
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

MadBrit

New Member
Joined
May 17, 2018
#1
Hi,

Thanks in advance for any help...

Fresh Windows 10 1803
Home build w/ASUS STRIX Z270F MB, ASUS GTX 1070 8GB, i7-7700K, Samsung 850 Pro / Crucial M4

I have been fighting an infection with an extremely persistent malware that (after 8 weeks of analysis) is not detectable in user space by any AV. It has been sending me around in frustrating circles. I originally thought the malware was hiding in filesystem slack space, but it appears to be using a combination of evasion techniques that rewrite the HDD HPA/DCO, GPU firmware (main infection source), SSD firmware (unable to BCDwipe certain sectors - multiple SSDs - unable to upgrade BIOS due to malware interference), and the motherboard BIOS (blocks rescue disks). The malware blocks rescue CDs from running and locks the drive into hibernation to prevent offline scans. Reflashing the MB BIOS stops this for 1 boot, then the problem returns.

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

I know, crazy, right? I believe the origin of the malware is Chinese/Korean for a number of reasons that I won't go into here. On trying to upgrade the GTX 1070 firmware with the ASUS GPUUpdateBios.exe, I get a response "You no need update GPU Vbios!". I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.

Long story short, I am unable to find any info on how to reset these parameters (or reset the card completely back to stock) and cannot find the relevant .IFR firmware mentioned in NVFlash to update this. On reboot, the malware takes the card back again and we're back to square one.

If there is a tool to completely reset all the card parameters to factory, or a hardware ninja method that provides similar results, I would very much appreciate some recommendations. If this malware resonates with anyone else, I would really like to know its name, as I have been unable to determine the strain.

Cheers!
 
Joined
Jan 31, 2010
#2
The tool I think you're looking for is called a hammer, followed up with a can of gas and a lighter, as that's some seriously bad crap you have going on there.
 
Joined
Oct 17, 2014
#3
How does one get malware of this level on their PC? Were you looking at something you shouldn't have been? :p
 

erocker

Senior Moderator
Staff member
Joined
Jul 19, 2006
#5
Isn't OP just explaining the Windows 10 update process?

If not...

Destroy all the drives. That is honestly what I would do if I were experiencing this.
 
Joined
Feb 18, 2012
#6
Why not just do a fresh install of the OS to the HD, or get a new HD?
 
Joined
Aug 20, 2007
#7
If this is real, a hardware programmer should fix it...

But I really doubt it's real... sorry. If it is, get in touch with an AV vendor to provide samples and they'll likely buy you new hardware just to get to study / try to block this new monstrosity.
 
Joined
Sep 10, 2016
#8
If this is legit, get in contact with a proper security company and get them to analyse this monster, as it sounds pretty insidious.
 
Joined
Dec 14, 2009
#9
To be believed I think some would like to see this on a screenshot. What you have sounds too extreme for an ordinary PC, and the very odd message from your gfx firmware doesn't sound believable at all. But, a screenshot of this flash process would help.
 
Joined
Aug 20, 2007
#10
Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
#11
Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.
It's a liar here, trying to hide what he is doing.

He needs to secure erase or format his hdd and reinstall the os for starters.
 

Knoxx29

Xeon Owners Club
Joined
Feb 19, 2014
#12
It's a liar here, trying to hide what he is doing.
Agree with you.

Maybe he was flashing the card, things went wrong, and now he is trying to tell us something different?
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
#13
I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.
Please post the BIOS you saved from your card and the one you are comparing to.
 
Joined
May 13, 2010
#14
You caught an STD from the dark web?

Wireshark it and look for anything mucky.
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
#15
Subbed for the Streisand troll lookalike.
This sounds totally like smelling the female troll knickers (fishy as hell, do I smell rock cod?).
Please provide screenshots and
Please post the BIOS you saved from your card and the one you are comparing to
If you have what you say you have, contact your AV vendor and Microsoft.
:) They might even send a specialist for a site visit, as what you describe is... unbelievable.
 
Joined
Nov 30, 2007
#16
F.U.B.A.R. o_O
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
#18
This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
 
Joined
Apr 4, 2016
#20
In theory such a thing is not impossible. In practice there is an army of problems for someone who wants to write that type of malware/virus, like how on earth it can target each possible MB BIOS, GPU BIOS and HDD/SSD firmware, because I doubt all of them share a similar structure; then you have the limitations from the size of the MB BIOS, GPU BIOS and HDD/SSD firmware, because you still need to have that PC working (it's just easier to write garbage on the MB BIOS, GPU BIOS and HDD/SSD firmware if you just don't care about having that PC still running), and then, after you somehow managed to use the little free space, you also need to actually have running code there. A random hacker won't have the resources to actually code something like this; you need proper funding for such a thing, and even with the money I doubt it can be done. Now, if this was targeting only a particular platform, yes, that has happened in the past.
It will sound rude, what I will write in the following line, but it's a fact: if you are so important that someone will actually spend the money to make malware/a virus targeting you, then you won't be asking for help here, because due to the nature of your job you would be informing someone else about the situation.
Don't get me wrong, but you kind of need access to the source code for an army of BIOSes/firmwares to have a chance to even write something like this, else it's just impossible, and there are very few agencies that can actually have such a chance (even they would need to steal some source code in some cases, or reverse engineer it, but this last case is not that easy, to the point it might not even be viable).

If you assume your SSD/HDD is infected with something that no antivirus is capable of dealing with, just use another PC, download a Linux distro that allows you to run a live session (Ubuntu and derivatives, for example), write it to a CD/DVD/USB stick on the other PC (NOT on the infected one), boot from that USB stick (put the USB stick in the infected PC with the PC powered off, and the first time you start the PC boot from the USB stick, else you can compromise the USB stick (like the malware/virus writing crap on the USB stick and making it not boot, or running crap from the bootloader)) and write zeros/random stuff on the HDD using dd (
if you have only one HDD/SSD:
sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
if you have 2 HDD/SSD:
sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
and then after it's done
sudo dd if=/dev/zero of=/dev/sdb bs=4096 status=progress
if you have multiple HDD/SSD:
sudo dd if=/dev/zero of=/dev/sdX bs=4096 status=progress
replace X with the letters a, b, c, and so on
you can read more here: https://wiki.archlinux.org/index.php/Securely_wipe_disk)
Sure, after zeroing the HDD/SSD you lose all the data, but the HDD/SSD should be clean. I wouldn't fully write zeros over an SSD; I would write zeros only over the section where the partition table is located (that should be enough; you didn't say if it's MBR or GPT).

Regarding the differences between the GPU BIOS in the file and the dump after you flash it: how did you flash the GPU BIOS? Did you do it in Windows (doing it in the infected Windows is asking for trouble, because that Windows can happily freeze in the middle of the flashing process... and this can happen in a clean Windows also; I know some AMD drivers that will just mess up the GPU flashing process)? If yes, then there is no surprise for me that the one in the file and the dump after you flash it are not identical; I've done it several times in Windows and I didn't really get a match (usually I was getting 1-5 differences, but I saw no real problem). If I do it using a DOS USB stick I always get a 100% match.

Trying to clean it by booting into the infected Windows connected to the internet can easily prove a waste of time... There are several antiviruses that will just make a bootable CD/DVD/USB stick, and you boot directly from that and try to clean it from a clean environment:
https://www.bitdefender.com/support/how-to-set-up-a-bitdefender-rescue-cd-1249.html
https://www.avira.com/en/download/product/avira-rescue-system (I had issues with Avira when I tried to use it, like it just froze at some %)
https://support.kaspersky.com/viruses/rescuedisk
just to give some examples. Again, you will need to write those things to a CD/DVD/USB stick on another PC (trying to do it on the infected PC can easily go wrong).

L.E.:

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).
Post the VirusTotal links to the files you think are infected and which you checked with VirusTotal. I'm asking for this because there are several checksums used by VirusTotal (SHA-256, MD5 and SHA-1), and I find it hard to believe that you can find a way to modify a file and fix all 3 checksums to look like the original file; you can probably fix one of them, but all 3....

Windows 10 in normal conditions will happily update when it wants. So the fact that you see some Windows files getting changed is actually the normal way Windows 10 does its updates... If you want to change this behaviour you can happily google for the solution.

L.E. 2:

I don't really believe you are dealing with malware/a virus that has actually replaced the MB BIOS, GPU BIOS and HDD/SSD firmware.
Make a USB stick with a Linux distro that can run a live session on another PC (if you don't have 2 PCs, just ask a friend), disconnect the HDD/SSD (all of them, just unplug the power or SATA cable) and boot from the Linux USB stick. If at first boot things look OK, reboot it; if at second boot things are again OK, then you probably don't have any problems with the BIOSes (you might have messed them up when you flashed them...). If you have no problems while using the live Linux session, then reconnect the HDD/SSD cables, boot again from the Linux USB stick and write zeros on each of the HDD/SSD. Reboot and reinstall Windows without being connected to the internet.
If what you are describing is correct (the behaviour of the malware/virus (looks like a joke to me, to be honest; I wouldn't make it do anything like that) and the fact that nothing detects it), then well, your only way is to fully wipe the SSD/HDD, because else you will never know what is affected and what is not (well, you will first need something that detects it, then something that cleans it).

And sometimes a reinstall on a zeroed HDD is just faster than trying to clean an infected HDD. I wasted 18 h on the laptop of a client because the client refused to understand that he needs a new HDD/SSD: 6 bad sectors reported by SMART and growing (was 5 when the laptop got to me, increased to 6 while I tried to fix it); 90+ logical bad sectors on the OS partition, which got fixed after I zeroed it. I also had to back up the data from that OS partition, because of course the client wanted me to save his photos and silly cooking recipes (not to mention that the client failed to point to the directories where he had those things; I actually failed to find a single cooking recipe...), because I really had a working machine when the laptop ended up with me: it was taking 60 minutes to even finish the boot process, and of course the client didn't even want to pay how much I asked for my 18 hours of work... Next time he comes to me I will just say I want the money before I even look at his laptop, else he can happily find someone else to fix his laptop.
 
Last edited:
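The post above suggests zeroing only the region that holds the partition table rather than a whole SSD. The detail that matters in practice is that GPT keeps a backup header and entry table at the end of the disk, and partitioning tools will rebuild the layout from that backup if only the front of the disk is zeroed. The following is an added example, not code from this thread or from any of the tools named in it; it demonstrates the head-and-tail wipe on a throw-away image file (sizes, file layout and signature offsets are assumptions) so it runs without touching a real device.

```python
"""Zero only the partition-table regions of a disk, shown on an image file.

Added example (not from the thread). MBR keeps its table in sector 0; GPT keeps
a primary header and entries in LBAs 1-33 and a backup copy in the last 33
sectors. Zeroing the first and last MiB covers both layouts. Pointed at a real
block device this destroys its partitioning, so the demo builds its own image.
"""
import os
import tempfile
from typing import Dict

SECTOR = 512
HEAD_BYTES = 1024 * 1024          # MBR + primary GPT header/entries (+ alignment gap)
TAIL_BYTES = 1024 * 1024          # backup GPT entries + backup header
MBR_SIG = b"\x55\xaa"             # boot signature at bytes 510-511 of sector 0
GPT_SIG = b"EFI PART"             # first 8 bytes of a GPT header
DATA = b"filesystem data"         # constructed payload a table-only wipe must leave alone


def make_sample_image(path: str, size_bytes: int) -> None:
    """Construct a sparse image carrying signatures where a real disk has them."""
    with open(path, "wb") as f:
        f.truncate(size_bytes)
        f.seek(510)
        f.write(MBR_SIG)
        f.seek(1 * SECTOR)
        f.write(GPT_SIG)                       # primary GPT header at LBA 1
        f.seek(size_bytes - SECTOR)
        f.write(GPT_SIG)                       # backup GPT header at the last LBA
        f.seek(size_bytes // 2)
        f.write(DATA)                          # user data in the middle of the disk


def inspect(path: str) -> Dict[str, bool]:
    """Report which signatures are present and whether the mid-disk data survived."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        f.seek(510)
        mbr = f.read(len(MBR_SIG)) == MBR_SIG
        f.seek(SECTOR)
        primary = f.read(len(GPT_SIG)) == GPT_SIG
        f.seek(size - SECTOR)
        backup = f.read(len(GPT_SIG)) == GPT_SIG
        f.seek(size // 2)
        data = f.read(len(DATA)) == DATA
    return {"mbr": mbr, "gpt_primary": primary, "gpt_backup": backup, "data_intact": data}


def wipe_partition_tables(path: str, head: int = HEAD_BYTES, tail: int = TAIL_BYTES) -> int:
    """Overwrite the first `head` and last `tail` bytes with zeros; return bytes written."""
    size = os.path.getsize(path)
    head = min(head, size)
    tail = min(tail, size)
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(bytes(head))
        f.seek(size - tail)
        f.write(bytes(tail))
        f.flush()
        os.fsync(f.fileno())                   # make sure the zeros reached the medium
    return head + tail


def demo(size_bytes: int = 16 * 1024 * 1024) -> Dict[str, Dict[str, bool]]:
    """Build a temporary image, wipe its tables, and return before/after findings."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_sample_image(path, size_bytes)
        before = inspect(path)
        wipe_partition_tables(path)
        after = inspect(path)
    finally:
        os.unlink(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, found in demo().items():
        print(stage, found)
```

Note what this does and does not achieve: after the wipe no partition table remains, but `data_intact` stays true, so file contents on the drive are untouched. That is fine if the goal is only to stop the old partitions from being picked up on reinstall; if the worry is the drive's contents themselves, use the drive's built-in secure-erase command (ATA Secure Erase or NVMe format) rather than zeroing an SSD end to end with dd.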
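Two requests in this thread come down to the same check: W1zzard's post #13 asks for the BIOS dumped from the card and the .rom it was compared against, and the post above asks for VirusTotal links because a file cannot plausibly be altered while keeping its MD5, SHA-1 and SHA-256 all matching. The script below is an added example, not code from the thread or from NVFlash; it lists every byte range in which a dumped image differs from its reference (offset and length, with a size mismatch reported as a final range) and prints the three digests of each. The sample images are constructed in memory, and the file paths in `main()` are placeholders.

```python
"""Compare a dumped firmware image against its reference file.

Added example (not from the thread). Reports each differing byte range and the
MD5 / SHA-1 / SHA-256 digests of both images, so a "1-5 differences" flash
result can be pinned to concrete offsets instead of a tool's summary.
"""
import hashlib
import sys
from typing import Dict, List, Tuple


def digests(data: bytes) -> Dict[str, str]:
    """The three digests VirusTotal reports for a file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for each maximal run of differing bytes.

    Positions past the end of the shorter image count as differences, so a
    size mismatch shows up as one final range starting at the shorter length.
    """
    total = max(len(a), len(b))
    ranges: List[Tuple[int, int]] = []
    start = None
    for i in range(total):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, total - start))
    return ranges


def compare_images(dumped: bytes, reference: bytes) -> dict:
    """Summarise how a card dump differs from the .rom it was flashed from."""
    ranges = diff_ranges(dumped, reference)
    return {
        "dumped_size": len(dumped),
        "reference_size": len(reference),
        "identical": not ranges,
        "ranges": ranges,
        "dumped_digests": digests(dumped),
        "reference_digests": digests(reference),
    }


def sample_images() -> Tuple[bytes, bytes]:
    """Constructed stand-ins for a dumped BIOS and its reference .rom (not real VBIOS data)."""
    reference = bytes(range(256)) * 4            # 1024 bytes of a repeating pattern
    dumped = bytearray(reference)
    dumped[16:20] = b"\xff\xff\xff\xff"          # e.g. a timestamp field rewritten on flash
    dumped[500:503] = b"\x00\x00\x00"            # a second small difference
    dumped += bytes(64)                          # trailing size mismatch
    return bytes(dumped), reference


def main(argv: List[str]) -> None:
    if len(argv) == 3:                           # real use: dump.rom reference.rom (placeholder paths)
        with open(argv[1], "rb") as f:
            dumped = f.read()
        with open(argv[2], "rb") as f:
            reference = f.read()
    else:
        dumped, reference = sample_images()
    report = compare_images(dumped, reference)
    print(f"sizes: dumped={report['dumped_size']} reference={report['reference_size']}")
    for off, length in report["ranges"]:
        print(f"  differs at 0x{off:08x}, {length} byte(s)")
    for which in ("dumped", "reference"):
        for algo, hexdigest in report[f"{which}_digests"].items():
            print(f"{which:9s} {algo:6s} {hexdigest}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python compare.py dump.rom reference.rom` to diff real files, or with no arguments to see the constructed sample. Any single-byte change moves all three digests, which is the point of the VirusTotal request: a dump that hashes identically to the reference is the reference, whereas one with a few differing offsets is what the post above describes seeing after an in-Windows flash.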
Joined
Oct 3, 2015
#21
Is this a stolen computer that is protected by passwords and/or by encryption?
Notice he mentioned take-over policies and that he is looking at the mysterious unallocated space.
 
Joined
May 18, 2009
#22
I've seen some pretty nifty viruses at my last job go through some stores. Some sophisticated ones that stole credit card data to ones that simply renamed .exe to another file extension name or just designed to eat up hard drive space by filling out a .txt file with basic information it pulled from the computer - it would just write the info over and over and over again.

One of my more favorite ones took myself and another senior tech to track down the issues. Store called in, having a slew of issues on the server computer. A quick remote into the system made it painfully clear they somehow infected the computer with a virus. We pulled the server from the network and had the store set up one of their registers to work as a temporary server to store sales and clock in/out data. We shipped out a new server computer and it would arrive NDA. The store was working, but they called in a few hours later saying their registers were having issues now. It seems the virus went through the network and infected the registers..... now the store was pretty much SOL. They had to close down for the rest of the day. We set up new HDDs for the registers to ship out NDA as well.

Next morning the store calls in and I get them all setup and working on new hardware. They're off and running now. They call back later that day with the same issues as before. Everything was infected again. In the end, it appears that the 512MB flash card on the cook display control boxes had just enough free space to allow this virus to install and infect them - once the new devices showed up on the network the virus would move to them. What a cluster....

As for the credit card stealing virus, we got to work with the FBI to help try and clean out the system and pinpoint where the virus was hiding and how it was constantly opening new ports to allow data in/out. They needed the ins/outs of the company's software and how everything talked and what ports it made use of. Once they figured they couldn't pinpoint the issue in a timely fashion and clean out the store without a proper new set of hardware, they pretty much took everything with them when they left and we don't know what ever happened after that. The poor lady that ran the franchise had 8 different stores and 6 out of 8 had this virus. She had to order new equipment for 6 stores - that's 6 server computers, at least 18-24 registers (3-4 registers per store) and 18 cook display control boxes (3 per store). She spent almost $30k on brand new hardware because of this virus.

Some folks out there can certainly design crazy ass viruses and malware - I wouldn't be surprised if there was a hint of truth to the OP's post. Then again, it sounds rather far fetched.
 
Joined
Oct 22, 2014
#23
This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
It's also possible the BIOS can be infected, as well as GPU VRAM or memory DRAM, but that is a bit high tech for hacking a home system.
 

Solaris17

Creator Solaris Utility DVD
Joined
Aug 16, 2005
#24
IDK, I would need to see some samples before I believed any of this.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
#25
It's also possible the BIOS can be infected, as well as GPU VRAM or memory DRAM, but that is a bit high tech for hacking a home system.
Yeah, possible, but unlikely, hence my skepticism. You can see from the incredulous responses from some of the others in this thread that I'm not the only one.
 