DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Please remember the terms of your membership agreement.

Moderators: valis, garyb

User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Post by Nestor »

This is an update: I discovered this dangerous virus along the way, please, keep reading dawn below to understand:

I was doing something in the PC, while watching the screen, suddenly, without me doing absolutely nothing, Opera browser installed itself in a VERY suspicious way, then opened itself and asked me if I wanted to configure it! What the hell is this? Anybody had this strange happening before?

I'm scare, I use ESET internet security and there is nothing found in the scan. What do you recommend me to do, in case you have gone though this one?

Edit:
Strange things are happening, there are some windows archives being detected as malicious for no reason. What are these guys doing with their lives? They could spend it in something interesting instate.
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
valis
Posts: 7299
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA
Contact:

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by valis »

Opera and other browser makers have deals with smaller software companies to deploy their installations when you install a free or trial based utility. I'm sure you're aware of that, but perhaps that's the issue?

For Win10/11, you can fix windows data stores using DISM and then sfc /scannow as in the following link, but for Win7 you'll need an up to date ISO: https://answers.microsoft.com/en-us/win ... 5b60477a93
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Nestor »

Thank you Valis

Everything started while I was freely browsing about the Nektar Impact keyboard, one of the very many pages must have been the cause of the problem, which one? I don't know. Then Vivaldi browser had this message from McAfee, (which I don't have installed), saying it detected a thread. I followed some tutorials on how to reset Vivaldi, I did, everything fine, the fake warning disappeared, but these strange problems and others kept going. Very unfortunately, I had just deleted an image of my C driver, as everything seemed to be good, I do that very often, I renew my last state of the system, but I was wrong...

The point is that my keyboard started writing totally incoherent characters when pressed. Then three processes from windows I don't know anything about were detected by the antivirus like dangerous, related with telemetry. Then, Win 7 tried to install some updates, it gets stack in this blue page that says: "Preparing to configure Windows. Do no turn off your computer". Then several browsers will no longer load. Some programs are extremely sluggish, wow...., many strange things.

Today I had, when restarting, a dos menu, something called GRUB4DOS, which I have never seen before, I guess it is part of windows. But well..., it seems I'm being hacked or something like that, maybe I'm just scare. I was so happy with my Win 7 system, perhaps..., after all, for security reasons, I should update to Win 10 :(

I had totally reset the softwaredistribution and catroot2 folders and downloaded the latest updates for Win 7, let's see now what happens.
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Nestor »

Now, when trying to update, I got this error: WindowsUpdate_80080005
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
valis
Posts: 7299
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA
Contact:

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by valis »

Grub is a boot loader. You have a virus and need to boot to clean media to backup data and reset that drive.

Vivaldi wouldn’t be to blame (have it installed here on three machine), something got clicked to facilitate the download execution.
User avatar
Bud Weiser
Posts: 2679
Joined: Tue Sep 14, 2010 5:29 am
Location: nowhere land

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Bud Weiser »

Nestor wrote: Fri Feb 17, 2023 7:01 pm Then, Win 7 tried to install some updates,...

a dos menu, something called GRUB4DOS

... I was so happy with my Win 7 system, perhaps..., after all, for security reasons, I should update to Win 10 :(

... downloaded the latest updates for Win 7

Opera is a very good browser w/ excellent privacy settings and doesn´t install itself out of the blue.
Firefox and Opera are the only 2 browsers I use.
Anyway ...

Don´t surf the web w/ a Win 7 machine ! - unless you have an Antivirus installed still supporting Win 7, have a configurated hardware firewall in your router and you don´t use the stock Windows (IE or Edge) browsers.

Yesterday I needed to enter the web w/ my DAW machine (Win7 Pro SP1 x64) for a quick service manual download.
No problem when I know where to go and find and/or visiting trusty websites like NI, Cockos Reaper, Presonus etc..
I have the above browsers and latest AVAST installed because they get (security-) updates still and also for Win7 Pro SP1 32Bit, which is my 2nd DAW machine.
The MS windows malicious software removal tool still gets updates for Win 7,- I got an update yesterday.

BUT,- I only use the Win 7 machines for the web on rare occasions,- mainly receiving NI updates via NI Access or from Cherry Audio.
Most of the times, I use my Win10 office machine, downstairs in my office, for web surfing and downloads.

You should at least have 1 machine being up to date for the web,- which means today,- Win10 or 11.
When using only ONE machine for everything,- Win10 is essential IMO.

:)

Bud
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Nestor »

I understand what you say guys, thank you, it seems pretty serious. Right now I had many problems to connect in here, "denial of service" problem.

Well..., I don't know if I can save this "C" drive this time..., I am trying many things, but nothing works, the virus, whatever it is, it is not discovered by anything at all.
Cheers
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
valis
Posts: 7299
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA
Contact:

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by valis »

You cannot. If there's a bootloader, the drive has been rooted and all other drives (and potentially your EFI) are suspect as well.

You need to create bootable media on a separate machine, for instance Windows installation media or Ultimate Boot CD (USB version) etc that will allow you to boot the old machine and mount drives. A non-windows boot is better, as you can then verify the drives.

OR, what I would do is remove all drives (disconnect the cable) and get a small cheap SSD, 60GB or so is enough. Do a fresh (non-activated) Windows install to that. Win10 or 11 would be fine, and again you can easily create installation media these days for such a task. If you need a guide for that, just ask.

Once you've done that, install ESET Nod32 (30 day trial with a free email address somewhere is fine) and something like Malwarebytes to support nod32 (the two shouldn't conflict that much for scans, and you will NOT be keeping this windows installation). There's a setting or two that I would check at this point, for instance you want to make sure that ESET is set to scan removeable media by default (it has a way of preventing the boot sector from mounting built in).

Once that's up and running with adequate protection, you can turn the machine off, reconnect the OLD drives and scan them. It's NOT necessary to clean the OLD windows installation, but you will want to remove the boot sector virus (if present) and GRUB etc. THEN backup all your project files and data you care about, either to another external drive or to the new windows drive (not as recommended, as you may end up putting files into an area that you have difficulty accessing later). THEN we can walk you through a method to 100% clean a drive (using diskpart /clean all) and get back up and running.
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Nestor »

Wow, thank you so much Valis for all these explanations.

It is somehow, overwhelming all this, I will try to understand the points you are giving me and try to apply them, let's see.
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
Bud Weiser
Posts: 2679
Joined: Tue Sep 14, 2010 5:29 am
Location: nowhere land

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Bud Weiser »

Nestor wrote: Sat Feb 18, 2023 6:22 pm Wow, thank you so much Valis for all these explanations.

It is somehow, overwhelming all this, I will try to understand the points you are giving me and try to apply them, let's see.
1st,- make a bootable media to boot your machine safely and have access to the web for additional investigation and downloads.
Like Valis said above, it´s a good idea to disconect the internal drives and go into BIOS to change the bootdrive.
Choose your new boot media,- USB stick or DVD,- as the desired drive and save in BIOS.
Shut down the machine and insert new boot media, power up and your machine will boot into the OS written on boot media.
I understood you were on Win7,- so have alook here https://tech-latest.com/download-windows-7-iso/.

There are other Windows PE ISO downloads in the web,- some already contain tools to remove virus, malware and s##t.
I dunno which is the best,- maybe Valis and/or other here know more.
The last version I used was WinXP PE "Maximilian Edition" many, many years ago and when I catched a virus.
Removal was a breeze once found.

good luck,-

:)

Bud
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Nestor »

Guess what... I canot get into my PC anymore.... it keeps saying "preparing to configure windows", crazy

and guess what.... today, yes, TODAY :evil: :cry: :roll: , I'm getting my NEW Nektar LX 49+, coming from California ......... and cannot plug it into my little studio.... hhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa :-? :-? :-?

Man..., what is going on!
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
Bud Weiser
Posts: 2679
Joined: Tue Sep 14, 2010 5:29 am
Location: nowhere land

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Bud Weiser »

Nestor wrote: Sun Feb 19, 2023 12:22 pm Guess what... I canot get into my PC anymore.... it keeps saying "preparing to configure windows", crazy

and guess what.... today, yes, TODAY :evil: :cry: :roll: , I'm getting my NEW Nektar LX 49+, coming from California ......... and cannot plug it into my little studio.... hhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa :-? :-? :-?

Man..., what is going on!
Dunno what you did to your machine by possibly unintentional mouse clicking on whatever it might have been.
But "preparing to configure windows" to me sounds like an interupted Windows update waiting to download missing data.
Unfortunately it seemed, you also catched that "bootloader" virus.
So,- a p.ex. Windows PE on a bootable USB drive or DVD might be the only help.
We´ll help you as good as possible, but YOU have to learn the "how to" at first !!!

:)

Bud
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Nestor »

I will sure put my best in trying to solve this problem

I'm waiting for a CD writer to arrive home now

It is the second time a keyboard arrives to me, and I can't use it, funny
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Sudanly, Opera browser installed itself!!! What? A virus?

Post by Nestor »

VERY IMPORTANT FOR YOU ALL:

I think I've found the exact virus I have in my system, as the descriptions given are exactly as what has happened to me in every detail, and the fact that it is impossible to find it, because, (as Valis said), it is hidden . It is out of the system (so to say in a way), because it is in the boot sector, the name of the virus is:

LoJax

If you have not switched on "Secure Boot" in your system, rush and put it active, because this is the way they get into your boot. It is said to have infected lost and lots of computers in Europe, the virus comes from a group from Russia called APT28. At least, I am pretty sure I've fond the real problem. Take care of your systems as this virus is out there and causing big problems at the moment. Cheers
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Post by Nestor »

Strangely, a second Nektar LX+ keyboard was processed by Amazon, I mean, a second payment was processed without my consent, fortunately it was bounced back by the bank itself. More strangely is that Amazon itself did not ask or send any massage whatsoever about it, this is not their way of working, as far as I know.

Because of that, obviously, I am NOT switching on my pc anymore "with internet connection", until I fix it offline or I kill it totally.

It seems that this is the world in which we are living today! It is a dangerous world all over the place and in every matter and way. Sometimes I think that quite a few millions of human beings have lost it, totally and entirely lost it, so coldhearted we have become.

It seems, (correct me please if I'm wrong, I am not at all a security expert), this problem is not related to the OS you use really, but rather, to the BIOS and the lack of security in your settings.

I will change the title of this post to something more alarming, so everybody takes care of their BIOS immediately and don't have to go through this painful experience too.
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Post by Nestor »

Hello brothers, here I am, working to solve the problem. It seems to be a very complex piece of treachery software they have created. I see this virus has several years of existence already, but it might have been perfectioned in its evil capabilities. I thought it was something new.

So far, I'm waiting for a CD writer unit from Amazon I've just bought. USB flashing is not an option right now, it does not work.

One good news is that I have a Gigabyte board with dual BIOS, so I should be able to make the trick of changing the reading location from one of the chips to the other, let's see.

I have been without viruses for ages, I even forgot about these thigs all together.
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
valis
Posts: 7299
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA
Contact:

Re: DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Post by valis »

In your case, LoJax is a UEFI rootkit. What's your motherboard make & model?
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Post by Nestor »

Hi Valis, exactly. Thanks God, it is a Gigabyte dual boot bios board GA-Z97X-UD5H-BK GIGABYTE UEFI DualBIOS, so I guess there is a good chance here.

This is what they say:

GIGABYTE 9 series Ultra Durable™ motherboards feature GIGABYTE DualBIOS™, an exclusive technology from GIGABYTE that protects arguably one of your PC’s most crucial components, the BIOS. GIGABYTE DualBIOS™ means that your motherboard has both a ‘Main BIOS’ and a ‘Backup BIOS’, making users protected from BIOS failure due to virus attack, hardware malfunction, improper OC settings or power failure during the update process.
*MUSIC* The most Powerful Language in the world! *INDEED*
User avatar
valis
Posts: 7299
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA
Contact:

Re: DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Post by valis »

Contact Gigabyte support. In the event that the version of your EFI is on is current, there may be some way to still ensure you can update both onboard versions to the current one so you are ensured to have overwritten any potential rootkit in your EFI. (typically updates will refuse to update a version if it matches what is already installed).
User avatar
Nestor
Posts: 6682
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: DANGEROUS VIRUS: "LOJAX", PLEASE READ AND TAKE CARE

Post by Nestor »

valis wrote: Wed Feb 22, 2023 8:42 pm Contact Gigabyte support. In the event that the version of your EFI is on is current, there may be some way to still ensure you can update both onboard versions to the current one so you are ensured to have overwritten any potential rootkit in your EFI. (typically updates will refuse to update a version if it matches what is already installed).
Ok, I understand. I will try to contact Gigabyte, but I don't know if this will actually apply for me, as I have had this board for many years already, I don't think I have any guaranty time left anymore.

I am in Rev 1.2 of GA-Z97X-UD5H-BK and have the latest BIOS installed which is the F8.

What I think it could probably work is installing through QFlash version F7 and then apply again F8 version, that should be possible.

Anyway, I am right now studying in detail the options and procedures. It seems you can flash BIOS A (let's say), into BIOS B, so they overwrite each other. I don't think that both BIOS can be infected at the same time because the second one is 100% inactive while the first one is active.

I'll keep you informed of any progress on this. Thank you so much for your help :)
*MUSIC* The most Powerful Language in the world! *INDEED*
Post Reply