An exploit that defies detection

[Guest]

[czl]

  My computer has been infested by something that no software can detect up to now.  In spite of using all manners of protection from firewalls to malware / spyware detectors something has been loaded on my machine that I can't get rid of.  How do I know? here are the cluses.
1. When the computer boots up, it claims to be loading from CD. (Untrue, there is no media in the drive.

2. The DVD drive activity light remains constantly on.

3. Disconnecting the DVD drive leads to a failure to boot at the BIOS level.
4. Replacing the DVD drive with another unit also leads to boot failure.
5. After draining then flashing the BIOS there is a "Wide Area Protection" warning from the BIOS on the first re-boot, but the computer starts normally as long as the original hard drive, and DVD drive are installed.
A change in any of the above leads to a boot failure.
6. Low level formatting the drive does not improve the situation either.
7.  The TCP View utility from Sysinternals used to indicate both the local address and the remote address of any online communication.  It now indicates both local and remote arresses as ports on my computer, and seems unable to see beyond, seemingly as in a "man in the middle" exploit.

  To date I tried Microsoft's Malicious Software Removal Tool,  Fix-It utilities (Trend Micro)  Spyware Doctor, BOClean, various rootkit detectors,
nothing has any effect on this.  By the way I managed to transfer the problem to a second computer via a USB device I used to transfer files.

  If anyone has any ideas, I would sure like to hear from you.
 Laz

[MorphOS REBOL]

Buy a new PC, install Linux will help.

[Melih]

Another evidence of my point of the inadequacies of Detection technologies !

The best thing is to re-install OS I am afraid

Once u have re-installed, then install v3 Comodo Firewall.

thanks
Melih

[Pedro*]

Try to get professional help. I would, and probably sooner or later from the HW manufacturer.

Try a forum that analyses HijackThis logs first, one that has the best expertise of not only malware, but hardware also. I never used one, but i can try and find out some of the most reputable if you wish.

[sded]

One place to try posting would be the security forum at http://www.dslreports.com .  Lots of MVPs and such provide help there.

[gibran]

I guess  you got a series of issues or a faulty hardware.
Sometime removing a dvd dive will cause an issue if the bios drive autodetection is disabled (may not apply to every brand).
Another thing to check is your DVD cable. Change it with a new one to see if you got a bad cable.
Remove any dust you see in your case using an air compressor. Dust can cause all kinds of issues.
If your DVD behave strangely before windows boot don't bother to load your OS.
Pay attention to cable orientation if your ide connectors don't have forced insertion connectors.

Even if there is only a remote chance consider a faulty ide controller to cause this issue. I guess that damaged ata cables could make this chance a reality.

[czl]

  Thank you all for the suggestions. I'm beginning to think Ubuntu will be the solution.  The computer runs just fine, it isn't a hardware issue, although BIOS, firmware, and HD MBR's have been compromised.  I can't blame Comodo Firewall, I am using version 3, and it just updated today. This thing
must have installed itself via a script from some web page I visited, somewhere around Jan 29 this year.  I have been fighting with it ever since.

  The machine works fine for routine stuff , but I can't trust it for communications with the outside.  I'll have one more run at it with a new DVD drive, HD, and freshly flashed BIOS.  I can't think where else this thing could have set root.

[czl]

Another evidence of my point of the inadequacies of Detection technologies !

The best thing is to re-install OS I am afraid

Once u have re-installed, then install v3 Comodo Firewall.

thanks
Melih

  I would love to do that, but I'm afraid there is now a hidden partition on the HD, that I can't remove. Low level formatting doesn't touch it, so I'd end up with the same conditions after a system re-installation.  There used to be a way to do a low, low level format using DEBUG in DOS, unfortunately I don't remember it any more.

Thanks for your interest Laz

[andyman35]

Certainly a strange set of symptoms.When you say low level formatting made no difference,how exactly was this done? If you used a boot util such as DBAN then NOTHING should remain on that drive and therefore that would include any malware.Any form of 'normal' formatting might not delete malware if it made changes to the file structure of the drive.

The most perplexing thing about your issue,is the fact that it'll only boot up with the original dvd drive installed,it's a new one on me for sure.The whole idea of your system being infected by a so-called malware hypervisor is in the realms of proof of concept rather than current threats in the wild.

The best way to be certain that the hard drive hasn't been affected by malware,or hidden partitions created would be to scan it from a boot cd such as UBCD4Win and run one of the disk utils on that.If you want to be 100% certain that the drive is clean,I suggest sticking it into another system and running DBAN,nothing will survive that!!

http://dban.sourceforge.net/

[MrSurfTurf]

One place to try posting would be the security forum at http://www.dslreports.com .  Lots of MVPs and such provide help there.

Worthless search function. Can't search for anything on that site.

[3xist]

Topic Locked.

Reason: Out-Dated post.

Josh

[Tags:]