
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

MadBrit

New Member
Joined
May 17, 2018
Messages
6 (0.01/day)
System Name HomeBuild
Processor Intel i7-7700K
Motherboard ASUS Z270F
Cooling Corsair H55 Hydro Series
Memory 32GB G.Skill Ripjaws V (PC4 25600)
Video Card(s) ASUS STRIX-GTX 1070 8G Gaming
Storage Samsung 850 Pro x 3, Crucial M4 (spare boot)
Display(s) LG 34UC79-G
Case Thermaltake View 31
Audio Device(s) N/A
Power Supply Thermaltake Toughpower 850W
Mouse Logitec
Keyboard Logitec
Software Win 10 1803
Benchmark Scores With or without malware infection?
My situation is sad, but true. I have attached requested evidence / screenshots below. Please be very, very careful with the .rom file though. I do not want to be responsible for spreading whatever *that* is any further.

GPU-Z was blank when I first ran it - and I thought it was a bug. I have flashed MB BIOSes for years - this is my second or third GPU flash ever.

Background: My first post many weeks ago before Symantec got involved.

<Bleeping Computer Link>
https://www.bleepingcomputer.com/forums/t/673759/chinese-malware-infecting-bios-hidden-on-hdd/

After a few weeks of trying to fix this myself, I got Symantec involved. Symantec couldn't find anything (paid for their cleaning service) with their forensic tool and gave up after a few days. I offered to personally drive one of the SSDs down to Mountain View and put it in the hands of a virus researcher, but the support people were in India / the Philippines and probably don't know where MV is. Their level 3 support was atrocious and they believed *something was there* but couldn't say what. Friend at Cylance's response was the same. They are too busy...however, many of these GPU findings were made today - as were the SSD firmware mods - but I had my suspicions.

The GPU screenshots are after the first flash. Luckily, I saved the rom before flashing.

I believe it may have used Spectre or Meltdown for the initial infiltration / exploit. The main payload came in via email. It was a spear phishing email. EaseUS is involved in this somehow. I saw the email notification and Norton jumped into Heuristics mode then died. Also had Malwarebytes installed...nada. Nothing else (other than a 2012 version of SuperAntiSpyware I had on an old USB stick) could detect anything. SAS detected Rouge.Agent.Gen Nullo (BIN) but I think it was a false positive. Dr. Web caught some obscure userblocker and Winlogon was modified in the reg.

"Why not just do a fresh install of the OS to the HD or get a new HD.??"

You didn't read the post properly. It is embedded in the system GPU / SSD / MB firmware BIOS. Not making this up. It is not detectable in user space. I have reinstalled / LL formatted over 20 times in the last few months. Same thing every time.

My wife told me to go get a new laptop so that I can continue my business, but I objected as I couldn't find the infection source. I lost that fight and I now have a bricked ASUS laptop sitting here as a doorstop. Right now, I don't trust anything on the network.

For all you naysayers out there - rather than taking pot shots at my request for help and accusing me of *whatever*, please try and make a positive suggestion that does not involve torching the box...although, it may just come to that.

Cheers!

Here are the supporting files. Have other screens to substantiate my claims....

Rom Files / IFR Dump
 

Attachments

Joined
Sep 17, 2014
Messages
10,100 (5.43/day)
Location
Mars
Processor i7 8700k 4.7Ghz @ 1.26v
Motherboard AsRock Fatal1ty K6 Z370
Cooling beQuiet! Dark Rock Pro 3
Memory 16GB Corsair Vengeance LPX 3200/C16
Video Card(s) MSI GTX 1080 Gaming X @ 2100/5500
Storage Samsung 850 EVO 1TB + Samsung 830 256GB + Crucial BX100 250GB + Toshiba 1TB HDD
Display(s) Eizo Foris FG2421
Case Fractal Design Define C TG
Power Supply EVGA G2 750w
Mouse Logitech G502 Protheus Spectrum
Keyboard Sharkoon MK80 (Brown)
Software W10 x64
Well, my solution would most certainly be to torch this machine, or sell it off to someone you REALLY hate.

At the very least get some fun out of it. And remember: time is money, too.

I'm not even joking, I would be at a complete loss if you cannot localize this AND it keeps replicating across firmwares and BIOS.

Or: take it apart entirely, and power drain every component - remove CMOS battery, unplug, let it sit there for a week, hold power button and then disassemble > reassemble. When you reassemble only use single stick of RAM, no GPU, and a new storage medium starting from scratch.
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
please try and make a positive suggestion that does not involve torching the box.
If true, I apologize for my skepticism. A hardware programmer is indeed the answer then. Is this a desktop? If so, please send a quick photo of the GPU PCB. I may be able to advise what you need to order.

Alternatively, I would be willing to flash it for you with my hardware programmer. It would cost about $30.00. I would recommend sending the mobo as well, and replacing the HDD(s) and any other drives entirely (no easy way to hardware flash them).
 
Joined
Feb 2, 2015
Messages
2,707 (1.57/day)
Location
On The Highway To Hell \m/
Nope. Still not buying it. HUGE gaping holes to be filled with REAL evidence. Of which none has yet been provided (nor ever will be). Just the pseudo-intelligent ramblings of some poor fellow in dire need of psychiatric help. Oh it's true alright. And sad as well. Best wishes my friend.

PS, I'm mentally ill myself. I've been hospitalized for it on numerous occasions in the last 25 years. And been through years and years of psychotherapy. Many of my family members are crazy too, with all manner of differing mental disorders (everybody on my mom's side has something or another, or a bunch of things). I've seen more than enough crazy in my life to know it when I see/hear it. I know it front/back, top/bottom, inside/out. I've seen things you wouldn't even believe if I told you. Experience has taught me...if there's one thing I know...it's crazy.
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
Nope. Still not buying it. HUGE gaping holes to be filled with REAL evidence. Of which none has yet been provided (nor ever will be). Just the pseudo-intelligent ramblings of some poor fellow in dire need of psychiatric help. Oh it's true alright. And sad as well. Best wishes my friend.
When I get home, I'll analyze his bios dump and know for certain.

There were some anonymous groups working on this in 2015, and if true, the code is almost certainly similar:

https://arstechnica.com/information-technology/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/

Experience has taught me...if there's one thing I know...it's crazy.
You know then you can be crazy and still be correct at times. ;)

EDIT: All I can say right now is that is certainly an odd bios.

I will report more when I get home, Android hex editors suck, but, sir, you have my interest... Can we get your likely infected motherboard BIOS as well?
 

MadBrit

New Member
Joined
May 17, 2018
Messages
6 (0.01/day)
System Name HomeBuild
Processor Intel i7-7700K
Motherboard ASUS Z270F
Cooling Corsair H55 Hydro Series
Memory 32GB G.Skill Ripjaws V (PC4 25600)
Video Card(s) ASUS STRIX-GTX 1070 8G Gaming
Storage Samsung 850 Pro x 3, Crucial M4 (spare boot)
Display(s) LG 34UC79-G
Case Thermaltake View 31
Audio Device(s) N/A
Power Supply Thermaltake Toughpower 850W
Mouse Logitec
Keyboard Logitec
Software Win 10 1803
Benchmark Scores With or without malware infection?
@R-T-B ; I would appreciate any feedback or response you have. Thanks for taking the time. It is a desktop. Image attached...

@Mr Genius ; What other proof would you like? I can provide anything (logs, screenshots). Either that, or you're deliberately distracting and probably a malware guy yourself. If not, perhaps you should read up on malware research as I have done. All of the techniques used in this infection have been researched in the past and have validated proof of concepts - from many years ago (BHat 2012 for GPU malware, etc.). But I agree it's redic to see it in the wild - however, I am not the only one...these guys have something similar.

https://forums.malwarebytes.com/topic/213254-malwarerootkit-survives-disk-wipes-and-hijacks-any-new-os-installs/

@Vayra86; Agree with you 100%. At this point, pouring gas on it and lighting a match may provide a lot of satisfaction - if nothing else. However, if I'm not crazy and this thing is real, we are all in a world of hurt. Hate for anyone else to go through what I am going through. If I didn't see Norton barf, I would never have known that I was infected. I rarely look at the hardware specs of a system other than during the build, but this may be a good way of profiling the malware - analyzing hardware specs, expected performance, and comparing .ROM dumps to known good versions.

I had another thought...it may not be infecting the MB BIOS - but if the GPU is the culprit, it can affect screen output in some way. For example, on using a boot disk for BCDWipe to clean the HPA / DCO, the GPU restarts and the screen goes blank when searching for drives...then nothing. There's nothing else to do but reboot. When I used the onboard (MB) HDMI port, it works fine (as I just found out). This has been an ongoing battle with rescue disks either dropping to GRUB or just not loading at all - making it appear like a MB UEFI infection when it's probably only the GPU and SSD firmware infected.

At this point I am willing to drop ship this bloody system to any AV company that wants it if they pay for the cost of the hardware.

Any other suggestions?
 

Attachments

Solaris17

Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
20,885 (4.03/day)
Location
Florida
System Name Venslar
Processor I9 7980XE
Motherboard MSI x299 Tomahawk Arctic
Cooling EK Custom
Memory 32GB Corsair DDR4 3000mhz
Video Card(s) Nvidia Titan RTX
Storage 2x 2TB Micron SSDs | 1x ADATA 128SSD | 1x Drevo 256SSD | 1x 1TB 850 EVO | 1x 250GB 960 EVO
Display(s) 3x AOC Q2577PWQ (2k IPS)
Case Inwin 303 White (Thermaltake Ring 120mm Purple accent)
Audio Device(s) Realtek ALC 1220 on Audio-Technica ATH-AG1
Power Supply Seasonic 1050W Snow
Mouse Roccat Kone Aimo White
Keyboard Ducky Shine 6 Snow White
Software Windows 10 x64 Pro
When I get home, I'll analyze his bios dump and know for certain.

There were some anonymous groups working on this in 2015, and if true, the code is almost certainly similar:

https://arstechnica.com/information-technology/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/



You know then you can be crazy and still be correct at times. ;)

EDIT: All I can say right now is that is certainly an odd bios.

I will report more when I get home, Android hex editors suck, but, sir, you have my interest... Can we get your likely infected motherboard BIOS as well?
Same
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
Worse yet, his malware BIOS seems to have a valid signature as best I can tell via his nvflash logs... meaning it's flashable and is perhaps even factory signed. So either it's not a malware BIOS and I'm barking up the wrong tree, or they found a way to fool Falcon inside the firmware image, or a factory actually fricking signed a malware BIOS.

I think it goes without saying that you SHOULD NOT flash that BIOS. There are at least 8 KB of code inserted in it that I have no idea what they do vs the one on the database.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
19,626 (3.48/day)
Processor Core i7-4790K
Memory 16 GB
Video Card(s) GTX 1080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 7
So I looked at your BIOS and compared against https://www.techpowerup.com/vgabios/187068/asus-gtx1070-8192-161020-1 which is for the same card, nearly identical BIOS version.

The BIOSes are pretty much identical. The differences are just some serial numbers and the associated housekeeping stuff like different checksums due to slightly different contents.
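The comparison W1zzard describes here, and the "compare .ROM dumps to known good versions" idea MadBrit raised earlier, is a byte-level diff of a dump against a reference image with attention to where the differences land. The script below is an added example, not TechPowerUp's code or a tool anyone in the thread used: it lists each run of differing bytes with its offset and length, flags runs that fall in erased (0xFF) free space, and counts free space in both images, so a few bytes of serial and checksum can be told apart from kilobytes written into unused flash. The images, field offsets and the 64-byte / 1 KiB thresholds are constructed assumptions.

```python
"""Compare a firmware ROM dump against a known-good reference image.

Added example for this thread (not TechPowerUp's code, not a tool the
posters used): report every run of differing bytes with offset and length,
note whether the reference was erased (0xFF) there, and count free space,
so that "serial numbers and checksums" can be told apart from kilobytes of
code written into free space.  All images below are constructed.
"""
from dataclasses import dataclass

ERASED = 0xFF                 # NOR flash erases to all-ones
HOUSEKEEPING_MAX = 64         # bytes: serials, checksums, board IDs (assumed threshold)
INSERTED_MIN = 1024           # bytes into free space worth calling a module (assumed)


@dataclass
class DiffRun:
    offset: int
    length: int
    ref_erased: bool          # reference was free space (all 0xFF) over this run


def diff_runs(reference: bytes, dump: bytes, merge_gap: int = 16) -> list[DiffRun]:
    """Runs of differing bytes; runs closer than merge_gap bytes are merged."""
    if len(reference) != len(dump):
        raise ValueError(f"size mismatch: reference {len(reference)} B, dump {len(dump)} B")
    spans = []
    start = end = None
    for i, (a, b) in enumerate(zip(reference, dump)):
        if a != b:
            if start is None:
                start = i
            end = i
        elif start is not None and i - end > merge_gap:
            spans.append((start, end - start + 1))
            start = None
    if start is not None:
        spans.append((start, end - start + 1))
    return [
        DiffRun(off, ln, all(x == ERASED for x in reference[off:off + ln]))
        for off, ln in spans
    ]


def free_space(image: bytes) -> int:
    """Bytes still in the erased state (0xFF)."""
    return image.count(ERASED)


def compare(reference: bytes, dump: bytes) -> dict:
    """Summarise the differences and give a coarse verdict."""
    runs = diff_runs(reference, dump)
    changed = sum(r.length for r in runs)
    into_free = sum(r.length for r in runs if r.ref_erased)
    if into_free >= INSERTED_MIN:
        verdict = "inserted-code"
    elif changed <= HOUSEKEEPING_MAX and into_free == 0:
        verdict = "housekeeping"
    else:
        verdict = "review"
    return {
        "runs": [(hex(r.offset), r.length, r.ref_erased) for r in runs],
        "bytes_changed": changed,
        "bytes_into_free_space": into_free,
        "free_space_ref": free_space(reference),
        "free_space_dump": free_space(dump),
        "verdict": verdict,
    }


# Constructed images: 48 KiB of non-0xFF "code" followed by 16 KiB of erased space.
CONTENT = 48 * 1024
FREE = 16 * 1024
REFERENCE = bytes(i % 255 for i in range(CONTENT)) + bytes([ERASED]) * FREE


def serial_variant() -> bytes:
    """Same card, different serial and fixed-up checksum: the benign case."""
    img = bytearray(REFERENCE)
    img[0x100:0x110] = b"\xAA" * 16            # assumed 16-byte serial field
    img[CONTENT - 2:CONTENT] = b"\x00\x00"     # assumed trailing checksum
    return bytes(img)


def inserted_variant() -> bytes:
    """Serial variant plus 8 KiB written into erased space: the suspicious case."""
    img = bytearray(serial_variant())
    blob = bytes((i * 13 + 1) % 254 for i in range(8 * 1024))   # never 0xFF
    img[CONTENT + 0x1000:CONTENT + 0x1000 + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("serial-only", serial_variant()), ("inserted", inserted_variant())):
        print(name, compare(REFERENCE, img))
```

Real dumps should be taken with an external programmer rather than from the running system, and the reference should come from the vendor or a trusted database for the exact same board and BIOS version, since a near-miss reference produces exactly the "massive differences" described later in the thread.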

 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
So I looked at your BIOS and compared against https://www.techpowerup.com/vgabios/187068/asus-gtx1070-8192-161020-1 which is for the same card, nearly identical BIOS version.

The BIOSes are pretty much identical. The differences are just some serial numbers and the associated housekeeping stuff like different checksums due to slightly different contents.

OH! I downloaded the nearly identical one without the -1 on the end. That explains the massive differences.

Yeah, this looks like just Info rom differences honestly. I still would like to look at your mobo bios though.
 
Joined
Mar 29, 2018
Messages
590 (1.03/day)
The thing is, GPU-Z will not read the card info fully under the basic default standard VGA driver, the safe mode driver built into Windows. Once you install the full NVIDIA driver for the card, all that info will be displayed correctly and fully.

From the GPU-Z results screenshot he posted [Windows basic display adapter], it is not a full NVIDIA driver. Install the driver from NVIDIA.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
15,925 (3.67/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K at stock (hits 5 gees+ easily)
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (4 x 4GB Corsair Vengeance DDR3 PC3-12800 C9 1600MHz)
Video Card(s) Zotac GTX 1080 AMP! Extreme Edition
Storage Samsung 850 Pro 256GB | WD Green 4TB
Display(s) BenQ XL2720Z | Asus VG278HE (both 27", 144Hz, 3D Vision 2, 1080p)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair HX 850W v1
Software Windows 10 Pro 64-bit
@MadBrit It does look like maybe you're really unlucky with this and have been nailed with a BIOS level malware. I'm still not completely convinced that it's not something else, but I'll go with it for now since you've said that you've done clean Windows installs several times now.

Since the others on here reckon that your graphics card BIOS isn't infected after the hex dump comparison, I suggest flashing your mobo BIOS from a command line level flasher if you can. In other words, boot from USB or CD, not the Windows installation. I would then do that fresh install (yes, this again sorry! :) ) with that clean W10 DVD and hope that the problem has gone away. Before doing so, save that current mobo BIOS.

Is it possible that there's another infected computer on your network that keeps nailing this one?
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
What are the URLs? Whose digital signature is used?
Working with him to get his mobo BIOS now in a private chat. His mobo BIOS is a 16MB ROM with a lot of free space. If this is really a firmware infection, it's living there, not in his GPU, I think. I'll search it for strings and see if I can't get him to tell us more details about the CDN part too.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
15,925 (3.67/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K at stock (hits 5 gees+ easily)
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (4 x 4GB Corsair Vengeance DDR3 PC3-12800 C9 1600MHz)
Video Card(s) Zotac GTX 1080 AMP! Extreme Edition
Storage Samsung 850 Pro 256GB | WD Green 4TB
Display(s) BenQ XL2720Z | Asus VG278HE (both 27", 144Hz, 3D Vision 2, 1080p)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair HX 850W v1
Software Windows 10 Pro 64-bit
Working with him to get his mobo BIOS now in a private chat. His mobo BIOS is a 16MB ROM with a lot of free space. If this is really a firmware infection, it's living there, not in his GPU, I think. I'll search it for strings and see if I can't get him to tell us more details about the CDN part too.
You da man for going the extra mile. Respect. :cool:
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
The certs I think are a false root authority (they identify as "Microsoft" and such but are clearly infected). Asking him about IPs for the cdns now. I'm afraid to remote into the "rancid" machine myself, despite his offer to let me. ;)
 
Joined
Oct 17, 2012
Messages
9,203 (3.59/day)
Location
Massachusetts
System Name Americas cure is the death of Social Justice & Political Correctness
Processor i5 8600k
Motherboard Asrock Z370 Extreme 4
Cooling Corsair H-110i GTX
Memory 2x 4Gb Crucial Sport LT
Video Card(s) MSI GTX 980 Gaming
Storage Samsung 850 evo 250Gb
Display(s) Dell Ultra Sharp Widescreen 24" 1200P
Case Fractal Design Meshify-C
Power Supply Seasonic Focus+ 750 Gold
Mouse Logitech G502 spectrum
Keyboard AZIO MGK-1 RGB (Kaith Blue)
Software Win 10 Professional 64 bit
I think no one is doubting the possibility of an invasive piece of software installing itself in BIOS memory, or anywhere writable storage exists. IMO, what seems far more likely to be the reason people question this OP's post is the level of sophistication in something like this, simply to access some dude's computer. This is some definite high-level malicious software (if it is indeed what's happening), and I just can't see someone pulling an "Ocean's Eleven" just to steal eight dollars out of a nine-year-old's piggy bank, so to speak. That is what I feel the questionable part is. Not the existence, rather the likeliness. Certainly no offense intended to OP.
 
Joined
Nov 1, 2017
Messages
358 (0.50/day)
Location
Canada, Quebec
System Name Macbook Air 2014
Processor Intel Core i5 1.3Ghz
Memory 8GB 1600Mhz DDR3
Video Card(s) Intel HD Graphics 5000 1536MB
Storage 256GB SSD
Display(s) 13.3" 1440x900
It's so interesting. I'm here just to see the updates about this story. I can't believe there's some malware like that in the wild.
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
His bios is chock full of extra modules from stock:

1526590785721.png
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
27,501 (6.12/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
His bios is chock full of extra modules from stock:

View attachment 101178
So from your analysis he needs to just go ahead and buy a new BIOS EEPROM, right? Or do you think an SPI or FlashCat programmer might be able to completely erase his existing EEPROM to replace it with the correct stock BIOS?
 

Knoxx29

The Power Of Intel
Joined
Feb 19, 2014
Messages
6,218 (3.00/day)
Location
Behind a VPN
System Name Black Widow/Red Queen X3
Processor i7 8086K 5.3GHz 1.36V/ Xeon X5690 4.5 GHz 1.377
Motherboard Asus Rog Maximus XI Extreme/ Evga X58 Classified 3
Cooling WaterChiller - both Machines looped
Memory G.SKILL Trident Z 3866MHz @4000MHz - G.SKILL RIPJAWSX V 3000MHz 32GB - G.SKILL RIPJAWSX 2133MHz 12GB
Video Card(s) EVGA GEFORCE GTX 1080 Ti/ EVGA 1080 CLASSIFIED
Storage Samsung 970/960/850/840 EVO 250GB - WD Blue 1TB - WD Black 1TB/ Samsung EVO 250GB
Display(s) Asus PG278Q ROG/ Samsung
Case Lian Li PC-V3000/Cougar Panzer MaxLian Li
Audio Device(s) On Board
Power Supply Enermax Platimax 1000W 80plus platinum Super Overclock Edition ATX2
Mouse Logitech G502 spectrum
Keyboard Virtuis Advanced Gaming Keyboard
Software Windows 10 Pro.
Benchmark Scores My PC runs FiFA
It's so interesting. I'm here just to see the updates about this story. I can't believe there's some malware like that in the wild.
There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
So from your analysis he needs to just go ahead and buy a new BIOS EEPROM, right? Or do you think an SPI or FlashCat programmer might be able to completely erase his existing EEPROM to replace it with the correct stock BIOS?
I'm trying to scrub the BIOS now of malware and force flash it with a DOS tool in hopes it won't reload itself.

All his storage devices are infected, like Kaspersky Labs reports. His SSD doesn't even identify as genuine anymore. I told him to flash in DOS, chuck them, and see if he can boot a clean USB.

There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.
It's targeted, we don't know why. These modules in the bios? A lot of them are tailored to his setup as far as I can tell (ASUS Fanboy malware package, basically)
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
27,501 (6.12/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.
That or he ticked someone off

I'm trying to scrub the BIOS now of malware and force flash it with a DOS tool in hopes it won't reload itself.

All his storage devices are infected, like Kaspersky Labs reports. His SSD doesn't even identify as genuine anymore. I told him to flash in DOS, chuck them, and see if he can boot a clean USB.



It's targeted, we don't know why. These modules in the bios? A lot of them are tailored to his setup as far as I can tell (ASUS Fanboy malware package, basically)
for that kind of infection it sounds like he pissed someone off
 
Joined
Aug 20, 2007
Messages
11,648 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
I kind of gleaned why someone would want to target him in discussions, I won't say more than that. I will say it's a legit job he works, and not something sketchy or weird, but lucrative to infect.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
27,501 (6.12/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
I kind of gleaned why someone would want to target him in discussions, I won't say more than that. I will say it's a legit job he works, and not something sketchy or weird, but lucrative to infect.
If you say squirrel I understand lol

He might want to check for ID theft too
 