BIOS virus and custom format from Windows 7.

Yeah, I realize it is not a pretty picture. I will read and wipe out. I am still wondering about the external drive, however - it is 'potentially' infected, but when I run an anti-virus from a new clean computer, should it catch any of these bugs? Sounds like it should.
 

My Computer My Computer

At a glance

Windows Vista 32bit - updating to Windows 7 3...
OS
Windows Vista 32bit - updating to Windows 7 32bit
Yes, possibly some, but this is the latest and greatest rootkit (I believe the 1st to crack Win7 x64's three exceptionally solid safeguards). It is the work of a true genius team, just a very, very dark team!

Remember, you will never know you're free of the bug, ever ever.
 

My Computer My Computer

At a glance

MS Windows 7 Home Premium SP1 64-bit (Family ...AMD Phenom II X6: Black Ed 1090T - AM3 / 3.2G...2 dual ch sets OCZ DDR3 PC3-10666 Platinum 13...Onboard
Computer Manufacturer/Model Number
Custom self build - Desktop
OS
MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
CPU
AMD Phenom II X6: Black Ed 1090T - AM3 / 3.2GHz / 8MB
Motherboard
Biostar TA790XE3
Memory
2 dual ch sets OCZ DDR3 PC3-10666 Platinum 1333MHz 8GB total
Graphics Card(s)
Onboard
Sound Card
Onboard 5.1 channel HD
Monitor(s) Displays
SyncMaster "Legal-sized" LCD (rotatable)
Screen Resolution
unknown (8.5"x15")? pixels are not known
Hard Drives
HDD1: WD RE3 Enterprize [p/n: WD500ABYS-NDW]
________SATA-II (3Gb/s) 500GB/7200rpm/16MB

HDD2: Deskstar 7K1000.C [p/n: HDS721010CLA332]
________SATA-II (3Gb/s) 1TB/7200rpm/32MB
PSU
Antec 900W mATX 20+4 w/6-8SATA;2MLX;4x6(+2)PCIe[p/n HCG-900]
Case
Mid 10-bay tower - free space design interior & well vented
Cooling
CPU HS cooler, 14.5" Case-sysfan1, dual sysfan2, exhaust
Keyboard
Blue Star Ergonomic - ps/2
Mouse
LED coorded w/v. roller wheel - ps/2
Internet Speed
GbLAN 10/100/1000 & WLAN - on T1 (Peer Network)
Other Info
Harmon-Karden speakers (L,R @ sub)

APC (Lead/Acid Batt backup UPC+Surge protector+etc)

Sony DVD SATA(300) - RW DVD/CD SATA-II(300)
Well,
I think I am on course to re-write the MBR through the Windows CD Recovery portion and then do a clean install. I think I will let Windows 7 format instead of me doing a zero-fill format.
Since most likely this rootkit has made it to my USBs, which I keep testing from other computers and which show as not infected, is it possible for a Mac with Boot Camp to be infected (the Windows portion)? I ran Avast pre-boot on the Mac and the system machine, but it didn't catch anything worthwhile. Is that rootkit really hiding that well?
 

Well, I booted from the Win 7 CD and used the cmd to 'clean all'. Let's hope it is all gone now. Any recommendations of what to do with the external hard drive that has all of my data? I think I will extensively test it with AVG, MSE and try to run Malwarebytes and TDSSKiller on it. Any other suggestions?
 

That sounds like a good regimen to test the quarantined files on the external, but I don't know if you can ever be certain they are safe again. It is a calculated risk to use them; less risk the more you disinfect.

It will be in the MBR if the virus uses the EFI/UEFI features. Or at least its ID. Those types of BIOS viruses use the EFI feature, as if it were factory, to load shell extensions from a special partition. That's how most all the graphical BIOS update utilities work too. A drive that has that special partition would need to be wiped clean, including the MBR. One of the secure erase programs should be used because the special partition is not visible to Windows. It can't be formatted or deleted.

And, I would not use the ".exe" version of a BIOS flash--these will read portions of the BIOS first and save areas of the EPROM that could be infected. Use a USB BIOS Recovery drive (if your motherboard allows) or a CD to flash the BIOS. These should over-write the EPROM with a fresh copy. Both of which should be downloaded and created on a "clean" PC. A CMOS memory reset should be done too. This clears all hardware configurations and forces the new BIOS to re-evaluate the machine hardware.

These are NOT the typical viruses, so you'll have to "re-build" your machine from scratch. Use precautions such as checking the BIOS download file size and using the verify option when burning a CD. The BIOS flash MUST NOT be interrupted. Stay away from the mouse and keyboard. If you don't have an Uninterruptible Power Supply, buy or borrow one for the BIOS flash. Everyone with a PC should have one. A UPS is cheap nowadays--cheaper than a motherboard or PSU. Consider it a necessary piece of PC hardware like any DVD or disk drive.
 

My Computer My Computer

At a glance

Windows 7 Pro-x64i7-2600 3.4GHz - 3.8GHz Turbo8Gb - 2x4GB, Muskin 991770 PC3-1333Integrated Intel HD 2000
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Built 2/11/2011
OS
Windows 7 Pro-x64
CPU
i7-2600 3.4GHz - 3.8GHz Turbo
Motherboard
Intel DH67BL-B3
Memory
8Gb - 2x4GB, Muskin 991770 PC3-1333
Graphics Card(s)
Integrated Intel HD 2000
Sound Card
Integrated Intel 10.1 HD, RealTek ALC892
Monitor(s) Displays
Asus LCD VH222H, Haier HL24XSL2a
Screen Resolution
1920x1080, 1920x1080
Hard Drives
Crucial SSD C300-128Gb,
Western Digital WD5002AALX - 500Gb,
Western Digital WD7501AALS - 750Gb
PSU
Seasonic 650W 80+ Gold Modular
Case
Rosewill Defender
Cooling
Stock CPU, Four 120mm case fans, PCH fan added
Keyboard
Logitech EX100 Y-RBH94 Wireless
Mouse
Logitech EX100 M-RCE95 Wireless
Internet Speed
3.0/1.5 Mbs
Antivirus
Microsoft Security Essentials
Browser
Microsoft Internet Explorer 11
Other Info
Antec Veris Premier-Multimedia IR Station,
Cyber Accoustics-3602 Speakers,
AFT XM-5U Card Reader,
Hauppauge TV-HVR-2250,
Sony LX300 USB Turntable
Carwiz, I had a tech in Office Depot make an offhand comment to me the other day that BIOS viruses cannot usually be reflashed. As I know nothing about them, can you comment on this? (And no, I don't consider such comments any more than trivia.)

I also have not had the time to read back through the thread to see where it's confirmed he has the BIOS virus. How is this actually seen, or is it just suspected because of its presence?
 
Unless it's damaged, the BIOS should flash. A quick check is to see if the BIOS will allow the USB boot option, or that you can get to the BIOS at all. The jumper setting for "Config" (on most motherboards) should be used. That's why it's better to use USB or CD. These contain a loader that the BIOS runs, if recognized. It's the first op after POST.

I've only seen a couple of viruses that may have been a BIOS virus, but apparently they're becoming more prevalent and sophisticated. Most are pretty basic--you get pop-ups that you have a virus and get linked to a "removal site" via IE. From there, the site may trick you into loading "fixes" that are really just more viruses. A virus scan won't show anything because the "code" is in the BIOS extended service area and in the special partition.

The more sophisticated viruses will turn your PC into a server or just sit back and "listen" to everything you do. More often than not, these are caught by accident. But they all require initial loading. This is why it's important to keep your AV up to date, keep IE security settings tight and don't allow Flash to run for ALL sites. Pick and choose who you let add things to your PC.

Adobe Flash Player is (was) the biggest open hole in Windows. Flash allows programmers to load over 1KB of data to your PC. This data can be anything from cookie-type info to coded instructions (executable coded instructions). You can do a lot with 1KB. And this is on top of what you "allow" Flash sites to use. The 1KB records are not an option and are hidden. This is probably why MS is pushing HTML5 and why Apple won't support it at all.

By the way, I allow only one site in all of the Internet to use Flash Player. That's YouTube.
 

Also, that's why the MBR must be cleared. The BIOS looks there for its OS loaders. The BIOS virus will have an ID in the MBR and will get loaded from the special partition on every start. Wipe the disk, flash the BIOS and start like you're building a new system. Because that's what has to occur.
 

There is something I suspect is in the boot sector of the HD which cleaning with Diskpart will solve on installation failures. It works quite frequently. We once thought it required Clean All, but that is overkill since it works just as well with Clean. It is one of our first troubleshooting steps for install failures. I'd like to know exactly what it is, assuming it's corrupt boot code.

Recently we had 2 cases in a row where the BIOS wouldn't budge past POST with the HD attached, where cleaning solved it and allowed reinstall. It's a clue.
 
I'm pretty sure you already know this, but I've quoted a summation of the interaction of the BIOS with the boot sector for folks that are trying to follow this. Also add CD to the floppy and USB groups below (these have VBRs). I've also underlined in the quote what you are probably seeing/fixing.

On IBM PC compatible machines, the BIOS is ignorant of the distinction between Volume Boot Records (VBRs) and Master Boot Records (MBRs), and of partitioning. The firmware simply loads and runs the first sector of the storage device. If the device is a floppy or USB flash drive, that will be a VBR. If the device is a hard disk, that will be an MBR. It is the code in the MBR which generally understands disk partitioning, and in turn, is responsible for loading and running the VBR of whichever primary partition is set to boot (the active partition). The VBR then loads a second-stage bootloader from another location on the disk.

Furthermore, whatever is stored in the first sector of a floppy diskette, USB device, hard disk or any other bootable storage device, is not required to immediately load any bootstrap code for an OS, if ever. The BIOS merely passes control to whatever exists there, as long as the sector meets the very simple qualification of having the boot record signature of 0x55, 0xAA in its last two bytes. This is why it's easy to replace the usual bootstrap code found in an MBR with more complex loaders, even large multi-functional boot managers (programs stored elsewhere on the device which can run without an operating system), allowing users a number of choices in what occurs next. With this kind of freedom, abuse often occurs in the form of boot sector viruses.
 

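The two points above (Carwiz's advice that the MBR must be cleared and that a partition can sit in the table without Windows ever showing it, and the quoted description of the BIOS handing control to whatever sits in the first sector as long as it ends in 0x55 0xAA) are easiest to see with a small parser. The following is an added example written for this page, not code from the thread or from any tool named in it. It builds a 512-byte sample sector inline; the bootstrap bytes in that sample are a placeholder, not real Windows boot code, and the "known-good" copy it compares against is simply a second copy of the same placeholder.

```c
/* Added example (not from the thread): parse LBA 0 the way the BIOS and the
 * bootstrap code do, check the boot signature, decode the four primary
 * partition entries, flag "hidden" partition types, and diff the bootstrap
 * region against a reference copy. Sample data is constructed below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512
#define BOOTCODE_LEN 446   /* bytes 0..445 hold the bootstrap code */
#define PTABLE_OFF   446   /* four 16-byte primary partition entries */
#define SIG_OFF      510   /* boot signature 0x55 0xAA */

typedef struct {
    uint8_t  active;     /* 0x80 = active (bootable), 0x00 = inactive */
    uint8_t  type;       /* partition type ID */
    uint32_t lba_start;  /* first sector (little-endian on disk) */
    uint32_t sectors;    /* length in sectors */
} mbr_entry;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The only thing the BIOS itself checks before jumping into the sector. */
static int mbr_has_signature(const uint8_t *s) {
    return s[SIG_OFF] == 0x55 && s[SIG_OFF + 1] == 0xAA;
}

static mbr_entry mbr_get_entry(const uint8_t *s, int idx) {
    const uint8_t *p = s + PTABLE_OFF + 16 * idx;
    mbr_entry e = { p[0], p[4], le32(p + 8), le32(p + 12) };
    return e;
}

/* "Hidden" FAT/NTFS type IDs: the partition is in the table, but Windows
 * normally assigns it no drive letter, so it never appears in Explorer. */
static int mbr_type_is_hidden(uint8_t t) {
    return t == 0x11 || t == 0x14 || t == 0x16 || t == 0x17 ||
           t == 0x1B || t == 0x1C || t == 0x1E;
}

static int mbr_count_hidden(const uint8_t *s) {
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (mbr_type_is_hidden(mbr_get_entry(s, i).type)) n++;
    return n;
}

/* The bootstrap region is what a boot-sector rootkit rewrites; compare it
 * byte-for-byte against a copy saved from a known-clean install. */
static int mbr_bootcode_matches(const uint8_t *s, const uint8_t *reference) {
    return memcmp(s, reference, BOOTCODE_LEN) == 0;
}

/* Zero LBA 0: the part of `diskpart clean` that matters for the MBR
 * (clean also clears other areas of the disk). */
static void mbr_wipe(uint8_t *s) { memset(s, 0, SECTOR_SIZE); }

/* Constructed sample: placeholder bootstrap bytes (not real boot code), an
 * active NTFS partition, and a hidden-NTFS (0x17) partition right after it. */
static void build_sample(uint8_t *s) {
    memset(s, 0, SECTOR_SIZE);
    memset(s, 0x90, BOOTCODE_LEN);
    uint8_t *e0 = s + PTABLE_OFF, *e1 = e0 + 16;
    e0[0] = 0x80; e0[4] = 0x07; put_le32(e0 + 8, 2048);           put_le32(e0 + 12, 1048576);
    e1[0] = 0x00; e1[4] = 0x17; put_le32(e1 + 8, 2048 + 1048576); put_le32(e1 + 12, 204800);
    s[SIG_OFF] = 0x55; s[SIG_OFF + 1] = 0xAA;
}

/* Scenario helpers: build the sample and return one verdict each. */
static int sample_signature_ok(void)  { uint8_t s[SECTOR_SIZE]; build_sample(s); return mbr_has_signature(s); }
static int sample_hidden_count(void)  { uint8_t s[SECTOR_SIZE]; build_sample(s); return mbr_count_hidden(s); }
static int sample_entry_type(int idx) { uint8_t s[SECTOR_SIZE]; build_sample(s); return mbr_get_entry(s, idx).type; }
static int sample_bootcode_tampered(void) {
    uint8_t good[SECTOR_SIZE], seen[SECTOR_SIZE];
    build_sample(good);             /* reference copy */
    build_sample(seen);
    seen[0] = 0xEB;                 /* one byte changed in the bootstrap region */
    return !mbr_bootcode_matches(seen, good);
}
static int sample_signature_after_wipe(void) {
    uint8_t s[SECTOR_SIZE]; build_sample(s); mbr_wipe(s); return mbr_has_signature(s);
}

int main(void) {
    uint8_t s[SECTOR_SIZE];
    build_sample(s);
    printf("boot signature: %s\n", mbr_has_signature(s) ? "present" : "missing");
    for (int i = 0; i < 4; i++) {
        mbr_entry e = mbr_get_entry(s, i);
        if (e.type == 0) continue;
        printf("entry %d: type 0x%02X%s start %u len %u%s\n", i, e.type,
               e.active == 0x80 ? " (active)" : "", (unsigned)e.lba_start, (unsigned)e.sectors,
               mbr_type_is_hidden(e.type) ? "  <-- hidden type" : "");
    }
    printf("hidden entries: %d\n", mbr_count_hidden(s));
    return 0;
}
```

Two caveats when using this against a real disk image: a hidden partition type is a normal thing for OEM recovery partitions, so the flag means "go look", not "infected"; and a rootkit that keeps the stock bootstrap bytes in LBA 0 and hooks a later stage will pass the bootcode comparison, which is why the thread's advice is to wipe and rebuild rather than to trust any single check.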

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Yep, it overwrites the 13h interrupt in the interrupt table to start the 1st portion of the loader (which is one way to stop it from reinfecting upon reboot if you must work on it).


Carwiz... any idea where I could find a BIOS set of code (any newer x64-type machine) for reading through on the subway (any format)?
 

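Bruce's remark about the 13h interrupt, as an added example that is not part of the thread: a simulated real-mode interrupt vector table showing where the INT 13h vector lives, what a boot-sector hook changes, and a check that tells a vector into ROM space from one into conventional RAM. The ROM entry points (F000:FF53, F000:E3FE) and the 0x9F00 hook segment are assumed values used only to seed the simulation.

```c
/* Added example (not from the thread): a model of the real-mode IVT at
 * physical address 0. Vector n is a 4-byte far pointer at n*4, so INT 13h
 * lives at 0x4C. A boot-sector rootkit that "overwrites 13h" replaces that
 * pointer with one into its own resident code and chains to the saved BIOS
 * vector; putting the BIOS vector back is the un-hooking Bruce describes. */
#include <stdint.h>
#include <stdio.h>

#define IVT_ENTRIES 256
#define INT_DISK    0x13

/* Memory layout of one IVT slot: offset first, then segment. */
typedef struct { uint16_t off; uint16_t seg; } far_ptr;

static far_ptr ivt[IVT_ENTRIES];   /* stands in for physical 0x0000..0x03FF */
static far_ptr saved_int13;        /* copy the hook keeps so it can chain to the BIOS */

static uint32_t linear_of(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

/* Vector n is stored at physical address n*4. */
static uint32_t vector_address(uint8_t vec) { return (uint32_t)vec * 4; }

static void    ivt_set(uint8_t vec, uint16_t seg, uint16_t off) { ivt[vec].seg = seg; ivt[vec].off = off; }
static far_ptr ivt_get(uint8_t vec) { return ivt[vec]; }

/* ROM space in the first MiB runs from 0xC0000 (video/option ROMs) up to
 * 0xFFFFF (system BIOS). A disk-controller option ROM may legitimately own
 * INT 13h, so the check is "ROM space", not "system BIOS only". Anything
 * below 0xA0000 is conventional RAM, which POST never points a vector at. */
static int in_rom_space(far_ptr p) { return linear_of(p.seg, p.off) >= 0xC0000u; }

/* State after POST (assumed values: F000:FF53 is the classic dummy IRET,
 * F000:E3FE the classic INT 13h entry point in IBM-compatible BIOSes). */
static void ivt_init_post(void) {
    for (int v = 0; v < IVT_ENTRIES; v++) ivt_set((uint8_t)v, 0xF000, 0xFF53);
    ivt_set(INT_DISK, 0xF000, 0xE3FE);
}

/* Rootkit side: keep the original vector, then point INT 13h at resident code. */
static void hook_int13(uint16_t seg, uint16_t off) {
    saved_int13 = ivt_get(INT_DISK);
    ivt_set(INT_DISK, seg, off);
}

/* Defender side: put the saved BIOS vector back so disk reads bypass the hook. */
static void unhook_int13(void) { ivt[INT_DISK] = saved_int13; }

static int int13_looks_clean(void) { return in_rom_space(ivt_get(INT_DISK)); }

/* Scenarios. 0x9F00 is an assumed hook segment just under 640 KiB, where
 * boot-sector viruses classically reserve a few KiB by lowering the
 * memory-size word at 0040:0013 so the OS never reuses that memory. */
static int scenario_after_post(void)   { ivt_init_post(); return int13_looks_clean(); }
static int scenario_after_hook(void)   { ivt_init_post(); hook_int13(0x9F00, 0x0000); return int13_looks_clean(); }
static int scenario_after_unhook(void) { ivt_init_post(); hook_int13(0x9F00, 0x0000); unhook_int13(); return int13_looks_clean(); }

int main(void) {
    ivt_init_post();
    far_ptr p = ivt_get(INT_DISK);
    printf("INT 13h vector at 0x%04X: %04X:%04X (linear 0x%05X) clean=%d\n",
           (unsigned)vector_address(INT_DISK), p.seg, p.off, (unsigned)linear_of(p.seg, p.off), int13_looks_clean());
    hook_int13(0x9F00, 0x0000);
    p = ivt_get(INT_DISK);
    printf("after hook:   %04X:%04X (linear 0x%05X) clean=%d\n", p.seg, p.off, (unsigned)linear_of(p.seg, p.off), int13_looks_clean());
    unhook_int13();
    p = ivt_get(INT_DISK);
    printf("after unhook: %04X:%04X clean=%d\n", p.seg, p.off, int13_looks_clean());
    return 0;
}
```

On real hardware the equivalent check has to read the first kilobyte of physical memory from a real-mode environment, i.e. from boot media before any OS loader runs, because that is the only time the INT 13h hook is in play. Once Windows is up, disk I/O goes through its own drivers and never touches INT 13h, which is one reason an AV scanner running inside the infected OS sees nothing unusual.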
Carwiz... any idea where I could find a BIOS set of code (any newer x64-type machine) for reading through on the subway (any format)?
I haven't really looked but I'm guessing it could be extracted from a BIOS Flash.
(I won't mention how.) :)
 

Of that I have no doubt, but I am sure there is some floating around out there. I was just asking if you had any idea of where, but thanks for the answer (it's probably pretty straightforward to extract, as it makes "injection" or "flashing" a more straightforward process to perform). :)
 
