
Persistent Rootkit. Appears after formats, new ram, new hdd, and mb flash.


  • This topic is locked
4 replies to this topic

#1 A7 Entertainment

  • Members
  • 2 posts

Posted 01 December 2014 - 10:16 PM

Good evening. And please help! I have been battling something of the likes I have never seen before. I do not claim to be a malware specialist, but I am extremely tech savvy and have built and repaired hundreds of computers. I just can't seem to isolate what is going on with my computers and it is causing havoc in my world. I've been looking on this site and many others for a couple months now looking for comparable infections. And I finally found one, but it has not been solved. I figured I would start my own thread as it is quite possibly something completely different. I want to give a link to the other gentleman's post cause he nailed the description on what I am facing. I think my problem possibly stemmed from a USB autorun infection, but can't be sure. I had McAfee installed at the time. Here we go.

 

http://www.bleepingcomputer.com/forums/t/556871/persistent-biosfirmware-virus-help-appreciated/

 

Newgonwhitz wrote:

Hi Everyone,

 

I have been battling a virus for quite some time, it has infected every PC I own (11) and I cannot for the life of me remove it. I am past the point of recovering personal data, I would just like access to my computers and use them without being monitored. I believe that this is an above normal grade rootkit that cannot be removed by simple measures and I am at a loss of what to try next. I have spent hundreds of hours trying to get this removed and still it remains. I will save you from an exhaustive explanation of how I came to my conclusions and try to keep this brief as not to waste your time or send you down the wrong path. I think I am dealing with a persistent multi-payload rootkit that hypervises my PC's. One would think this would only affect one PC due to hardware limitations but this is not the case. Here is what I have attempted in order to remove the virus.

 

Last resorts:

(anything imaginable in windows)

-Removed CMOS/RAM/Power allowed to sit a week (was traveling for work)

-Flashed BIOS (ROG flashback button, fresh USB, CAB file loaded by clean PC)

-Replaced RAM (new ram)

-Replaced HD (new HD)

-All other drives removed

-Installed windows from new DVD drive using OEM WIN 8 DVD (offline)

-Installed with Secure Boot/TPM/NX enabled

 

Diagnostics:

-Dumped memory

-GMER detects kernel modification

-Dumped ROM/BIN from BIOS

-Examined BIOS (RWPortable)

-Hirens BCD (every tool possible)

-Ubuntu (clamAV)

-Network sniffing/capture

-Most AV's do not detect any signs (with the exception that the more I install they start detecting each other as Trojans/becoming infected/stop running)

-Installed Devices

 

 

What I have learned (or think I have)

-People who experience similar issues are quickly deemed crazy or lack knowledge to understand these may be normal functions of a computer, I do not claim to be an expert, I just really like computers. I could be crazy and in fact would be very happy if I was.

-Executes microcode at boot (AHCI/SMBUS/RAM memory locking) diagnosed via BIOS/Several dos tools (coreboot?)

-I believe it PXE/Sea boots although unsure

-All BIOS versions on all PC's show up as UNKNOWN through any BIOS tool

-If a hard drive is formatted/Zero'd it always fails, I believe this is because of the way they write to the drive, hiding boot sectors in unreadable/locked data

-Lots of Junctions/Symlinks between folders (to retain integrity)

-PE boots PC when re-installing windows (if drive not properly formatted)

-Tons of virtual adapters/hosts

-When running system information tools on all of my PC's they all identify a separate PC and it is always a Pentium III (VM host?)

-Remote data base endpoints located in all volume information directories

-VMsphere/VHD files installed in hidden directory

-Tons of .SYS file extensions/Python scripts/Assembly/Jar files

-Extended BIOS tables, flashing only writes to the BIOS and misses these tables

-I can see all the devices, locked memory ranges etc but unsure how to edit/remove these correctly without damaging the firmware/Bios

-Any usb device I insert will originally be installed with its factory name (LEXAR 16GB DISK), upon the next insertion the driver/device will be named "GENERIC MULTIPLE CARD READER" on all devices. Several of my devices no longer function and am guessing this is because I removed them while the firmware was being flashed.

-Certain tasks/applications in DOS cause a KERNEL PANIC and this is the last error I see as my screen locks up, hard reset is required.

-All devices are forced to an S3 power state with remote power management

-Everything in DOS is locked down, FDISK/CHKDISK/DISKPART have INI files that lock/restrict commands/options/stop from detecting drive partitions. Memory cannot be unlocked, files cannot be deleted, symbolic links cannot be deleted and certain items cannot be accessed. I have also attempted in MiniXP/Linux recovery/Ubuntu/every boot rescue disc imaginable. I cannot take permission/change any of these items.

-Much more that I am most likely forgetting.

 

 

In order to remove this I believe I would have to offline flash all my firmware somehow, this is out of my scope of knowledge, I am guessing I could make an ISO that boots in to DOS and runs each EXE file. Meanwhile I would have to edit the extended BIOS tables to stop the code from executing. Enabling NX/secure boot/changing SMbus/USB etc in the BIOS makes zero difference, it seems to be able to manipulate these or reflash the BIOS prior to going back in to windows, this still occurs with no physical drives attached and booting only from CD. I am not holding on to the idea that this is the case, this far exceeds my level of knowledge and I personally would love to be wrong. Sorry for any grammatical errors, I am exhausted and just desperately need some assistance, once fixed I will ensure to enable the hardware lock on my BIOS. I have never before been concerned about viruses as I can low level the drive and re-install. Lesson learned.

Thank you for your help in advance and please let me know what information/tools/logs you would like me to provide.

 

-----------------------------
So I have done pretty much the same thing trying to battle this. I have run every rootkit and malware scanner in the world: GMER, DDS, RKill, OTL, Kaspersky, Malwarebytes, FRST, TDSSKiller, RogueKiller, MSSE, ESET Online, ComboFix. ClamAV and rkhunter in Linux. Nothing detects it. Here are some more specifics:

After trying DOS reformats, new RAM, new HDDs, new CD drives, BIOS flashing, it is still persistent.

I can run a MiniXP installation with Hirens boot CD with no HDD drive in the tower, with no wireless card installed and LAN unplugged/disabled in the BIOS, essentially air gapped, with only one stick of RAM, and when I open the process monitor I instantly am seeing buffer overflows leading to registry and permission modifications. After that it instantly modifies the control sets. After that the default file type executions are modified to run and hide and launch other instances. I can't seem to isolate where the initial hook is happening. I think once it takes foot in the computer and actually ever does get online it is utilizing the WMI protocol and wmeb. Also there is something going on with all the virtual host bridges and drivers. I believe it to be some kind of shell extension masking and encrypted RAM drive over multiple addresses constantly moving, possibly in an encrypted RAM drive. Speculation of course.

It's affecting mostly run32dll, csrss, dwm, conhost, wininit. Also hiding files in the recycling bins and desktop.ini files. Possibly the page.sys. Anytime I try to get a dump file from lsass I get a blue screen of death with an ntfs.sys error. I also think that it has taken control of the miniport, bypassing any kind of security or firewall I have in place for the internet, giving them free rein. I could go on and on and ... But I think this gets the point across, plus I literally had to just rewrite this whole thing cause my iPad died on the last sentence.. help! Please. This site has always been great and now I unfortunately have found myself at the mercy of you the malware masters. Thanks anyone and everyone in advance for the help. Soooo appreciated.

best-
rue
 


#2 A7 Entertainment

  • Topic Starter
  • Members
  • 2 posts

Posted 01 December 2014 - 10:23 PM

Quick spec rundown:

I'm running bare bones right now trying to troubleshoot.

Gigabyte X58A-UD3R rev2 motherboard

Intel i7 920

1 8 gig Corsair DDR stick

Nvidia GTX 260

LG USB BR DVDR

Award BIOS 6.0 with the Gigabyte FH ROM.

Logitech wireless mouse and keyboard.

 

When everything is running optimally I normally run:

1 more GTX 260 in SLI

300 WD Raptor for OS.

1 more 8 gig Corsair RAM and 4 more 4 gig Supertalents for a total of 24 gig.

Plus 6 more WD Black 1 TB HD in RAID. I do a lot of video and music production.



#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,761 posts

Posted 06 December 2014 - 10:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/558324 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,430 posts
  • Location:Romania

Posted 23 December 2014 - 01:31 AM

Hello, and my apologies for the delay.

You haven't received a reply yet because you didn't provide the requested logs.

 

Nevertheless, you say:

I have been battling a virus for quite some time, it has infected every PC I own (11) and I cannot for the life of me remove it.

 

I see an awful amount of information about steps you did, but none that describes the problems this malware causes and why you think your computers are infected in the first place. What symptoms do all these computers have?


regards, Elise

#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,430 posts
  • Location:Romania

Posted 15 March 2015 - 01:45 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise
