Hello. I have a story for all of you! It's long so brew a pot!
I purchased a PC off of Facebook Marketplace. Intel i7-10700KF / 24GB RAM / Nvidia Geforce 3060 12GB. Cute little all-white panoramic glass case. I called to pick it up and the guy said "Just give me half an hour to reset the PC"
I'm ok with it. I'm going to put my own SSDs inside anyway, and re-install Windows 11 that's associated with my account.
I get home and begin to do just that. It's got some crappy "KINGFAST" SSD in it anyway, which is a paperweight in my opinion.
-----
There's a big white STGAUBRON logo that greets me at first.
I check the Bios. (It's the ESC key that launches the UEFI BIOS setup, I figure out after a few attempts)
It's AMI Bios, Ver 5.19, 2023-03-01.
Motherboard is STGAUBRON ZRD5104 V1.0 (NEVER heard of it, but it's also on the CPU Fan cooler so I assume it's an Amazon special LMAO)
Can't find anything about the video card, however. It's generic. CLOSEST I can figure is it's just a frankencard. There are a BUNCH of 12GB cards listed on TechPowerUp. But only 1 in the section LISTED as 12GB. So I went with that information.
I put my first 120 GB SSD in, which I intend to only put Windows and a few programs on. I plug in a flash drive I have Windows 11 on (in write-protect mode), and proceed to install.
Install completes quite fast, and I'm at my desktop. I install the Geforce Driver from Nvidia.com (565.90) along with Blizzard Launcher to rock some D2.
This is where it gets REALLY fun!
-----------------------------------------------
About 30 minutes later, the game freezes. I restart and check the error reporting service. A NEW Geforce driver was downloaded and installed while I was playing, which caused the freeze.
And a WHOLE BUNCH of other files were downloaded, and someone had taken over remote control of my PC. Interesting.
I eventually found out that I was running in a Virtualized Environment the moment I installed Windows 11. That has never happened before. I start poking and prodding and notice like 12 more user accounts than I should have with the long GUID strings. Remote connections are enabled (I'm on Win 11 HOME!) and keylogging is happening.
I go to bios again to REALLY check things out. There are irregularities in the Secure Boot setup (Some of the keys say "EXTERNAL SOURCE")
I try to go back to defaults in BIOS but nothing changes. I look at the motherboard itself for signs of tampering or flashing. I don't see any. But then I notice the green SATA ports and decide to just order an ASROCK H510M motherboard anyway, and decide to investigate as much as I can offline, in the meantime.
I unplug the ethernet cable and boot back into Windows. There are in the low 100's of registry entries that are not normal. I unlink my Microsoft account and revert to a LOCAL account. Only I can't. Something about a Group Policy preventing it.
So NOW, my Microsoft account isn't linked, but I can't go local, FORCING me to sign in. I say GOOD DAY TO YOU SIR and reboot and reinstall again.
--------------
Second install attempt, I didn't have ethernet plugged in so I bypassed the sign-in (OOBE\BYPASSNRO) and made a local account. EVEN though I had no internet connection whatsoever, I noticed a few "Windows Updates" go through quickly (A quick pop-up that flashed is what I saw). So I look, and sure enough... There are Nvidia Control Panel updates, ethernet drivers, mouse, keyboard, display drivers, virtual drivers, devices I would never use, etc. I check Error Report and see all kinds of Virtual devices being installed, security policies being set, users being added to group policies, a whole BUNCH of entries that were obfuscating and "impersonate" flags... Then I noticed RDC was on, My version of Windows wasn't matching up with what WINVER reported, root certificates and drivers were downloading (I'M OFFLINE!) from //?/root/usr/var/ (or something extremely similar). Regardless of origin, it was from a shadow volume I could NOT gain access to, and constantly overwriting other certificates! I realize it was coming from a root folder, but the error report said the cert was DOWNLOADING from crl3.verisign, which is impossible since again, to drive this home... I WAS COMPLETELY OFFLINE. Time server was changing to Thailand server, and there was a humongous mess of what looked like AI attempts at bruteforcing authtoken spoofing and login credential retrievals. They would finally get a SUCCESS value, and then it would encrypt those values to the Shadow Volume I couldn't access. I couldn't access it from diskpart either, although I could see some of them.
And that reminds me... on 1 or 2 of the multiple install/format/install/format/install late night sessions, the drive Windows wanted to install to was a remote drive that couldn't be accessed (since I was offline the entire time), but it had a drive size of like 6.42 PETAbytes or something LMAO. SnooooowwwWWWWWWDENNNNNNNN!!!!! I CURSE YOU!
I saw virtual display adapters, my mouse moved on its own a few times, my keyboard would stop responding for seconds at a time and then ksjlfdhggakls;fdjgkldasfjg at its merry leisure. And device manager showed about 30 drives attached to my PC (After I clicked on "show hidden"). I could not retrieve any information for any of the virtual hardware that was "attached" to my PC. I could not replace certain registry entries. ALWAYS after about 30 minutes of fresh install, regardless of my touching the computer or not.
I downloaded "O&O ShutItUp!" to try some things and was correct in my assumptions. I would turn off RDC, Remote Assistance, disable autocompletion and prediction of websites, disable showing history, disable synchronization of all settings, etc etc etc. And it would ALL turn back on after restarting (I actually did this right after installing F-Secure, every time after this just as a check to see if it would change. It always did)
Hyper-v was active on Win 11 Home, and I was running as a client lol. I then started to see odd Computer names as the origin of the eventlogs. Always either really long, random characters, My unique PC name or sometimes TrustedInstaller (And once I remember seeing a bunch being triggered from //?/PCI14-something-or-other) But this flew over my head at the time, as I was focused on the problem at hand.
All of a sudden, I couldn't access Windows Defender, Settings, basically ANYTHING. My computer usage was spiking like crazy, and my disk usage too.
I was able to open CMD as an Admin, with WIN+R however. I run SFC /VERIFYONLY to see if there was corruption and there was. Ran SFC /SCANNOW and it would not repair anything, based on re-verifying. I tried SFC /SCANFILE= to try and use the Windows 11 DVD media as the source to replace the files with (I figured if it's an ABSOLUTELY clean, read only source, it should work. I was wrong) It did not work either. I was getting "ACCESS DENIED" errors for almost every option. I chalk that up to being a dusty ol' DVD though, files being updated and whatnot over the years. But I digress.
I run DISM /ONLINE /RESTOREHEALTH and it doesn't fix. I run DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH and it doesn't work either
I eventually get a notification to restart, and I do because now I'm REALLY curious.
I download F-SECURE (Which I have a sub to) and generate a link to download the installer. Install it and it finds nothing. I try MalwareBytes, AVAST!, etc. And they all find NOTHING.
I rebooted again. Took my write protected Flash Drive to the laptop and downloaded the F-Secure installer, AVAST! and their Secure Browser installer, and a bunch of Rootkit detectors from BleepingComputer. Farbar as well. Took the write protection off the drive, added the installers into the [SOURCE] folder of the bootable USB, and put the write protection back on. Went back to the Trojan'd PC.
Formatted the drive again (This time through the UEFI BIOS "Secure SSD Erase" (WHICH IS A BIG NONONONONOOOOOOOOOOOOO AT THIS POINT, IN HINDSIGHT)
----------------
Third install, offline again, I install the anti-virus, AS SOON as the desktop loads. No Geforce drivers this time. And I install the A/V 1 at a time. If it scans and finds nothing, I delete it, restart, and install the next one and try again. Upon the 3rd restart, I get the NVIDIA CONTROL PANEL UPDATES AND EVERYTHING ELSE AGAIN. Ugh.
I format the drive again (THIS TIME USING HIREN'S WINPE BOOTCD, and the LOW LEVEL HDD FORMAT TOOL)
----------------
Fourth install, offline again. Antivirus just in case. Same thing happens. Except NOW, my internet is starting to stutter and my Firestick in my TV keeps buffering and eventually stops playing altogether. W.T.F.
I reboot into Hirens again, and plug my Ethernet in. I run ESET online and it just fails and fails and fails. Some websites wont load. MOSTLY the antivirus sites. I come to BleepingComputer and download a few scanners from there. Farbar wouldn't even work. I add Farbar to my write protected flash drive at this time.
I do the ol' 192.168.0.1 and lo and behold.... There are doubles of ALL of my devices now listed in the router. With different MAC addresses, and IP Addresses. My Cell Phone, wife, daughter, TV'S, Firesticks, laptop, EVERYTHING.
I call my ISP and they don't see anything. No remote access. They even tell me I'm on my own (I'M NOT KIDDING!)
----------------------
Fifth install, online now. I don't even care anymore lmao. Still a local account however. I scour for an updated AMI Bios to flash and have the hardest time ever. I find one from some company in China, Shenzhen TRXT or something of the like. I compare some strings and it looks like the right one!
I use the official AMIBIOS windows flashing tool (AFUWIN64) to flash the bios. IT SAYS SUCCESS! And restarts automatically.
And never comes back to life again, R.I.P Chinese motherboard. I pull it out and put it aside, because I'm not done with you YET, buddy!
-------------------------
Couple days go by and the New ASRock motherboard arrives. I excitedly put it all together (Using a DIFFERENT SSD I didn't attach to the other motherboard at all)
I turn the PC on and load the UEFI BIOS. FINALLY GRAPHICS! (The other MOBO had the 90's blue menus)
I check and make sure everything is good to go, and BAM! I'm installing Windows. Again. For the 6th time (at LEAST at this point, there were frustrating nights where I forget W.T.F. I did, but it wasn't revolutionary or anything. I even had a DVD drive hooked up externally at one point using a SATA-to-USB kit half-way, and Windows 11 would NOT go past 51% installation. Windows 10 was exactly the same problems, and I even had Windows 8 on at one point AND IT WORKED to an extent... but no thanks)
to get to the end of this attempt... NOTHING CHANGED. THE REMOTE ACCESS TROJAN WAS BACK.
So, I deduced it was NOT living in the motherboard anymore, but something else. I ripped apart the wireless DLINK card the guy gave me, I destroyed the Bluetooth adapter too looking for a little rom chip or something lmao. I don't even care. Took the 300 dollar keyboard and 150 mouse apart too, I WILL FIND YOU!
Into the BIOS again. NOW I notice this section about Clever Access Memory and Upper 4G. Again, my deduction takes me to "AH HA! IT'S IN THE VIDEOCARD!" I shut the PC down.
It was now like 4 AM on the 4th night of THIS motherboard being a brat. And I notice my Phone downloading apps and changing permissions. Camera is coming on, Microphone is activating as well. I start to hear the signature sound of high-frequency data-transfers (think of when you press your ear against a mechanical harddrive when it's transferring data.... THAT'S what I could hear, in the middle of the night, in my living room. And as a side-note, I have researched this EXACT same method of transmissions years prior, frequency shifting, steganography and bla bla bla so I KNOW what that sound is!)
I IMMEDIATELY shut the phone down, went to the factory reset menu, wiped cache and formatted the phone. I lost everything, and was OK with that. It was time to freshen up the phone anyway. I could still hear it. It was ACTUALLY coming from my router. AND THIS IS SCARY GUYS. When I turned my phone off, cutting off the microphone and way to upload data, without using the router to log a connection.... it stopped for about 5 seconds, then SCREECHED a nice long one, and my Firestick turned on (which turned my TV on due to CEC settings, otherwise I wouldn't have noticed!!!). I realized then, that my firestick remote ALSO has a microphone, communicates with the firestick directly, which has internet access as well. I pulled the batteries out of the remote. I put my turned off phone in the microwave (Thanks Snowden!). The high-frequency noise went away. And the whole time I worked with the FOLLOWING setup, which did NOT have the Geforce 3060 Video Card installed...... I did NOT hear the noise. But it DID come back, stay tuned...
------------------------
7th install attempt, I took an OLD Acer Aspire motherboard with an i3 something-or-other chip with INTEGRATED intel graphics. Took forever and a day, but I was able to install Windows 10 on it (OBVIOUSLY, AS I WAS USING ONBOARD GFX, and nothing I was using had come into contact with the infected new PC)
Booted Windows just fine. No trojan. Ran it for an entire Day. But slow as molasses. Obviously, I'm not able to play games on this CPU however. But this is just investigating. And relieving some stress and passing time by Playing Cyberpunk through Geforce NOW lmao.
So day 2 of this PC, I finally shut it down. Time for the moment of truth. I put the Geforce 3060 into the PCIe slot (only 4 lanes on this motherboard, but it's enough for what i'm doing). I get the drivers in, I download GPU-Z and Save the current Bios (just in case).
I used NVFLASH64 -6 to flash a clean MSI 12GB 3060 rom from TechPowerUp. Partial Success. Because yes, it's reading as an MSI card now, but the problem still remains. This video card causes my computer to become hijacked.
And I hear that DAMNED noise again, but this time, COMING FROM THE VIDEO CARD ITSELF. Shut it down. Pull the Card. Pull the power from PC. Hear the noise coming from the router again lmao. Turn my phone off and pull the batteries from remote again. Noise goes away. Understand how HARD this is, when you can't even go online to get info LMAO. So, in my wisdom.... I finally figured it all out. I tear the video card apart, and see 3 spots on the card where there was soldering done. One was along the entire bank of 2 chips beside the processor, and 2 were on tiny little micro-processors. So SOMEBODY (ahem ahem cough cough) physically installed these 2 new ram chips, flashed with something nasty (LOGOfail), and called it a day.
-------------------------
My theory is that the Resizable BAR area has been written to, as it can load before anything else. And whatever was written to the BAR, was specifically for THAT specific STGAUBRON motherboard for double-persistence. The BIOS on the ASRock motherboard became "VIRTUAL" when the videocard was plugged in. And because the computer has an i7-10700KF, it has no onboard video. He didn't expect me to be a wonderkid when it came down to it. So, once I took one leg out, it could still hop around.
-------------------------
I downloaded and installed KALI LINUX, and went through a lot of the information with terminal. It's boring AF so i'll just get to what I did. I installed as dual boot in the slow molasses rig. Downloaded Nvidia Linux driver (550.120), installed it and dumped the bios to a microSD.
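Since both the Windows leg of this story (GPU-Z "Save BIOS", then NVFLASH64 with a reference ROM from TechPowerUp) and the Linux leg (dumping the VBIOS to a microSD) rely on a VBIOS dump, here is an added example, not from the original post, of how a defender can sanity-check such a dump before trusting or flashing it. It walks the image chain that the PCI Firmware Specification defines for expansion ROMs (55AA header, PCIR data structure, next image), verifies the 8-bit checksum on legacy x86 images, reports the PCI vendor/device IDs and code type of every image, and compares a dump byte-for-byte against a reference file. The vendor ID 0x10DE is NVIDIA's real PCI vendor ID; the device ID, the sample ROMs and the file names are constructed placeholders, not data from the card in the post.

```python
"""Sanity-check a dumped PCI option ROM (e.g. a GPU VBIOS). Added example; sample ROMs are constructed."""
import hashlib
import struct
import sys

ROM_SIGNATURE = b"\x55\xAA"   # every expansion ROM image starts with this
PCIR_SIGNATURE = b"PCIR"      # PCI data structure signature
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def parse_option_rom(blob: bytes) -> list:
    """Return one dict per image in the ROM, following the chain until the 'last image' bit is set."""
    images, offset = [], 0
    while True:
        if offset + 0x1A > len(blob) or blob[offset:offset + 2] != ROM_SIGNATURE:
            raise ValueError(f"no 55AA image header at offset 0x{offset:x}")
        pcir = offset + struct.unpack_from("<H", blob, offset + 0x18)[0]   # pointer to PCIR structure
        if pcir + 0x16 > len(blob) or blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"no PCIR structure at offset 0x{pcir:x}")
        vendor_id, device_id = struct.unpack_from("<HH", blob, pcir + 4)
        length = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512       # image length, 512-byte units
        code_type = blob[pcir + 0x14]
        last = bool(blob[pcir + 0x15] & 0x80)                               # bit 7 of the indicator byte
        image = blob[offset:offset + length]
        # Legacy x86 images must sum to zero mod 256; other code types carry no such checksum.
        checksum_ok = (sum(image) & 0xFF) == 0 if code_type == 0 else None
        images.append({
            "offset": offset, "length": length, "vendor_id": vendor_id, "device_id": device_id,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "truncated": len(image) != length, "checksum_ok": checksum_ok, "last": last,
        })
        if last or length == 0 or len(image) != length:
            return images
        offset += length


def first_difference(dump: bytes, reference: bytes) -> int:
    """Offset of the first byte where the two ROMs differ, or -1 if they are identical."""
    for i, (a, b) in enumerate(zip(dump, reference)):
        if a != b:
            return i
    return -1 if len(dump) == len(reference) else min(len(dump), len(reference))


def build_image(vendor_id: int, device_id: int, code_type: int, last: bool, units: int = 1) -> bytes:
    """Constructed minimal ROM image for testing (not a real VBIOS)."""
    buf = bytearray(units * 512)
    buf[0:2] = ROM_SIGNATURE
    buf[2] = units                                    # legacy size field, 512-byte units
    pcir = 0x40
    struct.pack_into("<H", buf, 0x18, pcir)           # pointer to PCIR structure
    buf[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", buf, pcir + 4, vendor_id, device_id)
    struct.pack_into("<H", buf, pcir + 0x0A, 0x18)    # PCIR structure length
    struct.pack_into("<H", buf, pcir + 0x10, units)   # image length in 512-byte units
    buf[pcir + 0x14] = code_type
    buf[pcir + 0x15] = 0x80 if last else 0x00         # bit 7 marks the last image in the chain
    buf[-1] = (-sum(buf[:-1])) & 0xFF                 # make the 8-bit checksum come out to zero
    return bytes(buf)


SAMPLE_VENDOR = 0x10DE   # NVIDIA's PCI vendor ID (well-known); the device ID below is a placeholder
SAMPLE_DEVICE = 0x1234
# Constructed two-image ROM: a legacy x86 image followed by an EFI image (typical layout for a GPU).
CLEAN_ROM = build_image(SAMPLE_VENDOR, SAMPLE_DEVICE, 0, last=False) + \
            build_image(SAMPLE_VENDOR, SAMPLE_DEVICE, 3, last=True)


def tamper(rom: bytes, offset: int, mask: int = 0x5A) -> bytes:
    """Flip bits in one byte to simulate a modified image (constructed test helper)."""
    buf = bytearray(rom)
    buf[offset] ^= mask
    return bytes(buf)


TAMPERED_ROM = tamper(CLEAN_ROM, 0x100)


def report(name: str, rom: bytes, reference: bytes = None) -> None:
    print(f"{name}: {len(rom)} bytes, sha256 {hashlib.sha256(rom).hexdigest()}")
    for img in parse_option_rom(rom):
        print(f"  image @0x{img['offset']:x} len {img['length']} {img['code_type']} "
              f"ids {img['vendor_id']:04x}:{img['device_id']:04x} checksum_ok={img['checksum_ok']} "
              f"truncated={img['truncated']} last={img['last']}")
    if reference is not None:
        print(f"  first difference vs reference: {first_difference(rom, reference)}")


if __name__ == "__main__":
    # Usage: python rom_check.py <dump.rom> [reference.rom]; with no arguments the constructed samples run.
    if len(sys.argv) >= 2:
        dump = open(sys.argv[1], "rb").read()
        ref = open(sys.argv[2], "rb").read() if len(sys.argv) >= 3 else None
        report(sys.argv[1], dump, ref)
    else:
        report("clean sample", CLEAN_ROM)
        report("tampered sample", TAMPERED_ROM, CLEAN_ROM)
```

On Linux the dump can come from sysfs (`/sys/bus/pci/devices/<bdf>/rom`, after writing `1` to that file to enable reads) rather than from a vendor tool; the parser does not care where the bytes came from. A passing checksum only shows the image is internally consistent, so the byte-for-byte comparison against a reference ROM you obtained independently is the check that matters, and a difference that starts inside the image body rather than in a version or date field is the thing to investigate before flashing.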
Formatted that Kali Linux partition and re-installed it.
It was now time to update the Nvidia Container Toolkit. I FOUND IT THE ONLY WAY TO FLUSH OUT THE BAR AND REWRITE IT EMPTY. I don't know if there's any easier way but whatever. It's working for me. And it needs a little bit of weirdness to work for my situation, so bear with me.
Open TERMINAL. (remove all quotes for commands)
1 - "sudo nano /etc/modprobe.d/blacklist-nouveau.conf" and make sure to ADD the following 2 LINES:
    blacklist nouveau
    options nouveau modeset=0
    (THIS DISABLES THE NOUVEAU KERNEL HOOK)
2 - "sudo update-initramfs -u"