Windows 7: BIOS virus and custom format from Windows 7.
06 Nov 2011
#1 | Windows Vista 32bit - updating to Windows 7 32bit
BIOS virus and custom format from Windows 7. Hello,
Recently I have found a rootkit on my computer, in particular rootkit.tdss.tdl4. From what I read only I got one of the best!
I have two questions:
First - how can I check if my BIOS was affected without flashing it? I am reading that this trojan could have been started exactly from the BIOS and is very likely to show up again after doing a clean install. I have an HP laptop, so it seems like the flashing procedures require disconnecting the hard drive - is that true for laptops?
Second, how do I format to make sure I clean the MBR? I have Vista, and want to upgrade to Windows 7. I have a Windows 7 Ultimate upgrade disk which can do a Custom install, which should format it entirely. Tell me if I am thinking too old school here, but is doing a low level (or zero level) format necessary? From what I read, the Windows 7 full format function should be as powerful as the low-level one. Is that correct? I don't mind the extra few hours of work as long as I don't have any issues (at least with this trojan) afterwards. I am also worried that the upgrade Windows 7 disk might not have all of the formatting capabilities of a full version, is that nonsense?
Thank you for your help!
P.S. I posted this on Microsoft Answers - I didn't read any rules forbidding cross-posting, but if there are, I will kindly remove it, and I apologize for that.
06 Nov 2011
#2 | Windows 7 Ultimate x64 UK
I have never had to remove a hard disk in order to flash a bios, just make sure the battery is charged AND you have AC power, never cancel or restart during a BIOS flash.
To make sure the disk is clean you need to delete all the partitions, then create a new partition in the unpartitioned space (goodbye recovery partition so if possible make the recovery disks first)
Never used an upgrade version, but see the tutorials section of this site, there are brilliant ones for all installation scenarios.
06 Nov 2011
#3 | Windows Vista 32bit - updating to Windows 7 32bit
Thank you for the quick response. Seems like you have done this before, so can you recommend a particular software to flash the BIOS with? And what should be the steps I take? I will read the tutorials, but can you tell me if I should de-partition before I flash the BIOS?
I also wonder how I can check and be 100% sure that my data is not affected? I backed up (copied, not an image file - didn't copy any exe files and no zip/rar's) everything to a brand new external hard drive and checked it with Microsoft Essentials, and also plan to scan it with Avast. Is there a way for this trojan to be hidden on the external hard drive if I test it from a different computer?
Edit: Will the BIOS flash file given by HP work? Link
Last edited by stefsj; 06 Nov 2011 at 05:46 PM..
Reason: Addition of link
06 Nov 2011
#4 | Windows 7 Pro x64 SP1, Rockville, Maryland USA
Welcome Stefsj to the windows 7 forums.
Your edit..
Edit: Will the BIOS flash file given by HP work? Link
The only way to flash a bios is to use the manufacturer's bios update program.
Anyone who tells you that they have a new bios for your laptop is trying to set you up for failure.
Go to the HP site for your model of computer and get the bios update for your computer.
Rich
06 Nov 2011
#5 | Windows Vista 32bit - updating to Windows 7 32bit
Thank you Rich, that's why I think this link that I provided should work since it is directly from HP's web site. But the process seems "too" easy for flashing BIOS, isn't it? Simply states to run an exe.
So does anyone suggest whether I should flash the BIOS before I do a zero-level install?
07 Nov 2011
#6 | Windows 7 Ultimate x64 UK
If indeed you are confident that the virus has infected your Bios you should flash it just before you boot from the dvd to do the new install, otherwise your new installation could be just as infected as the previous one. As richnrockville said, you can only use the exact bios from HP, for your exact model of machine.
Yes bios flashing is commonly done from windows these days, used to be a floppy boot program but not anymore.
I wouldn't allow the OS to boot again after flashing the BIOS in case the virus re-infects your BIOS undoing your hard work. Just accept the restart then boot from installation media.
07 Nov 2011
#8 | Windows Vista 32bit - updating to Windows 7 32bit
Thank you both, this is very helpful.
gregrocker, what is the best way to test for infections on the BIOS? I'd rather not flash it unless it is needed as well, but how can you know? This tdss rootkit has the potential to infect the BIOS so it will keep showing up when I format, and I want to be sure before I do all of the work.
I guess let me ask this - what is the worst that can happen when you flash the BIOS using the HP program? Given that you do it right of course.
Thanks
07 Nov 2011
#9 | MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade, Tampa Bay area, FL
Your computer will not produce more than a fan sound and a blank screen, that's the worst, and probably the best case scenario if BIOS is infected...
I just battled the same rootkit. It is EXTENSIVE and VERY DIFFICULT TO REMOVE - depending on the exact version of the virus, it can propagate across a network by simulating a DHCP server, it can and does infect flashcards and media cards with auto-loading hidden links which will infect the next system upon recognizing the USB device. And YES, it absolutely infects the Repair Partition, and will be on any backups, whether images or files!
All have the common entity of a hidden encrypted partition at the end of the system drive, and extendedly after BIOS (sooner, I guess, if it's infected too).
It is not worth the hassle; as greg said, completely wipe/format/reinstall and take the hit with the file loss of your personal files. Additionally wipe/format the backup media used at any point - and change your online passwords, as it sends keystrokes as well as other info to www servers.
Trust me, ask anyone with advanced security system knowledge, and they will say do all but burn it down.
TRY saving your computer BIOS to still have a computer at least.
Although I don't think the BIOS infection version is quite "perfected" as of yet, it exists, but is somewhat "buggy"!
Sincerely,
Mike
Edit: and if you do use diskpart from a cmd prompt, run it off the dvd, and don't expect to see the boot/system drive - DR0 - it is not displayed when infected.
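As an added illustration (not code from any poster in this thread), here is a small Python triage check for the two things rubyrubyroo describes: a modified MBR and a hidden partition squeezed in after the last real one. It parses a 512-byte MBR, hashes the boot code so it can be compared with a copy taken from a known-clean install, and reports how many sectors sit past the end of the last partition. The MBR bytes and the 100000-sector disk size are constructed sample data.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446      # four 16-byte partition entries start here
BOOT_CODE_LEN = 440     # bytes before the disk-signature field

def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR: boot-code hash, 0x55AA check and partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        start_lba, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "start": start_lba, "sectors": sectors})
    return {"valid_signature": mbr[510:512] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def trailing_unallocated_sectors(parsed: dict, disk_sectors: int) -> int:
    """Sectors after the last partition ends; a hidden end-of-disk partition lives there."""
    last_end = max((p["start"] + p["sectors"] for p in parsed["partitions"]), default=0)
    return disk_sectors - last_end

def boot_code_changed(parsed: dict, known_good_sha256: str) -> bool:
    """Compare the boot-code hash against a baseline recorded from a clean install."""
    return parsed["boot_code_sha256"] != known_good_sha256

def build_mbr(partitions, boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c") -> bytes:
    """Construct a sample MBR (test data only, not read from a real disk)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, start, sectors) in enumerate(partitions):
        off = TABLE_OFFSET + 16 * i
        mbr[off] = 0x80 if i == 0 else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed scenario: one NTFS partition (type 0x07) ending 7952 sectors before disk end.
CLEAN_MBR = build_mbr([(0x07, 2048, 90000)])
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_mbr([(0x07, 2048, 90000)], boot_code=b"\xeb\xfe")
```

Read the first 512 bytes of the physical disk from boot media rather than from the suspect OS (as the thread advises) and pass them to parse_mbr; a trailing gap of a megabyte or so is normal alignment, while a larger unexplained gap or any boot-code hash change deserves a closer look.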
07 Nov 2011
#10 | Windows 7 Ultimate x64 UK
Nine times out of ten flashing the BIOS will be fine, it's just so strongly advised against because when it does go wrong, it's a dead motherboard.
EDIT: or rubyrubyroo are you suggesting the virus will prevent a bios flash?