Windows 7 Forums



Windows 7: HELP! UEFI BIOS or OS compromised?

20 Mar 2016   #1
RPmtl

Win 10 Pro
 
 
HELP! UEFI BIOS or OS compromised?

I went to turn on my computer and the boot process stopped before loading Windows7 Pro(64) with a text message saying:

"The system found unauthorized changes on the firmware, operating system or UEFI drivers.
Press [N] to run next boot device, or enter directly to BIOS Setup, if there are no other boot devices installed.
Go to BIOS Setup > Advanced > Boot and change the current boot device into another secured boot devices"

The only thing I had done (afaik) since the last re-boot at the end of the day the day before was install a bunch of Microsoft updates that required a reboot, and it rebooted without that message.

I went into the BIOS and changed the Secure Boot setting from "Windows UEFI mode" to "Other OS" and the system then booted without a problem.

BUT (YIKES!) - the whole thing has me worried that a security issue did occur and I've somehow been infected by something.

Is this something that others have seen before and should I be suspecting a real problem?

I did a full scan for any viruses as soon as I was back in Windows 7, but the system seems to be clean.

Any ideas??

Thanks,

Russell

Windows7Pro(64), Asus P9X79-DLX, i7-3930K, 32GB RAM, Nochua N1, Gforce GTX750Ti, Samsung850Pro 256GB SSD


21 Mar 2016   #2
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Hiyya Russell mate run this Kaspersky Rescue Disk 10 it will require you make a bootable disk or stick and set the BIOS to boot from whatever you have put the rescue disk on. I prefer a disk but the choice is yours.
It runs without involving Windows and may take some time to scan but it will scan everything.
21 Mar 2016   #3
RPmtl

Win 10 Pro
 
 

Quote: Originally Posted by ICIT2LOL
Hiyya Russell mate run this Kaspersky Rescue Disk 10 It runs without involving Windows and may take some time to scan but it will scan everything.
Thanks ICIT2LOL, I'll give it a try. I did do a pretty thorough scan using Malwarebytes, though that was not via a boot disk. Kaspersky's not been one of my favourite AV programs for the past few years. But it'll be interesting to see what it reports.

22 Mar 2016   #4
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Sorry for the late reply mate, broadband playing up. No need to worry about it being Kaspersky, as I said it runs in a non Windows system a bit like a Linux OS.

Personally I have used Kaspersky for the last six years on all my machines and have had no issues though I do run MBAM and SuperAntiSpyware and ADWCleaner if necessary the latter being the last to use and from my links you can see Kaspersky can at times not like it so I disable that while I am using it.
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Malwarebytes | Malwarebytes Anti-Malware Premium
AdwCleaner Download
delete any rubbish found with the malware scans
(NB If one is running Kaspersky security it may rant about ADW - just ignore it or disable Kaspersky while the ADW is being used)
22 Mar 2016   #5
RPmtl

Win 10 Pro
 
 

Hi ICIT2LOL,

I ran Kaspersky from the Boot CD and it came up clean after running all the various scan options (startup, root, efi, whole C drive). Though I worry about new infections that AV software knows nothing about yet.

This is not a public computer, I'm the only person who uses it, and I'm *very careful* about what I do with it. I was really surprised by that login screen message.

Could something in one of Microsoft's own updates have triggered such a warning at the UEFI level?

Might something have just messed up on the MB BIOS (static charge..)?

Disabling the UEFI 'Secure Boot' feature is a workaround. But I just hate these kind of strange unexplained errors.

I have a 3 month old backup of my main system drive (OS and apps only) that I'll restore to see if it resolves the issue. If so I'll just proceed to do whatever installs, updates and changes are needed to bring things up to date.

Thanks for your help and suggestions :-)

Russell
23 Mar 2016   #6
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Hey Russell yes mate I am not fond of those untied ends either but sometimes glitches for want of a better term happen.
There is so much nonsense (in my own mind) going on with Windows updates and the fact that Microsoft want us all to use 10 come hell or high water I would not be surprised if it was caused by an update/s??

Now if you are not wanting to upgrade - again a nonsense to me - to 10 then you need to watch for the updates that are put out that do not necessarily state they are 10 related, and to that end I always set updates to let me know about them and let me decide whether or not to download or install them.

Personally I am using the batch file from this Upgrade to Windows 10 Update - Enable or Disable in Windows 7 or 8.1 - Windows 10 Forums to disable that upgrade and the GWX Control Panel from here Ultimate Outsider - Software Downloads < (use only the GWX app) to watch out for updates or files that creep through with updates that are 10 related on all of my machines.


24 Mar 2016   #7
MillKaDe

W7 Ultimate SP1 x64 + W8.1 Enterprise x64
 
 

Hi Russell,

I had the same problem. Same message before booting Windows 7.
After turning off Secure Boot in the BIOS, I could boot Windows 7 again.

Windows 7 does not officially support Secure Boot, but in the past 23 months, Windows 7 happily booted with Secure Boot activated.

I don't know exactly what happened, but here is some info that might help to identify the real problem ..

My PC has an Asus Z87-Pro Motherboard.
I am using UEFI mode, not legacy BIOS mode, so that the disks are partitioned in GPT mode, not (legacy) MBR mode.

Windows 7 (64 bit) is installed on the first disk (Samsung SSD on first SATA port).
Windows 8.1 (64 bit) is installed on the second disk (Western Digital HDD on second SATA port).

Both Windows versions were installed independently from each other by physically disconnecting the other disk during installation.
So I am not using the standard dual boot options of Windows, where the first (older) Windows version appears as additional boot option in the Windows Boot Manager menu of the second (newer) Windows version. To select the Windows version to boot, I use the Asus BIOS boot menu instead.

I was able to boot both Windows 7 and 8.1 with Secure Boot enabled in the past 23 months.
After installing some Microsoft update in Windows 8.1, I could not boot Windows 7 anymore with Secure Boot activated, so I had to turn Secure Boot off.

On March 21st, 2016, I installed the following optional 22 Microsoft updates for Windows 8.1 (64 bit):

KB3139923: MSI repair doesn't work when MSI source is installed on an HTTP share in Windows
KB3109976: Texas Instruments xHCI USB controllers may encounter a hardware issue on large data transfers in Windows 8.1
KB3140234: "0x0000009F" Stop error when a Windows VPN client computer is shutdown with an active L2TP VPN connection
KB3136019: Explorer.exe may crash when you play back an MPEG-4 file in Windows 8.1 or Windows RT 8.1
KB3105115: Can't connect to the desktop of Windows 8.1 or Windows Server 2012 R2 from a remote desktop at low screen resolution
KB3137728: VSS restore fails when you use ResyncLuns VSS API in Windows Server 2012 R2-based failover cluster
KB3133681: Virtual machines don't respond to your operation in SCVMM in Windows Server 2012 R2
KB3134785: Memory leak in RPCSS and DcomLaunch services in Windows 8.1 or Windows Server 2012 R2
KB3140219: "0x00000133" Stop error after you install hotfix 3061460 in Windows Server 2012 R2
KB3138602: "File contents" option is always selectable, Start screen becomes blank, or computer freezes when startup in Windows 8.1
KB3140222: Conflicting files in Internet Explorer favorites when Work Folders is installed in Windows 8.1
KB3137061: Windows Azure VMs don't recover from a network outage and data corruption issues occur
KB3133690: Update to add Discrete Device Assignment support for Azure that runs on Windows Server 2012 R2-based guest VMs
KB3137725: Get-StorageReliabilityCounter doesn't report correct values of temperature in Windows Server 2012 R2
KB3100473: DNS records get deleted when you delete the scope on a Windows Server 2012 R2-based DHCP server
KB3140786: Windows Server backup fails despite sufficient free space on target volume in Windows Server 2012 R2
KB3103709: (no official MS docs ... check google yourself ...)
KB3139219: 0x1E Stop error when you restart or shut down a computer running Windows 8.1 or Windows Server 2012 R2
KB3115224: Reliability improvements for VMs that are running on a Windows Server 2012 R2 or Windows Server 2012 host
KB3139165: High CPU load on a Windows Server 2012 R2-based server because NAT keep-alive timer isn't cleaned up
KB3141074: "0x00000001" Stop error when a shared VHDX file is accessed in Windows Server 2012 R2-based Hyper-V guest
KB3140250: MinDiffAreaFileSize doesn't work on Windows Server 2012 R2

Right after these updates, the UEFI BIOS refused to boot Windows 7.

The other (important and recommended) updates for Windows 8.1 for March 2016 were already installed on March 9th. After those updates, Windows 7 still booted with Secure Boot.

Windows 7 updates also were installed on March 9th.

In other words, I have to suspect, that one of those 22 optional 8.1 updates messed something up ..

I have not tried to fix the issue by uninstalling these 22 updates.

Does someone know more or can explain what is going on ?
25 Mar 2016   #8
RPmtl

Win 10 Pro
 
 

Hi MillKaDe,

Our systems are quite similar as I'm running Win7-64 on an Asus P9X79-DLX w/ a Samsung 850Pro SSD. I'm not dual booting with 8.1. I too GPT formatted my SSD and that's why Secure Boot was enabled with the UEFI BIOS.

I'm restoring my 4-month old backup this weekend on a second SSD and see what happens. If Secure Boot does not complain then I'll know it's something that happened after that point in time. I'll then add the MS updates and see if that breaks it. No big deal if it does as I'll just disable the Secure Boot feature knowing that the issue was caused by a MS update and not by some virus from outer space.

I run 5 computers of various vintages and have upgraded all the others to Win10 (all clean installs). But this is my main work system and it's working fine. So I'm in no rush to upgrade it. I have a running list of all the Win10 nagware KB updates to avoid - a bit like playing whack-a-mole. All the Win10 systems use Startisback to restore a 'Win7' environment and Spybot Anti-Beacon works great to turn off all the MS spyware.

I'll post my findings later this weekend re: what MS update(s) might have caused my Secure Boot option to start complaining.
25 Mar 2016   #9
MillKaDe

W7 Ultimate SP1 x64 + W8.1 Enterprise x64
 
 

Hi Russell,

here is some more information about how Secure Boot works: https://technet.microsoft.com/en-us/.../hh824987.aspx

As far as I understand, the UEFI BIOS stores the required keys and signatures in NVRAM. The ASUS BIOS allows backing up the keys and signatures to a FAT formatted USB memory stick as files named 'PK', 'KEK', 'db' and 'dbx'.

Some other links which seem to describe the same problem:

a): windows 7 - System found unauthorized changes on the firmware - Super User

b): https://hardforum.com/threads/secure...ows-7.1894722/

In the second link, KB3133977 ( https://support.microsoft.com/en-us/kb/3133977 ) is mentioned. It seems to contain some UEFI related files: Bootmgfw.efi, Bootmgr.efi.
I think these are stored in one of the hidden partitions.

Maybe it is enough to uninstall KB 3133977 and maybe restore the hidden partition containing the EFI files. Of course you want to make a complete backup before trying my wild guesses ..

And about getting rid of Windows 10 update nagware: https://support.microsoft.com/en-us/kb/3080351
If you add the two registry keys explained in that KB, you won't get molested about Windows 10 anymore.
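
The Secure Boot variables named in post #9 (PK, KEK, db, dbx) all carry data in the UEFI EFI_SIGNATURE_LIST format. The Python below is an added example, not part of the original thread: it lists the entries in such a backup file so the allowed (db) and revoked (dbx) certificates and hashes can be compared before and after an update. It assumes the file holds bare signature lists with no wrapper header; build_list, the owner GUID and the sample bytes are constructed for illustration.

```python
import hashlib, struct, uuid

# Signature type GUIDs defined by the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "X509", SHA256: "SHA256"}

def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return one dict per entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        name = SIG_TYPES.get(sig_type, str(sig_type))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize at offset {off}")
        body = list_size - 28 - hdr_size
        if sig_size < 16 or body % sig_size:
            raise ValueError(f"bad SignatureSize at offset {off}")
        pos = off + 28 + hdr_size
        for _ in range(body // sig_size):
            data = blob[pos + 16:pos + sig_size]  # skip the 16-byte owner GUID
            entries.append({
                "type": name,
                "owner": str(uuid.UUID(bytes_le=blob[pos:pos + 16])),
                "size": len(data),
                # SHA256 entries are the image hash itself; anything else is fingerprinted.
                "id": data.hex() if name == "SHA256" else hashlib.sha256(data).hexdigest(),
            })
            pos += sig_size
        off += list_size
    return entries

def build_list(sig_type, owner, items):
    """Constructed-sample helper: pack equal-length items into one signature list."""
    body = b"".join(owner.bytes_le + d for d in items)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(items[0])) + body

# Constructed sample: one placeholder "certificate" and two image hashes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE = (build_list(X509, OWNER, [b"constructed-not-a-real-certificate"])
          + build_list(SHA256, OWNER, [hashlib.sha256(b"image-a").digest(),
                                       hashlib.sha256(b"image-b").digest()]))

if __name__ == "__main__":
    for e in parse_signature_lists(SAMPLE):
        print(e["type"], e["size"], e["id"][:16], e["owner"])
```

To use it on a real backup, read the file in binary mode and pass the bytes to parse_signature_lists; a ValueError on the first list usually means the file has a wrapper header that must be stripped first.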
25 Mar 2016   #10
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Yes Millka it goes on and on and as I hinted at earlier I do not download updates per se unless I know they are free of crap, because I feel that M$ are not really that interested in keeping 7 as good as it needs to be.

Plus as long as that batch file is installed and I use the GWX Control Panel (usually daily) I am happy as things are as I think that Microsoft are intent on everyone using 10 and no matter how benign updates look if I don't download them then the rubbish cannot creep in.

Having said that is what I do - the GWX panel does still pick up stuff!