
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.

MadBrit

New Member
Joined
May 17, 2018
Messages
6 (0.01/day)
Hi,

Thanks in advance for any help...

Fresh Windows 10 1803
Home build w/ASUS STRIX Z270F MB, ASUS GTX 1070 8GB, i7-7700K, Samsung 850 Pro / Crucial M4

I have been fighting an infection with an extremely persistent malware that (after 8 weeks of analysis) is not detectable in user space by any AV. It has been sending me around in frustrating circles. I originally thought the malware was hiding in filesystem slack space, but it appears to be using a combination of evasion techniques that rewrite the HDD HPA/DCO, GPU firmware (main infection source), SSD firmware (unable to BCDwipe certain sectors - multiple SSDs - unable to upgrade BIOS due to malware interference), and the motherboard BIOS (blocks rescue disks). The malware blocks rescue CDs from running and locks the drive into hibernation to prevent offline scans. Reflashing the MB BIOS stops this for 1 boot, then the problem returns.

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

I know, crazy, right? I believe the origin of the malware is Chinese/Korean for a number of reasons that I won't go into here. On trying to upgrade the GTX 1070 firmware with the ASUS GPUUpdateBios.exe, I get a response "You no need update GPU Vbios!". I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.

Long story short, I am unable to find any info on how to reset these parameters (or reset the card completely back to stock) and cannot find the relevant .IFR firmware mentioned in NVFlash to update this. On reboot, the malware takes the card back again and we're back to square one.

If there is a tool to completely reset all the card parameters to factory, or a hardware ninja method that provides similar results, I would very much appreciate some recommendations. If this malware resonates with anyone else, I would really like to know its name, as I have been unable to determine the strain.

Cheers!
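
The post above reasons about unallocated space, repartitioning and the MBR, and a later reply in the thread recommends zeroing the partition table. Before drawing conclusions from either, it is worth reading what the drive's partition table actually says, from a live boot rather than from inside the suspect Windows. The following Python is an added example, not code from the thread or from any tool named in it: it parses the first sectors of a disk dump (MBR or GPT), lists the partitions, reports which usable sectors no partition claims, and reports which sectors hold the table itself, including the GPT backup copy at the end of the disk that zeroing LBA 0 alone leaves behind. The two sample images are constructed inline and the function and variable names are this example's own; 512-byte sectors are assumed.

```python
import struct

SECTOR = 512  # 512-byte sectors assumed; a 4Kn drive needs 4096 here

def scheme(img):
    """'gpt' when LBA 0 is a protective MBR (type 0xEE) and LBA 1 carries a GPT header, else 'mbr'."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no boot signature at LBA 0")
    types = [img[446 + 16 * i + 4] for i in range(4)]
    return "gpt" if 0xEE in types and img[SECTOR:SECTOR + 8] == b"EFI PART" else "mbr"

def mbr_partitions(img):
    """(start_lba, size_sectors, type_byte) for each used primary MBR entry."""
    parts = []
    for i in range(4):
        e = 446 + 16 * i
        start, size = struct.unpack_from("<II", img, e + 8)
        if img[e + 4] and size:
            parts.append((start, size, img[e + 4]))
    return parts

def gpt_layout(img):
    """Primary GPT header fields and (start_lba, size_sectors, type_guid_hex) entries."""
    h = SECTOR  # primary header lives at LBA 1
    _cur, backup, first_usable, last_usable = struct.unpack_from("<QQQQ", img, h + 0x18)
    entries_lba = struct.unpack_from("<Q", img, h + 0x48)[0]
    n_entries, entry_size = struct.unpack_from("<II", img, h + 0x50)
    parts = []
    for i in range(n_entries):
        e = entries_lba * SECTOR + i * entry_size
        if e + entry_size > len(img):    # dump ends before the entry array does
            break
        if img[e:e + 16] == bytes(16):   # all-zero type GUID = unused slot
            continue
        start, end = struct.unpack_from("<QQ", img, e + 32)
        parts.append((start, end - start + 1, img[e:e + 16].hex()))
    info = {"backup_lba": backup, "first_usable": first_usable, "last_usable": last_usable,
            "entries_lba": entries_lba, "entries_sectors": -(-n_entries * entry_size // SECTOR)}
    return info, parts

def unallocated(img, total_sectors):
    """Sector ranges [start, end] claimed by no partition: the 'unallocated space' to look at."""
    if scheme(img) == "gpt":
        info, parts = gpt_layout(img)
        cursor, last = info["first_usable"], info["last_usable"]
    else:
        parts, cursor, last = mbr_partitions(img), 1, total_sectors - 1
    gaps = []
    for start, size, _ in sorted(parts):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + size)
    if cursor <= last:
        gaps.append((cursor, last))
    return gaps

def table_sectors(img):
    """Sector ranges holding the partition table itself. For GPT this includes the backup
    header and entry array at the END of the disk, so zeroing LBA 0 alone leaves a copy.
    The backup array is assumed to sit directly below the backup header (the usual layout)."""
    if scheme(img) == "mbr":
        return [(0, 0)]
    info, _ = gpt_layout(img)
    primary_end = info["entries_lba"] + info["entries_sectors"] - 1
    return [(0, primary_end), (info["backup_lba"] - info["entries_sectors"], info["backup_lba"])]

# --- constructed samples (not real dumps): first sectors of a 4096-sector, 2 MiB disk ---
def sample_gpt(total_sectors=4096):
    img = bytearray(34 * SECTOR)
    img[446 + 4] = 0xEE                                           # protective MBR entry
    struct.pack_into("<II", img, 446 + 8, 1, total_sectors - 1)
    img[510:512] = b"\x55\xaa"
    h = SECTOR
    img[h:h + 8] = b"EFI PART"
    struct.pack_into("<QQQQ", img, h + 0x18, 1, total_sectors - 1, 34, total_sectors - 34)
    struct.pack_into("<Q", img, h + 0x48, 2)                      # entry array at LBA 2
    struct.pack_into("<II", img, h + 0x50, 128, 128)              # 128 x 128 bytes = 32 sectors
    p = 2 * SECTOR
    img[p:p + 16] = bytes(range(1, 17))                           # arbitrary non-zero type GUID
    struct.pack_into("<QQ", img, p + 32, 2048, 3071)              # one partition, LBA 2048-3071
    return bytes(img)

def sample_mbr():
    img = bytearray(SECTOR)
    img[446 + 4] = 0x83                                           # one Linux partition
    struct.pack_into("<II", img, 446 + 8, 2048, 1024)             # LBA 2048, 1024 sectors
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for name, img in (("gpt", sample_gpt()), ("mbr", sample_mbr())):
        print(name, scheme(img), "gaps:", unallocated(img, 4096), "table:", table_sectors(img))
```

Run it from the live USB session against a dump of the drive's first sectors (for example `dd if=/dev/sda of=head.img bs=512 count=34`) and pass the drive's real sector count (`blockdev --getsz /dev/sda`) as `total_sectors`; for GPT the usable range comes from the header itself. Two caveats the thread touches on: the MBR gap between LBA 1 and the first partition (sectors 1-2047 in the sample) is ordinary alignment padding, and a filter that only blocks writes to sector 0 does not cover it; and an HPA or DCO hides sectors from the OS entirely, so no dump of the visible disk can show them (`hdparm -N` and `hdparm --dco-identify` report them from a live session).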
 
Joined
Jan 31, 2010
Messages
4,053 (1.00/day)
Location
Gougeland (NZ)
The tool I think you're looking for is called a hammer, followed up with a can of gas and a lighter, as that's some seriously bad crap you have going on there.
 
Joined
Jul 19, 2006
Messages
43,101 (8.07/day)
Isn't OP just explaining the Windows 10 update process?

If not...

Destroy all the drives. That is honestly what I would do if I were experiencing this.
 
Joined
Feb 18, 2012
Messages
2,206 (0.67/day)
Why not just do a fresh install of the OS to the HD, or get a new HD?
 
Joined
Aug 20, 2007
Messages
14,165 (2.87/day)
If this is real, a hardware programmer should fix it...

But I really doubt it's real... sorry. If it is, get in touch with an AV vendor to provide samples and they'll likely buy you new hardware just to get to study / try to block this new monstrosity.
 
Joined
Sep 10, 2016
Messages
681 (0.42/day)
Location
Riverwood, Skyrim
If this is legit, get in contact with a proper security company and get them to analyse this monster, as it sounds pretty insidious
 

the54thvoid

Moderator
Staff member
Joined
Dec 14, 2009
Messages
8,798 (2.15/day)
Location
Glasgow - home of formal profanity
To be believed I think some would like to see this on a screenshot. What you have sounds too extreme for an ordinary PC, and the very odd message from your gfx firmware doesn't sound believable at all. But, a screenshot of this flash process would help.
 
Joined
Aug 20, 2007
Messages
14,165 (2.87/day)
Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
30,442 (6.10/day)
Location
Republic of Texas (True Patriot)
Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.

It's a liar here, trying to hide what he is doing.

He needs to secure erase or format his HDD and reinstall the OS for starters.
 

Knoxx29

The Power Of Intel
Joined
Feb 19, 2014
Messages
6,562 (2.56/day)
Location
Behind a VPN
It's a liar here, trying to hide what he is doing.

Agree with you.

Maybe he was flashing the card, things went wrong, and now he is trying to tell us something different?
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
21,700 (3.54/day)
I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.
Please post the BIOS you saved from your card and the one you are comparing to.
 
Joined
May 13, 2010
Messages
5,265 (1.33/day)
you caught an STD from the dark web?

Wireshark it and look for anything mucky.
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
8,817 (1.51/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
Subbed for the Streisand troll lookalike.
This sounds totally like smelling the female troll knickers (fishy as hell; do I smell rock cod?).
Please provide screenshots, and
Please post the BIOS you saved from your card and the one you are comparing to.
If you have what you say you have, contact your AV vendor and Microsoft.
:) They might even send a specialist for a site visit, as what you describe is ... unbelievable.
 
Joined
Nov 30, 2007
Messages
177 (0.04/day)
Location
Croatia
Joined
Sep 17, 2014
Messages
14,541 (6.17/day)
Location
The Washing Machine
Somebody set us up the bomb.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
16,077 (3.33/day)
Location
Quantum Well UK
This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
 
Joined
Jun 15, 2016
Messages
1,041 (0.60/day)
Location
Pristina
One troll or deluded fuck making fun of all the people here :)
 
D

Deleted member 163934

Guest
In theory such a thing is not impossible. In practice there is an army of problems for someone who wants to write this type of malware/virus, like how on earth it can target every possible MB BIOS, GPU BIOS and HDD/SSD firmware, because I doubt all of them share a similar structure. Then you have the limitations from the size of the MB BIOS, GPU BIOS and HDD/SSD firmware, because you still need to have that PC working (it's just easier to write garbage to the MB BIOS, GPU BIOS or HDD/SSD firmware, because then you just don't care about having that PC still running), and then, after you somehow managed to use the little free space, you also need to actually have running code there. A random hacker won't have the resources to actually code something like this; you need proper funding for such a thing, and even with the money I doubt it can be done. Now, if this was targeting only a particular platform, yes, that has happened in the past.
What I will write in the following line will sound rude, but it's a fact: if you are so important that someone will actually spend the money to make malware/a virus targeting you, then you won't be asking for help here, because due to the nature of your job you would be informing someone else about the situation.
Don't get me wrong, but you kind of need access to the source code for an army of BIOSes/firmwares to have a chance to even write something like this; otherwise it's just impossible, and there are very few agencies that can actually have such a chance (even they would need to steal some source code in some cases, or reverse engineer it, but this last case is not that easy, to the point it might not even be viable).

If you assume your SSD/HDD is infected with something that no antivirus is capable of dealing with, just use another PC, download a Linux distro that allows you to run a live session (Ubuntu and derivatives, for example), write it to a CD/DVD/USB stick on the other PC (NOT on the infected one), boot from that USB stick (put the USB stick in the infected PC with the PC powered off, and the first time you start the PC boot from the USB stick, or else you can compromise the USB stick (like the malware/virus writing crap to the USB stick and making it not boot, or running crap from the bootloader)) and write zeros/random stuff to the HDD using dd.
If you have only one HDD/SSD:
sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
If you have 2 HDDs/SSDs:
sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
and then, after it's done:
sudo dd if=/dev/zero of=/dev/sdb bs=4096 status=progress
If you have multiple HDDs/SSDs:
sudo dd if=/dev/zero of=/dev/sdX bs=4096 status=progress
Replace X with the letters a, b, c, and so on.
You can read more here: https://wiki.archlinux.org/index.php/Securely_wipe_disk
Sure, after zeroing the HDD/SSD you lose all the data, but the HDD/SSD should be clean. I wouldn't fully write zeros to an SSD; I would write zeros only over the section where the partition table is located (that should be enough; you didn't say if it's MBR or GPT).

Regarding the differences between the GPU BIOSes (the one in the file and the dump after you flash it): how did you flash the GPU BIOS? Did you do it in Windows? (Doing it in the infected Windows is asking for trouble, because that Windows can happily freeze in the middle of the flashing process... and this can happen in a clean Windows too; I know some AMD drivers that will just mess up the GPU flashing process.) If yes, then it is no surprise to me that the one in the file and the dump after you flash it are not identical; I've done it several times in Windows and I didn't really get a match (usually I was getting 1-5 differences, but I saw no real problem). If I do it using a DOS USB stick I always get a 100% match.

Trying to clean it by booting into the infected Windows connected to the internet can easily prove a waste of time... There are several antivirus products that will just make a bootable CD/DVD/USB stick, and you boot directly into that and try to clean it from a clean environment:
https://www.bitdefender.com/support/how-to-set-up-a-bitdefender-rescue-cd-1249.html
https://www.avira.com/en/download/product/avira-rescue-system (I had issues with Avira when I tried to use it; it just froze at some %)
https://support.kaspersky.com/viruses/rescuedisk
just to give some examples. Again, you will need to write those things to a CD/DVD/USB stick on another PC (trying to do it on the infected PC can easily go wrong).

L.E.:

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

Post the VirusTotal links to the files you think are infected and that you checked with VirusTotal. I'm asking for this because there are several checksums used by VirusTotal (SHA-256, MD5 and SHA-1), and I find it hard to believe that you can find a way to modify a file and fix all 3 checksums to look like the original file; you can probably fix one of them, but all 3....

Windows 10 in normal conditions will happily update whenever it wants. So the fact that you see some Windows files getting changed is actually the normal way of Windows 10 doing its updates... If you want to change this behaviour you can happily google for the solution.

L.E. 2:

I don't really believe you are dealing with malware/a virus that has actually replaced the MB BIOS, GPU BIOS and HDD/SSD firmware.
Make a USB stick with a Linux distro that can run a live session on another PC (if you don't have 2 PCs, just ask a friend), disconnect the HDDs/SSDs (all of them, just unplug the power or SATA cable) and boot from the Linux USB stick. If at first boot things look OK, reboot it; if at the second boot things are again OK, then you probably don't have any problems with the BIOSes (you might have messed them up when you flashed them...). If you have no problems while using the live Linux session, then reconnect the HDD/SSD cables, boot again from the Linux USB stick and write zeros to each of the HDDs/SSDs. Reboot and reinstall Windows without being connected to the internet.
If what you are describing is correct (the behaviour of the malware/virus (looks like a joke to me, to be honest; I wouldn't make it do anything like that) and the fact that nothing detects it), then your only way is to fully wipe the SSD/HDD, because otherwise you will never know what is affected and what is not (well, you would first need something that detects it, then something that cleans it).

And sometimes a reinstall on a zeroed HDD is just faster than trying to clean an infected HDD. I wasted 18 h on the laptop of a client because the client refused to understand that he needed a new HDD/SSD: 6 bad sectors reported by SMART and growing (it was 5 when the laptop got to me, and increased to 6 while I tried to fix it); 90+ logical bad sectors on the OS partition, fixed after I zeroed it; I also had to back up the data from that OS partition because of course the client wanted me to save his photos and silly cooking recipes (not to mention that the client failed to point to the directories where he had those things; I actually failed to find a single cooking recipe...), because I really had a working machine when the laptop ended up with me, it was taking 60 minutes to even finish the boot process, and of course the client didn't even want to pay what I asked for my 18 hours of work... Next time he comes to me I will just say I want the money before I even look at his laptop, or else he can happily find someone else to fix his laptop.
 
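On the VBIOS comparison raised in the first post and in the reply above: before treating a mismatch between the saved ROM and the .rom file as evidence of anything, it helps to know where in the image the differing bytes sit. The following Python is an added example, not code from the thread, from NVFlash or from ASUS: it walks the PCI expansion ROM image chain (the 55 AA header and PCIR structure every image carries, whatever vendor built it), diffs a saved dump against a reference file byte by byte, and labels each differing range with the image it falls in, or as lying past the last image when one file is simply longer than the other. It does not parse NVIDIA-specific structures such as the InfoROM. The two sample ROMs are constructed inline; the device ID in them is illustrative and the names are this example's own.

```python
import struct

BLOCK = 512  # PCI expansion ROM lengths are counted in 512-byte units

def rom_images(rom):
    """Walk the PCI expansion ROM image chain.

    Each image starts with 55 AA and points (offset 0x18) to a PCIR structure
    holding vendor/device IDs, the image length in 512-byte blocks, the code
    type (0 = x86 legacy, 3 = EFI) and an indicator whose bit 7 marks the last
    image. Walking stops at the first header that does not check out.
    """
    images, off = [], 0
    while off + 0x1A <= len(rom) and rom[off:off + 2] == b"\x55\xaa":
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            break
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * BLOCK
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        images.append({"offset": off, "length": length, "code_type": code_type,
                       "vendor": vendor, "device": device, "last": bool(indicator & 0x80)})
        if length == 0 or indicator & 0x80:
            break
        off += length
    return images

def diff_ranges(a, b):
    """Byte ranges [start, end) where a and b differ. A length mismatch is
    reported as one final range covering the tail only the longer file has."""
    ranges, start = [], None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges

def classify(ranges, images):
    """Label each differing range with the image it starts in, or as lying
    past the image chain (padding / unused space in the flash part)."""
    labelled = []
    for start, end in ranges:
        label = "outside image chain"
        for idx, img in enumerate(images):
            if img["offset"] <= start < img["offset"] + img["length"]:
                label = "image %d (code type %d)" % (idx, img["code_type"])
                break
        labelled.append((start, end, label))
    return labelled

def compare_roms(saved, reference):
    """Diff a saved dump against a reference .rom, labelled by the reference's image chain."""
    return classify(diff_ranges(saved, reference), rom_images(reference))

# --- constructed sample ROMs for demonstration; not real VBIOS content ---
def make_image(code_type, blocks, last, fill):
    """Build one minimal PCI ROM image: 55AA header, PCIR at 0x40, body filled with `fill`."""
    img = bytearray([fill]) * (blocks * BLOCK)
    img[0:2] = b"\x55\xaa"
    img[2] = blocks                                      # legacy size field, 512-byte units
    struct.pack_into("<H", img, 0x18, 0x40)              # pointer to PCIR
    p = 0x40
    img[p:p + 4] = b"PCIR"
    struct.pack_into("<HH", img, p + 4, 0x10DE, 0x1B81)  # NVIDIA vendor ID; device ID illustrative
    struct.pack_into("<H", img, p + 0x0A, 0x18)          # PCIR structure length
    struct.pack_into("<H", img, p + 0x10, blocks)        # image length in blocks
    img[p + 0x14] = code_type
    img[p + 0x15] = 0x80 if last else 0x00               # bit 7: last image in chain
    return img

REFERENCE = bytes(make_image(0, 2, False, 0x11) + make_image(3, 1, True, 0x22))
_saved = bytearray(REFERENCE)
_saved[0x300] ^= 0xFF                    # one byte flipped inside the x86 image body
_saved[0x4A0:0x4A8] = bytes(8)           # eight bytes zeroed inside the EFI image body
SAVED = bytes(_saved) + b"\xff" * BLOCK  # dump one block longer: erased flash past the last image

if __name__ == "__main__":
    for start, end, label in compare_roms(SAVED, REFERENCE):
        print("0x%06x-0x%06x  %s" % (start, end, label))
```

The last range in the sample output is the "size difference" case from the first post: bytes past the last image are padding or unused space in the flash part, and a reference .rom that omits them will show as a mismatch there whatever they contain. Differences inside a code image are the ones worth looking at, and a few bytes at a fixed location that change on every flash (a timestamp) look nothing like a block of code that changed; posting both files, as asked above, lets someone else run exactly this comparison.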
Joined
Oct 3, 2015
Messages
290 (0.15/day)
Is this a stolen computer that is protected by passwords and/or by encryption?
Notice he mentioned the takeover policies and that he is looking at the mysterious unallocated space.
 
Joined
May 18, 2009
Messages
1,475 (0.34/day)
Location
MN
I've seen some pretty nifty viruses at my last job go through some stores: from sophisticated ones that stole credit card data to ones that simply renamed .exe files to another file extension, or ones just designed to eat up hard drive space by filling out a .txt file with basic information pulled from the computer; it would just write the info over and over and over again.

One of my more favorite ones took myself and another senior tech to track down the issues. A store called in, having a slew of issues on the server computer. A quick remote into the system made it painfully clear they had somehow infected the computer with a virus. We pulled the server from the network and had the store set up one of their registers to work as a temporary server to store sales and clock in/out data. We shipped out a new server computer and it would arrive NDA. The store was working, but they called in a few hours later saying their registers were having issues now. It seems the virus went through the network and infected the registers... now the store was pretty much SOL. They had to close down for the rest of the day. We set up new HDDs for the registers to ship out NDA as well.

Next morning the store calls in and I get them all set up and working on new hardware. They're off and running now. They call back later that day with the same issues as before. Everything was infected again. In the end, it appears that the 512MB flash card on the cook display control boxes had just enough free space to allow this virus to install and infect them; once the new devices showed up on the network the virus would move to them. What a cluster....

As for the credit card stealing virus, we got to work with the FBI to help try and clean out the system and pinpoint where the virus was hiding and how it was constantly opening new ports to allow data in/out. They needed the ins/outs of the company's software and how everything talked and what ports it made use of. Once they figured they couldn't pinpoint the issue in a timely fashion and clean out the store without a proper new set of hardware, they pretty much took everything with them when they left and we don't know what ever happened after that. The poor lady that ran the franchise had 8 different stores and 6 out of 8 had this virus. She had to order new equipment for 6 stores - that's 6 server computers, at least 18-24 registers (3-4 registers per store) and 18 cook display control boxes (3 per store). She spent almost $30k on brand new hardware because of this virus.

Some folks out there can certainly design crazy ass viruses and malware - I wouldn't be surprised if there was a hint of truth to the OP's post. Then again, it sounds rather far fetched.
 
Joined
Oct 22, 2014
Messages
11,157 (4.80/day)
Location
Sunshine Coast
This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
It's also possible the BIOS can be infected, as well as GPU VRAM or memory DRAM, but that is a bit high tech for hacking a home system.
 

Solaris17

Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
22,024 (3.88/day)
Location
Florida
IDK, I would need to see some samples before I believed any of this.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
16,077 (3.33/day)
Location
Quantum Well UK
It's also possible the BIOS can be infected, as well as GPU VRAM or memory DRAM, but that is a bit high tech for hacking a home system.
Yeah, possible, but unlikely, hence my skepticism. You can see from the incredulous responses from some of the others in this thread that I'm not the only one.
 