System Boot Hijacked to Workstation

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by user is me, Jul 19, 2014.

  1. user is me

    user is me Private E-2

    Hi everybody, I'm looking for some other answer to this bug before I start my chainsaw and put this laptop out of my misery!

    When I power on a program is taking control of my pc, redirecting the bios to its own and consequently has advanced administrator privileges. I say advanced because early in the battle, I could access the admin account in Win 7, but couldn't override any of the settings from this program. Now I am locked out of everything but basic user. When I try anything, a command prompt pops up from X: Administrator, and whatever I'm trying to do gets stopped or I get a permission denied window. It seems that someone else is in my pc with me.
    The program has set my pc up as a workstation and server. File sharing, search, IE, Remote access, DCOM and networks are all locked on. I cannot access UAC, Group Policy or Secpol, or anything else for that matter.

    I don't know a lot about computers, but I know enough to be dangerous, so, after trying every software I could get, GMER, Comodo, Trend, SAS, Kaspersky, etc. with no success whatsoever, the program stops them and in some cases has actually removed exe files, I decided to be dangerous and I started a search and destroy campaign with extreme prejudice.
    Since my pc was / is worthless in this state, my goal was to nuke everything.
    First I removed the Centrino WIFI adapter from the motherboard to disable any communications. That hasn't worked. It's now communicating I think through the 3G chip in the processor and I can't get to it in services to disable it.
    I put in Hiren's Boot disk and started random mass destruction of everything I could get to.
    The program removed all the 7zip exe files from the cd, even through the write protection, so the programs, of course, don't open.

    Currently, I have completely erased and overwritten the main hard drive and removed it from my pc, along with the RAM card and the wifi card. There is no OS installed. I have an 8 gig ssd on the board for the cache, and whatever other memory comes on a motherboard.???
    The program is still there of course, but now it has nowhere to jump to.
    Using Acronis, I discovered 2 hidden drives, one labeled X:Boot, and one labeled Drive 31.
    The program is operating out of X:Boot, Administrator, and has full control of system 32, as well as everything else.
    I don't have a clue what drive 31 is, I've formatted it and it shows empty but it's write protected and I cannot get rid of it. I suspect this is where the evil resides. There is only one drive in my pc, the ssd, so drive 31 I believe, is a virtual drive installed on the ssd. It lists as a fixed disk. X:Boot is also write protected.

    I can boot, but I'm always intercepted and redirected. The Windows 7 install disk repair option cannot fix it. Kon Boot cannot bypass it. The program is live, it's communicating somehow, (I think 3G), and reacting almost instantly to everything I try via the X: Command Prompt, and I don't know how to stop it.
    I can access bios at start up, but I don't know if it's my original bios or not.
    The HDD password is frozen. I can change the boot order, but both Legacy and UEFI options are disabled and locked out. I have removed the CMOS battery a couple times, resetting the bios, but it hasn't helped.
    Before I nuked the OS, I could go into safe mode but because this thing starts before windows, I'm always in X: and cannot change to any other drive like C or D, and do not have admin access. I don't know DOS commands...

    I read today in a forum somewhere, I don't know which of the dozens I've looked at, about Windows workstation being set up with PE.. I think that's what's been done to me..
    This is a personal pc, not connected to any groups or work networks or anything else at all, and never has been until this problem.

    Help would be greatly appreciated!
    I'm going now to buy gas for my chainsaw...

    Thanks for reading and hope to hear something soon...
    J.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks! :)

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide

    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. user is me

    user is me Private E-2

    Thanks for the quick response. I have to ask you to look at my post again.. I read your run me page before I contacted you, and I have tried the steps a couple times but the problem is my pc is redirected at power up, before anything loads. When the system is up and running it's completely controlled by the virus, I have no way to install or run anything. I only get access denied windows or "you don't have permission to run this program" message.
    Also, please note that I do not currently have any operating system installed, or main HDD, and the virus is still redirecting my bios. No matter what, I'm locked in X:, even in setup or safe mode. I'm working off Hiren's boot disk now, but with very limited capabilities. None of the tools you list find anything at all except GMER gave a flag that it can't check sys 32 sys config. because it's being held open by another program. Since I don't have any OS installed, there shouldn't even be any Sys 32..
    I need to get to this thing from outside somehow I think... is there any information I can get for you from the command prompt? Or from one of the programs on Hiren's that might work?
    Thanks, J
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm sorry but at no point did I see you mention running our tools specifically. You mentioned running GMER, Comodo, Trend, SAS, Kaspersky, etc... but you have not run our specific tools. You then tell me nothing will run anyway but you said you ran them, and that some even removed .exe files. So can you elaborate on what's happening and let me know if you can run any of the below:
    • RogueKiller
    • Hitman Pro
    • Malware Bytes
    • TDSSKiller
    • MGTools
     
  5. user is me

    user is me Private E-2

    Hi Kestrel 13, Thank you for your kindness, and you are correct. I wasn’t very clear, my apologies.
    I’ve been in this particular battle for a couple months now and I’ve tried so many things that it’s difficult to keep them in order.
    Initially this bug was very quiet. I discovered it because my keyboard light started coming on seemingly randomly, and I started seeing IE files being picked up by CCleaner, even though I have removed IE from the programs menu. I immediately removed all my info from my pc.
    The events I described to you before took place gradually over the next month or so. Starting with task manager and performance monitor, I started seeing things that I didn’t like, network connections that shouldn’t have been there, and that I couldn’t disable. High numbered ports that I couldn’t close, etc. Moving into services I found that The DCOM applications were on and locked, also that all the Remote services, (assistance, desktop, workstation, server, etc.) were on and locked along with indexing, search and background transfer.
    Lanman, the Wwan and Wlan autoconfig and bluetooth were / are in this condition, as is the virtual miniport adapter, and sharing. Group policy and secpol are locked out.
    My normal configuration is File sharing and homegroup disabled, all wireless connections closed and the respective adapters manually disabled, lan disconnected, and IE removed via the remove windows features tab, so I know something’s up, and the fight is on..
    My normal security load out is
    1. Trend Micro Titanium
    2. Super Anti-Spyware Pro
    3. Malware Bytes
    4. CCleaner.
    These are always running, updated, and are on a frequent scan schedule.
    I keep a pretty good selection of other software available for spot checks, but not installed, so I dug it out and started hunting. I ran Spybot, Hitman, Sophos, Norton, Panda, GMER, and a couple others I can’t remember right now. I got no hits with any of them except the one flag from GMER I mentioned before. As I was going through this, the bug became increasingly active. I would see a command prompt open for X: Administrator very briefly, and whatever I was trying to do would be blocked and undone. This quickly progressed into first being locked out of the native Windows Admin acct, then my Admin acct. By this time I had deleted windows entirely and tried to format and reload to use the repair tool. Startup repair shows a boot redirect but is unable to fix it. The Windows Disk tools don’t show anything out of the ordinary other than that my SSD, which is only for the cache, and has always been empty, now starts at sector 63. I went to the Hiren's Boot Disk and from there I found the locked virtual drive #31, and X: Boot, also write protected. I read somewhere that X:Boot is normal, but I’ve reloaded this a couple times and I’ve looked at the drives before and didn’t see it. Plus the command prompt is coming from there, so even if it is normal, it’s corrupted now.
    I’m still seeing network traffic, even without Windows installed, so I physically removed the wireless card from the motherboard. The bug reacts almost instantly to everything I do so it seems to me that someone is actively countering me through the remote access services that I cannot disable. Even without the wireless card, (Maybe I only got the BT Card, I’m not sure), the pc is still communicating. I can’t get to the 3G telephony service to disable it. Access Denied…
    At this point I’ve pretty much reached the extent of my knowledge about what I’m doing, but my pc is just an expensive paper weight now anyway, so I change tactics and approach it kind of like a blind guy with a shotgun. I reset the bios, formatted and overwrote the main HDD with random data 5 times, then removed it from the pc. I also removed the DDR3 memory, and disconnected the battery so I could have instant shutdown. I have deliberately got the command prompt to open and pulled the power plug trying to damage the file system, but it hasn’t worked.
    Now I’m left with the 8 gig on board SSD, and whatever memory is in Bios or on the board, I don’t know how that works.. (High Memory?)
    Looking at the system with Acronis, I see 3 Drives. The SSD, Something called Drive 31, which is the same size as the SSD, and X:Boot, which shows as a fixed disk, but I can’t map its location, access denied.. Drive 31 shows empty, as does the SSD, but I know that’s not true because of the sectors, I can view them, but can’t change them. The SSD has also been configured with an MBR. X: has windows components. Drive 31 and X:Boot are both write protected. The MBR and sectors on the SSD are access denied.
    I go into the windows folder, and I find the services that were locked out in windows. Sharing, Group Policy, UAC etc. I can view the files but can’t edit or delete, so I get out a file splitter and go to town.. I can delete the splits, but I don’t know if that will hold. I know this won’t kill the bug, I’m just trying to cripple it enough that it can’t counter my attacks. I have gotten a couple security windows that say I need permission from NT Authority to do whatever it was I was trying to do at the time…
    Oh and before I wiped windows, I found 8 unknown accounts, all using the S-1-5xxxx designation…
    I will go and download Rogue and MG if you think it’s absolutely necessary, and try to run them from the mini windows 7 on Hiren's, or from a live disk if that’s an option.. I’m just concerned that with this thing still communicating, whoever is doing this is just going to lock the pc entirely…
    I read an article about creating or taking ownership of an NT Auth account but you have to have Admin to do it.. If I could force flash the SSD and Bios, I would just do that and start over...
    Thanks for your time and effort Kestrel, I do appreciate it.
    J.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I will contact Chaslang and get him to take a look at this. ;)
     
  7. user is me

    user is me Private E-2

    Thanks Kestrel, this has become a better "Boss Fight" than even Metroid Prime.. :guns. :-D
    J.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just attach the logs from them then please. I am trained to analyse logs.
     
  9. user is me

    user is me Private E-2

    Hi Kestrel, how are you today?

    I go now to the part right before I contacted you..
    I've reloaded Windows several times. I can get only a user account.
    I can't load programs in windows, I can't even change the screen brightness. The bug uses windows against me so I took it out. It uses the space on my HDD against me, so I took it out. It uses my 8 gigs of ram against me so I took it out. Same with the wifi card.
    Right now, the bug has nowhere to go, and it doesn't have windows to copy new files from to repair itself. Nor does it have a bunch of memory to work with.

    However, it most likely still has control of the startup and boot processes, so, even when I boot from a cd, I'm in X: and it has complete control over what gets loaded and run. I have to fight with it to get the Hiren's disk to load because it just stops the boot process completely. It will let me load windows just fine but anything else gets shut down. The bug is reading the cd drive. The things I've been able to do so far are only because the bug wasn't ready. But it learns and counters fast with "Super User" access.
    So, any of the programs that need windows are not going to work now.
    Again, this thing has control as soon as the pc gets power. It's intercepting the boot. I don't even think I can get to the real bios in setup.
    I need the command-lines to kill this thing in C Language or I need a destructive program that will run from a cd and cannot be stopped by anything... not accounts, not passwords, and not write protection.. I want Total Annihilation!
    If these things aren't possible, I'm going to have to replace the board,
    and then I'm going to sell this p.o.s. because the factory locks the bios and it defaults to booting with wifi and BT on, which is how I got this problem to begin with.

    Ok, having said all that, if any of the logs you need can be acquired with a cd drive and no operating system, let me know which ones and I'll try to get you something to work with....
    I do have a picture of the boot redirect something.. I don't know if it's the file name or a command line, but it's too big to send, I tried.. if you think it might help, I'll go to find another pc and make it small enough to send to you...

    Thanks Kestrel! J.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. We very much doubt you have a BIOS infection.

    You may want to try the hard disk in a physically different PC just to ensure that the hard disk and OS install are okay. Or you may want to see if you can reflash the BIOS. Could just be the motherboard is bad. Either way, not topics for the Malware Forum. :)
     
  11. user is me

    user is me Private E-2

    Hi Kestrel, How are you today?
    I think you're right, it's not a bios infection. But it's not a drive or install issue because if you remember, I have removed the OS and HDD.
    See my attachment, maybe that will help...
    Thanks again and always! :) J.
     

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Chaslang has already stated this is not a malware issue, therefore not a topic for the malware forum. Sorry.
     
