Hello Computer forum,
At present many new malicious software are active, now for two weeks ago I got
a virus which is not removal by the usually tools and procedures as mentioned. I
suspect this type of virus is one of the most dangerous I have ever had. My
computer itself is in topcondition. I also used GMER rootkit detection/removal
newest version 1.015 with no results.
Please let me explain what I have done before:
For clearing the virus can escape and executing in more identities and can not be
dectected by Anti-virus application Norton Internet Suite 2011 which is up to
date, Strongly speaking it manipulates with this program which I can not be trusted
any more. I can as usually work on my computer but with some differencies. (virus identities)
1e) manipulating with WindowXP SP3 settings such as: colors, textsize, messages like new program installed in start-menu (every time) and much more .,
2e) On internet it manipulates chosen webpages like textsize, reclames, icons, pictures. Scrollbars
3e) At turn on it can manipulate the bootprocecure.
4e) it can manipulate with download utilities to use its own settings or using slightly
different instruction the utility execute.
5e) it also manipulates with my Norton Internet Security which is running constantly
The following procedure on the highest level (extremity overkill) are described with no results: The floppys are clean and write-proctected.
1) turn-off computer (5 min.)
2) putting out the internet and powercable and remove the cmos battery.
3) disconnecting HDD from sataport
4) connect the usb-floppy with biosfile
5) turn on computer (without battery)
6) change bootsequence: 1 usb-floppy, 2 disabled 3 disabled
7) save biossettings
8) rebooting to the postscreen using F8 for the Flash utility (Gigabyte P35-dq6)
9) reading and updating the bios
10) after bioscomplete and before rebooting, turn off computer (see point 1,2 (except internetcable.))
11) turn on computer (without battery) and change again biosettings 1e usb-floppy 2 disabled 3 disabled
12) save biossettings
13) rebooting again to usb floppy with (Vendor seatools for full-zero filled)
14) after completed it takes 3 hours)
15) rebooting to change again the bootsequence: 1 usb-floppy, cdrom, 3 HDD
16) save biossettings.
17) Rebooting to the CD WindowsXP installation.
18) Installing a fresh WindowsXP (fixmbr (in case that), new partition, full format)
19) After installation was completed and I got my windows startscreen I did some tests if it is clean.
After that I also tried another procedure with NONE BIOS-DETECTING TO HDD with no results!!:
Step
01) Computer turned off
02) Internet en Powercable unplugged.
03) Satacable unplugged from SataController.
04) Turn-on computer after 5 min.
05) Biossettings: 1 USBfloppy 2 disabled 3 disabled
06 Reboot to USBfloppy (with Manufacturers Seatools)
07) After I accepted the license agreement from Seatools, I plugged-in the HDD into Sataport
08) Seatools detects the HDD and executed the full-zero filled operation.
09) After the operation I turned off the computer without Powercable for 5 min.
10) Turn-on the computer
11) bootsequence: 1) Cdrom, 2) disabled 3) disabled (note: HDD still disconnected)
12 reboot to installation-CD Winxp Pro
13) Now I let windows setup detecting my HDD
14) create new partition and full format. (FIXMBR also used)
15) During the installation, windows copies the systemfiles, suddenly the installation breakdown because
of the message said windows cannot copy the file xxxxxxx? try again, reboot or make sure that the CD
is in the cddrive. I have installed many window-installations with the same cd and no problems were appeared.
I was very shocked that above procedures help nothing to remove that nasty one
I believe it is a FlashBios rootkit and possible also a MBR rootkit.Why? I have
connected an old IDE HDD (clean) to install Windows (the same procedures as
asbove) but with no results. The most important is the startup sequence (starting
from turn-on computer until the moment the bios boot to the MBR. If in that
timeperiod no interaction (during the POST) from user is possible than the rootkit
can be transferred to memory but also biosroutine instructies are in memory.
Possible it can adhere to those biosinstructies, a way to convert the bios with its
own one. Of course memory dumps, binaries, datastructures, interupt vectors,
comparing tools are possible to discover it but its very complicated and a
lot of time consumed.Hotflash is no option for me it takes too much time to search,
adver the same/compatible chipset P35 Its als too old.The only way is forensic
analysis, that costs to much time and money for me. So if nobody can help me,
then I decide to buy a old new motherboard P45 and HDDs
Thanks in advance
At present many new malicious software are active, now for two weeks ago I got
a virus which is not removal by the usually tools and procedures as mentioned. I
suspect this type of virus is one of the most dangerous I have ever had. My
computer itself is in topcondition. I also used GMER rootkit detection/removal
newest version 1.015 with no results.
Please let me explain what I have done before:
For clearing the virus can escape and executing in more identities and can not be
dectected by Anti-virus application Norton Internet Suite 2011 which is up to
date, Strongly speaking it manipulates with this program which I can not be trusted
any more. I can as usually work on my computer but with some differencies. (virus identities)
1e) manipulating with WindowXP SP3 settings such as: colors, textsize, messages like new program installed in start-menu (every time) and much more .,
2e) On internet it manipulates chosen webpages like textsize, reclames, icons, pictures. Scrollbars
3e) At turn on it can manipulate the bootprocecure.
4e) it can manipulate with download utilities to use its own settings or using slightly
different instruction the utility execute.
5e) it also manipulates with my Norton Internet Security which is running constantly
The following procedure on the highest level (extremity overkill) are described with no results: The floppys are clean and write-proctected.
1) turn-off computer (5 min.)
2) putting out the internet and powercable and remove the cmos battery.
3) disconnecting HDD from sataport
4) connect the usb-floppy with biosfile
5) turn on computer (without battery)
6) change bootsequence: 1 usb-floppy, 2 disabled 3 disabled
7) save biossettings
8) rebooting to the postscreen using F8 for the Flash utility (Gigabyte P35-dq6)
9) reading and updating the bios
10) after bioscomplete and before rebooting, turn off computer (see point 1,2 (except internetcable.))
11) turn on computer (without battery) and change again biosettings 1e usb-floppy 2 disabled 3 disabled
12) save biossettings
13) rebooting again to usb floppy with (Vendor seatools for full-zero filled)
14) after completed it takes 3 hours)
15) rebooting to change again the bootsequence: 1 usb-floppy, cdrom, 3 HDD
16) save biossettings.
17) Rebooting to the CD WindowsXP installation.
18) Installing a fresh WindowsXP (fixmbr (in case that), new partition, full format)
19) After installation was completed and I got my windows startscreen I did some tests if it is clean.
After that I also tried another procedure with NONE BIOS-DETECTING TO HDD with no results!!:
Step
01) Computer turned off
02) Internet en Powercable unplugged.
03) Satacable unplugged from SataController.
04) Turn-on computer after 5 min.
05) Biossettings: 1 USBfloppy 2 disabled 3 disabled
06 Reboot to USBfloppy (with Manufacturers Seatools)
07) After I accepted the license agreement from Seatools, I plugged-in the HDD into Sataport
08) Seatools detects the HDD and executed the full-zero filled operation.
09) After the operation I turned off the computer without Powercable for 5 min.
10) Turn-on the computer
11) bootsequence: 1) Cdrom, 2) disabled 3) disabled (note: HDD still disconnected)
12 reboot to installation-CD Winxp Pro
13) Now I let windows setup detecting my HDD
14) create new partition and full format. (FIXMBR also used)
15) During the installation, windows copies the systemfiles, suddenly the installation breakdown because
of the message said windows cannot copy the file xxxxxxx? try again, reboot or make sure that the CD
is in the cddrive. I have installed many window-installations with the same cd and no problems were appeared.
I was very shocked that above procedures help nothing to remove that nasty one
I believe it is a FlashBios rootkit and possible also a MBR rootkit.Why? I have
connected an old IDE HDD (clean) to install Windows (the same procedures as
asbove) but with no results. The most important is the startup sequence (starting
from turn-on computer until the moment the bios boot to the MBR. If in that
timeperiod no interaction (during the POST) from user is possible than the rootkit
can be transferred to memory but also biosroutine instructies are in memory.
Possible it can adhere to those biosinstructies, a way to convert the bios with its
own one. Of course memory dumps, binaries, datastructures, interupt vectors,
comparing tools are possible to discover it but its very complicated and a
lot of time consumed.Hotflash is no option for me it takes too much time to search,
adver the same/compatible chipset P35 Its als too old.The only way is forensic
analysis, that costs to much time and money for me. So if nobody can help me,
then I decide to buy a old new motherboard P45 and HDDs
Thanks in advance
Facebook
Twitter