Possible bios infection, need assistance please!


  • This topic is locked
37 replies to this topic

#1 BOV72

  • Members
  • 62 posts
  • Gender: Male
  • Location: North Carolina, United States

Posted 30 September 2016 - 05:28 PM

Hello- I am a longtime follower, second time poster. I was referred to this thread by The Codesee. I seem to have a major problem with my brother's laptop. It was heavily infected and cleaning did not help. I have spent a good amount of time trying to clean the laptop. I have reinstalled Win 7 four times; every time I reinstall, the viruses come right back. This last time, I formatted the drive, reinstalled Win 7, and upgraded to Win 10. Once I installed the Nvidia drivers, there were 9 infections. They were as follows: Gen.Variant.Strictor (multiples), Gen.Variant.Graftor (multiples) and Gen.Variant.Symmi (multiples). I ran Bitdefender Rescue but it could not delete them. I used grant perms to unlock the files and manually deleted them. The CPU was still acting very funny. Reran BD Rescue, had two more infections.

Ok- here is what I know: I just ran Bitdefender Rescue Disk and was infected with 2 more instances of Gen.Variant.Graftor. Not sure if the numbers at the end are relevant, but they are .1229 and .188351 respectively. The reason I believe BD keeps getting infected is that every time it is installed, the infection seems to alter the bit wallet function. I have also found numerous altered registry files, and eventually I get locked down (grayed out). Same for Malwarebytes, Rogue K, just about your entire arsenal. I recently ran aswMBR; signatures downloaded, but fixmbr errored every time. This leads me to believe I have an infected BIOS, which would be above my pay grade. I'm an architect, not a programmer. I made some alterations this morning that I can reverse; hope it doesn't throw you a curve.

Found this, thought it may be my problem, any thoughts are greatly appreciated.

I have been battling with this since Dec 3 2012. These guys use win server 2 & UNIX to take total control of your PC. NO anti virus picks it up, nothing seems to eradicate the hold they have. Last night, July 13, 2013, was the first time I had a normal BOOT since Dec. 2012.
They use the registry & built in Windows tools to do whatever they want so the machine "looks" clean to anti-virus software.
They have already managed to repeatedly turn off Windows Defender, disable downloads, redirect IE8, and since they do their "big" projects at re-boot, I'm afraid to turn off my machine. Oh, yes, they also bypass and defeat TPM.
When you try to find a cure from a search engine, all you get are tons of instructions on HOW to subvert Windows! Nothing on stopping it!
I can't seem to get help anywhere. I have tried reflashing the BIOS, wiping the CMOS, clearing the DRAM, disconnecting the internet, and installing a new HDD. Reinstalling my original factory setup disk (Vista SP1): problem still there! Was running 7 Pro, and purchased Win8 Pro, no help! Destroyed one new HDD already and it is damaging the new replacement, (Advanced Format) Western Digital WDC7500BVT. Apparently, it runs 4096 kb clusters but reports 512 to the OS, so it needs to boot from hex 80; these guys boot from 63, which eventually destroys the drive.
Can someone PLEASE! help? *** Email address is removed for privacy ***, *** Email address is removed for privacy ***, *** Email address is removed for privacy ***, <deleted> (ask for Ray; I include this as quite a bit of time I cannot go online!)
PLEASE, PLEASE, PLEASE!!!!!!!
Could someone at Microsoft tell me what to do? Why isn't there a simple switch that turns from "Private - PC to Terminal client" to prevent this? How do I get ALL of this out? They have written "hidden partitions" to my hard drive equalling about 50 GB.

FYI: Latest infections were "Windows.ui.creddialogcontroller.dll".
The former infections:

Graftor.7541- Pla.dll
Graftor.12239- Windows.ui.creddialogcontroller.dll
Strictor.58214- Bthudtask.exe
Symmi.58329- Gamepanelexternalhook.dll

The bthudtask.exe allows the virus to expand through Bluetooth I think. Any help is greatly appreciated.


#2 BOV72 (Topic Starter)

Posted 30 September 2016 - 08:00 PM

I would like to add that, I believe some of the infections are using a BVTBin file. I found it in multiple registry keys, Bitdefender being one of them. The last one was located here: HKLM\system\control\session manager\environment c:\bvtbin\tests\installpackage\csilogfile.log. One more note, the ehome folder in Windows was imo infected.

#3 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,683 posts
  • Gender: Male

Posted 02 October 2016 - 10:40 AM

Hi BOV72 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Once I installed the Nvidia drivers, there were 9 infections. They were as follows: Gen.Variant.Strictor (multiples), Gen.Variant.Graftor (multiples) and Gen.Variant.Symmi (multiples). I ran Bitdefender Rescue but it could not delete them. I used grant perms to unlock the files and manually deleted them. The CPU was still acting very funny. Reran BD Rescue, had two more infections.


These look like false positives to me (and these can happen quite often). Are you able to provide me the logs where these detections occurred?

the infection seems to alter the bit wallet function.


What bitwallet function? How is it changed?

This leads me to believe I have an infected bios, which would be above my pay grade.


There has only been one BIOS infection in the wild, mebromi, and it only targets Award BIOS. Even there, it is from 2011, so I really doubt it's still around. Plus, when you're infected with it, flashing and/or updating the BIOS will remove the infection, so it's quite easy to take care of.

I have been battling with this since Dec 3 2012, These guys use win server 2 & UNIX to take total control of your PC. NO anti virus picks it up, Nothing seems to eradicate the hold they have, Last Night July 13, 2013, was the first time I had a normal BOOT since Dec. 2012.


So you've been experiencing issues on your system since December 3rd 2012? How do you know that they are using Windows Server and UNIX to take control of your computer?

they also bypass and defeat TPM.


How do you know that?

When you try to find a cure from a search engine, all you get are tons of instructions on HOW to subvert windows! Nothing on stopping it!


Because that case is unusual, and so I doubt there would be a lot of relevant information about it on Google.

I can't seem to get help anywhere, I have tried, reflashing the BIOS, wiping the CMOS,


So if you were indeed infected with a BIOS malware, it would be gone already following what you did.

Could someone at Microsoft tell me what to do? Why isn't there a simple switch that turns from "Private - PC to Terminal client" to prevent this?


We don't have any Microsoft employee here. You would have to contact Microsoft directly if you wish to speak with them.

they have written "hidden partitions" to my hard drive equalling about 50 Gb's


Can you provide proof of that? A screenshot of your Disk Management utility so I can see?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 BOV72 (Topic Starter)

Posted 03 October 2016 - 05:35 PM

Hello, and thank you for your assistance. Let me give you a little more information as I have made changes since my post.

#5 BOV72 (Topic Starter)

Posted 03 October 2016 - 06:00 PM

Sorry, I accidentally posted that. Here are the details. I was having major issues with Windows 7; I absolutely was infected. I don't know the particular infections, but they rendered my security software useless. The main culprit, I believe, is the bthudtask.exe file. After researching the file, I found that it works through the Bluetooth function in Windows. It rapidly infects various .exe files, like bdefender, ccleaner, my Nvidia executables, and so on. The reason I believe it's in the BIOS is because I have multiple times formatted and clean installed Windows, and it comes right back. It somehow works through the Windows media, altering the ehome folder, as well as changing a ton of registry keys. It adds them as well. My Windows Firewall shows open traffic through Media Center Extenders, Remote Registry, Network Discovery, Remote Assistance, etc. This traffic is happening even though I've turned off Wi-Fi. At one time, there was a hidden partition that I deleted through cmd diskpart. The files causing the traffic are raserver.exe, Msra, vds, vdsldr, snmptrap, unsecapp, mstdc, and net project.exe. There are 4 unknown users that I cannot delete or rename through ResEdit. They are S-1-5-18, S-1-5-19, S-1-5-32, and S-1-5-32-556. They are accessing using ICMPv6 on the router, not IPv4. I have run Bitdefender Rescue, which has tons of I/O errors and shows me the access denied folders. The code is Linux based I think, and I am not familiar at all with either Linux or UNIX. Oh, the service that I believe is a source of trouble is the RcpSs. I have a ton more information, just tell me what you need. Sorry for being long winded, and thank you again for your assistance.

#6 BOV72 (Topic Starter)

Posted 03 October 2016 - 06:17 PM

By the way, the cpu is an Asus n80vm. American megatrends bios.

#7 BOV72 (Topic Starter)

Posted 03 October 2016 - 06:35 PM

Here are a few screenshot examples. [Three screenshots attached: image.png, image.png, image.png]

#8 Aura (Malware Response Team)

Posted 03 October 2016 - 06:45 PM

The main culprit, I believe, is the bthudtask.exe file. After researching the file, I found that it works through the Bluetooth function in Windows.


bthudtask.exe is a legitimate Microsoft Windows file. You think it was hijacked?

https://support.microsoft.com/en-ca/kb/939039
http://www.freefixer.com/library/file/BthUdTask.exe-110779/

It rapidiy infects various .exe files, like bdefender, ccleaner, my nvidia executables, and so on.


How do you know the executables were infected?

The reason I believe it's in the bios , is because I have multiple times formatted and clean installed Windows, and it comes right back.
...
By the way, the cpu is an Asus n80vm. American megatrends bios.


There's currently no BIOS malware in the wild that infects American Megatrends BIOS. Since you flashed/updated/etc. the BIOS, assuming you were infected with a BIOS malware (I doubt it), it would be long gone by now.

It somehow works through the windows media, altering the ehome folder, as well as changing a ton of registry keys. It adds them as well.


Can you give me proof of that? Logs, screenshots, anything? What changes are made? What keys are being added? What keys are being modified?

My Windows firewall shows open traffic through media center extenders, remote registry, network discovery, remote assistance, etc. this traffic is happening even though I've turned off wifi.


Even if your network is disabled, services will still attempt to contact the host they've been programmed to contact. Also, where is that traffic heading? What host, what IP address, what port?



#9 Aura (Malware Response Team)

Posted 03 October 2016 - 06:46 PM

At one time, there was a hidden partition that I deleted though cmd diskpart.


How big was the hidden partition? Did you mount it to check its content? Did it have a name?

The files causing the traffic are raserver.exe, Msra, vds, vdsldr, snmptrap, unsecapp, mstdc, and net project.exe.


As far as I'm concerned, all these executables are legitimate. The only one I cannot find information on is "net project.exe". Where is it located?

Edited by Aura, 03 October 2016 - 06:46 PM.



#10 Aura (Malware Response Team)

Posted 03 October 2016 - 06:46 PM

There are 4 unknown users that I cannot delete or rename through ResEdit. They are s-1-5-18, s-1-5-19, s-1-5-32, and s-1-5-32-556.


Do you mean, users like these?
[Screenshot attached]

I have ran Bitdefender rescue which has tons of I/O errors, and shows me the access denied folders.


Can you show me that log?

The code is Linux based I think, and I am not familiar at all with either Linux nor UNIX.


How did you come to this conclusion? Linux code won't run on Windows. Unless you have special libraries, environment, etc. installed like Cygwin.

Oh, the service that I believe is a source of trouble is the RcpSs.


Also a legitimate Microsoft Windows file.

I have a ton more information, just tell me what you need. Sorry for being long winded, and thank you again for your assistance.


For now, I would like you to answer my questions and give me as many logs as you can. Mostly the ones where you mention noticing strange results, connections, etc.

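The three things Aura asks the poster to back up in posts #8 to #10 (that the named executables are genuine Windows binaries, that the four "unknown users" are well-known built-in SIDs, and where the "open traffic" is actually going) can each be checked directly on the machine rather than argued from screenshots. The script below is an added example for this page, not code from the thread, from BleepingComputer or from any of the tools mentioned. It assumes Windows 8 or later with PowerShell 3 or newer (Get-NetTCPConnection and Get-NetFirewallRule do not exist on Windows 7), an elevated session on the machine being examined, and that "mstdc" in post #5 means msdtc.exe; the file list and firewall group names are taken from the poster's own words.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell on the affected machine.
# Assumes Windows 8+/PowerShell 3+; "mstdc" from post #5 is taken to be msdtc.exe (assumption).

# 1. The four "unknown users" from post #5: ask the OS to translate each SID to an account name.
#    S-1-5-18, S-1-5-19 and S-1-5-32-* are well-known principals that exist on every Windows
#    install, which is why they cannot be deleted or renamed from a permissions dialog.
function Resolve-Sid {
    param([string[]]$Sid)
    foreach ($s in $Sid) {
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($s)
            $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "<not resolvable here: $($_.Exception.Message)>"
        }
        [pscustomobject]@{ Sid = $s; Account = $name }
    }
}
Resolve-Sid 'S-1-5-18','S-1-5-19','S-1-5-32','S-1-5-32-556' | Format-Table -AutoSize

# 2. Are the executables named in post #5 signed Microsoft binaries sitting in System32?
#    Windows system files are catalog-signed; Windows 8+ resolves that through
#    Get-AuthenticodeSignature, older systems report NotSigned and need:  sfc /verifyfile=<path>
function Test-SystemBinary {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ File = $p; Status = 'missing'; Signer = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{ File = $p; Status = $sig.Status; Signer = $signer }
    }
}
$sys32 = Join-Path $env:SystemRoot 'System32'
$bins  = 'bthudtask.exe','raserver.exe','msra.exe','vds.exe','vdsldr.exe','snmptrap.exe','msdtc.exe' |
         ForEach-Object { Join-Path $sys32 $_ }
$bins += Join-Path $sys32 'wbem\unsecapp.exe'   # unsecapp lives under System32\wbem
Test-SystemBinary $bins | Format-Table -AutoSize

# A hijacked copy would live somewhere else under a familiar name, so list any same-named
# bthudtask.exe outside System32 (slow on a large drive; errors on locked folders are skipped).
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include 'bthudtask.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notlike "$sys32*" } |
    Select-Object FullName, Length, LastWriteTime

# 3. An enabled firewall rule is not traffic. Show the established connections with their owning
#    process (host, address, port, as Aura asks), then the enabled inbound rules in the groups named.
function Get-ConnectionsByProcess {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $pname = "pid $($_.OwningProcess)"
        if ($proc) { $pname = $proc.Name }
        [pscustomobject]@{
            Process       = $pname
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    }
}
Get-ConnectionsByProcess | Sort-Object Process | Format-Table -AutoSize

$groups = 'Remote Assistance','Remote Registry','Network Discovery','Media Center Extenders'
Get-NetFirewallRule -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { $groups -contains $_.DisplayGroup } |
    Select-Object DisplayGroup, DisplayName, Profile, Action | Format-Table -AutoSize
```

Reading the output: a SID that translates to NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE, BUILTIN or a BUILTIN\... group is the operating system's own identity, not an intruder account. A System32 file with Status Valid and a Microsoft Windows signer matches what Aura says about bthudtask.exe and the others; a same-named file found elsewhere, or an unsigned or mis-signed copy in System32, is what would actually merit a closer look. The connection table answers "what host, what IP address, what port" with the process that owns each socket, and the rule listing shows that what the firewall UI presents as "open" is a permitted inbound rule, not observed traffic.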


#11 BOV72 (Topic Starter)

Posted 03 October 2016 - 07:08 PM

The Bthudtask.exe was pulled by Bitdefender Rescue as Gen.Variant.Strictor. Give me a minute, I have screenshots. The partition was 5.6 GB and it was locked. It was not OEM or recovery.

#12 BOV72 (Topic Starter)

Posted 03 October 2016 - 07:28 PM

[Screenshot attached: image.png]

#13 Aura (Malware Response Team)

Posted 03 October 2016 - 08:08 PM

The files detected were warez for Kaspersky. I cannot say for sure whether these are clean or not. Also, BleepingComputer doesn't condone piracy, so we will not push the investigation further to see if these files were really infected or not. Downloading illegal copies of software is one of the best ways to get infected.

As for the Bthudtask.exe detection, it was probably a false positive from Bitdefender, but without the original file, I cannot check it out.

Edited by Aura, 03 October 2016 - 08:08 PM.



#14 BOV72 (Topic Starter)

Posted 03 October 2016 - 08:09 PM

Tell you what I'm going to do. I'm setting it up with the software it previously had installed. Then you can have me run your software, and we'll see what the logs say. I hope you are correct, and I'm just paranoid. Thx for being patient.

#15 BOV72 (Topic Starter)

Posted 03 October 2016 - 08:16 PM

There is no pirated software that I know of. Can you tell me to what you are referring? I will immediately remove it; the HDD has been formatted.



