Avira Antivirus Pro - Review 2020 - PCMag India

Posted: 11 Jun 2020 12:00 AM PDT

Every computer needs antivirus protection, and one way companies can support that aim is to provide free antivirus to the masses. But these companies can't survive unless some users shell out their hard-earned cash for paid antivirus utilities. Piling on pro-only tools and components is one way companies encourage upgrading to a paid antivirus. Avira Antivirus Pro adds several components not available to users of Avira Free Security, but they don't really add much value. The biggest reason to pay for it is if you want to use Avira in a commercial setting, which isn't allowed with the free version.

Avira's pricing is undeniably on the high side, with a list price of $59.88 per year for one license, $71.88 for three, and $95.88 for five. Admittedly, it seems to be perpetually on sale; just now, the one-license price is discounted to $44.99. That…

Very concerned I have a LoJax style UEFI Boot/Rootkit Issue - Virus, Trojan, Spyware, and Malware Removal Help - BleepingComputer

Posted: 02 May 2020 02:23 AM PDT

Hi all,

I have been fighting for the last 2 weeks trying to get around a major security issue I have.

It started when my Windows 10 install seemed to become corrupted. After that things got worse and worse.

My main PC wouldn't boot, and the Windows recovery couldn't help at all (mainly because I have found out it's a fake version of the recovery environment provided by the virus / bootkit / rootkit), and it just destroyed my installation further.

My main machine no longer recognises my main boot HDD. I cannot boot into Windows 10.

It seems that the bootkit takes control even before entering the BIOS. I have flashed the Dual BIOS 3 times to no avail.

Trying to boot up rescue CDs is useless as the main HDD isn't recognised, and even if they do boot up they are in Linux mode (seems to be controlled by the bootkit). Although... I did manage to hotplug my HDD halfway through booting Bitdefender's rescue CD and it somehow recognised it - I ran a scan and it found trojans and removed them - but the virus definitions are out of date as I cannot get online to update them.

The virus seems to control every single element of the machine as soon as I press the power on switch.

I looked in the BIOS tools on Hiren's boot CD (I can only seem to get boot CDs to load when using legacy mode and not UEFI mode - probably so that I cannot see the HDD and try to clean them using these tools) and it mentioned a plug and play BIOS being in use.

Everything is locked down if I boot using the Linux tool Parted Magic (I think?) from Hiren's CD - root is controlling everything. I have tried to change permissions but no matter what I try root is king.

I've tried running virus scans in Linux but most of the files are protected by root and cannot be scanned.

If I boot into mini Windows XP the dreaded X: drive appears. It seems that rescue CDs are somewhat being controlled by this virus too. The owner of all files is LSASETUPDOMAIN ADMIN, and I noticed before my Windows 10 install died that a load of registry entries had been set up for new users {S0-xxxxxxx etc.

I have no internet - I'm using a close family member's PC to write this.

It looks like a whole set of drivers and virtualised networks have been set up - Intel bridge adapters and NICs I've never seen have been set up. MAC address 00:00:00:00:00:00 is the main culprit and the hosts file has a redirect from 127.0.0.1 to localhost as a loopback. In Linux the connected IP list shows 0.0.0.0 listening to a shed load of ports (869, 39726, 6000, 22, 23, 47064), mask 255.0.0.0 and broadcast address 0.0.0.0.

127.0.0.1 has these ports open - 7 echo, 13 daytime, 22 ssh, 23 telnet, 37 time, 111 rpcbind, 6000 x11.

The routing table in my Sky router shows:

destination    mask             gateway
0.0.0.0        0.0.0.0          46.xxxxxxx.1
10.xxxxx       255.255.255.0    0.0.0.0
10.xxxxx       255.255.255.0    0.0.0.0
46.xxxxx.0     255.255.255.0    0.0.0.0
(same IP as the gateway above but 0 on the end)
192.168.0.0    255.255.255.0    0.0.0.0
224.xxxxxxx    224.xxxxxxxxx    0.0.0.0

My router IP is 192.168.0.1

Everything is locked down and I have very little control.

It has spread to two Windows 10 laptops doing the exact same thing. And worryingly the 127.0.0.1 IP address is showing on my iPhone as a discoverable network - it's been acting very strange and I'm worried it may have a jailbroken iOS installed on it via this whole virus hell which is within our home network. My iPhone has these ports open after scanning localhost with Fing: 1080 socks, 1083 anasoft licence manager, 8021 ftp-proxy.

PLEASE PLEASE can someone help. I have no idea what to do from here. Is it time for a new motherboard? Can this virus exist in the firmware of other PCI devices too? I'm so lost I have no idea what to do.

I will provide anything you need (providing I can actually get it due to the whole system lockdown!)

Many thanks in advance for anyone who can try and help me.

J

Edited by jpmad4it, Today, 04:57 AM.
