how do i detect and remove a Bios Virus

Discussion in 'other security issues & news' started by winterlord, Oct 21, 2009.

Thread Status:
Not open for further replies.
  1. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    hello, i believe i have a bios virus, no matter how many times i do a re-install with a retail disk withe a hour to a day, same problems appear. alot of times i redo my pc and instantly when it boots up there are subtle but probably huge problems. just a few i can think of right off hand. but when i log in somewhere, i'll type text, name , password and i will see absolutyl nothing, key scrambler wont even work until i type username and password twice.

    another issue i get sometimes is when i redo my pc i go to log in and i am unable to type anything. i type and it dos'nt show up thus i cant log into my own computer. iv used both legacy keyboards and USB keyboards. nothing will work except on screen keyboard. sometimes it dos'nt happen when i re-install my operating system but will happen weeks down the rd, then this problem persist usaly for 3+ reboots then is fine again typing ect.

    another random problem is i use a limited user account, and rarly use the admin account well sometimes i can be logged i8n as limited user i open through c: drive, documents and settings, users admin it promts for a password i type it in, then i see all these strange files, not quit sure what they are but they start mostly with nt.(then a bunch of strange sysmbles here) and there is like 10-20 different files like that. but if i log in as administrator i cannot see those same files not even with selecting show hidden files ect.

    re-installing everything never helps i get basicly the same random stuff. iv tried using a western digital factory disk and formatting the boot drive, tried dariks boot nuke. thats spose to erase everything. and iv tried all of these methods seperat and in many different combinations. also when i re-install the OS i always unplug every hard drive except the boot drive, i also unplug the internet , and i dont plug in other hard drives until all upates are done, antivirus, firewall is installed and updated ect. updates updates ec t , before i plug in any other hard drive.

    so this pionts me to a bios virus. i also have 2 bios chips one is a recovery bios on my X58 motherboard for core i7. iv tried everything under the sun. and have searched the internet trying to find how i can detect and remove a bios virus. cant find much about it, so i decided to post here and see if anyone could give me some good recommendations to find and remove a bios virus.


    thanks
    winter
     
  2. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Hello winterlord

    Wouldn't removing the bios battery for a few seconds reset the BIOS to factory default?

    Alternatively, wouldn't flashing as per bios update also do the trick?

    philby
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, it could point to hundreds of things and a bios virus probably wouldn't be on that list.

    Occam's razor suggests reinfection or a continuing source of soft corruption, possibly both. Walk through Securing Your PC and Data and take pains to validate all the executables that you install. Do you use a router? Check for possible hardware issues. Are you overclocking? Is the CPU fan working? Is there a some other hardware function issue?

    The basic idea is to build from the ground up, assume nothing, verify everything, and take the process slowly so that you don't change a thousand things all at once, leaving you unable to identify a small group of changes that likely tied to your problems.

    Break the problem into manageable pieces. That's how you deal with complex situations.

    Blue
     
  4. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    i'll have to look at that link. but everything is working fine. built the computer in december 2008. no as far as verifying all exacutables. well im not sure i know how to do that. i normaly dont install much and usaly only use manufacter disk's or direct download to get stuff, from known websites. as for the bios battery i have'nt thought of that, but would it wipe the bios? also this motherboard wich is for the core i7 series, has dual bioses, so im not sure it would even be possable to wipe them both unless the bios battery would?? but i think bios's are programmed into the hardware. i also believe i would be a great target not because im rich or anything but because of stuff i use like etrade ect. also because my pc is extreamly fast i often worry about it being a good target to use as a server. strange things happen all the time that leads me to believe there is a ghost partition and or virtual machine installed.

    now i do very mildly overclock, nothing extream , but all has been tested and prime , and memtest verified to be stable. have high performance heatsink and fan. with lots of case fans in an antec case, and a very expinsive power supply. but i will check out the link
     
  5. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    If you added a bios password from the start? then I'd say you are not infected there. Also, you mostly run LUA? That would protect you from such a happening taking place. You would be vulnerable (but it's rare) on an admin account.

    Removing the battery will probably just reset any custom settings you've added - might work though

    You could try re-flashing the bios from a clean source, such as USB drive or ye olde Floppy drive. But prepare whichever on a clean PC. Disconnect the hardrive of the suspect drive and flash from source. Most modern bios' have flash from USB drive - less hassle.

    Try wiping the drive from a live cd, if you haven't already. Darik's boot and nuke is on UBCD4Win

    It's a good idea to scan the whole drive from a Live CD also. Might uncover something not showing whilst working within Windows.

    From reading your posts ... my thought immediately went to a hardware problem. But the random files ... I guess might point to something else ... be helpful if you wrote them down so you could check them.
     
  6. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    i did'nt use a bios password in the begging, but from here on out i will prolly always use one.
    however iv had the same similiar symptoms through 3 computers, that iv had in the past 4 years or so, (there are only 2 pc's in the house though mine and the wifes) now i know that may sound like a stretch, but on my last system i can recall actually having to RMA just the bios chip due to somthing i had no idea what but there where sypmtoms at the time i believe and ultamatly the bios became bricked so i had to RMA just the bios chip. strange but at the time it never occured to me it might of been a bios virus. iv never used pirated software, always has been manufacter disk only (i dont even trust downloadable iso's) but iv changed OS's over the years with almost identical symptoms (vista- windows 7rc and am getting retail) and every now and agian i find a new sympton and -an old symptom.
    i also unplug the 2 computers and do the updates ect indapendant from another and also i unplug router, modem ect for awhile to get new ip address. every time i redo um.

    now one thing that realy captured my attention that i found bizzare is i have a raid-0 array with 2 raptors 10krpm) well when i last redid my pc (in the past week) i deleted the raid array set drives back to non raid. and used dariks boot and nuke, i formatted from the cd, completly formated wiped ect just one of the drives. now when i set the raid back up installed win 7, i deleted and formated the drives as a raid (withen windows 7) again. then did the install. well as soon as everything was good and i went for the first reboot, to my suprise the disk that i fully wiped out registered as raid or system error. the one i did not fully nuke did'nt register any errors (on post, using an intel raid controller) so immediatly the disk i nuked basicly had errors and the other disk that i only formated through windows 7 had no errors, however the pc booted up just fine even though after rebooting a few times it still showed the one disk as having raid errors but not the other. and the pc would run fine showing the error on the boot screen, but i was not ok with that so i redid it again. later i find out that not all files are spanned across the raid , so next time i will nuke both disks seperatly wich will be very soon.

    hopefully this fixes the problem but all the strange stuff iv seen makes me kinda believe its in the bios. now when i nuke both disks and if the problem persists i am wondering,

    is there any way to scan for a bios virus?

    im in no hurry to rma or replace the bios chips, however if there is a bios check utility or somthin that would be alswome.
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    At the moment an extremely unlikely scenario and I would recommend reading over BlueZannetti's post.

    Problems with BIOS infection :

    Getting it there.
    Detection of initial infection.
    Different manufactures.
    Checksums, the BIOS is made up of several sections, each having a checksum, patched incorrectly = no boot.
    Keeping it there - updates.

    Possible detection :

    Event log will throw up unusual behaviour.
    WinDbg.
    Use Advanced Configuration and Power Interface tools.
     
  8. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Ummm no, I haven't ever heard of a scanner capable of checking the bios.

    Most bios' have a virus protection setting, but even this doesn't actually fully protect the bios, it's a MBR write protection (someone with more knowledge will hopefully explain :p ) - I was told that if you use Imaging back-up/rollback software, or virtualization, it's best to steer well clear of the bios virus protection setting. Password protecting the bios is the safest option.
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Protection,

    prevent flashing, depending on mobo - jumpers.
     
  10. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    well i dont use virtualzation (unless it's rougly installed by malware) or rollback software, and backups are generaly stored on a spare disk drive.
    i did'nt use bios passwords either for the longest time, but i am now well more informed and will definatly use bios passwords in future.
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Are you deleting all partitions first then recreating/formatting?
     
  12. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    BTW, I don't mean Virtualization per se I meant stuff like Shadow Defender, Returnil, etc, that write to/control the MBR.
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    A malware using direct disk access can circumvent the protection although you can guard against this. Also you would have to deny the use of MBR/Logical block addressing tools.
    I heard about something called MBRguard aka BootGuard by Blue Ridge Networks but I don't technically know how it works as I've never used it.
     
  14. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    yea im deleting all. i only have 2 36gb raptors in a raid0 configeration. so no extra partitions. and the other hard drives i always unplug them before redoing pc. so i can update, install anti-virus and firewall and update some more, before plugging in the extra hard drives. this ensures everything is clean. also i do notice a good bit opf errors in event viewer. one that seems to appear alot, is Homegroup listening service terminated with system specific error, and winintLog
    Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
     
    Last edited: Oct 31, 2009
  15. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    also, that BootGuard by Blue Ridge Networks, you mentioned, looks really great. was reading the pdf's but i could'nt figure out if it was compatable with windows 7 x64bit
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Be sure to unplug the computer instead of rebooting, this will prevent a memory resident malware from persisting across reboots.
    Do the same for your router, unplug while computer is unplugged (maybe reset), this will prevent a memory resident malware from persisting.

    Maybe you have:
    A Memory Resident Malware
    A Blue Pill/Red pill/Purple Pill
    A Hidden Partition Malware with UcLinuxOS(300KB)
    A PCI card Malware
    (My personal favorite)ACPI Malware.

    I have coated my Tinfoil hat with high quality mylar, attached a wire from it to a grounding rod
    with a capacitor in between for the purpose of gaining the potential difference to offset the carbon
    I am using in making this post.
     
  17. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    interesting. well whatever it is, and it causes several random problems, it actualy persist past total re-instals of windows. but im curios cause i noticed somthin in admin computer management. theres a 100mb partition that says system rereserved. seems iv seen that before but its not always there. but then again the iv seen it before may be because iv re-installed windows and everything else in the past 2 months (4hour or so job on a core i7 920 pc) so im not sure if its there on other re-installs or what, but i do rember that windows when you wipe the hard drives and do a fresh install of the OS in the begging windows reserves 100mb. i thought that was just for install but i could be wrong. also is this still suppose to be there under computer management in admin tools
     
  18. BILL G

    BILL G Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    80
    Location:
    MN USA
    This Thread reminds Me of one I read about 4yrs ago on Security Forum. The User tried many things over a 90Day period. It looked like he had some good help also. In the end he scraped the Computer & bought a new one. I came away from that Thread thinking there had to be a Bad Guy lurking in the Bushes in the Bios. Have you tried moving the Hardware 1 at a time to another Computer & see if the Problem follows?
     
  19. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I always come away from those threads thinking there's an undiagnosed software conflict and/or hardware issues. The problem is that everyone immediately jumps to malware on any unexpected or difficult to diagnose issue. If what is being noted is correctly represented (i.e. similar/same symptoms emerge after repeated bare metal reinstalls), the most probable explanation is not some magic malware rooting its way through the firmware or software of a system à la "that virus planted on the alien spaceship in the movie Independence Day". The source is likely much more mundane - and there are oodles of possibilities. Let's review:

    Problems from the start - a clue that there's a fundamental issue from the get go. Apply Occam's razor. In addition, a keyscrambler is being used. Details? You're already walking on the wild side here. Are you using validated clean software downloads?

    Unable to type anything, key scrambler installed - sign of a software/hardware conflict?

    Screenshots? Look, you want a diagnosis? Come with details, not roughly remembered impressions. The only way to debug a complex problem is to break the situation down into manageable bits and get the details right on all those small parts.

    Again, no details. It may look random to you, that doesn't mean it's random.

    If you overclock - all bets are off. Yea, just a little won't hurt. Well, verify everything works for an extended period with no overclocking. If it works fine, do the challenge experiment. If it doesn't, focus on the load you place on the system. Expensive power supply means nothing - how does it stack up versus the expected load?

    This is a red flag - it points to you doing something to cause this. If it's malware - it is continued reinfection. If it's not malware, something you're doing is compromising the stability of the systems. it could be either cause.

    What the heck does this mean?

    Blue
     
  20. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Exactly don't assume, the problem is probably more quintessential than you think. Forget bios, firmware virus.
     
  21. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    for the software, yea iv been using the bare minumal amount and it is all good stuff not pirated stuff.

    "Custom dynamic link libraries are being loaded for every application. "
    is something i see in the event viewer under admin tools.

    iv tried without light overclocks cause all my systems where generaly non overclocked for a good while before i tweaked them a bit. as for posably compramising somthing the only thing i can think of, but i doubt this would hurt, is i disable remote connections, and disable that windows remote desktop assistance. i also set my computer up using the public domain when it first detects a network. iv tried using home domain but id rather file and printer shareing be disabled so i use the public pc option for network wich says (this option is used for an untrusted network exp. coffe shops, airport, ect) that microsoft thing that pops up i forget what its called but it comes up as soon as you install the network drivers and it detects a network.

    im pretty savy with a pc have been learning pc's for gosh 15 years or so and took a few classes in networking at one time. iv tried just about everything that i know of. now the only other thing i can think of is if it is common, well when i order stuff like dvd burners hard drives ect, i always order them off newegg cause there cheaper there but are usaly new but an oem version.

    now as for checking firmware is firmware viruses common at all?

    also here are some of the most frequent things i notice in event viewer.

    1. Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. (wininit)
    2. The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />

    3. and there is this to, but this may be normal. as for the rest of the event viewer im not very fluent in what some of the code means

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 11/5/2009 11:20:03 PM
    Event ID: 4672
    Task Category: Special Logon
    Level: Information
    Keywords: Audit Success
    User: N/A
    PC
    Description:
    Special privileges assigned to new logon.



    Privileges: SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2009-11-06T05:20:03.006586900Z" />
    <EventRecordID>3125</EventRecordID>
    <Correlation />
    <Execution ProcessID="684" ThreadID="4304" />
    <Channel>Security</Channel>

    <Data Name="PrivilegeList">SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege</Data>
    </EventData>
    </Event>


    the only thing that bugs me about that is the part it says SEImpersonate privleges. no idea what that means.

    also i noticed this occur and i did'nt logoff but yet its there as if i did

    Logon Type: 2

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    and it had the time as of just a few minutes ago wich i know i was loggerd on been reading for hours at my pc.

    also i notice anytime i got to burn a cd or dvd or plug in a new thumb drive. it tries to right a file to it called desktop.ini i never ualy notice except when i put in a blank cd or dvd cause a message pops up files waiting to be burned to disk when i hav'nt even made anything. so i look and there it is desktop.ini also as far as cd's go i dont burn a whole lot. i dont even do back-ups right now, because this constantly comes back no since in backing it up.
     
    Last edited: Nov 6, 2009
  22. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    also here is a picture of that stuff i was talking about strange files ect. and sory for my slopy cut and paste job had to make the file smaller but cutting out most the windows you can see this thread in the backround on the side. thats what that is. but it's those wierd NT files i wonder about. also whenever i go to boot no matter it be safe morde or not i always find files that are in all caps then sometimes the same file in all lowercase. not sure if thats normal but i know when i boot into safe mode and as it shows stuff laoding half the driver names it loads are lower case, the other half are all upper case
     

    Attached Files:

    Last edited: Nov 6, 2009
  23. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    ok update. im almost certian now its a bios virus. either that or gigabyte did a real sloppy job on its bios with the enthiusest line of its motherboards. i have a x58 board for core i7 just noticed in the bios where it says DRAM Termination there are 6 spots for this hence ddr3 memory. i dont overclock much everything was set to normal but just out of curosity i looked through all the manual settings well for
    dram termination it was set to normal wich is 0.75v

    well setting it manualy to that number on the first one i only had 0.74 or 0.76
    on all the lines below it it was 0.75 or 0.78

    so there is a discrepency in the bios under dram termination value. they should all have the same setting for all 6 slots. the dram termination being anyone of those would not cause a problem however iv never know a motherboard company to put out a bios that dont have settings that match for all bays of ram. i find this to be very odd. also for the first line it shows normal as 0.75 however for that slot 0.75 is not an option only 0.76 or 0.74

    what do you guys think about this? im willing to except it aint a bios virus but that seemed odd to me, not sure if a firmware virus could cause this, but i doubt it since it's programed into the bios. but given that there is no fix for that if it is, then lets say it's firmware or something in the above post.. not sure what to make of it
     
    Last edited: Nov 7, 2009
  24. BILL G

    BILL G Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    80
    Location:
    MN USA
    BLUE very good Posts Info & Advice

    winterlord Have You CKT out GB Tech Help at forums.tweaktown.com ?
     
  25. winterlord

    winterlord Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    175
    no i hav'nt but i suppose i could give it a try thanks
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.