Cisco Support Community

ACPI and NVRAM malicious embedded code

I was remotely attacked by a hacker on my home network. 

I had a major spinal fusion last year that failed and I am getting married in 3 weeks.

After Microsoft released a critical port 3389 patch on March 12th, I was hacked remotely on March 13th. I have been in computers since 1982 but what is happening to me is way out of my league of expertise. First of all I get DNS spoofed so any programs I download or Windows updates are all legitimate Microsoft ADS tools including JavaScript, conscript, WMI, WBEM and .NET. To sum up what is happening: the hacker used SMS BIOS in Windows and rewrites the NVRAM or ACPI part of the BIOS.

Once this happens, I don't even need to be plugged into the net, and after a low level format of the hard drive the hacker manipulates the Windows XP or Windows 7 install from CD and turns my system into an automated RIS or NDIS unattended install using a VM. Once that is done my ARP cache gets poisoned and I get DNS spoofed, and the moment I try to download XP critical patches right after the fresh CD install I end up as the victim of a Man-in-the-Middle attack.

Under Winsock in the registry they add, along with the TCP/IP protocol, 4 others: AppleTalk, ISOtp, NwlinkIPX and NwlinkSPX. They use BDA Tuner and secretly install version 4 of Internet Explorer. They then add my workgroup onto a hidden domain and add a few snap-ins in MMC such as SID GhostWalker and ADSI Edit (domain tools).

I have tried flashing my BIOSes but no matter what I do they have a bunch of NULL code so I can't. I am suffering in pain every day and I can't take much more of this, as I have probably put 600 hours into it since March. They use VPN, RIS and NDIS to secretly create a network bridge between any of my computers and a hidden network device called RAS Asynch adapter to gain full access. They add domain server operators to be part of the Universal Plug and Play service as well as the SSD service for device discovery. They add domain Network Configuration Operators to the DNS service as well as the DHCP client service.

I have gone through 3 different Internet Service Providers, at least 20 routers and at least 12 new laptops. The bottom line is I need a way to auto flash all my home BIOSes from a clean CD-ROM boot disk like Windows 98, with SCSI, ATAPI and USB drivers that load from this CD together with all my BIOS and DOS utilities to flash the BIOS.

The problem is that before it reads the boot CD, the NVRAM or ACPI is loaded from the BIOS first, so the BIOS malware makes it so I can't flash the BIOSes.

If you have some boot CDs and if I gave you the BIOSes, would you be willing to make me the boot CD I need to clean my BIOSes, as well as some way to have them stop DNS spoofing and ARP cache poisoning? Also the ability to block the SMSBios management service in the Windows registry so the hacker doesn't hit my BIOSes remotely again.

Since all the C++, .NET and all their other tools are Microsoft ADS and become legitimate tools that malware scanners do not detect.

Also my ATAPI devices like the CD-ROM are turned into SCSI devices.

Let me know if there is something you can do for me, as this hacker has damn near killed me from all the stress and headaches they have caused since March.

Kind Regards,

Brent Waddell 
