BIOS virus and custom format from Windows 7.

stefsj

New member
Hello,

Recently I found a rootkit on my computer, in particular rootkit.tdss.tdl4. From what I read, I only got one of the best!

I have two questions:
First, how can I check if my BIOS was affected without flashing it? I am reading that this trojan could have been started from the BIOS itself and is very likely to show up again after doing a clean install. I have an HP laptop, so it seems like the flashing procedures require disconnecting the hard drive. Is that true for laptops?

Second, how do I format to make sure I clean the MBR? I have Vista and want to upgrade to Windows 7. I have a Windows 7 Ultimate upgrade disk which can do a Custom install, which should format it entirely. Tell me if I am thinking too old school here, but is doing a low-level (or zero-level) format necessary? From what I read, the Windows 7 full format function should be as powerful as the low-level one. Is that correct? I don't mind the extra few hours of work as long as I don't have any issues (at least with this trojan) afterwards. I am also worried that the upgrade Windows 7 disk might not have all of the formatting capabilities of a full version. Is that nonsense?

Thank you for your help!
P.S. I posted this on Microsoft Answers. I didn't read any rules forbidding cross-posting, but if there are, I will kindly remove it, and I apologize.
 

My Computer My Computer

At a glance

Windows Vista 32bit - updating to Windows 7 3...
OS
Windows Vista 32bit - updating to Windows 7 32bit
I have never had to remove a hard disk in order to flash a BIOS. Just make sure the battery is charged AND you have AC power, and never cancel or restart during a BIOS flash.

To make sure the disk is clean you need to delete all the partitions, then create a new partition in the unpartitioned space (goodbye recovery partition, so if possible make the recovery disks first).

I've never used an upgrade version, but see the tutorials section of this site; there are brilliant ones for all installation scenarios.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel Core2 Quad Q8300 2.5GhzKingston HyperX 4x1GB DDR2 1066MhzAsus/Nvidia 9500GT 1GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self Build
OS
Windows 7 Ultimate x64
CPU
Intel Core2 Quad Q8300 2.5Ghz
Motherboard
Asus P5QD Turbo
Memory
Kingston HyperX 4x1GB DDR2 1066Mhz
Graphics Card(s)
Asus/Nvidia 9500GT 1GB
Sound Card
On-Board HD
Monitor(s) Displays
22" Widescreen TFT
Screen Resolution
1920x1080
Hard Drives
2x 320Gb Seagate SATAII RAID 0
2x 80Gb Seagate SATAII RAID 0
1x 1tb hybrid (8gb ssd)
PSU
650w
Case
ATX
Cooling
140mm front, 120mm Rear, 80mm Chipset + stock CPU and GPU
Keyboard
Plastic one
Mouse
Plastic one
Internet Speed
4Mbps
Other Info
Laptop: HP Elitebook 2560p
i5 @2.7Ghz 4GB DDR3
Thank you for the quick response. It seems like you have done this before, so can you recommend particular software to flash the BIOS with? And what steps should I take? I will read the tutorials, but can you tell me if I should de-partition before I flash the BIOS?

I also wonder how I can check and be 100% sure that my data is not affected. I backed up (copied, not an image file; I didn't copy any exe files and no zip/rars) everything to a brand new external hard drive and checked it with Microsoft Security Essentials, and I also plan to scan it with Avast. Is there a way for this trojan to be hidden on the external hard drive if I test from a different computer?

Edit: Will the BIOS flash file given by HP work? Link
 
Welcome, Stefsj, to the Windows 7 forums.
Your edit:
Edit: Will the BIOS flash file given by HP work? Link

The only way to flash a BIOS is to use the manufacturer's BIOS update program.
Anyone who tells you that they have a new BIOS for your laptop is trying to set you up for failure.

Go to the HP site for your model of computer and get the BIOS update for your computer.

Rich
 

My Computer My Computer

At a glance

Windows 7 Pro x64 SP1Intel Core I716 GigsNVIDIA GeForce GTX 670M
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Laptop Qosimo X870
OS
Windows 7 Pro x64 SP1
CPU
Intel Core I7
Motherboard
Toshiba Qosmio
Memory
16 Gigs
Graphics Card(s)
NVIDIA GeForce GTX 670M
Monitor(s) Displays
17.7" laptop
Screen Resolution
1600 x 900
Hard Drives
256 Gig SanDisk SSD for C
256 Gig Intel SSD for D
Internet Speed
50/25 FIOS
Antivirus
Vipre (all you can eat for 10 machines)
Browser
IE and FF
Other Info
I have dos 6.22, wfwg 3.11, win98, 2000 and xp VHD's available for testing. MS's Virtual PC works great.
Thank you, Rich; that's why I think the link I provided should work, since it is directly from HP's web site. But the process seems "too" easy for flashing a BIOS, doesn't it? It simply says to run an exe.

So can anyone suggest whether I should flash the BIOS before I do a zero-level install?
 

If indeed you are confident that the virus has infected your BIOS, you should flash it just before you boot from the DVD to do the new install; otherwise your new installation could be just as infected as the previous one. As richnrockville said, you can only use the exact BIOS from HP for your exact model of machine.

Yes, BIOS flashing is commonly done from Windows these days; it used to be a floppy boot program, but not anymore.

I wouldn't allow the OS to boot again after flashing the BIOS, in case the virus re-infects your BIOS, undoing your hard work. Just accept the restart, then boot from the installation media.
 

Thank you both, this is very helpful.
gregrocker, what is the best way to test for infections on the BIOS? I'd rather not flash it unless it is needed, but how can you know? This TDSS rootkit has the potential to infect the BIOS so it will keep showing up when I format, and I want to be sure before I do all of the work.

I guess let me ask this: what is the worst that can happen when you flash the BIOS using the HP program? Given that you do it right, of course.

Thanks
 

Your computer will not produce more than a fan sound and a blank screen; that's the worst, and probably the best-case scenario if the BIOS is infected...

I just battled the same rootkit. It is EXTENSIVE and VERY DIFFICULT TO REMOVE. Depending on the exact version of the virus, it can propagate across a network by simulating a DHCP server; it can and does infect flash cards and media cards with auto-loading hidden links which will infect the next system upon recognizing the USB device. And YES, it absolutely infects the Repair Partition, and will be on any backups, whether images or files!

All have the common entity of a hidden encrypted partition at the end of the system drive, and extendedly after BIOS (sooner, I guess, if it's infected too).

It is not worth the hassle. As greg said, completely wipe/format/reinstall and take the hit with the loss of your personal files; additionally, wipe/format the backup media used at any point, and change your online passwords, as it sends keystrokes as well as other info to www servers.

Trust me, ask anyone with advanced security system knowledge, and they will say do all but burn it down.

TRY saving your computer's BIOS to still have a computer at least.
Although I don't think the BIOS infection version is quite "perfected" as of yet; it exists, but is somewhat "buggy"!

Sincerely,
Mike

Edit: and if you do use diskpart from a cmd prompt, run it off the DVD, and don't expect to see the boot/system drive (DR0); it is not displayed when infected.
 

My Computer My Computer

At a glance

MS Windows 7 Home Premium SP1 64-bit (Family ...AMD Phenom II X6: Black Ed 1090T - AM3 / 3.2G...2 dual ch sets OCZ DDR3 PC3-10666 Platinum 13...Onboard
Computer Manufacturer/Model Number
Custom self build - Desktop
OS
MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
CPU
AMD Phenom II X6: Black Ed 1090T - AM3 / 3.2GHz / 8MB
Motherboard
Biostar TA790XE3
Memory
2 dual ch sets OCZ DDR3 PC3-10666 Platinum 1333MHz 8GB total
Graphics Card(s)
Onboard
Sound Card
Onboard 5.1 channel HD
Monitor(s) Displays
SyncMaster "Legal-sized" LCD (rotatable)
Screen Resolution
unknown (8.5"x15")? pixels are not known
Hard Drives
HDD1: WD RE3 Enterprize [p/n: WD500ABYS-NDW]
________SATA-II (3Gb/s) 500GB/7200rpm/16MB

HDD2: Deskstar 7K1000.C [p/n: HDS721010CLA332]
________SATA-II (3Gb/s) 1TB/7200rpm/32MB
PSU
Antec 900W mATX 20+4 w/6-8SATA;2MLX;4x6(+2)PCIe[p/n HCG-900]
Case
Mid 10-bay tower - free space design interior & well vented
Cooling
CPU HS cooler, 14.5" Case-sysfan1, dual sysfan2, exhaust
Keyboard
Blue Star Ergonomic - ps/2
Mouse
LED coorded w/v. roller wheel - ps/2
Internet Speed
GbLAN 10/100/1000 & WLAN - on T1 (Peer Network)
Other Info
Harmon-Karden speakers (L,R @ sub)

APC (Lead/Acid Batt backup UPC+Surge protector+etc)

Sony DVD SATA(300) - RW DVD/CD SATA-II(300)
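
The "hidden encrypted partition at the end of the system drive" that Mike describes above leaves a measurable trace in the partition table: the last partition no longer reaches the end of the disk. The Python below is an added example written for this thread (not the rootkit's code, nor code from TDSSKiller or any other tool mentioned) that parses a raw MBR sector and flags an oversized trailing gap. The 8 MiB slack threshold and the constructed 160 GB sample layouts are assumptions, and the sector should come from a clean boot medium or another machine, since, as the thread notes, disk reads on the live infected system can be doctored.

```python
"""Partition-table check for the indicator discussed in this thread: a hidden
partition parked in unallocated space at the END of the system drive, visible as
a last partition that stops short of the end of the disk.  Reads no real drive."""
import struct
from dataclasses import dataclass

SECTOR = 512
MBR_SIGNATURE = 0xAA55
TABLE_OFFSET = 446  # the four 16-byte partition entries start here
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16


@dataclass
class PartitionEntry:
    slot: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        """First sector after the partition (exclusive end)."""
        return self.start_lba + self.sectors


def parse_mbr(sector: bytes) -> list:
    """Return the used entries of the MBR partition table in LBA 0."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}")
    entries = []
    for slot in range(4):
        status, type_id, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + slot * ENTRY_SIZE)
        if type_id == 0 or count == 0:
            continue  # unused slot
        entries.append(PartitionEntry(slot, status == 0x80, type_id, start, count))
    return entries


def trailing_unallocated_sectors(entries: list, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk."""
    if not entries:
        return disk_sectors
    return max(0, disk_sectors - max(e.end_lba for e in entries))


def tail_is_suspicious(sector: bytes, disk_sectors: int, max_slack_mib: int = 8) -> bool:
    """Flag a trailing gap larger than ordinary alignment slack.

    The 8 MiB threshold is an assumption, not a figure from the thread: a Vista/7
    install normally leaves far less unused at the end, so a bigger gap needs an
    explanation (a shrunk last partition, or one kept out of the table)."""
    gap = trailing_unallocated_sectors(parse_mbr(sector), disk_sectors)
    return gap * SECTOR > max_slack_mib * 1024 * 1024


def build_mbr(partitions) -> bytes:
    """Construct a sample MBR from (bootable, type_id, start_lba, sectors) tuples."""
    sector = bytearray(SECTOR)
    for slot, (bootable, type_id, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         0x80 if bootable else 0x00, type_id, start, count)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


# Constructed samples (not captured from a real machine): a 160 GB drive of
# 312,581,808 sectors with a 100 MiB boot partition and one NTFS (0x07) volume.
DISK_SECTORS = 312_581_808
CLEAN_MBR = build_mbr([
    (True, 0x07, 2_048, 204_800),
    (False, 0x07, 206_848, DISK_SECTORS - 206_848 - 2_048),  # 1 MiB slack
])
# Same layout with the volume shrunk by 64 MiB (131,072 sectors): the space freed
# at the tail of the drive is exactly where a hidden partition would sit.
SHRUNK_MBR = build_mbr([
    (True, 0x07, 2_048, 204_800),
    (False, 0x07, 206_848, DISK_SECTORS - 206_848 - 2_048 - 131_072),
])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("shrunk", SHRUNK_MBR)):
        gap = trailing_unallocated_sectors(parse_mbr(mbr), DISK_SECTORS)
        print(f"{name}: {gap} sectors ({gap * SECTOR // 2**20} MiB) unallocated "
              f"at the end; suspicious={tail_is_suspicious(mbr, DISK_SECTORS)}")
```

To use it on a real disk, pass the first 512 bytes captured from the physical drive while booted from clean media, together with the drive's total sector count; a flagged gap is a reason to inspect that region, not proof of infection on its own.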
Nine times out of ten flashing the BIOS will be fine; it's just so strongly advised against because when it does go wrong, it's a dead motherboard.

EDIT: or, rubyrubyroo, are you suggesting the virus will prevent a BIOS flash?
 

And do you think that this particular rootkit is not expecting the BIOS to be flashed? Once it's in, that's all it must protect against. I doubt it will allow that.
 

Good point; he really needs a way of identifying whether or not the BIOS has been infected, as if it has, there seems little point re-installing: with its foot in the BIOS it will surely re-manifest pretty soon.
 

I do not know the particulars of the disassembled BIOS, as my system was lucky enough to not have that capability. But I am implying that when the code infiltrates the chip, it has no way of being removed (unless you happen to have a pull-able EEPROM for the BIOS), and it will have permanent reinfection control if it can stay in the BIOS, so it's basically going to devote every bit of its virulence to not being removed. So I know that a hacker would want to protect against flashing the BIOS; therefore, if it is possible, that would be their primary objective at that point in the game.

Can it be prevented from being flashed, or "resist" the flash, or crash the flash midstream to wreck the BIOS, as you warned of earlier about not stopping in the middle of a BIOS flash? I don't know, but I don't see why not. Considering the BIOS (and therefore the rootkit code) executes prior to any drive, INCLUDING optical, etc., I'm guessing it would place some sort of TSR code, or simulate the actual BIOS loading the CD but with the additional malicious software present to evade being destroyed.

Mike
 

Feel free to see the second half of my infection (the first half was IDing it and getting into Windows). Together it took around 1-2 weeks of tearing DLLs out of everywhere, altering the binaries line by line at the boot sector, and probing every patched process including the kernel itself and the debugger; altogether over a hundred files, I'm sure. It hijacks your DNS and flushes the cache, and bypasses patch protection and 64-bit driver signature verification with ease. It's basically the devil (3.4 MILLION infections currently).
http://www.sevenforums.com/system-s...tdl4-rootkit-removal-cleanup-walkthrough.html

mike
 

Yeah, hopefully it's just in the MBR. I suppose all he can do is try the re-install and hope it's not infected. If the infection does come back after following the drive cleaning instructions previously posted, then try a flash, if possible from a bootable CD or USB drive (that's known to be clean, i.e. made on another non-networked system and not connected while his OS is live).

Of course we don't know if the OP is using a laptop or desktop. I have a fairly low-end redundant Gigabyte motherboard on my desk that does have a removable BIOS chip, so I'd say for a desktop it would be worth having a look to see if it's replaceable. I very much doubt a laptop would have a removable BIOS chip, as it's not even common on desktop boards.
 

That's probably his best chance, I would agree. BUT the problem with rootkits specifically is you will NEVER know if you still have the infection (this RK in its earlier days was called "the virus that you'll never know you have", although it's technically not a virus, just a dropper and a loader started pre-MBR). The point is, as I was continually told by every sec tech on these forums and more, you'll NEVER KNOW if it might be there or pop up, both due to its firm anchoring, fast evolution/mutation and esp. its stealthy ways of not being seen.

Just please, as heart-breaking as it might be, don't try to save any files, or this might happen next year and you end up losing the files you saved, as well as all your files again!

Sorry to be so bleak.
As long as the BIOS is clean, which I suspect it is, you've just got a bit of cleaning etc. to do, wiping the drive (not just format; you need to actually write over the drive with new meaningless 1's).

Good luck, and contact me if you need something.

Mike
 

take the hit with the loss of your personal files; additionally, wipe/format the backup media used at any point, and change your online passwords, as it sends keystrokes as well as other info to www servers.

Thanks for the response, rubyrubyroo.

So did you delete all of your data? Even music, pictures, Word, Excel, and other files? I just backed up everything on an external drive to be ready for the format. How do you test other drives? I caught it once using AVG, but it said 'it deleted it'. Since then, nothing on that or the other two computers that have shared a USB drive with the infected computer.

Thanks
 

Caught it once on the backup drive or on the system drive (with AVG)?


EDIT: and your backup is infected, or at least needs to be regarded as such, since you have no way of knowing the date of infection; it may be asymptomatic for 10 min or 6 months.

My story is much more complex, as I'm a computer tech and the drive was a VIP client of mine, a lawyer with the ONLY copy of ALL his clients' files on that drive. I did (PROBABLY) remove it, but it took a very extensive knowledge of assembly language, Windows processes and ntoskrnl.exe's actions and protections; it took me almost 2 weeks of nothing else, and it is impossible to be sure I did get it. If you could talk a rootkit/botkit expert into doing it, it would certainly cost many thousands of dollars. This man would have paid any price to have it fixed, as it was 25 years of his career, and with attorney-client confidentiality laws, he would surely be disbarred for negligence in protecting his clients' sensitive info, and potentially be placed in jail. So you can see one reason they can charge so much; added to the complexity and length of time spent, it is difficult for the best trained, and that's not me. I owed the man a favor, and I repay others' good deeds when they are addressed towards me.

There's a tidbit for ya! :)
 

On the system drive. Since then, the data files were backed up, and the system drive and the backup drive have been tested: AVG, MSE and Avast. Nothing. Only TDSSKiller found another "minor" TDSS system file on the system drive and removed it. Nothing on the other drive, or on any of the other 2 computers that have shared at least a flash drive with the system drive for the past few months.
 

When was the rootkit inserted into your system? There is no valid answer! Your backup is no longer sterile, and there is no such thing as semi-sterile; it is considered sterile or "potentially" contaminated, but is treated as definitely infected. A virus scanner is almost ineffective against a rootkit; it takes over Windows, so when you click on a folder with a file in it called, let's say, "Hi-Im-A-Root-Kit.exe", since the rootkit is pulling the strings of Windows, it wisely returns a folder that does not appear in any way to have that file present.

"only reliable way to remove them is to re-install the operating system from trusted media.[78][79] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits" - wikipedia

But your backup is untrusted media, and this is a very well-written kernel-mode rootkit/botkit, arguably the "best" to date.

PLEASE read this: it's actually kinda technical for Wikipedia, but see if you can understand a good bit of what is going on.
Rootkit - Wikipedia, the free encyclopedia
Please take the time to try to read it, as you need to realize rootkits are the worst, but this one (maybe in the article specifically? not sure) is the worst of the worst!

Don't trust me; talk to some of the higher-level security forum experts. They'll tell you what I am telling you almost straight across the board.

The only truly savable thing is a rootkit-free, fresh-installed Windows; by not keeping anything else you save the future of your comp.

Sorry, dude.
I encourage more higher-level conversations with others on these boards.

Mike
 
