Win Def Offline - no access to results, no log created


  1. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #51

    Back to purple.
    UsernameIssues said:
    Thank you for taking the time to write that out again. I somehow missed your post #28 on page 3 where you give similar details. I have never used DBAN. My cure for persistent infections is buying a new hard drive. Because folks give me "broken" computers in exchange for wiping the drives, I have used 7 SATA drives I knew to be clean.

    I need to try the BIOS password clearer you linked to. I have the HP BIOS downloaded on a clean computer to a new flash drive. However, I've run across PowerShell XML scripts that appear to force reboot as soon as you attempt to flash BIOS with a shocking error message screen right before it restarts. They simply rewrite the BIOS to their stored settings, as shown in this screen shot.

    [Attached image: wmibios_inf.png]

    It is odd that you have to log into this forum multiple times to make a post. It is a redirection in an attempt to key-log my password. So far my copy post, sign out, close Firefox, open Firefox, sign in, paste post strategy has worked.

    re: post #28:
    The "DO" in the URL is normal.


    I'm not sure what the "X:\V::" could be or where the XP OS is coming from. Let's see if Jacee or other forum members know of tools that might wipe the drive better. That would be wonderful! In the meantime, I need to work on clearing out the substitute BIOS and my cable modem (no router). I'm working through your posts as I have time.
    REALLY, REALLY appreciate your help, UNI! UG
      My Computer


  2. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #52

    Adding to my post #51

    UNI, I tried clearing the BIOS/CMOS using Method 2 here as you recommended in your post #46. I've tried the other 2 ways numerous times without success.

    Failing to enter the Setup Password 3 times did not give me the code I needed (surprise, surprise - NOT!). The PC simply proceeded to boot successfully (for the baddies, I guess).

    Could we take the info in that "WMIBIOS.inf" Notepad document and do anything with it to clear BIOS? I notice an entry for "hpqBIOSPasswordValue" and "HPBIOSUser". What about that security code at the end?

    Thanks, UNI, for any insight you might have.

      My Computer


  3. Posts : 10,485
    W7 Pro SP1 64bit
       #53

    Maybe I'm not understanding what you are saying:
    You mentioned running across PowerShell XML scripts and then you show a WMIBIOS.inf file opened in notepad. The contents of that INF file are not in the XML format* and the contents do not form a PowerShell script**. The INF file might be used by a PowerShell script, but the file itself is not a script. Think of that file as an answer file. Something that is used to tell a generic app info that it needs to do a specific series of tasks.


    *Scroll down a bit for the sample XML file.
    https://technet.microsoft.com/en-us/...=sql.105).aspx

    ** Scan this website for sample PowerShell scripts:
    https://technet.microsoft.com/en-us/.../hh551144.aspx


    The WMIBIOS.inf file seems to be for a 32bit app. Maybe that is not a problem or maybe you need a WMIBIOS.inf file that has the answers for a 64bit BIOS update app. I'm just guessing at this point - since the BIOS update app just reboots the computer without updating BIOS. I would not know how to make use of any of the info in that WMIBIOS.inf file - other than to use it with the app that it was written for.


    If you cannot get a Windows based app to update BIOS, can you find a BIOS update app/tool on the HP website that works with Linux? If so, then maybe you could boot to a Linux CD and update BIOS from there.
      My Computer


  4. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #54

    Thanks for more good info, UNI.

    UsernameIssues said:
    Maybe I'm not understanding what you are saying:
    You mentioned running across PowerShell XML scripts and then you show a WMIBIOS.inf file opened in notepad. I might be using the nomenclature incorrectly. Also, XMLs try to open in IE and the page remains blank. For some reason I was able to right click the file and "Open with" Notepad - better than nothing. I'll try to reinstall PowerShell under my user account and see if I can show you some of the XMLs. The contents of that INF file are not in the XML format* and the contents do not form a PowerShell script**. The INF file might be used by a PowerShell script, but the file itself is not a script. Think of that file as an answer file. Something that is used to tell a generic app info that it needs to do a specific series of tasks. That makes sense to me despite my ignorance of any kind of coding/scripting/command line syntax (I can copy & paste!), etc.

    Looking closely at the 3rd line of WMIBIOS.inf, who do you suppose our friend Minh might be?


    *Scroll down a bit for the sample XML file.
    https://technet.microsoft.com/en-us/...=sql.105).aspx

    ** Scan this website for sample PowerShell scripts:
    https://technet.microsoft.com/en-us/.../hh551144.aspx


    The WMIBIOS.inf file seems to be for a 32bit app. Wouldn't that make sense if SYSTEM is really within the XP installation on the virtual drive? Maybe that is not a problem or maybe you need a WMIBIOS.inf file that has the answers for a 64bit BIOS update app. I'm just guessing at this point - since the BIOS update app just reboots the computer without updating BIOS. I would not know how to make use of any of the info in that WMIBIOS.inf file - other than to use it with the app that it was written for. Am I right that those long alphanumerics in {} are registry keys? I don't mind fooling around in the registry since this has become a junk PC anyhow, it appears.


    If you cannot get a Windows based app to update BIOS, can you find a BIOS update app/tool on the HP website that works with Linux? If so, then maybe you could boot to a Linux CD and update BIOS from there. I have tried booting from Ubuntu 14 CD. The W7 install screen comes up!
    Going to do some tasks - back when I've got the info.

    Thanks again, UNI
    Last edited by UberGoober; 15 Nov 2015 at 03:32. Reason: color coding
      My Computer


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #55

    You can manually open notepad...
    ...set it to wrap text (Format > Word Wrap)
    ...drag/drop any file that you want into notepad.

    If you happen to drag/drop an EXE or DLL file into notepad, ignore the gibberish and scroll thru to read any plain text that there might be. I've found command line switches by doing that. If the file won't open because it is in use by another process, opening a copy of the file of interest sometimes helps (e.g. C:\Windows\Logs\CBS\CBS.log). If the file is too big for notepad, Wordpad might be able to handle it. I've opened 1GB+ text CBS log files in WordPad.


    Minh works for HP in some capacity. That line is a changelog.


    The alphanumeric items within those brackets are WmiClassGUID. You can read about them in this MS Word doc:
    download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/wmi_security.doc Skip to pages 7 and 8.

    You mentioned the registry. I think that you were thinking of a Class-GUID. The WmiClassGUID that you see in that INF file are longer than a Class-GUID. You can read about Class-GUIDs here: https://technet.microsoft.com/en-us/.../cc957340.aspx


    If you can run a 64bit app, then you are on a 64bit OS. XP can be 64bit too.


    To boot to a Linux CD, bring up the boot options menu. For HP, you repeatedly tap F9 during a reboot or force the menu by incorrectly powering down the computer.
      My Computer
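
    The Notepad trick from post #55, reading the plain text buried in an EXE or DLL to find command-line switches, can also be done programmatically. The following is an added example, not part of the original thread: it pulls printable runs out of raw bytes in both ASCII and UTF-16LE and lists tokens shaped like switches. The sample bytes, the name updater.exe and the switch names are constructed for illustration.

```python
import re

MIN_LEN = 5  # shortest run of characters worth reporting

# Printable ASCII, one byte per character.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters as UTF-16LE (each followed by a zero byte). Notepad
# shows these runs with gaps between letters, so they are easy to miss.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# A token shaped like a switch (/name, -name, --name) that is not part of
# a path, URL or hyphenated word.
SWITCH = re.compile(r"(?<![\w/\\:.-])[/-]{1,2}[A-Za-z][\w-]*")


def extract_strings(data: bytes) -> list[str]:
    """Return printable runs found in data, in the order they occur."""
    found = [(m.start(), m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(data)]
    return [text for _, text in sorted(found)]


def find_switches(strings: list[str]) -> list[str]:
    """Return the unique switch-like tokens seen in the extracted strings."""
    return sorted({m.group() for s in strings for m in SWITCH.finditer(s)})


# Constructed sample: binary junk around one ASCII and one UTF-16LE string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\xff\xfe\x01"
    + b"Usage: updater.exe /silent /log:<file>\x00"
    + b"\x07\x00\x10"
    + "-verbose enables detailed output".encode("utf-16-le")
    + b"\x00\x00\xde\xad"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for line in strings:
        print(line)
    print("switches:", find_switches(strings))
```

    To use it on a real file, pass the bytes of a copy of that file to extract_strings, as the post suggests for files that are in use.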


  6. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #56

    BEEPASQUILLRAOOOOOBEEP! ALARM! SYNAPSE OVERLOAD! SHUT DOWN UBERGOOBER'S BRAIN IMMEDIATELY TO PREVENT FATAL ERROR!

    I'm going to explore what you provided over the next 2 or 3 days, UNI.


    UsernameIssues said:
    You can manually open notepad...
    ...set it to wrap text (Format > Word Wrap)
    ...drag/drop any file that you want into notepad.

    If you happen to drag/drop an EXE or DLL file into notepad (Didn't know you could do that!), ignore the gibberish and scroll thru to read any plain text that there might be. I've found command line switches by doing that (if I do, might you be willing to help me interpret them?). If the file won't open because it is in use by another process, opening a copy of the file of interest sometimes helps (e.g. C:\Windows\Logs\CBS\CBS.log). If the file is too big for notepad, Wordpad might be able to handle it. I've opened 1GB+ text CBS log files in WordPad.


    Minh works for HP in some capacity. That line is a changelog.


    The alphanumeric items within those brackets are WmiClassGUID. You can read about them in this MS Word doc:
    download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/wmi_security.doc Skip to pages 7 and 8.

    You mentioned the registry. I think that you were thinking of a Class-GUID. The WmiClassGUID that you see in that INF file are longer than a Class-GUID. You can read about Class-GUIDs here: https://technet.microsoft.com/en-us/.../cc957340.aspx


    If you can run a 64bit app, then you are on a 64bit OS. XP can be 64bit too.


    To boot to a Linux CD, bring up the boot options menu. Ubuntu CD asked for "any key to boot from CD", which I did. F9 still works, too. I have CD/USB/HDD order just in hopes I'll always be able to boot from something. I'm talking about the problem mentioned in posts 28 and 49 where W2000, XPHome & Vista install CDs just trigger loading of the malware's version of W7. Did it to Ubuntu, too. For HP, you repeatedly tap F9 during a reboot or force the menu by incorrectly powering down the computer.
    Gonna get some brain food! Thanks again, UNI. UG
      My Computer


  7. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #57

    So sorry to have left this hanging, UNI. Had a health problem.

    Wanted to provide these attachments for folks who might be figuring out whether they have this malware or not. If you have the time and inclination, please look them over and let us know of any ideas they spark.

    Again, I thank you very much for all the time and effort you put in to helping me. UG

    Attachments:
    usbinfcopy.txt
    remoteserverbitsini.png
    badrootcert.png
    badcert.png
    forbiddenschema.png
    schema.png
    schema2.png
    schema3.png
      My Computer


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #58

    I see nothing wrong with the usbinfcopy text file that you attached and the file that you show via Notepad is normal. The remote server being talked about there is a Windows Update server. A server that sends you OS patches.

    I'm not sure what you are attempting to convey with the other screenshots. You will need to provide some context of how you got them.
      My Computer


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #59

    ixquick is a 'proxy' search page ... https://en.wikipedia.org/wiki/Ixquick

    Ixquick.com is not safe to use. As a matter of fact, it is a malicious website that pretends to be a real search website but actually it aims to promote advertisements and its associate websites by redirecting users to where they want. Apart from that, this website may also collect some sensitive data while you are using it.
    More here: How to Remove Ixquick.com Redirect (Ixquick.com Search Hijacking Removal Guide)- AnviSoft
    Don't install anything. Follow manual instructions.
      My Computer


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
