Featured Post

Phishing attacks: This sophisticated new group has been operating undiscovered for at least a year - ZDNet

Posted: 07 Jul 2020 05:11 AM PDT

A newly uncovered phishing group is targeting big companies around the world. It's thought to be the first major scam gang of its type operating out of Russia, indicating a potential shift in the cyber-threat landscape.

Business email compromise (BEC) scams can be highly lucrative for cyber criminals, with organisations losing hundreds of millions of dollars a month after being tricked into sending funds to accounts owned by criminals.

Uncovered and detailed by cybersecurity researchers at Agari, who have named it Cosmic Lynx, the campaign has targeted individuals in 46 countries across six continents and combines in-depth research on target organisations and their executives with two spoof email chains sent to the…

Very concerned I have a LoJax style UEFI Boot/Rootkit Issue - Virus, Trojan, Spyware, and Malware Removal Help - BleepingComputer

Posted: 02 May 2020 02:23 AM PDT

Hi all,

I have been fighting for the last 2 weeks trying to get around a major security issue I have.

It started when my Windows 10 install seemed to become corrupted. After that things got worse and worse.

My main PC wouldn't boot, and the Windows recovery couldn't help at all (mainly because I have found out it's a fake version of the recovery environment provided by the virus / bootkit / rootkit), and it just destroyed my installation further.

My main machine no longer recognises my main boot HDD. I cannot boot into Windows 10.

It seems that the bootkit takes control even before entering the BIOS. I have flashed the Dual BIOS 3 times to no avail.

Trying to boot up rescue CDs is useless as the main HDD isn't recognised, and even if they do boot up they are in Linux mode (seems to be controlled by the bootkit). Although... I did manage to hotplug my HDD halfway through booting Bitdefender's rescue CD and it somehow recognised it. I ran a scan and it found trojans and removed them, but the virus definitions are out of date as I cannot get online to update them.

The virus seems to control every single element of the machine as soon as I press the power on switch.

I looked in the BIOS tools on Hiren's boot CD (I can only seem to get boot CDs to load when using legacy mode and not UEFI mode, probably so that I cannot see the HDD and try to clean it using these tools) and it mentioned a plug and play BIOS being in use.

Everything is locked down if I boot using the Linux tool Parted Magic (I think?) from Hiren's CD; root is controlling everything. I have tried to change permissions but no matter what I try root is king.

I've tried running virus scans in linux but most of the files are protected by root and cannot be scanned.

If I boot into Mini Windows XP the dreaded X: drive appears. It seems that rescue CDs are somewhat being controlled by this virus too. The owner of all files is LSASETUPDOMAIN ADMIN, and I noticed before my Windows 10 install died that a load of registry entries had been set up for new users {S0-xxxxxxx etc.

I have no internet - I'm using a close family member's PC to write this.

It looks like a whole set of drivers and virtualised networks have been set up: Intel bridge adapters and NICs I've never seen have been set up. MAC address 00:00:00:00:00:00 is the main culprit and the hosts file has a redirect from 127.0.0.1 to localhost as a loopback. In Linux the connected IP list shows 0.0.0.0 listening on a shed load of ports (869, 39726, 6000, 22, 23, 47064), mask 255.0.0.0 and broadcast address 0.0.0.0.

127.0.0.1 has these ports open: 7 echo, 13 daytime, 22 ssh, 23 telnet, 37 time, 111 rpcbind, 6000 x11.

The routing table in my Sky router shows:

destination     mask             gateway
0.0.0.0         0.0.0.0          46.xxxxxxx.1
10.xxxxx        255.255.255.0    0.0.0.0
10.xxxxx        255.255.255.0    0.0.0.0
46.xxxxx.0      255.255.255.0    0.0.0.0   (same IP as the gateway above but 0 on the end)
192.168.0.0     255.255.255.0    0.0.0.0
224.xxxxxxx     224.xxxxxxxxx    0.0.0.0

My router IP is 192.168.0.1

Everything is locked down and I have very little control.

It has spread to two Windows 10 laptops doing the exact same thing. And worryingly the 127.0.0.1 IP address is showing on my iPhone as a discoverable network; it's been acting very strange and I'm worried it may have a jailbroken iOS installed on it via this whole virus hell which is within our home network. My iPhone has these ports open after scanning localhost with Fing: 1080 socks, 1083 anasoft licence manager, 8021 ftp-proxy.

PLEASE PLEASE can someone help. I have no idea what to do from here. Is it time for a new motherboard? Can this virus exist in the firmware of other PCI devices too? I'm so lost I have no idea what to do.

I will provide anything you need (providing I can actually get it due to the whole system lockdown!)

Many thanks in advance for anyone who can try and help me.

J

Edited by jpmad4it, Yesterday, 04:57 AM.
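The post above asks whether a LoJax-style implant can survive reflashing and hide in firmware. The check a responder would actually run is to compare a raw SPI flash dump of the board against the vendor's BIOS image, volume by volume, rather than trusting what the machine reports about itself. The script below is an added example and not part of the original post or of any vendor tool: it walks an image for UEFI firmware volume headers (the `_FVH` signature at offset 0x28 of `EFI_FIRMWARE_VOLUME_HEADER`), validates each header checksum, hashes each volume, and reports which volumes differ between a reference image and a dump. It assumes the reader can obtain both images (for example a `flashrom -r` dump and the vendor update file); the two images built by `build_images()` are constructed synthetic stand-ins so the script runs offline.

```python
"""Locate UEFI firmware volumes in a flash image and diff them against a reference.

Added example, not from the forum post. Assumes a raw SPI dump and the vendor
image are available; build_images() fabricates both so the script runs offline.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_VOLUME_HEADER up to Revision (0x38 bytes); the block map follows it.
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS3_GUID = uuid.UUID("5473C07A-3DCB-4DCA-BD6F-1E9689E7349A")  # EFI_FIRMWARE_FILE_SYSTEM3_GUID


def header_checksum_ok(hdr: bytes) -> bool:
    """The Checksum field is chosen so the 16-bit word sum of the whole header is zero."""
    if len(hdr) % 2:
        return False
    return sum(struct.unpack("<%dH" % (len(hdr) // 2), hdr)) & 0xFFFF == 0


def find_volumes(image: bytes):
    """Scan for '_FVH', treat offset-0x28 as the header start, keep headers that validate."""
    vols = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 0x28
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            (_zero, fsguid, fv_len, _sig, _attr, hdr_len, _csum,
             _ext, _res, rev) = struct.unpack_from(FV_HEADER_FMT, image, start)
            hdr = image[start:start + hdr_len]
            if (hdr_len >= FV_HEADER_SIZE and start + fv_len <= len(image)
                    and header_checksum_ok(hdr)):
                vols.append({
                    "offset": start,
                    "length": fv_len,
                    "fs_guid": uuid.UUID(bytes_le=fsguid),
                    "revision": rev,
                    "sha256": hashlib.sha256(image[start:start + fv_len]).hexdigest(),
                })
        pos = image.find(FV_SIGNATURE, pos + 1)
    return vols


def diff_volumes(reference: bytes, dump: bytes):
    """Volume offsets whose content differs, plus volumes present on only one side."""
    ref = {v["offset"]: v for v in find_volumes(reference)}
    got = {v["offset"]: v for v in find_volumes(dump)}
    return {
        "modified": sorted(o for o in ref if o in got and ref[o]["sha256"] != got[o]["sha256"]),
        "missing": sorted(o for o in ref if o not in got),
        "added": sorted(o for o in got if o not in ref),
    }


# ---- constructed test images; these are NOT real vendor firmware ----
def build_volume(fs_guid: uuid.UUID, body: bytes, block_size: int = 0x1000) -> bytes:
    """One firmware volume: header, single block-map entry + terminator, body, 0xFF fill."""
    hdr_len = FV_HEADER_SIZE + 16
    nblocks = -(-(hdr_len + len(body)) // block_size)
    fv_len = nblocks * block_size
    hdr = struct.pack(FV_HEADER_FMT, b"\0" * 16, fs_guid.bytes_le, fv_len,
                      FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2)
    hdr += struct.pack("<IIII", nblocks, block_size, 0, 0)
    csum = (-sum(struct.unpack("<%dH" % (hdr_len // 2), hdr))) & 0xFFFF
    hdr = hdr[:0x32] + struct.pack("<H", csum) + hdr[0x34:]
    return (hdr + body).ljust(fv_len, b"\xff")


def build_images():
    """A two-volume 'vendor' image and a 'dump' in which the DXE volume was altered."""
    pei = build_volume(FFS2_GUID, b"PEI-CORE-PLACEHOLDER" * 8)
    dxe = build_volume(FFS3_GUID, b"DXE-DRIVERS-PLACEHOLDER" * 8)
    vendor = b"\xff" * 0x100 + pei + dxe + b"\xff" * 0x100
    implanted = dxe.replace(b"DXE-DRIVERS-PLACEHOLDER", b"ROGUE-DXE-DRIVER-PAYLOA", 1)
    dump = b"\xff" * 0x100 + pei + implanted + b"\xff" * 0x100
    return vendor, dump


if __name__ == "__main__":
    vendor_img, dump_img = build_images()
    for v in find_volumes(dump_img):
        print("FV @0x%06x len=0x%x rev=%d fs=%s sha256=%s..." % (
            v["offset"], v["length"], v["revision"], v["fs_guid"], v["sha256"][:16]))
    print(diff_volumes(vendor_img, dump_img))
```

Two caveats when using this on a real board. An NVRAM / variable-store volume is expected to differ between a dump and the update file, so a differing volume is a lead, not proof; what the LoJax analyses hinged on was an unexpected difference inside a DXE volume. And a clean match only covers the flash region you dumped: it says nothing about Option ROMs on other PCI devices, which is the separate question the post raises and needs a dump of that device's flash to answer.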
