Laz, posted February 14, 2008

In spite of all the protection on my computer (Comodo 3, Spyware Doctor, Fix-It Utilities (Trend Micro), Spybot S&D), aside from Microsoft's array of tools, something crawled in and established a VM that can't be detected by anything, including various rootkit detection programs. I first noticed something was wrong as I watched a program installation bar proceed across the screen just after boot-up, and before Windows started. On successive restarts, new symptoms appeared. The BIOS indicated that it was starting from the DVD drive, although there was no media in the drive. (The activity LED remained on constantly.) This was followed up by an indication that the disk drive had a fault, and Windows insisted on analyzing it. From this point on Spyware Doctor was unable to get updates, producing an error code. This phase has ended now, some two weeks later, and the only indication of a problem is that an extra hop has been added between my computer and the DNS server. All external communications are filtered through 10.196.88.1. A "WhoIs" check only provides that this is called a "Black hole" for private use in the INA database. This is where my investigation has stalled; there is no further information available to me. If anyone knows what this is about, government or hacker, I'd love to find out.
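The question of what the 10.196.88.1 hop is can be answered partly from the address itself, before any WhoIs lookup: 10.0.0.0/8 is private address space under RFC 1918, so the hop is by definition inside someone's private network (the poster's own LAN or the ISP's access network), not a host on the public Internet. The script below is an added example, not code from the thread or from any of the tools it names; it parses a traceroute listing and labels each hop by the reserved range it falls in. The traceroute output is constructed for the example (only the 10.196.88.1 address comes from the post; the other hops, the hostname and the 198.51.100.0/24 documentation range are assumptions), and it also flags the genuinely odd case of a reserved address appearing after the path has already reached a globally routable hop.

```python
import ipaddress
import re

# Constructed sample in Windows tracert format; only 10.196.88.1 is taken
# from the original post, everything else is made up for the example.
SAMPLE_TRACEROUTE = """\
Tracing route to resolver1.example.net [198.51.100.53]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.196.88.1
  3    14 ms    13 ms    14 ms  100.64.12.1
  4     *        *        *     Request timed out.
  5    20 ms    19 ms    21 ms  198.51.100.53
"""

# Reserved ranges a hop may legitimately fall in, with the RFC that reserves them.
RESERVED = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("100.64.0.0/10"), "RFC 6598 shared (carrier-grade NAT)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "RFC 3927 link-local"),
]

HOP_NUMBER = re.compile(r"^\s*(\d+)\s")
DOTTED_QUAD = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(addr):
    """Label an IPv4 address by the reserved range it belongs to, if any."""
    ip = ipaddress.ip_address(addr)
    for net, label in RESERVED:
        if ip in net:
            return label
    return "globally routable"


def parse_hops(text):
    """Return (hop_number, address) pairs; hops without an address (timeouts) are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_NUMBER.match(line)
        if not m:
            continue  # header lines and blank lines
        for candidate in DOTTED_QUAD.findall(line):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 would be rejected here
            hops.append((int(m.group(1)), candidate))
            break  # first valid address on the line is the hop's address
    return hops


def classify_hops(text):
    """Annotate every parsed hop with its range label."""
    return [(n, addr, classify(addr)) for n, addr in parse_hops(text)]


def reserved_after_public(text):
    """Hops in reserved space that appear after the path already reached a public address.

    Private or CGNAT addresses at the start of a path are normal (home router, ISP
    access network). A reserved address showing up later is worth investigating.
    """
    seen_public = False
    odd = []
    for n, addr, label in classify_hops(text):
        if label == "globally routable":
            seen_public = True
        elif seen_public:
            odd.append((n, addr, label))
    return odd


if __name__ == "__main__":
    for n, addr, label in classify_hops(SAMPLE_TRACEROUTE):
        print(f"hop {n:2d}  {addr:<16} {label}")
    print("reserved after public:", reserved_after_public(SAMPLE_TRACEROUTE))
```

Run against the constructed listing, hop 2 (10.196.88.1) is labelled RFC 1918 private and nothing is flagged, because every reserved hop sits before the first public one. To use it on a real path, paste the output of tracert (Windows) or traceroute (Unix) into the string; the parser only needs the hop number at the start of the line and a dotted-quad somewhere on it.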
redmaledeer, posted February 14, 2008

I know very little about this. But I wonder if the following would be worth trying as a way of eliminating the extra hop: specifying the DNS you want to go to rather than letting the DNS be chosen for you automatically. Instructions for this are at https://www.opendns.com/start after you Choose Your Computer. You don't have to select OpenDNS as your DNS, though many people would feel that doing so would be an additional gain for you.
Cluttermagnet, posted February 16, 2008

> In spite of all the protection on my computer, (Comodo 3, Spyware Doctor, Fix-It Utilities (Trend Micro), Spybot S&D) aside from Microsoft's array of tools, something crawled in, and established a VM that can't be detected by anything, including various rootkit detection programs.

If you had kept up-to-date drive images, you could have simply restored an image over the smoking wreckage of C: and gone on as if nothing had ever happened.

> The BIOS indicated that it was starting from the DVD drive

I've never seen a BIOS do this. You got something special there? Are you on a broadband internet connection? Or just dialup? Are you running behind a router, or just directly connected to a cable modem?

> ...established a VM that can't be detected by anything...

How do you know that it did this?
goretsky, posted February 16, 2008

Hello,

Have you tried removing the hard disk drive from the computer, mounting it in an external hard disk drive case or as a secondary hard disk drive in a clean computer, and then scanning it from there? If so, what, if anything, was found?

Also, you might want to contact your security vendors' technical support departments to see what steps they recommend to troubleshoot the problem further.

Regards,

Aryeh Goretsky
Laz (author), posted March 23, 2008

> Hello,
> Have you tried removing the hard disk drive from the computer, mounting it in an external hard disk drive case or as a secondary hard disk drive in a clean computer and then scanning it from there? If so, what, if anything, was found?
> Aryeh Goretsky

I did that in the end. It took some time because of the three components involved. I bounced around until I found out that all three had to be cleaned.

1. Used MS-DOS 6.22 debug to clean the BIOS, and wipe the HD.
2. With only a floppy disk and the DVD drive attached, I overwrote the firmware.
3. Re-formatted the HD, and loaded the system.

Any one or even two of the above proved insufficient, as the third item would infect everything all over again. The 10.x.x.x hop proved to be a red herring, as it was put in place by my service provider to identify my "new network", which disappeared after I cleaned everything. I still don't have a clue as to how I caught this thing, and thus feel vulnerable as I can't prevent a recurrence. At least I can spot it and remove it though, which is a plus.