BIOS virus and custom format from Windows 7.

Page 3 of 4

  1. Posts : 13
    Windows Vista 32bit - updating to Windows 7 32bit
    Thread Starter
       #21

    Yeah, I realize it is not a pretty picture. I will read and wipe out. I am still wondering about the external drive, however - it is 'potentially' infected, but when I run an anti-virus from a new clean computer, should it catch any of these bugs? Sounds like it should.


  2. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #22

    Yes, possibly some, but this is the latest and greatest rootkit (I believe the first to crack Win7 x64's three exceptionally solid safeguards). It is the work of a true genius team, just a very, very dark team!

    Remember, you will never know you're free of the bug, ever, ever.


  3. Posts : 13
    Windows Vista 32bit - updating to Windows 7 32bit
    Thread Starter
       #23

    Well,
    I think I am on course to re-write the MBR through the Windows CD Recover portion and then do a clean install. I think I will let Windows 7 format instead of me doing zero-fill format.
    Since most likely this rootkit has made it to my USBs, which I keep testing from other computers and which show as not infected, is it possible for a Mac with Boot Camp to be infected (the Windows portion)? I ran Avast pre-boot on the Mac and the system machine but it didn't catch anything worthwhile. Is that rootkit really hiding that well?

  4.    #24

    You don't need to rewrite the MBR if you're going to reinstall. Just follow these steps: Clean Install Windows 7


  5. Posts : 13
    Windows Vista 32bit - updating to Windows 7 32bit
    Thread Starter
       #25

    Well, I booted from the Win 7 CD and used the cmd to 'clean all'. Let's hope it is all gone now. Any recommendations of what to do with the external hard drive that has all of my data? I think I will extensively test it with AVG, MSE and try to run Malwarebytes and TDSSKiller on it. Any other suggestions?

  6.    #26

    That sounds like a good regimen to test the quarantined files on external, but I don't know if you can ever be certain they are safe again. It is a calculated risk to use them, less risk the more you disinfect.


  7. Posts : 4,161
    Windows 7 Pro-x64
       #27

    It will be in the MBR if the virus uses the EFI/UEFI features. Or at least its ID. Those types of BIOS viruses use the EFI feature, as if it were factory, to load shell extensions from a special partition. That's how most all the graphical BIOS update utilities work too. A drive that has that special partition would need to be wiped clean including the MBR. One of the secure erase programs should be used because the special partition is not visible to Windows. It can't be formatted or deleted.

    And, I would not use the ".exe" version of a BIOS flash--these will read portions of the BIOS first and save areas of the EPROM that could be infected. Use a USB BIOS Recovery drive (if your motherboard allows) or a CD to flash the BIOS. These should overwrite the EPROM with a fresh copy. Both of which should be downloaded and created on a "clean" PC. A CMOS memory reset should be done too. This clears all hardware configurations and forces the new BIOS to re-evaluate the machine hardware.

    These are NOT the typical viruses, so you'll have to "re-build" your machine from scratch. Use precautions such as checking the BIOS download file size and use the verify option when burning a CD. The BIOS flash MUST NOT be interrupted. Stay away from the mouse and keyboard. If you don't have an Uninterruptible Power Supply, buy or borrow one for the BIOS flash. Everyone with a PC should have one. A UPS is cheap nowadays--cheaper than a motherboard or PSU. Consider it a necessary piece of PC hardware like any DVD or disk drive.

  8.    #28

    Carwiz, I had a tech in Office Depot make an offhand comment to me the other day that BIOS viruses cannot usually be reflashed. As I know nothing about them, can you comment on this? (And No, I don't consider such comments any more than trivia).

    I also have not had the time to read back through the thread to see where it's confirmed he has the BIOS virus. How is this actually seen, or is it just suspected because of its presence?


  9. Posts : 4,161
    Windows 7 Pro-x64
       #29

    Unless it's damaged, the BIOS should flash. A quick check is to see if the BIOS will allow the USB boot option. Or that you can get to the BIOS at all. The jumper setting for "Config" (on most motherboards) should be used. That's why it's better to use USB or CD. These contain a loader that the BIOS runs, if recognized. It's the first op after POST.

    I've only seen a couple of viruses that may have been a BIOS virus but apparently, they're becoming more prevalent and sophisticated. Most are pretty basic--You get pop-ups that you have a virus and get linked to a "removal site" via IE. From there, the site may trick you into loading "fixes" but are really just more viruses. A virus scan won't show anything because the "code" is in the BIOS extended service area and in the special partition.

    The more sophisticated viruses will turn your PC into a server or just sit back and "listen" to everything you do. More often than not, these are caught by accident. But, they all require initial loading. This is why it's important to keep your AV up to date, keep IE security settings tight and don't allow Flash to run for ALL sites. Pick and choose who you let add things to your PC.

    Adobe Flash Player is (was) the biggest open hole to Windows. Flash allows programmers to load over 1KB of data to your PC. This data can be anything from cookie type info to coded instructions. (Executable coded instructions). You can do a lot with 1KB. And this is on top of what you "allow" Flash sites to use. The 1KB records are not an option and are hidden. This is probably why MS is pushing HTML5 and why Apple won't support it at all.

    By the way, I allow only one site in all of the Internet to use Flash Player. That's Youtube.


  10. Posts : 4,161
    Windows 7 Pro-x64
       #30

    Also, that's why the MBR must be cleared. The BIOS looks there for its OS loaders. The BIOS virus will have an ID in the MBR and will get loaded from the special partition for every start. Wipe the disk, flash the BIOS and start like you're building a new system. Because that's what has to occur.
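A defender's check that follows from the advice above about an "ID in the MBR" and a partition Windows won't show: this added Python example (not posted in the thread, and not any vendor's tool) parses a raw 512-byte MBR, reads the disk signature at offset 440, validates the 0x55AA boot signature, and flags partition entries whose type codes mark them as hidden or firmware-related. The sample sector, its disk signature and the `HIDDEN_TYPES` lookup are constructed for the example.

```python
import struct

# Partition type codes that mark an entry as hidden or firmware-related (constructed, not exhaustive).
HIDDEN_TYPES = {
    0x12: "Compaq diagnostics / OEM recovery",
    0x16: "Hidden FAT16",
    0x17: "Hidden NTFS/HPFS",
    0x1B: "Hidden FAT32",
    0x1C: "Hidden FAT32 (LBA)",
    0xEF: "EFI System Partition",
}

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: bootstrap area, disk signature, four table entries, 0x55AA."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    parsed = {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_present": any(sector[:440]),          # any non-zero bootstrap byte
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": [],
    }
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parsed["partitions"].append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba, "sectors": count,
            "hidden": ptype in HIDDEN_TYPES,
        })
    return parsed

def suspicious_entries(parsed: dict) -> list:
    # Entries a Windows user would not see as a drive letter in Explorer.
    return [p["index"] for p in parsed["partitions"] if p["hidden"]]

def build_sample_mbr() -> bytes:
    """Constructed sample: one active NTFS volume followed by a hidden NTFS entry."""
    sector = bytearray(512)
    struct.pack_into("<I", sector, 440, 0x1234ABCD)                      # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x07, 2048, 204800)  # active NTFS, 100 MiB
    struct.pack_into("<B3xB3xII", sector, 462, 0x00, 0x17, 206848, 20480) # hidden NTFS, 10 MiB
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    report = parse_mbr(build_sample_mbr())
    print(f"disk signature 0x{report['disk_signature']:08X}, hidden entries: {suspicious_entries(report)}")
```

The same function can be run on the first 512 bytes of a disk image taken from a suspect drive, which is how a responder would confirm or rule out an unlisted partition before deciding on a full wipe.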

