Windows 7 Forums

Windows 7: BIOS virus and custom format from Windows 7.

07 Nov 2011   #11
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

And do you think that this particular rootkit is not expecting the BIOS to be flashed? Once it's in, that's all it must protect against. I doubt it will allow that.

07 Nov 2011   #12
Sub Styler

Windows 7 Ultimate x64
 
 

Good point. He really needs a way of identifying whether or not the BIOS has been infected, as if it has, there seems little point re-installing: with its foot in the BIOS it will surely re-manifest pretty soon.
07 Nov 2011   #13
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

I do not know the particulars of the disassembled BIOS, as my system was lucky enough to not have that capability. But I am implying that when the code infiltrates the chip, it has no way of being removed (unless you happen to have a pull-able EEPROM for the BIOS), and it will have permanent reinfection control if it can stay in the BIOS, so it's basically going to devote every bit of its virulence to not being removed. So I know that a hacker would want to protect against flashing the BIOS; therefore, if it is possible, that would be their primary objective at that point in the game.

Can it be prevented from being flashed, or "resist" the flash, or crash the flash midstream to wreck the BIOS, as you warned of earlier when talking about not stopping in the middle of a BIOS flash? I don't know, but I don't see why not. Considering that the BIOS (and therefore the rootkit code) executes prior to any drive, INCLUDING optical, etc., I'm guessing it would place some sort of TSR code, or simulate the actual BIOS loading the CD but with the additional malicious software present to evade being destroyed.

Mike
07 Nov 2011   #14
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Feel free to see the second half of my infection (the first half was IDing it and getting into Windows). Together it took around 1-2 weeks of tearing DLLs out of everywhere, altering the binaries line by line at the boot sector, and probing every patched process including the kernel itself and the debugger; altogether over a hundred files, I'm sure. It hijacks your DNS and flushes the cache, and bypasses patch protection and 64-bit driver signature verification with ease. It's basically the devil (3.4 MILLION infections currently).
Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

mike
07 Nov 2011   #15
Sub Styler

Windows 7 Ultimate x64
 
 

Yeah, hopefully it's just in the MBR. I suppose all he can do is try the re-install and hope it's not infected. If the infection does come back after following the drive cleaning instructions previously posted, then try a flash, if possible from a bootable CD or USB drive (that's known to be clean, i.e. made on another non-networked system and not connected while his OS is live).

Of course we don't know if the OP is using a laptop or desktop. I have a fairly low-end redundant Gigabyte motherboard on my desk that does have a removable BIOS chip, so I'd say for a desktop it would be worth having a look to see if it's replaceable. I very much doubt a laptop would have a removable BIOS chip, as it's not even common on desktop boards.
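The "hopefully it's just in the MBR" question above can be checked rather than hoped for. What follows is an added example, not code from any poster in this thread: it parses a raw 512-byte MBR, compares the boot code against the hash of a known-good copy, and reports how much unpartitioned space sits after the last partition, which is where the TDL4 family kept its hidden storage. The sample MBRs, the placeholder boot-code bytes, the disk size and the 2048-sector slack threshold are all constructed for the demo; on a real system you would read sector 0 with the disk offline, booted from clean media, because a running bootkit of this type hooks the disk driver and hands back the original MBR to anything asking from inside Windows. The check only applies to MBR-partitioned disks (not GPT), and tail space on its own is not proof of infection, only the place to go and look.

```python
"""Inspect a raw MBR for the traces an MBR bootkit leaves behind:
changed boot code and an unpartitioned tail at the end of the disk.
Added example for this thread; sample data below is constructed."""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (flag, type, lba_start, sectors) tuples.
    Only used to construct sample input; on a real disk read sector 0 instead."""
    code = boot_code.ljust(446, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, flag, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        for flag, ptype, start, count in partitions
    )
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the SHA-256 of the boot code and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        flag, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "active": flag == 0x80, "type": ptype,
                      "lba_start": start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(), "partitions": parts}


def unpartitioned_tail(parsed, disk_sectors):
    """Sectors between the end of the last partition and the end of the disk."""
    last_end = max((p["lba_start"] + p["sectors"] for p in parsed["partitions"]), default=1)
    return disk_sectors - last_end


def assess(mbr, disk_sectors, known_good_boot_sha256, max_tail_sectors=2048):
    """List the findings for one MBR: boot-code mismatch and/or a large tail."""
    parsed = parse_mbr(mbr)
    findings = []
    if parsed["boot_code_sha256"] != known_good_boot_sha256:
        findings.append("boot code does not match the known-good MBR")
    tail = unpartitioned_tail(parsed, disk_sectors)
    if tail > max_tail_sectors:
        findings.append(f"{tail} unpartitioned sectors after the last partition")
    return findings


# Constructed sample data. The boot code bytes are placeholders, not real boot code.
DISK_SECTORS = 1_000_000
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c8bf0") + b"\x90" * 16
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, DISK_SECTORS - 2048 - 1000)])
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()  # hash of a clean backup

# The same disk after a bootkit replaced the boot code; the table was also altered so that
# 41,000 sectors after the last partition are free for the sample to have something to find.
INFECTED_MBR = build_mbr(b"\xeb\x20" + b"\x00" * 30,
                         [(0x80, 0x07, 2048, DISK_SECTORS - 2048 - 41000)])

if __name__ == "__main__":
    print("clean   :", assess(CLEAN_MBR, DISK_SECTORS, KNOWN_GOOD_SHA256))
    print("infected:", assess(INFECTED_MBR, DISK_SECTORS, KNOWN_GOOD_SHA256))
```

The known-good hash has to come from somewhere trustworthy: a sector-0 dump taken right after a clean install and kept off the machine, or the boot code a fresh `bootrec /fixmbr` writes. Comparing against the MBR read from inside a suspect Windows is exactly the trap the thread warns about.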
07 Nov 2011   #16
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

That's probably his best chance, I would agree. BUT the problem with rootkits specifically is you will NEVER know if you still have the infection (this RK in its earlier days was called "the virus that you'll never know you have", although it's technically not a virus, just a dropper and a loader started pre-MBR). The point is, as I was continually told by every sec tech on these forums and more, you'll NEVER KNOW if it might be there or pop up, both due to its firm anchoring, fast evolution/mutation and esp. its stealthy ways of not being seen.

Just please, as heart-breaking as it might be, don't try to save any files, or this might happen next year and you end up losing the file you saved, as well as all your files again!

Sorry to be so bleak.
As long as the BIOS is clean, which I suspect it is, you've just got a bit of cleaning etc. to do, wiping the drive (not just format; you need to actually write over the drive with new meaningless 1's).

good luck and contact me if you need something

Mike
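The "not just format, actually write over the drive" point above is easy to demonstrate without touching a real disk. The following is an added example, not something rubyrubyroo or anyone else in the thread posted: it builds a small file-backed disk image, plants a marker string deep inside it, applies a simulated quick format (which, like the real thing, rewrites only the boot sector and file-system metadata at the front of the volume), shows the marker is still carvable, then overwrites every sector and verifies the result by reading the whole image back. The image size, marker text, sector position and the 64-sector "metadata" region are constructed for the demo.

```python
"""Quick format versus overwrite, shown on a file-backed disk image.
Added example for this thread; all sample data is constructed."""
import os
import tempfile

SECTOR = 512
MIB = 1024 * 1024


def write_image(path, sectors, payload, payload_sector):
    """Create a zero-filled image with one 'file body' at payload_sector."""
    with open(path, "wb") as f:
        f.truncate(sectors * SECTOR)
        f.seek(payload_sector * SECTOR)
        f.write(payload)


def quick_format(path, metadata_sectors=64):
    """Model a quick format: only the boot sector and the file-system metadata at
    the front of the volume are rewritten; every data sector beyond is untouched."""
    with open(path, "r+b") as f:
        f.write(b"\xEB\x52\x90NTFS    ".ljust(SECTOR, b"\x00"))  # constructed boot-sector stub
        f.write(b"\x00" * (SECTOR * (metadata_sectors - 1)))


def overwrite(path, pattern=b"\x00"):
    """Overwrite every byte of the image with `pattern` and force it to storage."""
    size = os.path.getsize(path)
    chunk = (pattern * (MIB // len(pattern) + 1))[:MIB]
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            n = min(len(chunk), size - written)
            f.write(chunk[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())


def carve(path, needle):
    """Sector numbers where `needle` still appears anywhere on the image."""
    with open(path, "rb") as f:
        data = f.read()
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos // SECTOR)
        pos = data.find(needle, pos + 1)
    return hits


def verify_overwrite(path, pattern=b"\x00"):
    """Read the whole image back and confirm every byte equals the pattern."""
    expected = (pattern * (MIB // len(pattern) + 1))[:MIB]
    with open(path, "rb") as f:
        while True:
            block = f.read(MIB)
            if not block:
                return True
            if block != expected[:len(block)]:
                return False


def demo():
    """Run the comparison on a 16 MiB image.
    Returns (sectors holding the marker after quick format,
             sectors holding it after overwrite, overwrite verified)."""
    marker = b"CLIENT-PRIVILEGED: sample text, constructed for this demo"
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        write_image(img, sectors=32768, payload=marker, payload_sector=20000)
        quick_format(img)
        after_format = carve(img, marker)
        overwrite(img)
        after_wipe = carve(img, marker)
        return after_format, after_wipe, verify_overwrite(img)


if __name__ == "__main__":
    print(demo())
```

Two practical notes that go with it: do the real overwrite from clean boot media (a live Linux with `dd if=/dev/zero of=/dev/sdX bs=1M` is the usual tool), since a live rootkit can interfere with writes from inside the infected OS, and a single zero pass is what NIST SP 800-88 considers sufficient for magnetic disks. For an SSD, overwriting from the host does not reliably reach every flash block; use the drive's ATA Secure Erase instead.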
07 Nov 2011   #17
stefsj

Windows Vista 32bit - updating to Windows 7 32bit
 
 

Quote: Originally Posted by rubyrubyroo
Take the hit with the file loss of your personal files; additionally, wipe/format the backup media used at any point, and change your online passwords, as it sends keystrokes as well as other info to www servers.
Thanks for the response, rubyrubyroo.

So did you delete all of your data? Even music, pictures, Word, Excel, and other files? I just backed up everything on an external drive to be ready for the format. How do you test other drives? I caught it once using AVG, but it said 'it deleted it'. Since then, nothing on that or the other two computers that have shared a USB with the infected computer.

Thanks
07 Nov 2011   #18
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Caught it once on the backup drive or on the system drive (with AVG)?


EDIT: and your backup is infected, or at least needs to be regarded as such, since you have no way of knowing the date of infection; it may be asymptomatic for 10 min or 6 months.

My story is much more complex, as I'm a computer tech and the drive was a VIP client of mine, a lawyer with the ONLY copy of ALL his clients' files on that drive. I did (PROBABLY) remove it, but it took a very extensive knowledge of assembly language, Windows processes and ntoskrnl.exe's actions and protections; it took me almost 2 weeks of nothing else, and it is impossible to be sure I did get it. If you could talk a rootkit/botkit expert into doing it, it would certainly cost many thousands of dollars. This man would have paid any price to have it fixed, as it was 25 years of his career, and with attorney-client confidentiality laws he would surely be disbarred for negligence in protecting his clients' sensitive info, and potentially be placed in jail. So you can see one reason they can charge so much; added to the complexity and length of time spent, it is difficult for the best trained - and that's not me. I owed the man a favor, and I repay others' good deeds when they are addressed towards me.

There's a tid-bit for ya!
07 Nov 2011   #19
stefsj

Windows Vista 32bit - updating to Windows 7 32bit
 
 

On the system drive. Since then, the data files were backed up, and the system drive and the backed-up drive have been tested: AVG, MSE and Avast. Nothing. Only TDSSKiller found another "minor" TDSS system file on the system drive and removed it. Nothing on the other drive, or on any of the other 2 computers that have shared at least a flash drive with the system drive for the past few months.
07 Nov 2011   #20
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

When was the rootkit inserted into your system? There is no valid answer! Your backup is no longer sterile, and there is no such thing as semi-sterile; it is considered either sterile or "potentially" contaminated, and the latter is treated as definitely infected. A virus scanner is almost ineffective against a rootkit: it takes over Windows, so when you click on a folder with a file in it called, let's say, "Hi-Im-A-Root-Kit.exe", since the rootkit is pulling the strings of Windows, it wisely returns a folder that does not appear in any way to have that file present.

"only reliable way to remove them is to re-install the operating system from trusted media.[78][79] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits" - Wikipedia

But your backup is untrusted media, and this is a very well-written kernel-mode rootkit/botkit, arguably the "best" to date.

PLEASE read this: it's actually kinda technical for Wikipedia, but see if you can understand a good bit of what is going on.
Rootkit - Wikipedia, the free encyclopedia
Please take the time to try to read it, as you need to realize rootkits are the worst, but this one (maybe in the article specifically? not sure) is the worst of the worst!

Don't trust me; talk to some of the higher-level security forum experts. They'll tell you what I am telling you, almost straight across the board.

The only truly savable thing is a rootkit-free, freshly installed Windows; by not keeping anything else you save the future of your comp.

Sorry, dude.
I encourage more higher-level conversations with others on these boards.

Mike