Need help with bootkit deletion

Hi, I am having major problems with a very advanced virus/hack that I believe has been targeted at me specifically to steal my personal info by certain people. I know I have been hacked very badly, and what I have seen on my screen I suspect has been streamed to a server for others to view.

My computer detects no viruses or malware on any scan; however, I have noticed significant behaviour oddities over the last few weeks that have only now made me realise just how bad things were. My computer got turned into a domain on the logon screen despite never being part of a network aside from the internet. I used TCP/IP viewer and witnessed hundreds and thousands of connections made silently to websites and advertising bots. This may be relevant or simply a distraction. I have slowly begun to understand the hack and what is actually taking place. My antivirus and firewall are apparently active, but the operating system as I see it is nothing more than a virtual shell, so changes I make have no real impact.

There is a remote procedure call that controls everything and is an impossible process to shut down. In services.msc, there are many processes operating with customised parameters that I never set.

After trying lots of scans, I decided to just format/reinstall everything and hope that worked. It didn't, the TCP/IP logs still show the botnet as active, and I know there is still streaming happening to a server. After researching ways to fix this, I tried as many as I could. I flashed the bios, but that didn't work. I installed linux and that didn't work.

After paying closer attention to what was happening and researching what I saw, I discovered I had a fake Master Boot Record that is impossible to delete. In Windows repair prior to installing and having already formatted, it still exists. Nothing I do can delete or format it. The installer is operating from X:Sources and won't let me cd into C:/. Any attempt to delete the partitions doesn't work, and Windows views them as legitimate. Linux does the same and won't delete them. One is called free space and 0mb and the other I forget but is about 88mb in size. I tried to split these partitions into smaller partitions, which works, but they always remain approximately 75% full of data and stay undeletable.

The only time I have ever been able to cd into C: or X: from the command prompt in the installer is after doing a 25 hour Boot & Nuke of my hard drive. Even then I couldn't format it, it would ask me to provide the correct hard drive label and I have no idea what that is or where I would find it.

Simultaneously I have noticed that my UEFI bios is acting strangely and changes I make to it seem to not have a significant effect. It always tries to boot into UEFI and if I choose ACPI then I get a boot loader missing error. I actually went out and bought a cheap laptop just to try and do some work and naively used a flash drive that I had used with the PC. If it wasn't this then it was because I had left my smartphone on nearby. (Oh yes, I used to tether my phone for internet from my PC and have since discovered that I cannot format or reinstall that either, and everything I browse or say and contacts can be stolen.) The only time I ever noticed a virus alert was for PUP activity for known threats by Malwarebytes, when I installed an antivirus on the system. However I am sure that as I am basically operating in an already compromised VM, no action is taken, and the alerts disappear if I restart the machine and scan again. I am curious how the virus embedded itself in the .exe, but maybe it only triggers installation upon my attempts to install a program. I previously thought other programs I trusted were similarly infected, but now think it is just a smaller symptom of a much bigger problem.

After using the flash drive on my laptop I found that it too was now displaying the same problems, and had set itself a HDD password in the bios. Curiously when I loaded it up, I opened the recycle bin and was surprised to see the recycle bin from my PC had been saved and stored onto the laptop, which proved I was operating some kind of virtual machine. The rules in windows firewall all prove such a theory, with virtual machine and windows media server and others all active with high permissions.

Right now, I am completely at a loss what to do. The hack is almost definitely in the BIOS for it to survive Boot + Nuke on the HDD, or potentially in the DDR RAM, although I am not sure if there is the potential for code to be stored permanently in dynamic RAM. I removed my video card prior to nuking the HDD, so I think it is safe. When I launch TCP/IP viewer I see a local address that seemingly corresponds to a memory address [0:0:0:0:0:0:0:1], so it is a very low level hack. Currently I dug out an old mobo and chip and memory and am going to try installing an OS on the HDD after it has been nuked. Beyond that I have no idea what to do.

It is a very stressful and depressing experience to be spied on like this. The attackers have also certainly seen all my personal details and pics and all the other embarrassing things I have done on the internet lol, so I fully expect to be the victim of identity fraud in the future.

Any help or advice would be much appreciated. The only thing I can think of doing now is throwing all my hardware away and using clean machines on public wifi networks, so my IP can't be attacked again at home. (I was using a secure VPN with 128 bit encryption occasionally, but if that could have prevented this, then it makes no difference running it now, as the hack is already in my system.)

I suspect I am the target of a hacker and I'm not confident in any way that even if I clean my system it won't be targeted immediately upon connecting back to the internet.

Root Admin (1 month later):

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
