Question: Ransomware on my mobo.

Jul 27, 2022
Hi, I have an ASUS Sabertooth Z77 and ran into some malware/ransomware. It has been particularly difficult to remove and has completely invaded all parts of my system. It works by secretly infecting from somewhere I am unable to identify, and I can't use the Farbar tool as it's locked me out of recovery by changing passwords. It has re-written all Win 10 programs with malicious code, shut off and impersonated all antiviruses, and changed all software drivers to some form of hacked root versions. It uses the exploit in Win 10 to elevate permissions and take over the host, and loads information from a server somewhere after infiltrating. When I try to flash the BIOS I get a blue light after holding it for 3 seconds, indicating it failed. It locks the partition tables in my drives and renders them unusable. It takes control of my GFX card, puts me in a shell instance and works in the background.

Anyway, not really sure what to try next or how to get rid of the drivers that were installed. Is there anyone who can maybe indicate a course of action or two to take? I've had viruses and malware before but nothing like this one. Fresh flashing the OS doesn't work at all. Somehow the BIOS flash attempts temporarily keep the permission escalation at bay for a while, but even using icacls $env:windir\system32\config\*.* /inheritance:e doesn't stop it either. All the programs are registered to binary language and it appears the program uses Windows Media Player or audio to read code and execute it. It infects every device connected to it, making troubleshooting a nightmare, and it spreads via Bluetooth and the Wi-Fi network. Sounds crazy, I know, but it's true... Help please lol :( It's been a week already trying different methods, options and workarounds.
Thanks
 
Jul 27, 2022
This is when you go full nuclear.
Wipe the drive completely, recover your data from the full drive backup you made before this happened.
I tried that, it doesn't work. Even after formatting the drive and rewriting the data, it still infects and persists. I've completely wiped these drives 20 times or more and it doesn't go away. Tried BIOS flashing and then flashing the OS onto a brand new hard drive, and it ate that too. Also ate my laptop.
 
Trash the motherboard and the drives.
Start over.

If you are really having this hard of a time, including brand new drives and flashing the BIOS/reinstalling the OS, then it's not worth your time.
Unless you aren't properly disconnecting it from your network or other drives, running a single drive at a time, etc.
Also, you mention flashing the OS onto the drive. I would take a known clean flash drive to a known clean network and download a new ISO there. Don't do anything on your network or existing hardware.
 

USAFRet (Titan, Moderator)
I tried that, it doesn't work. Even after formatting the drive and rewriting the data, it still infects and persists. I've completely wiped these drives 20 times or more and it doesn't go away. Tried BIOS flashing and then flashing the OS onto a brand new hard drive, and it ate that too. Also ate my laptop.
I can't help but think you're continuing on with some infected device.
 
Jul 27, 2022
Trash the motherboard and the drives.
Start over.

If you are really having this hard of a time, including brand new drives and flashing the BIOS/reinstalling the OS, then it's not worth your time.
Unless you aren't properly disconnecting it from your network or other drives, running a single drive at a time, etc.
I shut off the networks and did offline flashing of the BIOS, but it doesn't flash properly; it is like a half flash where the light goes solid blue. I am considering tossing everything before it infects anything else. Not sure why the mobo drivers won't reset on a BIOS/OS flash. I even used a brand new Windows 10 USB drive from Microsoft on a fresh drive too, and that was after the BIOS had been half flashed, where the settings were wiped but the drivers for all the devices were still hacked and signed with some funky root terms.
Yes, there is only one drive active at any given time.
 

USAFRet (Titan, Moderator)
I shut off the networks and did offline flashing of the BIOS, but it doesn't flash properly; it is like a half flash where the light goes solid blue. I am considering tossing everything before it infects anything else. Not sure why the mobo drivers won't reset on a BIOS/OS flash. I even used a brand new Windows 10 USB drive from Microsoft on a fresh drive too, and that was after the BIOS had been half flashed, where the settings were wiped but the drivers for all the devices were still hacked and signed with some funky root terms.
Your new OS install thing needs to be created from a known uninfected system.
 
Jul 27, 2022
Your new OS install thing needs to be created from a known uninfected system.
Yes, it was from Walmart; I bought a Win 10 Home edition USB for a bill. It still didn't work. New drive, new Win 10 USB, flashed BIOS, and still infected, same problem.

Now that the Win 10 USB was inserted into the USB drive, I take it I need a brand new USB stick for the new system lol.
 
What size drive are you using for the fresh BIOS file? Is it properly formatted as per ASUS standards? Where did you source the BIOS file?
The system shouldn't even be on when you do this process, so I doubt anything would have enough autonomy to stop the BIOS flash; more likely it's an issue with the process itself.
 
Jul 27, 2022
What size drive are you using for the fresh BIOS file? Is it properly formatted as per ASUS standards? Where did you source the BIOS file?
The system shouldn't even be on when you do this process, so I doubt anything would have enough autonomy to stop the BIOS flash; more likely it's an issue with the process itself.
Yes, formatted exactly to the ASUS standard, FAT32 single partition, and the BIOS file is the .CAP file directly from their main website. It's not a difficult process. Nothing was powered on. The only thing I am yet to try is a new USB; maybe it doesn't like the brand new one I bought specifically for this task. The only thing that's on is the PSU while flashing. I also unplugged all other devices.

The BIOS settings reset, but the drivers on the board stay infected and don't factory reset for some reason, which is probably why the fail light is indicated.
 
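The two posts above describe what a USB BIOS Flashback stick has to look like (one FAT32 partition, the .CAP image downloaded from ASUS, system off, only the PSU live). The script below is an added example, not part of the thread and not an ASUS tool: run it on a known-clean Windows machine before carrying the stick to the board, and it checks each of those conditions plus one the thread only implies, that the .CAP file on the stick is byte-for-byte the file you downloaded. The drive letter and the expected SHA-256 value are assumptions you substitute; record the hash with Get-FileHash on the clean machine right after the download.

```powershell
<#
Added example (not from the thread, not an ASUS utility).
Verifies a USB BIOS Flashback stick on a known-clean Windows machine:
  1. the volume is FAT32,
  2. the stick has exactly one partition,
  3. exactly one .CAP file sits in the root,
  4. that file's SHA-256 matches the value recorded at download time.
Assumptions: drive letter E: and the $ExpectedSha256 value are placeholders.
#>
param(
    [string]$DriveLetter    = 'E',
    [string]$ExpectedSha256 = 'PUT-THE-HASH-YOU-RECORDED-AT-DOWNLOAD-HERE'
)

$ErrorActionPreference = 'Stop'

# 1. Flashback reads FAT32 only; anything else is the first thing to rule out
#    when the LED signals a failed flash.
$vol = Get-Volume -DriveLetter $DriveLetter
if ($vol.FileSystem -ne 'FAT32') {
    throw "Volume ${DriveLetter}: is $($vol.FileSystem); reformat it as FAT32"
}

# 2. One partition on the physical disk. Flashback sticks are conventionally
#    MBR, so anything else is flagged for a second look rather than failed.
$disk       = Get-Partition -DriveLetter $DriveLetter | Get-Disk
$partitions = @(Get-Partition -DiskNumber $disk.Number)
if ($partitions.Count -ne 1) {
    throw "Disk $($disk.Number) has $($partitions.Count) partitions; the stick must have exactly one"
}
if ($disk.PartitionStyle -ne 'MBR') {
    Write-Warning "Disk $($disk.Number) is $($disk.PartitionStyle), not MBR"
}

# 3. Exactly one .CAP in the root, so the board cannot pick up a stale copy.
$caps = @(Get-ChildItem -Path "${DriveLetter}:\" -Filter '*.CAP' -File)
if ($caps.Count -ne 1) {
    throw "Expected exactly one .CAP file in ${DriveLetter}:\, found $($caps.Count)"
}
$cap = $caps[0]

# 4. The image is unchanged since download. PowerShell's -ne is
#    case-insensitive, so upper- or lower-case hex both compare correctly.
$actual = (Get-FileHash -Path $cap.FullName -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch for $($cap.Name): got $actual, expected $ExpectedSha256"
}

"OK: $($cap.Name) ($($cap.Length) bytes) on a single FAT32 partition, SHA-256 $actual"
```

Step 4 is the one that actually tests the hypothesis in this thread: if the hash on the stick still matches the hash taken on the clean machine, nothing altered the image in transit, and a solid-blue LED points at the process (filesystem, file name, button timing) rather than at tampering. The script does not check the file name; USB BIOS Flashback expects the board-specific name produced by the renamer utility ASUS ships inside the BIOS download, and the thread does not say what that name is for this board.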
Yes, formatted exactly to the ASUS standard, FAT32 single partition, and the BIOS file is the .CAP file directly from their main website. It's not a difficult process. Nothing was powered on. The only thing I am yet to try is a new USB; maybe it doesn't like the brand new one I bought specifically for this task. The only thing that's on is the PSU while flashing. I also unplugged all other devices.

The BIOS settings reset, but the drivers on the board stay infected and don't factory reset for some reason, which is probably why the fail light is indicated.
Did you physically remove all the HDDs and SSDs from the computer while doing the flash?
And disconnect Ethernet and Wi-Fi?
 
Jul 27, 2022
Did you physically remove all the HDDs and SSDs from the computer while doing the flash?
And disconnect Ethernet and Wi-Fi?
Yes, I removed the Wi-Fi adapter and unplugged Ethernet, and there were zero HDDs or SSDs attached. Only the CD-ROM drive and floppy disc/multimedia hub. I even tried removing the GFX card and sound board too. The only thing I haven't removed is the RAM.
I am going to try double flashing to see if that might do something. Maybe reset the settings long enough to flash the whole board. Not sure what's preventing the drivers from factory resetting to default.
 
Jul 27, 2022
What is a floppy disc/multimedia hub?
Are you sure you are not dealing with just a broken motherboard?
How many PCs on your network are affected?
Multimedia hub meaning floppy disc reader, SD card reader and other media drive reader all in one. My desktop PC is infected for sure; my laptop on the other end of the house was also infected, but it could have been sleeping on that machine for some time, as my wife had funky credit card statements, so that's kind of where all this came about. Mine came from downloading a file while trying to build a ccls language server for Neovim. I was trying to fix compiler errors and the info was lacking or impossible to find, so I tried a bit riskier things and yeah, it came with nasties for sure. My cellphone might also be infected, as it does not discriminate, and the code base it has is huge. I've read through a bunch when attempting to delete registry keys to stop its permissive takeover, trying to understand where it came from or how it was infecting so I could stop it at choke points to cut off the assault. A lot of it was readable but a lot of it was encrypted.
Are there any secondary ways to get access to Notepad besides the recovery-mode command line, so I could at least get the FRST tool from Farbar working? Does anyone know? I know I can access cmd from Sticky Keys, but I'm not sure if FRST will work from there, as it's post login screen. Also, trying an administrative cmd forcing password changes with net user doesn't work, because my user from the flash that it loads into is protected by a workgroup or network or some weird privilege like that. I tried changing the password manually to gain entry to the desktop.
 
Deleted member 14196 (Guest)
I bet your BIOS is infected. You're going to need a new motherboard if that's the case. You already indicated that it won't flash.