OK, so I got dragged into troubleshooting a virus on my in-laws' comp. It's an HP 6200 Pro, and the only place on the whole internet I've found the same virus description is in the link below: http://community.spiceworks.com/topic/233939-a-rather-stubborn-virus

The machine has been in a local computer shop prior to me getting hold of it (140-mile drive to collect it). Their guy tried the following:

First thing I did upon getting my grubby hands on it was to pull the CMOS battery and DBAN it; however, after 40 min uptime in Win7 the white screen reappears. So today I have done the following:

In short, it's either bouncing around between the UEFI BIOS and the MBR before POST, or it's in the firmware of the HDD (SCARES THE SH*T OUT OF ME). One thing I did notice is that the drive has 'one' bad sector, which I am hoping DBAN will resolve (if it's hiding in there).

The current method I am following now is this:

So any ideas, even in identifying this mofo virus?
BIOS viruses are very rare indeed. One thing worth trying is a different hard drive, to eliminate the possibility that it's hiding on there. Try doing a BIOS update just in case, as that will overwrite anything that is on there now.
This is no ordinary BIOS update; this is an HP BIOS update, whereupon it's impossible to obtain a .ROM file. Will look into that later; however, I would rather not involve another HDD, as it's proving to be impossible to clear even with DBAN!!! HOLY MOTHER OF GOD!
Sounds like a UEFI rootkit. Wipe the HDD in another old PC that does not use UEFI, from read-only media; burn DOS, the BIOS utility and the most recent BIOS file on CD so it's read-only, and do a complete erase/reprogram cycle with the BIOS utility. Surely they have a DOS-based utility and file, but you might have to contact support to obtain it. If that doesn't sort it, you might have to get a new BIOS chip; hope it's the removable kind, since it appears to be BTX style, so there's little hope of replacing it with a cheap off-the-shelf mobo.
From what little I gleaned it does not only affect the rpcnet.exe file but also the wtcsys.exe file. But yes, looks like a UEFI issue. Brilliant invention, that. I mean, it has a network stack and a remote access protocol, with block-level access to all storage devices on the PC. What could possibly go wrong?
The flash should take care of it. The problem is you're getting reinfected. Like lysol said, run a Linux distro (like in KDE here):

fdisk -l
fdisk /dev/[device]
P, n, p, 1, enter x2, P, t, 83, w
mkfs -t ext2 /dev/[partition]
fsck -f -y /dev/[partition]

Now sync and turn off the system. Re-flash and reinstall Windows (you can nuke the Linux part now). I should get paid for this kind of stuff; guys driving 140 miles to meet with luffagus who get paid to waste your time =]
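Added example, not from any poster in this thread: a small Python check for the "is it in the MBR?" question in the first post and for the wipe-and-repartition steps above. It parses the first 512 bytes of a disk (or image) and reports anything that contradicts a DBAN-wiped, all-zero sector 0; the sample sector is constructed inline, and the device path is a placeholder.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
DEVICE = "/dev/sdX"  # placeholder: the wiped drive, e.g. when attached over USB

def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR: boot code, four 16-byte partition entries, 0x55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count (LE)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_nonzero": any(sector[:446]),
            "signed": sector[510:512] == MBR_SIGNATURE,
            "partitions": parts}

def check_wiped(sector: bytes) -> list:
    """List everything in sector 0 that contradicts a freshly DBAN-wiped (all-zero) disk."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_nonzero"]:
        findings.append("boot code present in sector 0")
    if info["signed"]:
        findings.append("0x55AA signature present")
    for p in info["partitions"]:
        findings.append(f"partition {p['index']} type 0x{p['type']:02x} at LBA {p['lba_start']}")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample: non-zero boot stub plus one bootable 0x83 (Linux) partition."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x63\x90"  # constructed jump stub standing in for real boot code
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x83, 2048, 204800)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

def read_sector0(path: str = DEVICE) -> bytes:
    """Read the first sector of a block device or image (needs read access to the device)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

if __name__ == "__main__":
    for name, sec in (("wiped", bytes(SECTOR)), ("sample", build_sample_mbr())):
        print(name, check_wiped(sec) or ["nothing in sector 0: looks wiped"])
```

A clean sector 0 only rules out the MBR; it says nothing about the UEFI firmware or the drive's own firmware, which is where this thread suspects the infection lives.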
Really, UEFI was not a bad idea; it's just that they came up with Secure Boot too late, and even then it is not often being utilized, since it causes problems for non-Windows. Some UEFIs have the option to enable that; if it does, you might want to, as it defends against this type of rootkit, at least somewhat. It probably wasn't the best move for that person/team that found the flaws in UEFI to publish their rootkit framework code on the internet... while knowing no one is fixing it.
Pretty much just done the same: flashed the BIOS without the HDD installed, powered down, fired up an old laptop and DBANed the infected HDD over USB (many, many hours). Will bring them both together tomorrow morning, I imagine.
Jesus, I'd never even heard of this -- the possibility never even occurred to me. I'm glad you posted this so I'm now aware of their existence.
Aware, yes; however, a rootkit can lie dormant for as long as the admin wishes, and whilst dormant they're virtually undetectable. And as for this one, virtually impossible to shift. So good luck with your paranoia.
OK, problem persists since Saturday. Machine restarted during the update process, to then throw the white screen of doom.
Just used the Windows Defender Offline tool; still no luck. Picture time: I've thrown everything the internet has to offer at it, and it still keeps on appearing. I'm just happy I am a Linux user on hardware that uses old-school BIOSes!
Surely if you've nuked everything, including the BIOS, this can't keep recurring unless there's another entrance vector of some sort? It may sound unlikely, but is it a possibility that either the install media/drivers are compromised or the infection is coming from within your network? Depending on the board, I suppose you could swap in a completely new flashed BIOS chip and see what happens then...
I think that re-flashing the BIOS won't work. There is up to 16Mb of storage in there where it can hide. New BIOS chip plus drive scanned on another computer.
Silly question, but is it still under warranty? If it is, you may be able to ask HP to come out and have a look, or see if they have any suggestions; they have helped me when it was client damage and not their issue.