Windows 7 Forums



Windows 7: HD plus Motherboard rootkit infection

05 Mar 2012   #1
sfeg

Win7 Pro x64
HD plus Motherboard rootkit infection

If both a HD and the motherboard firmware are infected by a trojan virus, how does one go about disinfecting? For the Mobo, does a Bios flash with updates take care of it?

But which one to do first? It seems that upon wipe/reinstall, the HD could get infected immediately again by the Mobo, and vice versa for the Mobo.

I'm thinking HD wipe, then Mobo flash, then HD format/reinstall... still not completely foolproof, but does that make sense or not?



05 Mar 2012   #2
profdlp

Main - Windows 7 Pro SP1 64-Bit; 2nd - Windows Server 2008 R2

You might try to first remove the hard drive, then flash the BIOS from a USB stick. Then attach the hard drive, boot from a DVD and wipe the drive. As for the BIOS flash, I've heard mixed results from ridding yourself of an infection that way. I'd try it, though, since the alternative is to order a brand new BIOS chip - and that's assuming it is of the "pop-out chip" type.
05 Mar 2012   #3
sfeg

Win7 Pro x64

But wouldn't the HD just re-infect the flashed Mobo? I don't suppose there is any way to wipe/reformat the HD without being connected to the Mobo. Unless you pay for services at a place which has "immune" Mobos, if that exists. So I'm thinking wipe, then quickly PULL that HD's SATA plug (and risk crashing?!).

This Tom's Hardware article, especially the final comment on 2/4/12, makes me feel very pessimistic about getting rid of rootkits:

Webroot Discovers BIOS Rootkit

The scary thing is, how would one even know if one was still infected and being keylogged/spied upon silently?


05 Mar 2012   #4
sfeg

Win7 Pro x64

If I use Diskpart or another utility (such as KillDisk or DBAN), is it possible to wipe the HD first but not format it yet? (Or do all wipes also format?)

While still unformatted, will the HD be un-writable, and thus un-infectable?

Then I would do the HD format to NTFS later, after flashing Mobo. By the way, FYI my Mobo's updates can be flashed via a USB drive only (CD/DVD isn't an option).
05 Mar 2012   #5
profdlp

Main - Windows 7 Pro SP1 64-Bit; 2nd - Windows Server 2008 R2

Booting from a DVD should allow you to wipe the HD without the HD having a chance to run anything. I'll hedge that a bit by saying that without knowing the nature of the worm in question I would hate to bet everything I own on that.

I haven't been in this situation myself so I can't offer any kind of precise "here's what I did and it worked" advice. Thinking by the seat of my pants, it seems your best option would be to give it a shot. If it doesn't work you'll be no worse off. The only 100% foolproof alternative I can think of would be to replace both the MB and the HD and toss the old ones in the trash.

You sound quite sure of the fact that the BIOS EEPROM is infected. I'm not doubting you, but I am curious as to how you came to this conclusion. I guess one of my worst fears when it comes to a MB would be something like this where it may be difficult to know that the patient has indeed been cured after treatment.
05 Mar 2012   #6
profdlp

Main - Windows 7 Pro SP1 64-Bit; 2nd - Windows Server 2008 R2

Sorry, I'm a slow typist and hadn't seen your reply when I posted back.

Quote: Originally Posted by sfeg
If I wipe the HD first but don't format it yet, will it be un-writable, and thus un-infectable?
That sounds very wise. I think that's an excellent way to go.

Quote:
By the way, my Mobo's updates can be flashed via a USB drive only (CD/DVD isn't an option).
That's fine. I was just suggesting you isolate the two devices while cleaning things up. Otherwise it would be like getting the flu and being admitted to the hospital, then sharing a room with another flu patient. You'd just end up passing it back and forth.
05 Mar 2012   #7
sfeg

Win7 Pro x64

No problem, thanks.

So then the question becomes, are there any wipe programs which will simply wipe but hold off on the formatting?

If not, do I maybe need to use Linux OS CD to do the wiping... and reformat it to FAT32 temporarily?
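The two questions in posts #4 and #7 (wipe without formatting, and whether a plain Linux live CD is enough to do it) come down to one thing: a zero-filled drive has no partition table and no filesystem signature, so nothing on it is bootable or mountable until you deliberately create a filesystem later. The script below is an added example written for this thread, not code from any of the posters or from DBAN/KillDisk. It runs against a constructed file-backed image so it can be tried offline; on a real machine booted from a live CD, the target would be a block device path and its size in bytes, both of which are assumptions you supply (and, as profdlp's hedge in post #5 notes, the wipe still relies on the firmware and controller that are executing it).

```shell
#!/bin/sh
# Added example (not from the thread): zero-fill a target and confirm it is
# left raw and unformatted. Demonstrated on a constructed file image; for a
# real disk, TARGET would be something like /dev/sdX (assumption) and SIZE its
# byte length.
set -eu

# Build a constructed "dirty" image: an NTFS OEM id at offset 3 and an MBR boot
# signature (0x55 0xAA) at offset 510, the two markers a wipe must erase.
make_dirty_image() {
  img=$1; size=$2
  dd if=/dev/zero of="$img" bs=1 count=0 seek="$size" 2>/dev/null
  printf 'NTFS' | dd of="$img" bs=1 seek=3 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Overwrite every byte of the target with zeros. No partition table or
# filesystem is created afterwards, so the target stays unformatted.
wipe_zero() {
  target=$1; size=$2
  full=$((size / 4096)); rest=$((size % 4096))
  dd if=/dev/zero of="$target" bs=4096 count="$full" conv=notrunc 2>/dev/null
  if [ "$rest" -gt 0 ]; then
    dd if=/dev/zero of="$target" bs=1 seek=$((full * 4096)) count="$rest" conv=notrunc 2>/dev/null
  fi
  sync
}

# Number of bytes that are not zero; 0 means the wipe covered everything.
nonzero_bytes() {
  tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# "yes" if bytes 510-511 hold the MBR boot signature, "no" otherwise.
has_boot_signature() {
  sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  if [ "$sig" = "55aa" ]; then echo yes; else echo no; fi
}

# The 4-byte OEM id field at offset 3 ("NTFS" on an NTFS volume), empty once wiped.
filesystem_oem_id() {
  dd if="$1" bs=1 skip=3 count=4 2>/dev/null | tr -d '\000'
}

# Demo on a 1 MiB constructed image.
demo=$(mktemp)
make_dirty_image "$demo" 1048576
echo "before wipe: oem_id=$(filesystem_oem_id "$demo") boot_sig=$(has_boot_signature "$demo") nonzero=$(nonzero_bytes "$demo")"
wipe_zero "$demo" 1048576
echo "after wipe:  oem_id='$(filesystem_oem_id "$demo")' boot_sig=$(has_boot_signature "$demo") nonzero=$(nonzero_bytes "$demo")"
rm -f "$demo"
```

After the wipe the checks report no boot signature, no OEM id and zero non-zero bytes, which is the "wiped but not formatted" state the thread is after; formatting to NTFS is a separate, later step once the BIOS has been reflashed.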
05 Mar 2012   #8
Golden
Microsoft MVP

Windows 7 Ult. x64

Hi,

You seem sure you have a rootkit. Do you know the name, and how did you uncover it?

Also, what is the make/name of your BIOS?

Regards,
Golden