Computer Hope

Software => Computer viruses and spyware => Topic started by: Valorus on November 20, 2012, 03:28:16 PM

Title: Malware changed bios settings, any way to access it again?
Post by: Valorus on November 20, 2012, 03:28:16 PM

I have a Gigabyte DQ6, core  2 duo that has picked up a virus that changed BIOS settings and won't allow me
to ref lash the BIOS. It changed the allowable upload to floppy only and the new BIOS is over 5mb so it won't
fit on a floppy. I need help changing BIOS upload choices to allow uploading to a USB stick or CD.

If anyone has any ideas, I'd really appreciate it.

Title: Re: Malware changed bios settings, any way to access it again?
Post by: SuperDave on November 20, 2012, 04:20:21 PM

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Let's run some scans to see if your computer is clean.

Please download AdwCleaner  (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner)by Xplode onto your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  
• Click on Search.
  
• A logfile will automatically open after the scan has finished.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

*********************************************
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Title: Re: Malware changed bios settings, any way to access it again?
Post by: Valorus on November 20, 2012, 04:32:41 PM

Hi Super Dave, thanks for your reply. I'm typing on a tablet now. I don't have a hard drive in the computer right now,
but I think I've got a clean one on the bench and if you'll bare with me,I'll get the data you wanted.


Thanks, Norm

Title: Re: Malware changed bios settings, any way to access it again?
Post by: Valorus on November 20, 2012, 07:39:23 PM

Here are the logs Dave:

I'm a little embarassed that this thing is working so well. I even deep formatted several HDDs and the bugs were always back.
I bought all new thumbdrives and just when I connected to the net, every thing I was trying to get rid of was back.
Well, let's see how the logs turn out. Thanks again,

Norm

PS I spoke too soon, it  only boots into the safe mode or system repair, then shuts down.

[year+ old attachment deleted by admin]

Title: Re: Malware changed bios settings, any way to access it again?
Post by: SuperDave on November 21, 2012, 01:32:06 PM

Go to this link to create a Rescue CD (http://evilfantasy.wordpress.com/2009/05/06/rescue-cds/) or to this site to create a Rescue USB (http://evilfantasy.wordpress.com/bitdefender-rescue-usb/). Carefully follow all the instructions for whichever method you choose.

Title: Re: Malware changed bios settings, any way to access it again?
Post by: Valorus on November 22, 2012, 08:59:50 AM

I've already done that Dave. The bug turns off the net connectivity when BitDefender begins, so it only has definitions from 2010. I know it's difficult
to believe a virus has actually gotten into the bios, but then how do we explain the fact that the user password has been disabled, the choices in QBIOS
have been altered to prevent changes to the bios, and this malware survived two deep formats that cleaned the whole HDD, including the boot sector
then replaced the boot files. If I'm completely off base, tell me, and if anyone has any suggestions, I'd sure like to know.

Thanks for your patience with my fumbling, I appreciate your help and hope you'll stick with me.

Title: Re: Malware changed bios settings, any way to access it again?
Post by: SuperDave on November 22, 2012, 01:36:27 PM

It's a long shot but let's try this. Note: there are three versions; one for 32 bit, one for 64 bit and one if you don't know which one to use.

x86 (32-bit) scan for Vista/7

Code:
Download Farbar Recovery Scan Tool  (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.
  

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[/list]

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to the disclaimer.
  
• Place a check next to List Drivers MD5 as well as the default check marks that are already there
• Press Scan button.
  
• type exit and reboot the computer normally
• FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

x64 (64-bit) scan for Vista/7

Code:
Download Farbar Recovery Scan Tool  (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a flash drive.

Please make sure to download the 64-bit version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.
  

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[/list]

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst64 and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to the disclaimer.
  
• Place a check next to List Drivers MD5 as well as the default check marks that are already there
• Press Scan button.
  
• type exit and reboot the computer normally
• FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Unsure if x86 or x64 for Vista/7 scan

Code:
Download Farbar Recovery Scan Tool  (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a flash drive.

Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell? (http://windows.microsoft.com/en-us/windows-vista/32-bit-and-64-bit-windows-frequently-asked-questions)
 
Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.
  

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[/list]

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to the disclaimer.
  
• Place a check next to List Drivers MD5 as well as the default check marks that are already there
• Press Scan button.
  
• type exit and reboot the computer normally
• FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.