS installs. Just need to find a way to maybe have a PC at home again. Right now I would hesitate to even buy all new hardware/peripherals and start over for fear of it taking victim #7. Help!