HELP! UEFI BIOS or OS compromised?


  1. Posts : 23
    Win 10 Pro
       #1

    HELP! UEFI BIOS or OS compromised?


    I went to turn on my computer and the boot process stopped before loading Windows7 Pro(64) with a text message saying:

    "The system found unauthorized changes on the firmware, operating system or UEFI drivers.
    Press [N] to run next boot device, or enter directly to BIOS Setup, if there are no other boot devices installed.
    Go to BIOS Setup > Advanced > Boot and change the current boot device into another secured boot devices"

    The only thing I had done (afaik) since the last re-boot at the end of day the day before was install a bunch of Microsoft updates that required a reboot, and it rebooted without that message.

    I went into the BIOS and changed the Secure Boot setting from "Windows UEFI mode" to "Other OS" and the system then booted without a problem.

    BUT (YIKES!) - the whole thing has me worried that a security issue did occur and I've somehow been infected by something.

    Is this something that others have seen before, and should I be suspecting a real problem?

    I did a full scan for any viruses as soon as I was back in Windows 7, but the system seems to be clean.

    Any ideas??

    Thanks,

    Russell

    Windows7Pro(64), Asus P9X79-DLX, i7-3930K, 32GB RAM, Noctua N1, GeForce GTX750Ti, Samsung850Pro 256GB SSD


  2. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #2

    Hiyya Russell mate, run this Kaspersky Rescue Disk 10. It will require you to make a bootable disk or stick and set the BIOS to boot from whatever you have put the rescue disk on. I prefer a disk but the choice is yours.
    It runs without involving Windows and may take some time to scan, but it will scan everything.


  3. Posts : 23
    Win 10 Pro
    Thread Starter
       #3

    ICIT2LOL said:
    Hiyya Russell mate run this Kaspersky Rescue Disk 10 It runs without involving Windows and may take some time to scan but it will scan everything.
    Thanks ICIT2LOL, I'll give it a try. I did do a pretty thorough scan using Malwarebytes, though that was not via a boot disk. Kaspersky's not been one of my favourite AV programs for the past few years. But it'll be interesting to see what it reports.


  4. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #4

    Sorry, late reply mate, broadband playing up. No need to worry about it being Kaspersky; as I said it runs in a non-Windows system, a bit like a Linux OS.

    Personally I have used Kaspersky for the last six years on all my machines and have had no issues, though I do run MBAM and SuperAntiSpyware and ADWCleaner if necessary, the latter being the last to use, and from my links you can see Kaspersky can at times not like it, so I disable that while I am using it.
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
    Malwarebytes | Malwarebytes Anti-Malware Premium
    AdwCleaner Download
    delete any rubbish found with the malware scans
    (NB If one is running Kaspersky security it may rant about ADW - just ignore it or disable Kaspersky while the ADW is being used)


  5. Posts : 23
    Win 10 Pro
    Thread Starter
       #5

    Hi ICIT2LOL,

    I ran Kaspersky from the Boot CD and it came up clean after running all the various scan options (startup, root, efi, whole C drive). Though I worry about new infections that AV software knows nothing about yet.

    This is not a public computer, I'm the only person who uses it, and I'm *very careful* about what I do with it. I was really surprised by that login screen message.

    Could something in one of Microsoft's own updates have triggered such a warning at the UEFI level?

    Might something have just messed up on the MB BIOS (static charge..)?

    Disabling the UEFI 'Secure Boot' feature is a workaround. But I just hate these kinds of strange unexplained errors.

    I have a 3 month old backup of my main system drive (OS and apps only) that I'll restore to see if it resolves the issue. If so I'll just proceed to do whatever installs, updates and changes are needed to bring things up to date.

    Thanks for your help and suggestions

    Russell


  6. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #6

    Hey Russell, yes mate, I am not fond of those untied ends either, but sometimes glitches, for want of a better term, happen.
    There is so much nonsense (in my own mind) going on with Windows updates, and the fact that Microsoft want us all to use 10 come hell or high water, that I would not be surprised if it was caused by an update/s??

    Now if you are not wanting to upgrade - again a nonsense to me - to 10 then you need to watch for the updates that are put out that do not necessarily state they are 10 related, and to that end I always set updates to let me know about them and let me decide whether or not to download or install them.

    Personally I am using the batch file from this Upgrade to Windows 10 Update - Enable or Disable in Windows 7 or 8.1 - Windows 10 Forums to disable that upgrade and the GWX Control Panel from here Ultimate Outsider - Software Downloads < (use only the GWX app) to watch out for updates or files that creep through with updates that are 10 related on all of my machines.
    [Attached thumbnails: gwx-control.png, update-settings.png]


  7. Posts : 3
    W7 Ultimate SP1 x64 + W8.1 Enterprise x64
       #7

    Hi Russell,

    I had the same problem. Same message before booting Windows 7.
    After turning off Secure Boot in the BIOS, I could boot Windows 7 again.

    Windows 7 does not officially support Secure Boot, but in the past 23 months, Windows 7 happily booted with Secure Boot activated.

    I don't know exactly what happened, but here is some info that might help to identify the real problem ..

    My PC has an Asus Z87-Pro Motherboard.
    I am using UEFI mode, not legacy BIOS mode, so that the disks are partitioned in GPT mode, not (legacy) MBR mode.

    Windows 7 (64 bit) is installed on the first disk (Samsung SSD on first SATA port).
    Windows 8.1 (64 bit) is installed on the second disk (Western Digital HDD on second SATA port).

    Both Windows versions were installed independently from each other by physically disconnecting the other disk during installation.
    So I am not using the standard dual boot options of Windows, where the first (older) Windows version appears as an additional boot option in the Windows Boot Manager menu of the second (newer) Windows version. To select the Windows version to boot, I use the Asus BIOS boot menu instead.

    I was able to boot both Windows 7 and 8.1 with Secure Boot enabled in the past 23 months.
    After installing some Microsoft update in Windows 8.1, I could not boot Windows 7 anymore with Secure Boot activated, so I had to turn Secure Boot off.

    On March 21st, 2016, I installed the following optional 22 Microsoft updates for Windows 8.1 (64 bit):

    KB3139923: MSI repair doesn't work when MSI source is installed on an HTTP share in Windows
    KB3109976: Texas Instruments xHCI USB controllers may encounter a hardware issue on large data transfers in Windows 8.1
    KB3140234: "0x0000009F" Stop error when a Windows VPN client computer is shutdown with an active L2TP VPN connection
    KB3136019: Explorer.exe may crash when you play back an MPEG-4 file in Windows 8.1 or Windows RT 8.1
    KB3105115: Can't connect to the desktop of Windows 8.1 or Windows Server 2012 R2 from a remote desktop at low screen resolution
    KB3137728: VSS restore fails when you use ResyncLuns VSS API in Windows Server 2012 R2-based failover cluster
    KB3133681: Virtual machines don't respond to your operation in SCVMM in Windows Server 2012 R2
    KB3134785: Memory leak in RPCSS and DcomLaunch services in Windows 8.1 or Windows Server 2012 R2
    KB3140219: "0x00000133" Stop error after you install hotfix 3061460 in Windows Server 2012 R2
    KB3138602: "File contents" option is always selectable, Start screen becomes blank, or computer freezes when startup in Windows 8.1
    KB3140222: Conflicting files in Internet Explorer favorites when Work Folders is installed in Windows 8.1
    KB3137061: Windows Azure VMs don't recover from a network outage and data corruption issues occur
    KB3133690: Update to add Discrete Device Assignment support for Azure that runs on Windows Server 2012 R2-based guest VMs
    KB3137725: Get-StorageReliabilityCounter doesn't report correct values of temperature in Windows Server 2012 R2
    KB3100473: DNS records get deleted when you delete the scope on a Windows Server 2012 R2-based DHCP server
    KB3140786: Windows Server backup fails despite sufficient free space on target volume in Windows Server 2012 R2
    KB3103709: (no official MS docs ... check google yourself ...)
    KB3139219: 0x1E Stop error when you restart or shut down a computer running Windows 8.1 or Windows Server 2012 R2
    KB3115224: Reliability improvements for VMs that are running on a Windows Server 2012 R2 or Windows Server 2012 host
    KB3139165: High CPU load on a Windows Server 2012 R2-based server because NAT keep-alive timer isn't cleaned up
    KB3141074: "0x00000001" Stop error when a shared VHDX file is accessed in Windows Server 2012 R2-based Hyper-V guest
    KB3140250: MinDiffAreaFileSize doesn't work on Windows Server 2012 R2

    Right after these updates, the UEFI BIOS refused to boot Windows 7.

    The other (important and recommended) updates for Windows 8.1 for March 2016 were already installed on March 9th. After those updates, Windows 7 still booted with Secure Boot.

    Windows 7 updates also were installed on March 9th.

    In other words, I have to suspect that one of those 22 optional 8.1 updates messed something up ..

    I have not tried to fix the issue by uninstalling these 22 updates.

    Does someone know more or can explain what is going on?


  8. Posts : 23
    Win 10 Pro
    Thread Starter
       #8

    Hi MillKaDe,

    Our systems are quite similar as I'm running Win7-64 on an Asus P9X79-DLX w/ a Samsung 850Pro SSD. I'm not dual booting with 8.1. I too GPT formatted my SSD and that's why Secure Boot was enabled with the UEFI BIOS.

    I'm restoring my 4-month old backup this weekend on a second SSD and see what happens. If Secure Boot does not complain then I'll know it's something that happened after that point in time. I'll then add the MS updates and see if that breaks it. No big deal if it does as I'll just disable the Secure Boot feature knowing that the issue was caused by a MS update and not by some virus from outer space.

    I run 5 computers of various vintages and have upgraded all the others to Win10 (all clean installs). But this is my main work system and it's working fine. So I'm in no rush to upgrade it. I have a running list of all the Win10 nagware KB updates to avoid - a bit like playing whack-a-mole. All the Win10 systems use Startisback to restore a 'Win7' environment and Spybot Anti-Beacon works great to turn off all the MS spyware.

    I'll post my findings later this weekend re: what MS update(s) might have caused my Secure Boot option to start complaining.


  9. Posts : 3
    W7 Ultimate SP1 x64 + W8.1 Enterprise x64
       #9

    Hi Russell,

    here is some more information about how Secure Boot works: https://technet.microsoft.com/en-us/.../hh824987.aspx

    As far as I understand, the UEFI BIOS stores the required keys and signatures in NVRAM. The ASUS BIOS allows backing up the keys and signatures to a FAT formatted USB memory stick as files named 'PK', 'KEK', 'db' and 'dbx'.

    Some other links which seem to describe the same problem:

    a): windows 7 - System found unauthorized changes on the firmware - Super User

    b): https://hardforum.com/threads/secure...ows-7.1894722/

    In the second link, KB3133977 ( https://support.microsoft.com/en-us/kb/3133977 ) is mentioned. It seems to contain some UEFI related files: Bootmgfw.efi, Bootmgr.efi.
    I think these are stored in one of the hidden partitions.

    Maybe it is enough to uninstall KB 3133977 and maybe restore the hidden partition containing the EFI files. Of course you want to make a complete backup before trying my wild guesses ..

    And about getting rid of Windows 10 update nagware: https://support.microsoft.com/en-us/kb/3080351
    If you add the two registry keys explained in that KB, you won't get molested about Windows 10 anymore.
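The db and dbx variables (and the files an ASUS BIOS exports when backing them up) hold EFI_SIGNATURE_LIST structures, so a backup taken before an update can be diffed against one taken after it to see exactly which certificates or hashes changed. The parser below is an added example, not code from the thread or from any vendor; it assumes the exported files contain the raw variable contents, and the owner GUID and hash values in the sample are constructed, not real Microsoft revocation entries.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)

def parse_signature_lists(blob):
    """Return [(type_guid, owner_guid, data)] for every entry in a db/dbx dump;
    size fields are cross-checked so a truncated or corrupted dump raises ValueError."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        for i in range(0, len(body), sig_size):  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((type_guid, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def build_signature_list(type_guid, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST (no per-list header) from equal-length payloads."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return type_guid.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body

def new_entries(before, after):
    """Entries present in the 'after' dump that were absent from 'before'."""
    seen = set(parse_signature_lists(before))
    return [e for e in parse_signature_lists(after) if e not in seen]

# Constructed sample data (not real revocation hashes): a dbx holding one SHA-256
# entry, and the same dbx after an update appended a second list with two more.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
DBX_BEFORE = build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes([0x01]) * 32])
DBX_AFTER = DBX_BEFORE + build_signature_list(
    EFI_CERT_SHA256_GUID, OWNER, [bytes([0x02]) * 32, bytes([0x03]) * 32])

if __name__ == "__main__":
    for sig_type, owner, data in new_entries(DBX_BEFORE, DBX_AFTER):
        print("added entry type %s owner %s: %s" % (sig_type, owner, data.hex()))
```

To use it on a real backup, read the 'dbx' files from the two USB exports with open(path, "rb").read() and pass them to new_entries(); X509 entries carry a DER certificate as their payload, SHA-256 entries a 32-byte hash.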


  10. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #10

    Yes Millka, it goes on and on, and as I hinted at earlier I do not download updates per se unless I know they are free of crap, because I feel that M$ are not really that interested in keeping 7 as good as it needs to be.

    Plus as long as that batch file is installed and I use the GWX Control Panel (usually daily) I am happy as things are as I think that Microsoft are intent on everyone using 10 and no matter how benign updates look if I don't download them then the rubbish cannot creep in.

    Having said that is what I do - the GWX panel does still pick up stuff!
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.