Absolutely flummoxed - BIOS virus?

By bfindlay
Weirdest behaviour I have ever heard of. I got infected with a trojan (virusblast) that tried to sell me software to 'clean up spyware and viruses'. (It WAS the virus.)

I flashed my BIOS to an updated version, then installed a new hard drive - formatted it, and installed Windows. The install took far, far longer than it should - on the order of three hours or so. The computer is slow as molasses now, taking 3 to 5 minutes to boot into Windows and 30 seconds or so to open a window or do any other task.

This is on a new, virgin Windows install on a brand new formatted HD. Then a window pops up saying that there are 55 errors in my registry (BRAND NEW SYSTEM!) and directs me to a third-party site (registryupdate.com) to install a 'registry cleaner' that I am supposed to pay for.

This is the exact same behaviour the machine had before I stuck the new HD in and installed Windows - except the scam is now pointing to 'registry update' instead of virus blast. Obviously the data for this did not come from corruption on a hard drive - there was no old hard drive in the system - and I deleted all partitions and reformatted the hard drive upon installing it. The virus must live in the BIOS - but how can this be!? I am so confused, and at a loss about the correct move to bring my machine back to life.

Any help appreciated.


BIOS Problem or just dying hardware

by butkus In reply to Same Problem

Did you catch something, or is something just dying (bad HD, bad memory, bad controller card)?


mbr?

by dcl525 In reply to Absolutely flummoxed - BI ...

Did you replace the HD? If not, it could reside in the master boot record. I know SpyAxe, and it usually doesn't do that, but it is a tricky spyware app.


BIOS virus removal... is it possible to recover from h-e-double-hockeysticks?

by stre0539 In reply to Absolutely flummoxed - BI ...

Well, I can identify with your problem 100%. I however don't have any good information to share other than the following experience.

I got a virus from reading a text file. No, I didn't senselessly just double-click on a file; I selected it and told it to open with WordPad (oh, oh how I wished I had stuck with my gut feeling to delete it). Well, before I knew it a quick black square flashed up on screen and my whole screen did a stomach double-take as if it had been assaulted in some way, and I knew instantly something bad had happened.

I shut it down instantly, planning to reboot and use Norton Fast-Back or whatever it's called to return my computer to pre-virus bliss. Well, upon reboot I noticed that the characters in the boot POST were funky. Not the usual text, but like something out of spams-R-us, and it hit me... CRAP, a BIOS virus. The problem with a BIOS virus is it's at ground zero - the system level. There is no crap before it (at least not in the general sense; perhaps there is something or things you can try before it depending on your manufacturer of motherboard).

So after trying things that didn't work, including re-flashing the BIOS, which only got re-infected while I was flashing it from the self-same BIOS that was infected, I realized something. Flashing from an infected BIOS is much like installing from an infected system. I found a procedure: boot another computer that also happened to be an ASUS like mine (not a P3V4X but close enough) and, after booting, launch the "aflash" utility with the format boot block option enabled and prepare to write the downloaded bin file - then I hot-switched the BIOS EEPROM and wrote the BIOS. Then I shut off this computer, removed the chip and installed it in my previously infected computer. This did have the benefit of making my computer a little less infected, but it was still infected (by less infected, I mean that the distortions on screen were not as prolific as before, but still present, especially when I went into setup).

So, apparently there is something that is not being erased when the BIOS is flashed, or I didn't properly clear CMOS before flashing and it re-infected my BIOS upon reboot. Admittedly, I didn't wait the requisite "15 minute" to "8-hour" stretch to discharge the CMOS because I was impatient to KNOW if I was successful. The only other possibility (beyond the virus residing elsewhere on the chip that is not erased on flash) I can think of is that hot-switching is flawed in that perhaps the BIOS uses write calls from the BIOS before it flashes it and those flash calls are virus infected. My last attempt (assuming the virus is on the BIOS, as my hard drives and all removable media are disconnected or, in the case of the floppy, read-only) will be to ...
1. Clear the cmos
2. Hot-flash the chip by...
a. Booting with a clean eeprom
b. Launching "aflash" util with erase boot blocking enabled.
c. Hot-switching with infected eeprom
d. Writing downloaded bios update file.
e. Re-installing eeprom to previously infected CPU.
3. Then I will clear the cmos for a whole minute and leave computer off with no power/ no battery for 8 hours.

After that, if it all STILL FAILS, I am calling Asus, hoping the problem does indeed reside on the chip/EEPROM. Asus, on the condition that the chip is removable, has agreed to send me a replacement, and I hope this will not be infected because of something I forgot to try.

I do caution all of you out there that this is extremely risky stuff, and there is a lot I am doing that can go wrong, but I am both a tech and studying to be an EE major so I have some experience on the wilder side of life, plus a stake in learning about eeproms.

Please, does anyone have any input besides just suggesting more and more virus scanning software that can't touch the BIOS? I would be very interested to hear from you, especially if you have experience using an EEPROM writer, have successfully re-flashed a computer EEPROM (Asus preferably, since they are a bit off the beaten path) or have experience with BIOS virus removal. Now I leave to publish my book on how to bore the heck out of the fake techs that feed you 2-cent answers like they are quoting the sacred text of who-minnuh-humminah!
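Added example, not part of stre0539's post: before concluding that a reflash "took" or didn't, read the flash part back out (with the flash utility's save-to-file option or an external EEPROM programmer; how you obtain the dump is an assumption here) and compare it against the vendor's .bin region by region. Hashes tell you whether the part matches; the per-region diff tells you where it doesn't, and in particular whether the boot block (assumed here to be the last 8 KiB of the image; the 64 KiB comparison granularity is also an assumption) is among the regions that survived the flash. The two images below are constructed for the demonstration.

```python
"""Compare a BIOS flash dump against the vendor image, region by region.

Added example. Assumptions: the dump and the reference are whole-part images of
equal size; comparison granularity is 64 KiB; the boot block is the top 8 KiB.
"""
import hashlib

BLOCK = 0x10000      # assumed 64 KiB comparison granularity (erase-block sizes vary by part)
BOOTBLOCK = 0x2000   # assumed 8 KiB boot block at the top of the image


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(dump: bytes, reference: bytes, block: int = BLOCK):
    """Return a list of (offset, length) regions where dump differs from reference."""
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump {len(dump)} bytes, reference {len(reference)} bytes")
    regions = []
    for off in range(0, len(reference), block):
        if dump[off:off + block] != reference[off:off + block]:
            regions.append((off, min(block, len(reference) - off)))
    return regions


def bootblock_modified(dump: bytes, reference: bytes, bootblock: int = BOOTBLOCK) -> bool:
    """True if the (assumed top-of-image) boot block differs from the reference."""
    return dump[-bootblock:] != reference[-bootblock:]


def report(dump: bytes, reference: bytes):
    """Human-readable summary: hashes, differing regions, boot-block verdict."""
    lines = [f"reference sha256: {digest(reference)}",
             f"dump      sha256: {digest(dump)}"]
    if dump == reference:
        lines.append("dump matches reference: the part holds exactly what the vendor shipped")
        return lines
    for off, length in diff_regions(dump, reference):
        lines.append(f"differs at 0x{off:06x}-0x{off + length:06x}")
    if bootblock_modified(dump, reference):
        lines.append("boot block differs: a reflash that skips the boot block leaves this region in place")
    return lines


def compare_files(dump_path: str, reference_path: str):
    """Same report, reading both images from disk."""
    with open(dump_path, "rb") as d, open(reference_path, "rb") as r:
        return report(d.read(), r.read())


def build_samples():
    """Constructed 256 KiB images: reference plus a dump with two modified regions."""
    reference = bytes(range(256)) * (0x40000 // 256)
    dump = bytearray(reference)
    dump[0x12345] ^= 0xFF                 # constructed change inside the second 64 KiB block
    dump[0x3F000:0x3F010] = b"\x90" * 16  # constructed change inside the boot block
    return bytes(dump), reference


if __name__ == "__main__":
    sample_dump, sample_reference = build_samples()
    print("\n".join(report(sample_dump, sample_reference)))
```

If the dump matches the reference and the symptoms persist, the flash part is not where the problem lives; if the boot block is the region that differs, the boot-block-erase option the poster mentions is the one that matters, since an ordinary reflash may never touch it.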


Another tale of BIOS woe

by JCA1234 In reply to Bios Virus removal...is i ...

I don't feel quite so alone now. I am dealing with the same type of virus. After several attempts at wiping and reformatting my hard drive, I went out and bought a brand new HDD, installed Windows from an original licensed Windows CD, and the virus is still there. Even when I remove the CMOS battery overnight (unplugging everything), reset the CMOS and turn on my computer WITH NO HARD DRIVE CONNECTED, the virus revs right up as soon as I turn the power on. No anti-virus software I've found can detect it (Kaspersky, PC Tools, STOPzilla, AVG). But there's no doubt it's a virus. It completely hijacks my computer (I'm running XP) and sets up a phony "network" to keep me from gaining full access to my own computer. It creates phony user accounts and logs on to immediately undo any effort on my part to eliminate the threat. The best I have managed is to shut down all but the very essential Windows services, and the virus is unable to do much, but so am I. I can't access the Web, for instance. I guess it's hopeless. I'll have to buy a new motherboard. I am wondering about a few things, however:

1) Is there a chance the virus also resides in my graphics card? I have a GeForce 7950GT. Does it have its own EEPROM chip? I don't want to plug it in to a new motherboard and get infected all over again.

2) What about DVD-ROM drives? Could they also have the firmware virus?

3) If I buy a new motherboard and connect it to my infected hard drive for purposes of wiping and reformatting it, is there a chance the hard drive will infect the new motherboard? How can I prevent this from happening?

Any advice is much appreciated.


HOW ABOUT SOME MORE SPECIFICS

by Chim Chim 1959 In reply to Another tale of BIOS woe

The whole clearing-CMOS thing (which should be a jumper to accomplish) is overstated. CMOS clear is an electrical issue and can be done with the jumper or the battery pull (and power cord disconnect).

What accounts does it create?

The default XP load causes a user account to be created and auto-logged into after the subsequent boot.

What network does it set up (IP ADDRESSES PLEASE)?

By default WinXP will try to acquire an IP address; if no DHCP server is found it assigns an IP of 169.xxx.xxx.xxx (the xxx varies).

If you do not connect to the internet it will be slow and weird as it is trying to phone home and get updates.

As for your questions:

1. I guess its possible but NOT PROBABLE.
2. See #1
3. I would get a Linux boot CD and use the fdisk and format utilities in that to wipe out the HDD. DBAN, as mentioned before, would be a good wipe option as well.
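Added example, not part of Chim Chim 1959's post: if the worry in question 3 is the old drive's boot sector, the thing to destroy before attaching the drive to a new board is the first megabyte (MBR boot code, partition table, any boot-loader stages), and the thing to check afterwards is that the 0x55AA boot signature and the partition entries are gone. Run from a live CD with the drive not mounted; the device path (e.g. /dev/sdb) is an assumption, and the image used when no path is given is constructed for the demonstration.

```python
"""Zero the head of a drive or image and verify the MBR is gone.

Added example. Assumption: the target is a raw block device path or an image
file at least 1 MiB long; it must not be mounted while this runs.
"""
import os
import struct
import tempfile

SECTOR = 512
HEAD_BYTES = 1024 * 1024   # first 1 MiB: MBR, partition table, boot-loader stages
MBR_SIG_OFF = 510
PART_TABLE_OFF = 0x1BE


def parse_mbr(sector: bytes):
    """Return (has_boot_signature, [partition type bytes in use]) for sector 0."""
    has_sig = sector[MBR_SIG_OFF:MBR_SIG_OFF + 2] == b"\x55\xaa"
    types = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        if entry[4] != 0:          # byte 4 of each 16-byte entry is the partition type
            types.append(entry[4])
    return has_sig, types


def read_sector0(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read(SECTOR)


def wipe_head(path: str, nbytes: int = HEAD_BYTES) -> int:
    """Overwrite the first nbytes with zeros; returns the byte count written."""
    written = 0
    chunk = b"\x00" * (64 * 1024)
    with open(path, "r+b") as f:   # r+b never truncates, so it works on a block device too
        f.seek(0)
        while written < nbytes:
            written += f.write(chunk[:nbytes - written])
        f.flush()
        os.fsync(f.fileno())
    return written


def build_sample_image(path: str):
    """Constructed 4 MiB image: one active NTFS-type (0x07) entry plus a boot signature."""
    sector = bytearray(SECTOR)
    sector[0:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"          # constructed boot-code bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 6144)           # status, CHS, type, CHS, LBA, size
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[MBR_SIG_OFF:MBR_SIG_OFF + 2] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(bytes(sector))
        f.truncate(4 * 1024 * 1024)


def wipe_and_verify(path=None):
    """Wipe the target and return (before, after) parse results.

    With no path, a constructed temporary image is used and removed afterwards.
    """
    cleanup = path is None
    if cleanup:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
        build_sample_image(path)
    before = parse_mbr(read_sector0(path))
    wipe_head(path)
    after = parse_mbr(read_sector0(path))
    if cleanup:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /dev/sdb (assumed path)
    before, after = wipe_and_verify(target)
    print("before:", before)
    print("after: ", after)
```

This is the minimum that makes the drive look blank to the next machine's firmware; DBAN or a full pass of zeros is still what you want if the goal is to destroy every sector rather than just the boot sector and partition table.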
