Solved Who (or what) is setting BIOS password?

[yky]

Recently, when trying to enter BIOS (an Asus motherboard), I was asked for a password. I have never set a password. Thus, the fact that I was asked for a password is unusual. I shutdown the computer, removed the CMOS battery, waited for a while, then started up the computer and hit "DEL" to enter the BIOS. This time, I was NOT asked for a password. I then boot into Windows 7 and restarted the computer. When trying to enter BIOS during this startup, I WAS asked for a password again.

Summary:

1. remove power cord, remove CMOS battery, put everything back, start the computer - no password request
2. afterwards, boot into Windows 7, restart the computer - BIOS asks for a password.

It seems to me a trojan on the harddisk is setting a BIOS password. Is this a valid interpretation of the above behavior?

I have scanned the harddisk with tdsskiller, rkill, aswmbr, AVG. They found nothing. I have used aswmbr to rewrite the MBR, run "bootrec "/fixboot" or "/fixmbr". The password request persists.

For now, I leave the computer alone. But I am thinking perhaps I should try a low level reformat of the harddisk to see if it can stop the password setting behavior. If I do that, I'll have to reinstall and update the Windows. It'll take many hours. I don't want to do it if I don't have to.

 

[HarriePateman]

Well im not to sure on how to get rid off it.

However it can be used in a work place were you don't want employees tampering around

Did you just buy the laptop?

 

[yky]

Thanks for the reply.

The desktop has been around for about a year. It was recently recovered (or maybe not?) from a virus (or viruses?) attack.

http://www.sevenforums.com/system-security/342408-strange-executable-name-folder-name-exe.html

 

[whs]

Maybe this would work: How to clear an unknown BIOS or CMOS password.

This would be the first case I have seen that a virus manipulates the BIOS - scary.

 

[LMiller7]

Computer specs? Is it a desktop or laptop?

For malware to change a BIOS password is barely possible but highly unlikely. The BIOS is proprietary and information about where and how BIOS passwords are stored is deliberately undocumented.

 

[Alejandro85]

Have you tried to properly reset the CMOS? Look at the motherboard manual for the reset jumper, there is always one that, when switches, completely clears the memory and all its settings. Switch the jumper to the "delete" position for a few seconds, then place it back where it was. Usually it's located near the battery but be sure and look in the manuals.

Then enter BIOS again, password should be gone forever.
It's rare to be a virus changing this, but it's not technically impossible. But for such level of an access, a driver is most likely needed, and for rootkits often the only sure way is to reformat and wipe the current install. I would seriously consider that if the problem persist.

 

[andrew129260]

As everyone else has already stated, while it is possible it is highly unlikely a virus or rootkit is doing this.
UNLESS the bios is uefi. If the bios is the old school bios, then it is unlikely.

I would go the clean install route however just to be certain. Or better yet, a different hard drive.


If it is a business pc or was before, some companies ask the manufacturer to apply what they call a persistent bios, where no matter what you do (except remove the cmos battery-you can make changes but then they are lost again on next boot) changes are lost in the bios firmware and cannot be changed. This is typically found is most secure business environments such as the government, or large corporations that are very keen on security.

 

[yky]

Thanks to everyone who replies to my problem.

The motherboard indeed has uefi. I have yet to find out the motherboard model number so to download its manual. Beside the password, everything else seems to work fine. Thus, I'm not in a hurry to figure out what's going on. I don't think the BIOS is permanently changed since removing battery gets rid of the problem (for once only).

 

[andrew129260]

I would flash the bios to defaults, and or update the bios to clear the possible threat.

 

[Layback Bear]

To get information about your system including your motherboard this little free program works well.

https://www.piriform.com/speccy

https://www.piriform.com/speccy/download

 

[yky]

Thanks to everyone who replied to my question.

I'm not suggesting that the BIOS has been changed. As removing the button battery would get rid of the password request problem (for one time only), it's clear BIOS itself is clean.

Anyway, I removed the battery and set the jumper to clear CMOS. Upon first startup, I was able to enter BIOS as there was no password request. However, just like before, since the second startup, the password request appeared again.

I finally set a BIOS password. Now, I can enter BIOS because I know what the password is.

 

[HarriePateman]

Thanks to everyone who replied to my question.

I'm not suggesting that the BIOS has been changed. As removing the button battery would get rid of the password request problem (for one time only), it's clear BIOS itself is clean.

Anyway, I removed the battery and set the jumper to clear CMOS. Upon first startup, I was able to enter BIOS as there was no password request. However, just like before, since the second startup, the password request appeared again.

I finally set a BIOS password. Now, I can enter BIOS because I know what the password is.

Its still strange why this happened though

Glad to hear its sorted though!