
Other Virus -- FIXED -- WINNER

Discussion in 'Tech Support' started by Burnout21, 7 Jul 2012.

  1. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Ok so I got dragged into troubleshooting a virus on my in-laws' comp. It's an HP 6200 Pro and the only place on the whole internet I've found the same virus description is in the below link

    http://community.spiceworks.com/topic/233939-a-rather-stubborn-virus

    The machine has been in a local computer shop prior to me getting hold of it (140 mile drive to collect it). Their guy tried the following

    First thing I did upon getting my grubby hands on it was to pull the CMOS battery and DBAN it, however after 40 min uptime in Win7 the white screen reappears.

    So today I have done the following
    In short it's either bouncing around between the UEFI BIOS and the MBR before POST or it's in the firmware of the HDD (SCARES THE SH*T OUT OF ME)

    One thing I did notice is that the drive has 'one' bad sector which I am hoping DBAN will resolve... (if it's hiding in there)

    The current method I am following now is this
    So any ideas, even in identifying this mofo virus?
     
    Last edited: 6 Aug 2012
  2. bulldogjeff

    bulldogjeff The modding head is firmly back on.

    Joined:
    2 Mar 2010
    Posts:
    8,403
    Likes Received:
    634
    BIOS viruses are very rare indeed. One thing worth trying is a different hard drive to eliminate the possibility that it's hiding on there. Try doing a BIOS update just in case, as that will overwrite anything that is on there now.
     
  3. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    This is no ordinary BIOS update, this is an HP BIOS update, whereupon it's impossible to obtain a .ROM file

    Will look into that later, however I would rather not involve another HDD as it's proving to be impossible to clear even with DBAN!!! HOLY MOTHER OF GOD!
     
  4. IvanIvanovich

    IvanIvanovich будет глотать вашу душу.

    Joined:
    31 Aug 2008
    Posts:
    4,870
    Likes Received:
    252
    Sounds like a UEFI rootkit. Wipe the HDD in another old PC that does not use UEFI, from read-only media; burn DOS, the BIOS utility and the most recent BIOS file on CD so it's read-only, and do a complete erase / reprogram cycle with the BIOS utility. Surely they have a DOS-based utility and file, but you might have to contact support to obtain it.
    If that doesn't sort it, you might have to get a new BIOS chip; hope it's the removable kind, since it appears to be BTX style, so little hope of replacing it with a cheap off-the-shelf mobo.
     
  5. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Sounds like a plan
     
  6. Nexxo

    Nexxo * Prefab Sprout – The King of Rock 'n' Roll

    Joined:
    23 Oct 2001
    Posts:
    34,543
    Likes Received:
    1,972
    From what little I gleaned it does not only affect the rpcnet.exe file but also the wtcsys.exe file. But yes, looks like a UEFI issue. Brilliant invention, that. I mean, it has a network stack and a remote access protocol, with block-level access to all storage devices on the PC. What could possibly go wrong?
     
  7. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Right, just flashed the BIOS with the HDD unplugged,

    time to move on to DBAN under old machine, joy!
     
  8. thehippoz

    thehippoz What's a Dremel?

    Joined:
    19 Dec 2008
    Posts:
    5,780
    Likes Received:
    174
    the flash should take care of it.. the problem is you're getting reinfected like lysol said

    run a Linux distro, like in KDE here

    fdisk -l                            # list the disks and find the right device
    fdisk /dev/[device]                 # interactive fdisk on the whole disk
    p, n, p, 1, enter x2, p, t, 83, w   # print table; new primary partition 1 with default start/end; print; set type 83 (Linux); write
    mkfs -t ext2 /dev/[partition]       # make an ext2 filesystem on the new partition
    fsck -f -y /dev/[partition]         # force a check, answering yes to any fixes

    now sync and turn off the system.. re-flash and reinstall windows (you can nuke the linux part now).. I should get paid for this kind of stuff- guys driving 140 miles to meet with luffagus who get paid to waste your time =]
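Added example, not code from thehippoz's post or from DBAN or fdisk: a small Python inspector for the first 512-byte sector of a disk image that reports whether the MBR is all zeros (as DBAN leaves it), whether the 0x55AA boot signature and any boot code are present, and which partition entries exist, so the wipe and the single type-83 partition laid out above can be checked from another machine. The sample sector is constructed in the code; the disk-image path helper is an assumption about how you would read a real drive.

```python
"""Inspect one MBR sector: wiped or not, boot code present, and the partition table."""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 4 x 16-byte entries live at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"          # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte sector; works on a wiped disk as well as a partitioned one."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    wiped = not any(sector)                                   # DBAN leaves every byte zero
    has_signature = sector[510:512] == BOOT_SIGNATURE
    boot_code_present = any(sector[:PART_TABLE_OFFSET])       # fdisk alone writes no boot code
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0 and sectors == 0:
            continue                                          # empty slot
        partitions.append({"index": i + 1, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"wiped": wiped, "has_signature": has_signature,
            "boot_code_present": boot_code_present, "partitions": partitions}


def read_first_sector(image_path: str) -> bytes:
    """Assumed helper: read sector 0 from a raw disk image or block device you can open."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(ptype=0x83, lba_start=2048, sectors=1_000_000,
                     bootable=False, boot_code=b"") -> bytes:
    """Constructed test sector (not a capture from the thread's machine)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    entry = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    print("after DBAN:", parse_mbr(bytes(SECTOR_SIZE)))
    print("after fdisk:", parse_mbr(build_sample_mbr()))
```

A sector that is neither all zeros nor exactly the layout you created, or one with boot code on a disk fdisk alone should have left without any, is the thing to look at more closely.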
     
  9. IvanIvanovich

    IvanIvanovich будет глотать вашу душу.

    Joined:
    31 Aug 2008
    Posts:
    4,870
    Likes Received:
    252
    Really UEFI was not a bad idea, just they came up with Secure Boot too late and even then it is not often being utilized since it causes problems for non-Windows. Some UEFI have the option to enable that; if it does you might want to, as it defends against this type of rootkit at least somewhat. It probably wasn't the best move for that person/team that found the flaws in UEFI to publish their rootkit framework code on the internet... while knowing no one is fixing it. :thumb:
     
    thehippoz likes this.
  10. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Pretty much just done the same: flashed BIOS without HDD installed, PWR down. Fired up old laptop and DBAN'd the infected HDD over USB (many many hours); will bring them both together I imagine tomorrow morning.
     
  11. Nexxo

    Nexxo * Prefab Sprout – The King of Rock 'n' Roll

    Joined:
    23 Oct 2001
    Posts:
    34,543
    Likes Received:
    1,972
    Some people should just be given a Chromebook. They're less trouble that way. :p
     
  12. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Pen and paper you mean!
     
  13. digitaldunc

    digitaldunc What's a Dremel?

    Joined:
    4 Oct 2010
    Posts:
    629
    Likes Received:
    24
    Jesus, I'd never even heard of this -- the possibility never even occurred to me.

    I'm glad you posted this so I'm now aware of their existence.
     
  14. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Aware yes, however a rootkit can lie dormant for as long as the admin wishes and whilst dormant they're virtually undetectable. And as for this one, virtually impossible to shift.

    So good luck with your paranoia
     
  15. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    OK, problem persists

    Since Saturday
    Machine restarted during the update process, to then throw the white screen of doom.
     
  16. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Just used the Windows Defender Offline tool, still no luck.

    Picture time

    I've thrown everything the internet has to offer at it, and it still keeps on appearing. I'm just happy I am a linux user on hardware that uses old school bioses!
     
  17. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Posts:
    4,699
    Likes Received:
    172
    ha, maybe for now, but won't be long before they are a major pain in the arse too
     
  18. digitaldunc

    digitaldunc What's a Dremel?

    Joined:
    4 Oct 2010
    Posts:
    629
    Likes Received:
    24
    Surely if you've nuked everything including the BIOS this can't keep re-occurring unless there's another entrance vector of some sort?

    It may sound unlikely, but is it a possibility either the install media/drivers are compromised or the infection is coming from within your network?

    Dependent on board I suppose you could swap out with a completely new flashed BIOS chip and see what happens then...
     
  19. Nexxo

    Nexxo * Prefab Sprout – The King of Rock 'n' Roll

    Joined:
    23 Oct 2001
    Posts:
    34,543
    Likes Received:
    1,972
    I think that re-flashing the BIOS won't work. There is up to 16Mb of storage in there where it can hide. New BIOS chip plus drive scanned on another computer.
     
  20. deathtaker27

    deathtaker27 #noob

    Joined:
    17 Apr 2010
    Posts:
    2,200
    Likes Received:
    156
    Silly question, but is it still under warranty? If it is, you may be able to ask HP to come out and have a look or see if they have any suggestions; they have helped me when it was client damage and not their issue
     
