
Am I the worst malware fighter in history or Completely Insane?



#1 nihilzero8

nihilzero8

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:46 AM

Posted 19 August 2017 - 08:47 AM

I have mostly resigned myself to the harsh reality of living with my malware infection. It has been 12 weeks. I believe that I've had something similar to, or the same as, this fella:

 

https://www.bleepingcomputer.com/forums/t/654412/hidden-rootkit-bootkit-in-bios-or-boot-help/

 

on all my machines for the last 12 weeks. I bought new hard drives and USB sticks, and re-installed everything from the BIOS to the OS, downloaded fresh from Microsoft. This malware creates a new and infected MBR on each drive that it comes into contact with, as well as any CD or USB device. IT IS NOT HELD WITHIN THE BIOS, nor do I believe that it is in the firmware/cache of the hardware; I have concluded that is definitely too far-fetched. It is radically pernicious and ANY media that touches it should be considered infected, and it is righteously difficult to clean USBs/hard drives with an infected machine. Also, when the infection is in its final stages, it seems to "process" downloaded program installers to inject them with code (yasm, I believe, is the compiler). The infection also spreads through cloud accounts (Dropbox, Google Drive, Google Chrome login, OneDrive, etc. I even found that my LastPass account had extra spying JavaScript injected into the browser add-on), which is why I have been thus far unable to avoid re-infection. Ladies and Gentlemen, the cloud has officially failed.

 

Only when I boot a recovery CD such as Hiren's Boot CD or a Linux Live CD can I scan the hard drives, where I found evidence of TR/Crypt.XPACK.Gen2 - Gen 3. It seems like there would be ransomware, but the request for ransom never appears. The first machine that was infected had the mobo MSI X99A Gaming 7. This mobo has 8 RAM slots and is likely seen as a small webserver from a hacker-targeting point of view, or it could be the source of the issue with the new Windows Creators Update. When the infection seems to "kick on" it adds 11-12 new users to the security accounts (mostly remote users) and downgrades my user and Windows image from Admin on a Home Win 10 PC to that of a Windows Terminal Server Client with Terminal User privileges (REMOTE users have effectively more privileges than I do). Since then, the issue has infected 3 computers at my home, 1 laptop, 7 computers at my office, and strangely enough, I think my Android mobile phone for a while (it didn't seem like the same infection, just the timing was too close to be coincidental). Infected devices that I've owned "reach out" to find other devices by means of Bluetooth, NFC, WiFi Direct, even Miracast. I presume that it is trying to infect new devices, but have no proof, only that I explicitly turn off those radios on my desktop computers and mobile phones only to find them automatically switched back on as soon as they are idle. I have been searching for MONTHS for someone to address this problem, but all of the threads I find that may be similar infections remain unanswered or are abandoned.

 

I would love to have some insight on this new strain of wee-beast so that I can once again have a normal computing life. Thank you all for your marvelous public service.


Edited by hamluis, 19 August 2017 - 09:15 AM.
Moved from MRL to Am I Infected - Hamluis.
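A defender-side check for the kind of MBR tampering described in the post above, added here as an example and not part of the original thread: it parses a 512-byte first sector, verifies the 0x55AA boot signature, and compares a hash of the bootstrap code against a set of known-good hashes. The baseline and the sample MBR are constructed inline; in real use the known-good set would come from a clean image of the same disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, known_good_hashes: set) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] not in known_good_hashes:
        findings.append("bootstrap code does not match any known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def make_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR: one bootable NTFS-type partition starting at LBA 2048."""
    code = bootstrap.ljust(440, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF)  # constructed disk signature
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + disk_sig + b"\x00\x00" + entry + b"\x00" * 48 + BOOT_SIGNATURE


BASELINE = make_sample_mbr(b"constructed known-good boot code")
KNOWN_GOOD = {parse_mbr(BASELINE)["bootstrap_sha256"]}
```

On a live system the 512-byte input would be the first sector read from the disk (for example with dd on a Linux live CD), compared against a hash recorded when the disk was known to be clean.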




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:46 AM

Posted 20 August 2017 - 09:20 PM

Hello, we need a deeper look. Repost this info in a new topic with the FRST LOG in this guide. Start at step 6.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.



