Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by pallino

  1. with attach RKreport_SCN_12132014_201829.log
  2. I ll attach all I find before the HD dies completely.....roguekiller report
  3. Hd is sudenly dead....very strange. Just managed to check hd with rescue disk. FRST.txt Addition.txt
  4. I just tried to run Emsisoft: it started and I tried to run an update (definitions 4 days old). It told me, update done, but nothing happened, no new definitions were downloaded. Then a window told me that I could get a Emsi E Kit key at 50% discount. I reinstalled the old copy. It copied the files but didn't start, I also couldn't start it. I downloaded a new version , installed it but I couldn't start it again. Fbar run, files were created but I cannot upload them. I cannot install Flash. I'll cut&paste the 2 .txt as a report generated by roguekiller after "infection"...sorry for that.
  5. Dear Emsisoft Team, some weeks ago I decided to transform an old, unused desktop in a test pc and to install windows enterprise 8.1, a AV, Virtualbox and windows enterprise 8.1 on it. I installed windows, then right after Avast IS, then after 30 days Avast free both with max/hardened protection settings,I updated Avast and then updated Windows. I then istalled Sanboxie, EMET 5.1, Emsisoft Emergency kit, Hitmanpro, Norton power eraser, Malwarebytes. Same on the VM. Some days ago I decided to download some registry/system monitor programs. I was online with Firefox under sandboxie, both updated. EMET was on with recommended settings and Avast in hardened mode. Suddenly while downloading a file, Avast alerted me a file was infected (evo-gen or generic malware); I asked to get more infos and Avast froze. Sandboxie was slow but could empty the cache and close the program. EMET 5.1 disappeared, no icon nor program in memory (checked with process hacker and task manager). Same after restart! I cannot repair it since framework 3.5 or later is missing now.... Hitmanpro didn't detect anything. Kaspersky's TDDSK after some time needed to start, nothing. Gmer froze; Emsi froze. I started NPE that restarted my desktop. No sign of Norton after restart. I restarted Norton that restarted the PC. This time Norton could update and scan and found nothing. Same for Gmer and Malwarebytes. I started the pc with rescue disks created with another PC (new one). Esets froze many times, sometimes switched to a command/text mode and showed many lines, also "kernel tried to execute NX-protected page - exploit attempt? (Uid: 0) Unable to handle kernel paging request at f3fdb628...... Sometimes pc suddenly turnes off. Bitdefender froze during scan as Kaspersky rescue 10 and Gdata (all latest available versions). Avira rescue disk managed to update and check the hd and found nothing. I thought at a hardware problem too. Memory test: passed 2.5 scans and 4.5 Hrs of time. Disk test ok. Power supply changed, same issues. I have the feeling my samsung S4 restarts too often (2-3 times in the last 10 days) and my internet connection is (very) slow sometimes (also when and after I tried to update the definition of ESET from rescue disk; download was fast the first times, then way slower the last ones). Did I get some persistent, undetected, terrible malware that hides in Bios, Firmware, Router? I hope you can help me! thank you in advance for your help!
  6. So the badusb exploitable code on https://github.com/adamcaudill/Psychson was already tested and it is sure it is detected by Emsisoft? I asked (also)about an infected usb debice that gets plugged to a pc, at what stage of the connection process does a badusb infection take place, right after a device is connected to a pc, kind of "plug-by download" or when the usb device is accessed by windows?
  7. At what stage of the connection process does a badusb infection take place, right after a device is connected, kind of "plug-by download"?
  8. What happens exactly when a usb device is connected to the pc till it is accessible? The pc checks what was connected and gets the info from the firmware of the device or the device tells the pc what it is?
  9. The only defense we users have at the end is prevention, so to avoid firmware changes and to rely on the behavioral capability of the av (and on the user that cannot allow the flash if he sees a warning) since if we get infected, it will be very difficult to detect it and even more to get rid if it...while the device will be a dangerous and fast infection vector.. thanks
  10. In my opinion the thread is Interesting and still related to bios, firmware, new and difficult to detect infections..
  11. Thank you. I understand. I know it could be caused by hw as sw..but suddenly in all 3, actually 4(a laptop that has problems to see usb devices) devices? I prefer to check the maleware possibility. On the other side I see the actual scenario, badusb, bios malware, more like the risk of getting Ebola..I prefer to know we are ready before it reaches us..
  12. I didn't know the thread is "personal"... Any chances that AV companies will get access, possibility to scan to the usb controller s firmware? The badusb code that was just posted and is avaliable to everyone is or will be detected and blocked or cause an alert by Emsisoft since this code will flash the usb firmware?
  13. I m also worried about the bios and the USB firmware infections. I know the interface to write the bios is not public but unfortunately malware writer decoded it and have now access to it. Can the AV company get help , access to firmware programming code from manufacturers? When mebroni was discovered by 360 and webroot av, did emsisoft also detect it immediately through behavior components or only after a program and or signature update? How can and will Emsi protect users from bad USB ?
  14. I know some kind of infections are rare, difficult to reach normal users or unlikely to pass the POC phase and be in the wild.....but I never liked the idea that we shouldn t worry about thinks that are unlikely to happen. This is a passive approach that might-will lead to impreparation and posible huge infections. I m a little over security oriented, I know, say in paranoid mode but imagine e.g the badusb, whose code was just uploaded and of public access, that spreads quickly before people and AV companies get ready. Many, many pcs and firmware might get infected in a very short time before anyone get even aware of it. Worst of all is that apparently as of today there is not an easy and fast solution to this problem-bug...and that for a final solution we are mostly in the hands of usb devices manufacturers ...who knows if and when they ll fix this problem.....till then the only thing we can do is avoid an infection since when infected the disinfection will be impossible or really difficult for a normal user. That s why I still believe and prefer to prevent is bette than to cure... See e.g the anser of Bobby Nikkhah in http://security.stackexchange.com/questions/7181/does-the-mebromi-bios-flashing-rootkit-mean-apts-for-personal-computers-are-here http://malwaretips.com/threads/the-unpatchable-malware-that-infects-usbs-is-now-on-the-loose.34528/ When I read about blue pill and opened 100s of pages I thing I read that someone in India created an blue pill application, so that it s not a POC anymore, do I remeber right? In my case I think I might have gotten something nasty and advanced since no AV nor detection tool (tdds, aswmbr, NPE, boot cds ..) detected anything till now and I still have a notebook, my smartphone and a desktop that act wiered, restart suddenly (S4), take forever to boot (laptop), have Blue screen (desktop). I hope AV companies will be soon be able to block usbs device s firmware updates and to scan it (with or without the help of manufacturers).
  15. Thank you! In your opinion, what's the best way to scan an infected system? To use a boot cd, to scan the hd from another pc...?
  16. With hardware dependent are meant all Award Bios versions or just some of them? Do infections of devices firmware (e.g USB, printers, cards...) already exist or are still theoretical or POC? Reflashing the router (as the Bios) firmware is not 100 % sure since there are (very very few I hope) malwares that "resist" a reflash, correct? My problem is that the firmware of my router is an adapted one from my ISP (Verizon) so not sure if there is a reflasing program and the original firmware available to users.... Al these questions because these infections (Bios and hardware firmware) are (very) difficult to be detected/removed and little is known about them as on how to avoid, detect, remove them. They are scary and not "in the wild" yet but might become it one day...and anyway I prefer to prevent than to cure.. So Thank you for all these interesting and useful informations!
  17. Thank you! I'll try the support forum for infections. I'm not sure if I got a Bios or/and a router infection....or if I' m just super paranoic.... Can newer, really advanced Bios infections or router hacks be detected with the "standard" tools/procedure used in the malware support forum for analysis (DDS, FBAR,OTS etc)? Connecting an infected drive with the cidox or the mebroni to another pc might infect it or is it safe to scan it this way? What's the best way to scan an infected system? I always thought a boot/rescue cd would be the best but now I'm doubting that since a bios malware could just delete the infection from the MBR and from windows at every shut down and reinfect at every start up so that the rescue cd cannot detect it since in the BIOS and apparently this cannot be scanned (or it could be, but since the BIOS and the malware start first they could hide themselves from a scan, correct)? Thank you!!!
  18. Since I read about Bios rootkits and Bluepill proof of concept I'm trying to find informations about these kind of infections and defence measures since I' m worried about it. A piece of malware acting as a hypervisor in the style of something like Blue Pill is still a proof of concept or already implemented in a rootkit/malware? If already seen outside laboratories, what's their name and how and by what program can these be detected? How much hardware dependent is this kind of rootkit technology as any kind of BIOS infection (only Award bios with a specific version nr, all Award Bios, all Bios by any manufacturer...)? What do you mean with "hardware dependent"? Can you pls make an example? The as of now known BIOS infections target "only" Award Bios or also AMI or Phoenix's ones? How can we protect our systems from BIOS malware? Last concern, how can we protect our routers from getting hacked (changing password, disabling remote access, updating firmware, ....) and how and what program can we use to detect if our router was hackedinfected? Thank you!
  19. I might have something similar to this and as of now no AV is detecting anything.....what scan type and settings would have detected the Cidox infection (full scan and or smart scan)? Connecting an infected drive with the cidox or the mebroni to another pc might infect it or is it safe to scan it this way? Can the Cidox and the Mebroni be detected on a boot drive? From windows or only using a boot cd? Which programs would you recommend to check for bios/mbr rootkits and what procedure would you suggest? thank you !
  • Create New...