
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.

MadBrit

New Member
Joined
May 17, 2018
Messages
6 (0.00/day)
System Name HomeBuild
Processor Intel i7-7700K
Motherboard ASUS Z270F
Cooling Corsair H55 Hydro Series
Memory 32GB G.Skill Ripjaws V (PC4 25600)
Video Card(s) ASUS STRIX-GTX 1070 8G Gaming
Storage Samsung 850 Pro x 3, Crucial M4 (spare boot)
Display(s) LG 34UC79-G
Case Thermaltake View 31
Audio Device(s) N/A
Power Supply Thermaltake Toughpower 850W
Mouse Logitec
Keyboard Logitec
Software Win 10 1803
Benchmark Scores With or without malware infection?
Hi,

Thanks in advance for any help...

Fresh Windows 10 1803
Home build w/ASUS STRIX Z270F MB, ASUS GTX 1070 8GB, i7-7700K, Samsung 850 Pro / Crucial M4

I have been fighting an infection with an extremely persistent malware that (after 8 weeks of analysis) is not detectable in user space by any AV. It has been sending me around in frustrating circles. I originally thought the malware was hiding in filesystem slack space, but it appears to be using a combination of evasion techniques that rewrite the HDD HPA/DCO, GPU firmware (main infection source), SSD firmware (unable to BCDwipe certain sectors - multiple SSDs - unable to upgrade BIOS due to malware interference), and the motherboard BIOS (blocks rescue disks). The malware blocks rescue CDs from running and locks the drive into hibernation to prevent offline scans. Reflashing the MB BIOS stops this for 1 boot, then the problem returns.

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

I know, crazy, right? I believe the origin of the malware is Chinese/Korean for a number of reasons that I won't go into here. On trying to upgrade the GTX 1070 firmware with the ASUS GPUUpdateBios.exe, I get the response "You no need update GPU Vbios!". I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.

Long story short, I am unable to find any info on how to reset these parameters (or reset the card completely back to stock) and cannot find the relevant .IFR firmware mentioned in NVFlash to update this. On reboot, the malware takes the card back again and we're back to square one.

If there is a tool to completely reset all the card parameters to factory, or a hardware ninja method that provides similar results, I would very much appreciate some recommendations. If this malware resonates with anyone else, I would really like to know its name, as I have been unable to determine the strain.

Cheers!
 
The tool I think you're looking for is called a hammer, followed up with a can of gas and a lighter, as that's some seriously bad crap you have going on there.
 
Isn't OP just explaining the Windows 10 update process?

If not...

Destroy all the drives. That is honestly what I would do if I were experiencing this.
 
Why not just do a fresh install of the OS to the HD, or get a new HD?
 
If this is real, a hardware programmer should fix it...

But I really doubt it's real... sorry. If it is, get in touch with an AV vendor to provide samples and they'll likely buy you new hardware just to get to study / try to block this new monstrosity.
 
If this is legit, get in contact with a proper security company and get them to analyse this monster, as it sounds pretty insidious
 

the54thvoid

To be believed I think some would like to see this on a screenshot. What you have sounds too extreme for an ordinary PC, and the very odd message from your gfx firmware doesn't sound believable at all. But, a screenshot of this flash process would help.
 
Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.
 

eidairaman1

Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.

It's a liar here, trying to hide what he is doing.

He needs to secure erase or format his hdd and reinstall the os for starters.
 

FireFox

Benchmark Scores My PC runs FiFA
It's a liar here, trying to hide what he is doing.

Agree with you.

Maybe he was flashing the card, things went wrong, and now he is trying to tell us something different?
 

W1zzard

I ran NVFlash with the latest firmware rev. but when I compare the bios to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings(InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference). Unallocated space is the source of the malware, i believe.
Please post the BIOS you saved from your card and the one you are comparing to
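Since the request above is to compare the BIOS saved from the card against the vendor .rom, here is an added example of how to do that comparison by structure rather than by eye. This is not code from the thread, from NVFlash or from ASUS; it walks the PCI expansion ROM image chain that every video BIOS starts with (0x55AA header, PCIR data structure, per-image length and "last image" flag, and the byte checksum of x86 images), hashes each image, and then reports the exact byte ranges that differ in whatever follows the last image, which is where padding, OEM data and the InfoROM live. The two sample dumps are constructed inline for the demonstration (NVIDIA's vendor ID 0x10DE is real; the device ID, the filler bytes and the injected differences are placeholders), and real NVIDIA images can also carry an NVIDIA-specific NPDE block after the PCIR that this walker does not interpret.

```python
from __future__ import annotations
import hashlib
import struct
from dataclasses import dataclass

ROM_SIG = b"\x55\xAA"    # PCI expansion ROM header signature
PCIR_SIG = b"PCIR"       # PCI Data Structure signature
CODE_TYPES = {0: "x86 legacy", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


@dataclass
class RomImage:
    offset: int          # absolute offset of the image in the dump
    length: int          # image length from PCIR (512-byte units * 512)
    vendor_id: int
    device_id: int
    code_type: int
    last: bool           # PCIR indicator bit 7: no further images follow
    checksum_ok: bool    # x86 images: bytes of the init region sum to 0 mod 256
    sha256: str


def walk_images(rom: bytes) -> list[RomImage]:
    """Follow the image chain; each image's PCIR block gives its length and a 'last image' flag."""
    images, off = [], 0
    while off + 0x1A <= len(rom) and rom[off:off + 2] == ROM_SIG:
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != PCIR_SIG:
            raise ValueError(f"image at {off:#x}: PCIR pointer does not land on a PCIR block")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if length == 0 or off + length > len(rom):
            raise ValueError(f"image at {off:#x}: bad image length {length:#x}")
        if code_type == 0:   # header byte 2 of an x86 image: init size in 512-byte units
            checksum_ok = sum(rom[off:off + rom[off + 2] * 512]) % 256 == 0
        else:                # EFI images carry no byte checksum; report as not applicable
            checksum_ok = True
        images.append(RomImage(off, length, vendor, device, code_type, bool(indicator & 0x80),
                               checksum_ok, hashlib.sha256(rom[off:off + length]).hexdigest()))
        if indicator & 0x80:
            break
        off += length
    return images


def diff_ranges(x: bytes, y: bytes, base: int = 0) -> list[tuple[int, int]]:
    """Half-open [start, end) ranges where x and y differ; a length mismatch is one trailing range."""
    out, n, i = [], min(len(x), len(y)), 0
    while i < n:
        if x[i] == y[i]:
            i += 1
            continue
        j = i
        while j < n and x[j] != y[j]:
            j += 1
        out.append((base + i, base + j))
        i = j
    if len(x) != len(y):
        out.append((base + n, base + max(len(x), len(y))))
    return out


def compare_dumps(a: bytes, b: bytes) -> dict:
    """Per-image equality, plus differing byte ranges after the last PCI image (padding / InfoROM area)."""
    ia, ib = walk_images(a), walk_images(b)
    end_a = ia[-1].offset + ia[-1].length if ia else 0
    end_b = ib[-1].offset + ib[-1].length if ib else 0
    if end_a == end_b:
        tail = diff_ranges(a[end_a:], b[end_b:], end_a)
    else:   # image chains are not even the same size: everything past the shorter one differs
        tail = [(min(end_a, end_b), max(len(a), len(b)))]
    return {"images_a": ia, "images_b": ib, "sizes": (len(a), len(b)),
            "image_matches": [x.sha256 == y.sha256 for x, y in zip(ia, ib)], "tail_diffs": tail}


def _pcir(vendor: int, device: int, blocks: int, code_type: int, last: bool) -> bytes:
    p = bytearray(0x18)
    p[0:4] = PCIR_SIG
    struct.pack_into("<HH", p, 4, vendor, device)
    struct.pack_into("<H", p, 0x0A, 0x18)        # PCIR block length
    p[0x0D:0x10] = b"\x00\x00\x03"               # class code: VGA-compatible controller
    struct.pack_into("<H", p, 0x10, blocks)      # image length, 512-byte units
    p[0x14], p[0x15] = code_type, (0x80 if last else 0x00)
    return bytes(p)


def build_sample_dumps() -> tuple[bytes, bytes]:
    """Constructed stand-ins for a saved VBIOS and a vendor .rom: x86 image, EFI image, 0xFF padding."""
    x86 = bytearray(4 * 512)
    x86[0:2], x86[2], x86[3:6] = ROM_SIG, 4, b"\xEB\xFE\x90"      # signature, init size, jmp-$ stub
    struct.pack_into("<H", x86, 0x18, 0x40)
    x86[0x40:0x58] = _pcir(0x10DE, 0x1B81, 4, 0, False)            # NVIDIA vendor ID; placeholder device ID
    for i in range(0x60, len(x86) - 1):
        x86[i] = (i * 7) & 0xFF                                     # filler standing in for code
    x86[-1] = (-sum(x86[:-1])) % 256                                # checksum byte closes the sum to 0
    efi = bytearray(2 * 512)
    efi[0:2] = ROM_SIG
    struct.pack_into("<HHHH", efi, 2, 2, 0x0EF1, 0x000B, 0x8664)   # init size, EFI signature, subsystem, x64
    struct.pack_into("<H", efi, 0x18, 0x40)
    efi[0x40:0x58] = _pcir(0x10DE, 0x1B81, 2, 3, True)
    for i in range(0x60, len(efi)):
        efi[i] = (i * 13) & 0xFF
    saved = bytes(x86) + bytes(efi) + b"\xFF" * 1024
    vendor_rom = bytearray(saved)
    vendor_rom[3072 + 100] = 0x00       # one byte differs inside the padding
    vendor_rom += b"\x00" * 512         # and the .rom is 512 bytes longer ("size difference")
    return saved, bytes(vendor_rom)


if __name__ == "__main__":
    import sys
    a, b = [open(p, "rb").read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else build_sample_dumps()
    rep = compare_dumps(a, b)
    for n, (img, same) in enumerate(zip(rep["images_a"], rep["image_matches"])):
        print(f"image {n}: {CODE_TYPES.get(img.code_type, img.code_type)} {img.vendor_id:04x}:{img.device_id:04x} "
              f"len={img.length:#x} checksum_ok={img.checksum_ok} identical={same}")
    print("sizes:", rep["sizes"], "tail differences:", [f"{s:#x}-{e:#x}" for s, e in rep["tail_diffs"]])
```

Run it as `python vbiosdiff.py saved.rom vendor.rom`. The point of splitting the report this way: if the x86 and EFI images hash identically and their checksums hold, the executable part of the VBIOS is exactly the vendor's, and whatever NVFlash lists under InfoROM, OEM data or unallocated space is per-card data (serial, timestamps, OEM strings, padding) that is expected to differ between a dump and a generic .rom; a checksum failure or a hash mismatch inside an image is the only finding that would actually support "the firmware was rewritten".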
 
you caught an STD from the dark web?

Wireshark it and look for anything mucky.
 

dorsetknob

Subbed for the Streisand troll lookalike
this sounds totally like smelling the female troll knickers (fishy as hell, do I smell rock cod)
Please provide screenshots and
Please post the BIOS you saved from your card and the one you are comparing to
If you have what you say you have, contact your AV vendor and Microsoft
:) they might even send a specialist for a site visit, as what you describe is ...........................................unbelievable
 
Somebody set us up the bomb.
 

qubit

This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
 
Joined
Jun 15, 2016
Messages
1,042 (0.37/day)
Location
Pristina
System Name My PC
Processor 4670K@4.4GHz
Motherboard Gryphon Z87
Cooling CM 212
Memory 2x8GB+2x4GB @2400GHz
Video Card(s) XFX Radeon RX 580 GTS Black Edition 1425MHz OC+, 8GB
Storage Intel 530 SSD 480GB + Intel 510 SSD 120GB + 2x500GB hdd raid 1
Display(s) HP envy 32 1440p
Case CM Mastercase 5
Audio Device(s) Sbz ZXR
Power Supply Antec 620W
Mouse G502
Keyboard G910
Software Win 10 pro
One troll or deluded fuck making fun of all the people here :)
 
Deleted member 163934
In theory such a thing is not impossible. In practice there is an army of problems for someone who wants to write such a type of malware/virus, like how on earth it can target each possible MB BIOS, GPU BIOS, HDD/SSD firmware, because I doubt all of them share a similar structure; then you have the limitations from the size of the MB BIOS, GPU BIOS, HDD/SSD firmware, because you still need to have that PC working (it's just easier to write garbage on the MB BIOS, GPU BIOS, HDD/SSD firmware because you just don't care about having that PC still running), and then after you somehow managed to use the little free space you also need to actually have running code there. A random hacker won't have the resources to actually code something like this; you need proper funding for such a thing, and even with the money I doubt it can be done. Now if this was targeting only a particular platform, yes, that has happened in the past.
It will sound rude what I will write in the following line, but it's a fact: if you are so important that someone will actually spend the money to make a malware/virus targeting you, then you won't be asking for help here, because due to the nature of your job you would be informing someone else about the situation.
Don't get me wrong, but you kind of need access to the source code for an army of BIOSes/firmwares to have a chance to even write something like this, otherwise it is just impossible, and there are very few agencies that can actually have such a chance (even they will need to steal some source code in some cases, or reverse engineer it, but this last case is not that easy, to the point it might not even be viable).

If you assume your SSD/HDD is infected with something that no antivirus is capable of dealing with, just use another PC, download a Linux distro that allows you to run a live session (Ubuntu and derivatives, for example), write it to a CD/DVD/USB stick on the other PC (NOT on the infected one), boot from that USB stick (you put the USB stick in the infected PC with the PC powered off, and the first time you start the PC you boot from the USB stick, otherwise you can compromise the USB stick (like the malware/virus writing crap on the USB stick and making it not boot, or running crap from the bootloader)) and write zeros/random stuff on the HDD using dd:

if you have only one HDD/SSD
    sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
if you have 2 HDDs/SSDs
    sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
and then after it's done
    sudo dd if=/dev/zero of=/dev/sdb bs=4096 status=progress
if you have multiple HDDs/SSDs
    sudo dd if=/dev/zero of=/dev/sdX bs=4096 status=progress
replace X with letters a, b, c, and so on

You can read more here: https://wiki.archlinux.org/index.php/Securely_wipe_disk
Sure, after zeroing the HDD/SSD you lose all the data, but the HDD/SSD should be clean. I wouldn't fully zero an SSD; I would zero only the section where the partition table is located (that should be enough; you didn't say if it's MBR or GPT).

Regarding the differences between the GPU BIOS (the one in the file and the dump after you flash it): how did you flash the GPU BIOS? Did you do it in Windows (doing it in the infected Windows is asking for trouble because that Windows can happily freeze in the middle of the flashing process... and this can happen in a clean Windows also, I know some AMD drivers that will just mess up the GPU flashing process)? If yes, then it is no surprise to me that the one in the file and the dump after you flash it are not identical; I've done it several times in Windows and I didn't really get a match (usually I was getting 1-5 differences, but I saw no real problem). If I do it using a DOS USB stick I always get a 100% match.

Trying to clean it by booting into the infected Windows connected to the internet can easily prove a waste of time... There are several antiviruses that will just make a bootable CD/DVD/USB stick, and you will boot directly from that and try to clean it from a clean environment:
https://www.bitdefender.com/support/how-to-set-up-a-bitdefender-rescue-cd-1249.html
https://www.avira.com/en/download/product/avira-rescue-system (I had issues with Avira when I tried to use it, it just froze at some %)
https://support.kaspersky.com/viruses/rescuedisk
just to give some examples. Again, you will need to write those things to a CD/DVD/USB stick on another PC (trying to do it on the infected PC can easily go wrong).

L.E.:

Once established, the malware silently downloads and replaces security related .EXE's (MBAM, Glasswire, Win Def, etc.) then starts on the system files. One by one, every 5-10 minutes from multiple CDN's that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / changes hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

Post the VirusTotal links to the files you think are infected and checked with VirusTotal. I'm asking for this because there are several checksums used by VirusTotal, SHA-256, MD5 and SHA-1, and I find it hard to believe that you can find a way to modify a file and fix all 3 checksums to look like the original file; you can probably fix one of them, but all 3....

Windows 10 in normal conditions will happily update when it wants. So the fact that you see some Windows file getting changed is actually the normal way of Windows 10 doing the updates... If you want to change this behaviour you can happily google for the solution.

L.E. 2:

I don't really believe you are dealing with a malware/virus that has actually replaced the MB BIOS, GPU BIOS, HDD/SSD firmware.
Make a USB stick with a Linux distro that can run a live session on another PC (if you don't have 2 PCs just ask a friend), disconnect the HDD/SSD (all of them, just unplug the power or SATA cable) and boot from the Linux USB stick. If at first boot things look OK, reboot it; if at second boot things are again OK, then you probably don't have any problems with the BIOSes (you might have messed them up when you flashed them...). If you have no problems while using the live Linux session, then reconnect the HDD/SSD cables, boot again from the Linux USB stick and write zeros on each of the HDDs/SSDs. Reboot and reinstall Windows without being connected to the internet.
If what you are describing is correct (the behaviour of the malware/virus (looks like a joke to me to be honest, I wouldn't make it do anything like that) and the fact that nothing detects it), then well, your only way is to fully wipe the SSD/HDD, because otherwise you will never know what is affected and what is not (well, you will first need something that detects it, then something that cleans it).

And sometimes a reinstall on a zeroed HDD is just faster than trying to clean an infected HDD. I wasted 18 h on the laptop of a client because the client refused to understand that he needs a new HDD/SSD: 6 bad sectors reported by SMART and growing (was 5 when the laptop got to me, increased to 6 while I tried to fix it); 90+ logical bad sectors on the OS partition, got fixed after I zeroed it; I also had to back up the data from that OS partition because of course the client wanted me to save his photos and silly cooking recipes (not to mention that the client failed to point to the directories where he had those things, I actually failed to find a single cooking recipe...), because I really had a working machine when the laptop ended up with me; it was taking 60 minutes to even finish the boot process, and of course the client didn't even want to pay how much I asked for my 18 hours of work... Next time he comes to me I will just say I want the money before I even look at his laptop, otherwise he can happily find someone else to fix his laptop.
 
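The post above asks for VirusTotal hashes of the files that are supposedly being swapped out every few minutes. The claim is testable without trusting anyone's feel for it: baseline the MD5/SHA-1/SHA-256 of the security tools' executables, re-hash later, and see which files actually changed bytes. Here is an added example of that baseline-and-check, not code from the thread or from any vendor mentioned in it. The watched suffixes, the file names and the "replacement" in the demo are constructed for the illustration, and the VirusTotal report URL layout is an assumption.

```python
from __future__ import annotations
import hashlib
import json
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")        # the three digests a VirusTotal report is keyed by
WATCHED = (".exe", ".dll", ".sys")       # what "security-related executables" means here (assumed)


def _digest(chunks) -> dict[str, str]:
    hs = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hs.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def digests_of(data: bytes) -> dict[str, str]:
    return _digest([data])


def hash_file(path: Path) -> dict:
    """All three digests plus size and mtime, streamed so large binaries are not read into memory."""
    with path.open("rb") as fh:
        rec = _digest(iter(lambda: fh.read(1 << 20), b""))
    st = path.stat()
    return {**rec, "size": st.st_size, "mtime": int(st.st_mtime)}


def snapshot(root: Path, suffixes: tuple[str, ...] = WATCHED) -> dict[str, dict]:
    """Hash every watched file under root; keys are POSIX-style paths relative to root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix.lower() in suffixes}


def compare(old: dict, new: dict) -> dict:
    """Classify files as added / removed / changed (any digest differs) / unchanged.
    Only content digests count: a new mtime over identical bytes is not a replacement."""
    both = old.keys() & new.keys()
    changed = sorted(k for k in both if any(old[k][a] != new[k][a] for a in ALGOS))
    added = sorted(new.keys() - old.keys())
    return {
        "added": added,
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
        "unchanged": sorted(both - set(changed)),
        # what to hand to whoever you ask for help: the new SHA-256 as a report URL (assumed layout)
        "lookup": {k: f"https://www.virustotal.com/gui/file/{new[k]['sha256']}" for k in changed + added},
    }


def save(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: two 'tools' are baselined, then one is swapped out and a new file appears."""
    with tempfile.TemporaryDirectory() as d:
        tools = Path(d) / "tools"
        tools.mkdir()
        (tools / "mbam.exe").write_bytes(b"MZ" + bytes(range(256)) * 4)
        (tools / "glasswire.exe").write_bytes(b"MZ" + b"\x90" * 512)
        (tools / "readme.txt").write_bytes(b"not a watched suffix")
        save(snapshot(tools), Path(d) / "baseline.json")
        (tools / "mbam.exe").write_bytes(b"MZ" + bytes(range(256)) * 4 + b"\x00")   # silently replaced
        (tools / "winpe-helper.dll").write_bytes(b"MZ" + b"\xCC" * 64)              # new arrival
        return compare(load(Path(d) / "baseline.json"), snapshot(tools))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":     # fim.py snapshot <dir> baseline.json
        save(snapshot(Path(sys.argv[2])), Path(sys.argv[3]))
    elif len(sys.argv) == 4 and sys.argv[1] == "check":      # fim.py check <dir> baseline.json
        print(json.dumps(compare(load(Path(sys.argv[3])), snapshot(Path(sys.argv[2]))), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Take the baseline and the later check from the live Linux session suggested in the post above, with the Windows volume mounted read-only, since hashes computed inside the suspect OS prove nothing. A file that lands in "changed" has different bytes, so all three digests change together, which is ordinary and exactly why the hash is the thing to post; if the new SHA-256 matches the vendor's published file, it is a vendor update and not a swap, and if it matches nothing anyone has seen, that is the sample people in this thread are asking for.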
Is this a stolen computer that is protected by passwords or/and by encryption?
Notice he mentioned take over polices and that he is looking at the mysterious unallocated space.
 
I've seen some pretty nifty viruses at my last job go through some stores. Some sophisticated ones that stole credit card data to ones that simply renamed .exe to another file extension name or just designed to eat up hard drive space by filling out a .txt file with basic information it pulled from the computer - it would just write the info over and over and over again.

One of my more favorite ones took myself and another senior tech to track down the issues. Store called in, having a slew of issues on the server computer. A quick remote into the system made it painfully clear they had somehow infected the computer with a virus. We pulled the server from the network and had the store set up one of their registers to work as a temporary server to store sales and clock in/out data. We shipped out a new server computer and it would arrive NDA. The store was working, but they called in a few hours later saying their registers were having issues now. It seems the virus went through the network and infected the registers.....now the store was pretty much SOL. They had to close down for the rest of the day. We set up new HDDs for the registers to ship out NDA as well.

Next morning the store calls in and I get them all setup and working on new hardware. They're off and running now. They call back later that day with the same issues as before. Everything was infected again. In the end, it appears that the 512MB flash card on the cook display control boxes had just enough free space to allow this virus to install and infect them - once the new devices showed up on the network the virus would move to them. What a cluster....

As for the credit card stealing virus, we got to work with the FBI to help try and clean out the system and pinpoint where the virus was hiding and how it was constantly opening new ports to allow data in/out. They needed the ins/outs of the company's software and how everything talked and what ports it made use of. Once they figured they couldn't pinpoint the issue in a timely fashion and clean out the store without a proper new set of hardware, they pretty much took everything with them when they left and we don't know what ever happened after that. The poor lady that ran the franchise had 8 different stores and 6 out of 8 had this virus. She had to order new equipment for 6 stores - that's 6 server computers, at least 18-24 registers (3-4 registers per store) and 18 cook display control boxes (3 per store). She spent almost $30k on brand new hardware because of this virus.

Some folks out there can certainly design crazy ass viruses and malware - I wouldn't be surprised if there was a hint of truth to the OP's post. Then again, it sounds rather far fetched.
 
This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
It's also possible the BIOS can be infected as well as GPU Vram or Memory Dram, but that is a bit high tech for hacking a home system.
 

Solaris17

IDK, I would need to see some samples before I believed any of this.
 

qubit

It's also possible the BIOS can be infected as well as GPU Vram or Memory Dram, but that is a bit high tech for hacking a home system.
Yeah, possible, but unlikely, hence my skepticism. You can see from the incredulous responses from some of the others in this thread that I'm not the only one.
 