infections which can survive a reinstall of Windows


That's bull. The reality and practice of safe computing is the same, it does not change whether there is firmware malware or not.

Dead wrong.

You can do minimal scanning, heavy scanning, scanning for multiple types of infections (and that is where knowing how an infection works, and what the vectors for getting said infection are, comes in), and so much more.

I didn't mention the multi-tiered approach just for the hell of it - it's a very real thing. And if you're more than just lackadaisical about protecting your system(s) you need to know this and employ the appropriate measures on multiple levels if you're serious about giving yourself the best overall protection short of going off-grid and offline.

Some people scan some things and not others. Not understanding why it is important to scan everything (or take other steps to mitigate infection susceptibility) can and will get you in trouble.

And, no, it's not just "Stay away from bad sites and you'll be fine" either.

It's not

the lofty and empty hoopla

By any means.
 

My Computers

System One System Two

  • OS
    Windows 11 23H2 Current build
    Computer type
    PC/Desktop
    Manufacturer/Model
    HomeBrew
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spectrum ES07DC9 4K Gaming Monitor (Glossy)
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD (USB)
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Platinum
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    NZXT KRAKEN Z73 73.11 CFM Liquid CPU Cooler (3x 120 mm push top) + Air 3x 140mm case fans (pull front) + 1x 120 mm (push back) and 1 x 120 mm (pull bottom)
    Keyboard
    SteelSeries Apex Pro Wired Gaming Keyboard
    Mouse
    Logitech MX Master 3S | MX Master 3 for Business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Browser
    Nightly (default) + Firefox (stable), Chrome, Edge
    Antivirus
    Defender + MB 5 Beta
  • Operating System
    ChromeOS Flex Dev Channel (current)
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude E5470
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Keyboard
    Dell
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
I've been following this thread with interest. @merlin02131 I have to say, I am confused about your situation, exactly how it came to be, and what your indication was that an infection exists in all these secondary computers in the first place. My head can't wrap around all the troubleshooting you've attempted either.
If I am understanding even a little of it correctly, I would think that a hacker would need direct access to a system to wreak such havoc OR one of the downstream computers has to download an infected file.

Sorry to be obtuse, but I am a simple person who needs simple explanations. Can you lay out the chain of events of how:
1. this infection came about on the primary system (what is this club you belong to)? You say someone clicked on it and sent it over the network. How? Are you referring to file sharing here? Is it from a torrent site?
2. how it was then transmitted to others. Are you saying all one had to do to get the infection was to visit this site, or does one have to download the infected file?
3. what indications there are on these other secondary systems and what effects it has on these systems.
4. Then, are you saying once the secondary systems are infected, this malware is being transmitted to other computers on one's home network without anyone ever accessing the infected file?

I don't need all your troubleshooting steps. Just clarification.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3296
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
@johnlgalt I thought you agreed to disagree?

Anyway, you don't seem to know that firmware malware cannot be detected by any scanning tools and methods available to malware professionals in the field. You would need the tools and methods only available in special labs.

And yes, safe computing can be simple.

Well enough said.
 

My Computer

System One

  • OS
    Windows 10 Pro
@Haydon, I have my doubts about this virus existing; I have never run upon one that has the ability to hide like this one! JMO
 

My Computer

System One

  • OS
    Windows11 23H2 (OS Build 22631.2428)
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP HP ENVY TE01
    CPU
    2.90 gigahertz Intel Core i7-10700
    Motherboard
    Board: HP 8767 A (SMVB)
    Memory
    16214 Megabytes Usable Installed Memor
    Hard Drives
    1511.52 Gigabytes Usable Hard Drive Capacity
    1418.15 Gigabytes Hard Drive Free Space
    Keyboard
    Logitech wireless
    Mouse
    M 185 wireless
    Internet Speed
    12 ms Jitter 8 ms Download 10.5 Mbps Upload 1.7
    Browser
    Edge & FF
    Antivirus
    Windows Defender
@flashh4 I am pretty sure that the 'virus' tossed up is not a firmware virus, which acts in stealthy ways; it would not behave as described at all.

And I have my doubts too about the nature of the 'virus' tossed up. Well, @glasskuter asked questions, let's see if she gets a straight answer.
 

@johnlgalt I thought you agreed to disagree?

Anyway, you don't seem to know that firmware malware cannot be detected by any scanning tools and methods available to malware professionals in the field. You would need the tools and methods only available in special labs.

And yes, safe computing can be simple.

Well enough said.

I agreed to disagree. And I continue to disagree with what you're saying.

No hard feelings, man, but in this case you have your opinions and I have mine, and I'm gonna defend mine. I have nothing against you at all, just this one set of opinions you hold.

My entire post was me doing just that - disagreeing with your opinions.
 

BIOS, UEFI or firmware infections are usually highly unlikely - because the attacker needs a tool specifically designed for the targeted machine(s) - more exactly - a specific version "which has a vulnerability (if patched - it won't work - obviously)" on a specific model (for example - Dell XPS 15 9520 BIOS v1.8.1 NA revision). Furthermore - the gains of such an attack are questionable - "when it comes to a personal computer" - since they're quite limited - mostly annoying (messing with the fans or peripherals) or destructive (forcing the system into a reboot loop - whenever or as long as it's powered), since you can't access the Operating System or its data - within BIOS - only the boot info (where again - you can mess with the boot parameters). For that reason - it's more likely for attackers - to target the vulnerabilities "of so-called security apps" - like TPM or SGX (Intel's Software Guard Extensions). That being said - this is actually how a machine is secured - how most professionals deal with firmware, BIOS or UEFI security related issues. The most common scanning tool is even Free/Open Source - though not meant for an average Windows user. As in...


"CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X, and UEFI shell."

Well, for specific vulnerabilities - more exactly - tied to IME (Intel Management Engine) - there is a Windows tool for scanning the IME firmware for vulnerabilities - which even the average user can use:


I do recommend it (doing a scan) - especially if your system was not recently bought. Point being, OEM upper management is usually handled by psychopaths - who, despite running a billion-dollar company - rarely go beyond the minimum staff requirement - for handling product software updates. Thus, it's quite common for older machines (even 2 years old) - to be disregarded in terms of current/future updates - including security patches. Unless it's a major public fiasco - as was the case with the Meltdown & Spectre vulnerabilities - which compelled the OEMs to patch even older machines. So, hey - if you ran the tool and it detects your firmware as vulnerable - you could check the site for an update - but if nobody reported it - you might have to contact the OEM (Dell, HP, MSI, Acer, Lenovo, etc.) for a patch.
 

My Computer

System One

  • OS
    Windows 7 SP 16 (or Windows 11 SP 2 or Sun Valley 2)
    Computer type
    Laptop
    CPU
    Intel & AMD
    Memory
    SO-DIMM SK Hynix 15.8 GB Dual-Channel DDR4-2666 (2 x 8 GB) 1329MHz (19-19-19-43)
    Graphics Card(s)
    nVidia RTX 2060 6GB Mobile GPU (TU106M)
    Sound Card
    Onbord Realtek ALC1220
    Screen Resolution
    1920 x 1080
    Hard Drives
    1x Samsung PM981 NVMe PCIe M.2 512GB / 1x Seagate Expansion ST1000LM035 1TB
I've been following this thread with interest. @merlin02131 I have to say, I am confused about your situation, exactly how it came to be, and what your indication was that an infection exists in all these secondary computers in the first place. My head can't wrap around all the troubleshooting you've attempted either.
If I am understanding even a little of it correctly, I would think that a hacker would need direct access to a system to wreak such havoc OR one of the downstream computers has to download an infected file.

Sorry to be obtuse, but I am a simple person who needs simple explanations. Can you lay out the chain of events of how:
1. this infection came about on the primary system (what is this club you belong to)? You say someone clicked on it and sent it over the network. How? Are you referring to file sharing here? Is it from a torrent site?
2. how it was then transmitted to others. Are you saying all one had to do to get the infection was to visit this site, or does one have to download the infected file?
3. what indications there are on these other secondary systems and what effects it has on these systems.
4. Then, are you saying once the secondary systems are infected, this malware is being transmitted to other computers on one's home network without anyone ever accessing the infected file?

I don't need all your troubleshooting steps. Just clarification.

Hi Glasskuter
Apologies as I missed this and have been very busy!
Brief and as detailed as possible:

1. this infection came about on the primary system (what is this club you belong to)? You say someone clicked on it and sent it over the network. How? Are you referring to file sharing here? Is it from a torrent site?

A local sportsman's club

Our network has ethernet and wireless connections and some members/officers had access to the admin VLAN.
They use their cell phones, iPads and laptops.

We suspect a phishing episode but will truly never know.
Yes, file sharing is part of this as we found remnants of files from other PCs on the infected PC.
Credential stealing is also prevalent as the Credential Manager had been read and compromised.
I am going back this Saturday to do some work for clean-up review and check the rest of the PCs more thoroughly from what I have identified at my home.
One strange thing I first saw was the PC had a ton of black and white boxes all over the monitor when I first noticed the infection on the Club PC, as I have never seen anything like that!

2. how it was then transmitted to others. Are you saying all one had to do to get the infection was to visit this site, or does one have to download the infected file?

We did not visit any sites so again not sure how it got in and not exactly sure how the download(s) happened, but it looks like only Windows PCs are infected.
It definitely loaded itself as no doubt it came from the Security PC at the club.
I had established a VPN to 2 sites - my club and my church on a Sunday morning, as all 3 sites showed the same symptoms later of access and file sharing. Note 5 PCs in my house have shown signs of infections.
It IS def a command and control type of infection as it calls out versus calling in and is VERY hard to track! I pulled the ethernet cable on my PC a few Saturdays ago testing and it used my wifi connection to call home, as we saw it in the trace.
We firewalled the IP address but it changed IP addresses after this.

3. what indications there are on these other secondary systems and what effects it has on these systems.

At least 8 PCs in all 3 locations have possibly been proven to be infected. More work to do here.
A clear giveaway is the SAM key in the registry has been compromised, as access has been removed for the PC admin user.
Next, on Saturdays you can use TCPView and Procmon and see PowerShell being used, but I'm unable to track the IP associated due to the mix of IPv6, which I am trying to filter out.
Credential Manager shows being read and used - no PC has any info as we stripped it all out.
Azure and OneDrive seem to have had something to do with this as there is evidence of uploading to OneDrive - shut access down.
I am tracking this: Wireshark showed Azure packets and an Azure phone conversation states they WERE hacked, as we have an Azure account / GoDaddy but only a Microsoft account at the PC at the club.
Been working only on my home PC and 3 laptops testing and troubleshooting and was able to build a hardening scheme to block PowerShell / terminal server / remote everything / Windows Defender blocking ports etc. Seems to be effective.
LOTS of false positives as I have chased so many ghosts also.
I am heading to my club this weekend to work on restoring the Security PC as I now know more about this and hardening principles and what to look for.

4. Then, are you saying once the secondary systems are infected, this malware is being transmitted to other computers on one's home network without anyone ever accessing the infected file?

Yes

After the VPN infection I shut down all VPN access in and out to other sites. Not sure what it is as I suspect fileless malware.
My last test today I rebuilt my laptop with a Windows 11 Pro laptop with a disk and will use this to see if the rebuild cleans out the partitions.

Note: Network traces show traffic to bad-guy IP addresses emanates from the infected host PC outbound to rogue known IP addresses.
(Source of bad IP addresses: AbuseIPDB - IP address abuse reports - and watching Wireshark traffic patterns.)
 

My Computer

System One

  • OS
    windows 11 pro
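A triage script for the pattern the post above describes (PowerShell holding outbound connections, IPv6 noise that needs filtering, remote addresses cross-checked against AbuseIPDB reports). This is an added example, not code from the thread: the snapshot, its TCPView-like column layout, the process list and the abuse list are all constructed, and RFC 5737/3849 documentation addresses stand in for real public ones.

```python
"""Flag outbound connections from scripting hosts to non-LAN addresses and
cross-check remote addresses against an abuse-report list (constructed example)."""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Constructed snapshot in a TCPView-style CSV layout (assumed, not an exact export).
# 198.51.100.x / 203.0.113.x / 2001:db8:: are documentation ranges used as
# stand-ins for public addresses.
SAMPLE_SNAPSHOT = """\
Process,PID,Protocol,Local Address,Local Port,Remote Address,Remote Port,State
svchost.exe,1204,TCP,192.168.1.20,49702,203.0.113.10,443,ESTABLISHED
powershell.exe,5132,TCP,192.168.1.20,49811,198.51.100.23,8443,ESTABLISHED
powershell.exe,5132,TCPV6,fe80::1c2a:3b4c:5d6e:7f80,49812,fe80::a1b2:c3d4:e5f6:718,445,ESTABLISHED
powershell.exe,5132,TCPV6,2001:db8:1::20,49813,2001:db8:ffff::9,8443,SYN_SENT
firefox.exe,3320,TCP,192.168.1.20,49820,203.0.113.77,443,ESTABLISHED
chrome.exe,2210,TCP,192.168.1.20,49830,192.168.1.5,445,ESTABLISHED
System,4,TCP,0.0.0.0,445,*,*,LISTENING
"""

# Constructed stand-in for an AbuseIPDB-style list of reported addresses.
ABUSE_LIST = {"198.51.100.23", "2001:db8:ffff::9"}

# Processes that rarely have a legitimate reason to hold their own internet
# connections on a club or home PC (assumed watch list).
SCRIPTING_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

# Address space that is "inside": RFC 1918, loopback, link-local, CGNAT,
# IPv6 loopback, link-local and ULA. Listed explicitly instead of using
# ipaddress.is_global so the result does not depend on how a given Python
# version classifies the documentation ranges used in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class Finding:
    process: str
    pid: int
    remote: str
    port: int
    reasons: list = field(default_factory=list)


def is_internal(addr: str) -> bool:
    """True for LAN/loopback/link-local addresses. IPv6 is classified, not
    dropped wholesale: link-local SMB chatter is filtered, a global IPv6
    peer is still hunted."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # strip zone id such as %12
    except ValueError:
        return True  # "*" or an unparsable field: nothing to hunt
    if ip.is_unspecified:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def triage(snapshot_csv: str, abuse_list=ABUSE_LIST, hosts=SCRIPTING_HOSTS):
    """Return one Finding per suspicious outbound connection in the snapshot."""
    findings = []
    for row in csv.DictReader(io.StringIO(snapshot_csv)):
        if row["State"] not in OUTBOUND_STATES:
            continue  # listeners and half-closed sockets are not "calling out"
        remote = row["Remote Address"]
        if is_internal(remote):
            continue  # SMB to a LAN host, link-local traffic, etc.
        reasons = []
        if row["Process"].lower() in hosts:
            reasons.append("scripting host holds an outbound internet connection")
        if remote.split("%")[0] in abuse_list:
            reasons.append("remote address is on the abuse-report list")
        if reasons:
            findings.append(Finding(row["Process"], int(row["PID"]), remote,
                                    int(row["Remote Port"]), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOT):
        print(f"{f.process}[{f.pid}] -> {f.remote}:{f.port}: " + "; ".join(f.reasons))
```

Matching on the IP alone is brittle, as the post notes the address changed once it was firewalled; the process-based reason still fires regardless of which address the beacon uses.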
Thank you @merlin02131. Well, that is one bad boy for sure. I'm no specialist but have dealt with a few infections, though nothing of this magnitude. As I said earlier, I am a simple person and my approach to dealing with NORMAL infections is no different. Due to the rarity of firmware infections one has to go in presuming it is confined to the hard drive. I have 8 or so offline tools on a USB stick. If none of them clean the machine, I go right into low level formatting of the hard drive followed by a clean install of Windows. (My preference is to beat the drive with a sledge hammer and start with a new drive but folks are not always agreeable to that. If the owner demands that their files be recovered after I advise against it since any file could start the infection all over again, I'll boot the machine to one of the live Linux distros and copy their files to a USB stick, but I will not put the files back on their hard drive. If they choose to do so it is at their own risk.)

Question for all you hardware guys... I'm wondering something. (Again, remember these are simple thoughts from a simple person here.) If you were to boot from a live Linux distro and everything was normal, would this not be proof that all firmware chips (except for the hard drive) were clean? Seems to me this would be a quick test.
 

(My preference is to beat the drive with a sledge hammer and start with a new drive but folks are not always agreeable to that. If the owner demands that their files be recovered after I advise against it since any file could start the infection all over again, I'll boot the machine to one of the live Linux distros and copy their files to a USB stick, but I will not put the files back on their hard drive. If they choose to do so it is at their own risk.)

Good ideas.

At a university whose IT dept I used to work in, we used a drill press to drill straight through mechanical HDDs in 3 points, too.

I've actually taken many of the ones I've worked on that were no longer salvageable and removed the platters from, and kept them around to demonstrate in certification classes what the platters actually look and feel like - and kept one drive intact, except for the cover, to show the mechanisms inside, as well as just how really, really close the drive heads are in relation to the platters.

And that USB full of off-line scanning tools (bootable I assume) is also a good idea.

Wish more people were this diligent about it....
 

I am not a hardware guy but I can tell you that when it comes to malware or viruses nothing is ever normal with them. What works cleaning one infection may not work on another! It's a wacky world, but since Windows 10 came out there are not as many infections going around!
 

What works cleaning one infection may not work on another!
Exactly why I don't waste hours and hours trying to clean one.
 

Thank you @merlin02131. Well, that is one bad boy for sure. I'm no specialist but have dealt with a few infections, though nothing of this magnitude. As I said earlier, I am a simple person and my approach to dealing with NORMAL infections is no different. Due to the rarity of firmware infections one has to go in presuming it is confined to the hard drive. I have 8 or so offline tools on a USB stick. If none of them clean the machine, I go right into low level formatting of the hard drive followed by a clean install of Windows. (My preference is to beat the drive with a sledge hammer and start with a new drive but folks are not always agreeable to that. If the owner demands that their files be recovered after I advise against it since any file could start the infection all over again, I'll boot the machine to one of the live Linux distros and copy their files to a USB stick, but I will not put the files back on their hard drive. If they choose to do so it is at their own risk.)

Question for all you hardware guys... I'm wondering something. (Again, remember these are simple thoughts from a simple person here.) If you were to boot from a live Linux distro and everything was normal, would this not be proof that all firmware chips (except for the hard drive) were clean? Seems to me this would be a quick test.
Good Morning

Thx for the ear to listen! My task today is simple as I get an early start! Resolve my Windows licensing issues on my test rebuild (laptop first)!
Tomorrow (Saturday) I will go back to my Club and start the process over to see.
Again the false positives are killing as they make you chase ghosts!
I might add that external tracing is/was difficult as this infection.
Again false positives, as it could be something very simple, but I hope the rebuilds prove me wrong and that it's a hard drive virus.
Some facts point to human controlled after it reaches out from the infected PC, like SAM changes, share searches etc.

I will DEF post after my laptop is cleaned and tested !

Thanks Glasskutter and Everyone !
I am sure we are getting close !

Regards

Rich
 

Good luck, man, and hope you get it all cleaned up.
 



 

Question for all you hardware guys...I'm wondering something. (again, remember these are simple thoughts from a simple person here) If you were to boot from a live Linux distro and everything was normal, would this not be proof that all firmware chips (except for hard drive) were clean? Seems to me this would be a quick test.
Hello glasskuter. As a dual OS (Windows 11 / Linux Mint) user, your post reminded me of something that has always been on the back of my mind but I've never, so far anyway, had to confront. That is, if the Windows partition is severely infected, does that have an impact on the Linux partition? I have always assumed that it would not and that I can still boot up my PC to Linux Mint, as the Linux GRUB bootloader is the first software that normally runs when the computer starts and Mint comes up by default. This thread, of course, takes it beyond that basic consideration into infections more severe. For someone that does not run a dual boot system, the general consensus in the Linux community (see the link below) seems to indicate that a live Linux distro is the way to go to rule out the kind of damage discussed in this thread. I think running a dual system should also be able to test and see if it's just a partition hit or something more drastic, although I would probably run my live LM thumb drive also.

 

Hi @mackie

This depends on the binary ("executable program") used to "infect" the target system.

In general, most Windows malware is written in the Windows binary executable format (usually an .exe file), which is incompatible with the standard Linux binary/executable format. In addition, Linux has many more file system types, e.g. XFS, EXT3, EXT4, etc., so the executable would have to be able to recognize the file system. Also, the Linux kernel has a better "super user" / "standard user" separation, so unless an executable is operating in a privileged state the malware is unlikely to be able to attack GRUB.

I'm assuming the whole discussion implies that one is using GPT disks and EFI boot -- in this case the bootloader is run from an .efi file on the actual hard disk rather than from a physical MBR (sector 0).

So on an EFI computer you will see a lot more choices in the BIOS boot menu, even if they are on the same disk; if the computer is purely BIOS then you will only be able to choose which disk/device to boot from.
(You will often see in the BIOS boot menu, as well as the OS boot loaders, e.g. Windows OS boot loader, GRUB, another item -- "boot from EFI file" -- and scrolling through that gives other choices too.)

That's not to say that malware can't run on Linux systems -- but hackers usually can't be bothered wasting their time getting into Linux-based home computers, as the numbers are fairly small compared with Windows users and the effort involved is several orders of magnitude harder.

Things like rootkits, etc., or anything that can write to the initial CMOS can of course skew the whole system -- but one has to be really skilled to do that. The basic boot starts when you power on -- there's a fixed address in the computer's BIOS which has a bootstrap loader in it.

So say this is at address 2000 (hex) in the mobo's BIOS. All that has in it is a tiny, minuscule instruction in machine code: jump to another address, which is another bit of machine code that says load code at another address and start executing it. (Bootstrap process: at address 0 -- hardware --> to address 1 to load code and execute at address 2, which is the BIOS menu etc., and start executing.) In the case of EFI computers the default EFI file will be in the BIOS's CMOS (can be saved -- otherwise you'd need to use the computer's boot BIOS menu every time). If an attacker can get at that default EFI file then he/she's "in business". Not so Q.E.D.!!!!!!!

Cheers
jimbo
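The point above about Windows and Linux executables being different formats is something you can check for yourself from a live Linux boot: the loader decides from the first bytes of a file whether it is a Windows PE image or a Linux ELF image before any code runs, which is why an .exe dropped on a mounted Windows partition does nothing when you are booted into Linux. The following is an added example (not code from this thread or from any project named in it) that identifies the container format and target architecture from those header bytes; the sample headers it builds are constructed stubs, not real programs.

```python
"""Classify files by executable container: Windows PE (MZ/PE) vs Linux ELF.

Added example. Sample headers built below are constructed, not real binaries.
"""
import struct

# Machine identifiers from the PE (IMAGE_FILE_MACHINE_*) and ELF (e_machine) specs.
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0xB7: "AArch64"}


def classify(data: bytes) -> dict:
    """Return {'format': ..., 'arch': ...} for the leading bytes of a file."""
    if data[:4] == b"\x7fELF":
        if len(data) < 20:
            return {"format": "ELF", "arch": "truncated"}
        little = data[5] == 1            # EI_DATA: 1 = little-endian, 2 = big-endian
        (e_machine,) = struct.unpack("<H" if little else ">H", data[18:20])
        return {"format": "ELF", "arch": ELF_MACHINES.get(e_machine, hex(e_machine))}
    if data[:2] == b"MZ":
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        if len(data) < 0x40:
            return {"format": "MZ", "arch": "truncated"}
        (pe_off,) = struct.unpack("<I", data[0x3C:0x40])
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return {"format": "MZ (DOS only)", "arch": "x86-16"}
        (machine,) = struct.unpack("<H", data[pe_off + 4:pe_off + 6])
        return {"format": "PE", "arch": PE_MACHINES.get(machine, hex(machine))}
    return {"format": "other", "arch": "n/a"}


def build_pe_stub(machine: int) -> bytes:
    """Constructed minimal DOS header + PE signature + machine field (not runnable)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)   # e_lfanew -> PE header right after DOS header
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


def build_elf_stub(machine: int) -> bytes:
    """Constructed minimal ELF64 little-endian header prefix (not runnable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # class=64-bit, data=LE, version=1
    return ident + struct.pack("<HH", 2, machine) + b"\0" * 44  # e_type=EXEC, e_machine


def scan(samples: dict) -> dict:
    """Classify a name -> bytes mapping, e.g. files read from a mounted partition."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    samples = {                                   # constructed inputs
        "dropper.exe": build_pe_stub(0x8664),
        "old_dos_tool": b"MZ" + b"\0" * 0x3E,
        "ls": build_elf_stub(0x3E),
        "notes.txt": b"just text",
    }
    for name, info in scan(samples).items():
        print(f"{name:14} {info['format']:14} {info['arch']}")
```

The same check is what a scanner running from a live USB does before anything else; a PE image found in a Linux file system is inert there but still worth reporting, since it will run again the moment the Windows installation boots.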
 

Hello @jimbo45 All good points, thanks. In the case of what glasskuter posted about eliminating those deeper internal hardware/firmware infection possibilities, I think using a live Linux distro is the way to quickly rule those out. A USB live distro doesn't use the HDD/SSD, so it would bypass any boot sector virus or other virus that may have hammered the HDD/SSD. If you can't boot with a live distro, then I think you are in deep muck. What do you think?
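Booting from a live USB sidesteps whatever is on the internal disk, but it also gives you a clean vantage point to look at that disk: on an EFI machine the firmware loads an .efi file from the EFI system partition (ESP), and the boot entries in NVRAM say which file. The script below is an added example, not code from this thread or from any project it mentions. It parses the output format of the real `efibootmgr -v` tool (the sample text here is constructed), hashes every .efi file under a mounted ESP, and compares both against a baseline recorded while the machine was known-good, flagging modified or added loaders and boot entries that point at files the baseline never had. A clean result here covers the ESP and the boot entries only; it says nothing about the SPI flash the BIOS itself lives in, which is the gap Secure Boot and firmware-vendor verification tools are meant to close.

```python
"""Verify a mounted EFI system partition and its boot entries against a baseline.

Added example. Paths, hashes and the efibootmgr output are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Entry shape produced by `efibootmgr -v` (real tool); this sample is constructed.
SAMPLE_EFIBOOTMGR = "\n".join([
    "BootCurrent: 0001",
    "Timeout: 1 seconds",
    "BootOrder: 0002,0000,0001",
    "Boot0000* Windows Boot Manager\tHD(1,GPT,0000-constructed,0x800,0x100000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)",
    "Boot0001* ubuntu\tHD(1,GPT,0000-constructed,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)",
    "Boot0002* Recovery\tHD(1,GPT,0000-constructed,0x800,0x100000)/File(\\EFI\\Boot\\extra.efi)",
])
BOOT_ENTRY = re.compile(r"^Boot(?P<num>[0-9A-F]{4})(?P<active>\*?)\s+(?P<label>.*?)\t.*File\((?P<path>[^)]*)\)")


def parse_boot_entries(text: str) -> list:
    """Return NVRAM boot entries with the ESP-relative path each one loads."""
    entries = []
    for line in text.splitlines():
        m = BOOT_ENTRY.match(line)
        if m:
            entries.append({
                "num": m["num"],
                "active": m["active"] == "*",
                "label": m["label"].strip(),
                "path": m["path"].replace("\\", "/").lstrip("/"),
            })
    return entries


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_esp(esp_root: str) -> dict:
    """Hash every .efi file under the ESP; ESP-relative path -> sha256."""
    result = {}
    for dirpath, _, files in os.walk(esp_root):
        for name in files:
            if name.lower().endswith(".efi"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, esp_root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result


def verify_esp(esp_root: str, baseline: dict, boot_entries: list) -> dict:
    """Diff the current ESP against the baseline and check where boot entries point."""
    current = snapshot_esp(esp_root)
    findings = {
        "modified": sorted(r for r in current if r in baseline and baseline[r] != current[r]),
        "added": sorted(r for r in current if r not in baseline),
        "missing": sorted(r for r in baseline if r not in current),
        "unknown_boot_targets": sorted(
            f"Boot{e['num']} {e['label']} -> {e['path']}" for e in boot_entries if e["path"] not in baseline
        ),
    }
    findings["clean"] = not any(findings.values())
    return findings


def _write(root: str, rel: str, content: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)


def demo() -> dict:
    """Build a constructed ESP, record a baseline, then tamper with it and verify."""
    with tempfile.TemporaryDirectory() as esp:
        _write(esp, "EFI/ubuntu/shimx64.efi", b"shim-v1")
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"bootmgfw-v1")
        baseline = snapshot_esp(esp)        # recorded while the machine was known-good

        # Constructed tampering: bootmgfw.efi replaced, a stray loader dropped in,
        # and Boot0002 in the sample NVRAM output points at that stray loader.
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"bootmgfw-modified")
        _write(esp, "EFI/Boot/extra.efi", b"not-in-baseline")
        return verify_esp(esp, baseline, parse_boot_entries(SAMPLE_EFIBOOTMGR))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline is taken right after a clean install and kept off the machine (a USB stick or a printout of the hashes is enough); the live USB then mounts the ESP read-only, runs the comparison, and only the differences need a closer look. Note that a legitimate Windows or distro update also rewrites the loaders, so refresh the baseline after each one.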
 

I bet this flu I just came down with can survive a reinstall of Windows.
I feel like I got hit by a cement truck. :-)

I've got a fever, chest congestion, serious aches and pains. Can't sleep or eat.
I have three sets of clothes on and I still can't get warm... and the high today is 60F.

So what's the verdict... Theraflu or Tylenol?
Someone could knock me over with a Dandelion. :-)
 

Stay well hydrated, my friend. I've been there and a lack of hydration made things worse.
 
