
My PC is infected with government sponsored malware


  • This topic is locked
5 replies to this topic

#1 RussellMania (Members, 9 posts)

Posted 29 December 2016 - 03:19 AM

The firmware in my PC is infected. I have tried everything to clean my PC, but the malware keeps coming back. I have used Gparted along with the MS DOS command prompt to wipe all partitions. I tried reflashing the BIOS and the malware still survives. Some of my USB ports have been reprogrammed. I am using SpyShelter as my firewall, and HitmanPro.Alert as my antivirus. The USB in my mouse is also infected. I have taken many pictures with my phone. After doing a clean install, DLL code injection infects everything. If I install an antivirus, it gets infected. I also have malware that is embedding.
http://www.pcthreat.com/parasitebyid-7548en.html


#2 Starbuck ('r Brudiwr, Malware Response Team, 4,150 posts, Midlands, UK)

Posted 30 December 2016 - 02:28 PM

Hi RussellMania and welcome to BC.

I am using spyshelter as my firewall

You do realise this is an application intended for advanced users.
If you don't have a functional knowledge of keylogging software, it's best to find another program so you can understand it without doing hours of research.

When first installed, it uses an extremely heavy hand flagging many safe operations as potentially dangerous... even when they are not.
You have to dig deep into the program's settings to correct this problem.
So unless you have set this up correctly, I would be wary of some of the things it tells you.

Unfortunately what you are telling us isn't really anything we can determine a cause from.
We need to see for ourselves what is happening with the system.
You don't even say what OS you are running; looking at the pics I'd guess at Win7 and possibly 64-bit.
We need the reports as requested in the 'Prep guide'.

Btw:
That link you posted..... my system won't let me access it, it throws up warnings.
So don't even go there.

Note:
There are both 32-bit and 64-bit versions of Farbar Recovery Scan Tool available. Please pick the version that matches your operating system's bit type.

If you are unsure what your system's bit type is..... click Here for help.

For 32-bit systems download Farbar Recovery Scan Tool and save it to your Desktop.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.
  • Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
  • When the tool opens click Yes to the disclaimer.
  • Make sure that Addition.txt is selected at the bottom.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it into your reply also.
In your next reply, please submit:
Both reports from FRST


Thanks.

Edited by Starbuck, 30 December 2016 - 03:02 PM.



#3 RussellMania (Topic Starter, Members, 9 posts)

Posted 04 January 2017 - 05:53 AM

I have all the logs. My internet connection keeps dropping out, so I will have to burn them to a CD.

I am running Windows 7 Pro 64-bit.
Custom build:
Asus H170 Pro
Intel i3-6100
PNY 240GB SSD
Seagate 4TB
GeForce GT 740
8GB dual channel DDR4 RAM
LG Blu-ray burner

It appears as if someone is controlling my PC remotely even without internet (Air Gap malware). I then went to safe mode (without networking) and went to Device Manager. When I selected hidden devices, I noticed something really odd. I had 2 shadow volume drives and 8 network adapters. After I disabled all the network adapters and uninstalled a few drivers that looked like malware, a new network adapter appeared (Microsoft ISATAP network adapter). When I deleted one, a second one appeared, and when I deleted the second adapter a third one appeared. When I tried to delete the third adapter, my mouse started acting funny, as if someone was controlling it. I was using the old PS/2 mouse. I finally was able to disable that network adapter. I'm not sure how the hacker was able to access my PC when I was in safe mode (no networking). Perhaps the hacker is using my phone or some other device in my house to remotely control my PC. I believe the infection came with the mouse I bought. The USB receiver firmware was corrupt (Bad USB) Stuxnet worm. I also have most of the symptoms of (Bad BIOS malware). Is something like this fixable, or do I just throw the PC away? I ran across a forum a while back of people that experienced the same type of malware. They said that if you get this type of malware then that means you are the proud owner of cutting edge malware. They said that once you get it, it's very hard if not impossible to get rid of. They recommended not only throwing the PC away, but throwing away everything that came in contact with it (example: CDs, DVDs, flash drives, removable media). That also includes throwing away all USB cords that you plugged into the machine, and USB chargers. If you plugged your phone into the PC or an infected USB, then your phone or tablet will be infected with a rootkit.

https://nakedsecurity.sophos.com/2013/11/01/the-badbios-virus-that-jumps-airgaps-and-takes-over-your-firmware-whats-the-story/

Stuxnet worm: https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper
Flame: http://www.rferl.org/a/flame-computer-virus-iran-explainer/24597042.html

https://www.blackhat.com/docs/eu-16/materials/eu-16-Abbasi-Ghost-In-The-PLC-Designing-An-Undetectable-Programmable-Logic-Controller-Rootkit-wp.pdf

#4 Starbuck ('r Brudiwr, Malware Response Team, 4,150 posts, Midlands, UK)

Posted 04 January 2017 - 01:38 PM

Hi RussellMania

To be honest I'm still debating whether you are extremely paranoid or are just wasting our time.

I have all the logs. My internet connection keeps dropping out, so I will have to burn them to a cd.

Not sure what that's going to achieve.
You need to use the internet connection to post them here.
If you can reply to my previous post... you could have posted the logs.

After I disabled all the network adapters, and uninstalled a few drivers that looked like malware a new network adapter appeared (Microsoft ISATAP network adapter).
When I deleted 1 a second one appeared and when I deleted the second adapter a third one appeared.

And you wonder why your internet connection isn't stable.
You uninstalled a few drivers because they looked like malware!!
The Microsoft ISATAP network adapter is a legit MS adapter.... if you uninstall it, it will reinstall itself.

Please.... don't delete or uninstall anything.
You only complicate things for yourself and for me.

It appears as if someone is controlling my PC remotely even without internet (Air Gap malware).

The techniques that go into employing air-gap malware are complex and can only be orchestrated by a very skilled hacker.
They would also have a very specific reason for doing this.
They wouldn't go to these lengths for the likes of you or me.

I ran across a forum a while back of people that experienced the same type of Malware.
They said that if you get this type of malware then that means you are the proud owner of cutting edge malware.
They said that once you get it, its very hard if not impossible to get rid of.
They recommended not only throwing the PC away, but throw everything that came in contact (example: CD's, DVD's, flash drives, removable media.
That also includes throwing away all USB cords that you plugged into the machine, USB chargers.

Sorry, but if you believe that you'll believe anything.
Probably kids making out they know what they're talking about.

I also have most of the symptoms of (Bad BIOS malware).

Something you have read?
BadBIOS is an alleged advanced persistent threat.
To date, there have been no proven occurrences of this malware and it is considered a hoax.

Why the link to 'Flame virus', I have no idea.
Did you actually read it?
The program is being used for targeted cyber espionage in Middle Eastern countries.

The USB receiver firmware was corrupt (Bad USB) Stuxnet worm


If you have half of these so called malware items then it's no use trying to sort things out with our tools.

or do I just throw the PC away.

I've never said this before.... but yes I think that's your best bet.
There would be no point in trying to clean the system.
Anyone going to those lengths would only come back and do it again.

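The exchange above turns on one practical problem: the poster could not tell which of the hidden adapters in Device Manager were Windows' own (the ISATAP adapter that keeps coming back is created by the TCP/IP stack) and uninstalled drivers on the strength of how they looked. The script below is an added example, not code from the thread or from BleepingComputer, that lists every network adapter Windows knows about, including the ones Device Manager only shows under "Show hidden devices", tags the built-in IPv6 tunnel adapters (ISATAP, Teredo, 6to4), and shows who signed the driver behind each one. It assumes a Windows 7 x64 machine like the one described, an elevated PowerShell prompt (stock PowerShell 2.0 is enough, which is why it uses WMI and not Get-NetAdapter) and working WMI; the name list and the `Kind` labels are assumptions of the example, not anything from the thread.

```powershell
# Added example, not code from the thread or from BleepingComputer.
# Inventory every network adapter Windows knows about, including the hidden
# tunnel pseudo-interfaces Device Manager only lists under "Show hidden
# devices", and show who signed each adapter's driver. WMI only, so it runs
# on the stock PowerShell 2.0 of a Windows 7 box. Run from an elevated prompt.

# Names Windows gives its own IPv6 transition adapters (assumed list for this
# example). The TCP/IP stack creates these itself, which is why removing one in
# Device Manager only produces a new one, as the thread describes.
$builtInTunnelNames = @(
    'Microsoft ISATAP Adapter',
    'Teredo Tunneling Pseudo-Interface',
    'Microsoft 6to4 Adapter'
)

function Get-AdapterInventory {
    # Win32_PnPSignedDriver carries INF name and signer per device instance;
    # index it by device instance path so each adapter can be matched to it.
    $drivers = @{}
    Get-WmiObject -Class Win32_PnPSignedDriver | ForEach-Object {
        if ($_.DeviceID) { $drivers[$_.DeviceID] = $_ }
    }

    # Win32_NetworkAdapter returns hidden and virtual adapters too, not only
    # the ones that currently have a connection or an IP configuration.
    Get-WmiObject -Class Win32_NetworkAdapter | ForEach-Object {
        $adapter = $_

        $drv = $null
        if ($adapter.PNPDeviceID) { $drv = $drivers[$adapter.PNPDeviceID] }
        $signer = $null
        $inf    = $null
        if ($drv) { $signer = $drv.Signer; $inf = $drv.InfName }

        $isBuiltInTunnel = $false
        foreach ($name in $builtInTunnelNames) {
            if ($adapter.Name -like "$name*") { $isBuiltInTunnel = $true; break }
        }

        # Kind labels are this example's own classification, not a Windows field.
        $kind = 'Virtual'
        if ($adapter.PhysicalAdapter) { $kind = 'Physical' }
        elseif ($isBuiltInTunnel)     { $kind = 'BuiltInTunnel' }

        New-Object PSObject -Property @{
            Index      = $adapter.DeviceID
            Name       = $adapter.Name
            Connection = $adapter.NetConnectionID
            Kind       = $kind
            Enabled    = $adapter.NetEnabled
            MAC        = $adapter.MACAddress
            Service    = $adapter.ServiceName   # kernel driver service behind the adapter
            Signer     = $signer
            Inf        = $inf
        }
    }
}

$inventory = Get-AdapterInventory

# Full picture first: physical NICs, Windows' own tunnel adapters, everything else.
$inventory | Sort-Object Kind, Name |
    Format-Table Kind, Name, Enabled, Service, Signer, Inf -AutoSize

# The rows worth a second look: neither a physical NIC nor one of Windows' own
# tunnel adapters, and with a driver that is unsigned or not Microsoft-signed.
# VPN clients, hypervisors and capture tools add virtual adapters legitimately,
# so this is a list to verify, not a list to uninstall.
$inventory |
    Where-Object { $_.Kind -eq 'Virtual' -and ($_.Signer -eq $null -or $_.Signer -notmatch 'Microsoft') } |
    Format-Table Name, Service, Signer, Inf -AutoSize
```

Nothing in the script removes or disables anything, which is the point: identify first. If ISATAP is genuinely unwanted on a machine, the supported way to turn it off is `netsh interface isatap set state disabled` (and `netsh interface teredo set state disabled` for Teredo) rather than uninstalling the device, which the stack simply recreates, as the thread observed. Note also that this inventory only covers what the running OS reports; it says nothing about firmware, which is the claim the thread never gets evidence for.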


#5 RussellMania (Topic Starter, Members, 9 posts)

Posted 08 January 2017 - 02:17 AM

OK, I guess you can close the thread. I talked to a few tech experts and they said that there was nothing I can do.

#6 Starbuck ('r Brudiwr, Malware Response Team, 4,150 posts, Midlands, UK)

Posted 08 January 2017 - 02:45 AM

As per your instructions this thread will now be closed.
