1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Other Virus -- FIXED -- WINNER

Discussion in 'Tech Support' started by Burnout21, 7 Jul 2012.

  1. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Argh don't get me started on the potential cost of time, this a family favour and pride at stake. I heard of a machine with a virus and the local computer shop couldn't fix it, so I accepted the challenge.

    TBH i am avoiding HP products along with any other brands now considering the "inbuilt" lojacking without end user choice. Shame as I rated HP very high regarding there business kit.
     
  2. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,650
    Likes Received:
    268
    Have you spoke to HP at all about this still? You want me to give them a call tomorrow? Can get you a price on a mainboard too if you like.
     
  3. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    PM'd
     
  4. The Monk

    The Monk Minimodder

    Joined:
    15 Dec 2010
    Posts:
    258
    Likes Received:
    9
    I've being following this thread from the start and honestly it scares the crap out of me. I wish you the best in sorting this out and keep us updated with how things are going.
     
  5. sp4nky

    sp4nky BF3: Aardfrith WoT: McGubbins

    Joined:
    15 Jul 2009
    Posts:
    1,706
    Likes Received:
    53
    Is it possible that computrace has been added to the motherboard as an extra chip, so it can't be removed / overwritten / etc.?
     
  6. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    Have to check that, i don't think so. I know the Gateway machines had their own chip. I wonder how much of a fit the machine would have if I was to remove the chip (if found). Can't be that simple...
     
  7. aramil

    aramil One does not simply upgrade Forums

    Joined:
    10 Jul 2012
    Posts:
    961
    Likes Received:
    57
    Ok having looked at this for a while the outgoing request goes to ip: 209.53.113.223 (so block it in router)

    Have a read......

    Edit: as you can see if you set a race condition it resets ALL options which would then mean you should get the bios options to enable/disable/perm disable, the last option removes the bios hooks so while it is on the bios the code is removed from the run list and so is not exploitable remotely. (you would have to create another race condition to reset the bios again.) which is why when you do a perm disable you cannot re enable it.
     
    Last edited: 31 Jul 2012
  8. glendronach

    glendronach What's a Dremel?

    Joined:
    1 May 2009
    Posts:
    360
    Likes Received:
    19
    Absolute state that the so-called Persistence Module is in a reserved area of the BIOS and is unaffected by reflashing.
    Quote
    Q. What happens if I flash my BIOS? Will I need to reinstall the software?
    A. No. If the Persistence Module in the BIOS has been enabled, the self-healing capability will repair the Agent software and your computer will still be protected. The enable/disable state of the Persistence Module is stored in a part of the BIOS that cannot be flashed to remove it

    I think your best bet is contact them rather than HP. If their software can be subject of a virus attack then it is very serious and has implications for a lot of people

    The Persistence Module is now in a very large number of PCs (Every Toshiba notebook) and notebooks from all the major companies.
     
  9. azrael-

    azrael- I'm special...

    Joined:
    18 May 2008
    Posts:
    3,852
    Likes Received:
    124
    Just finished reading this thread. Scary stuff indeed. Also had a look at the SP57421 BIOS distribution file (managed to find it before reading the part where you link to it :)).

    HP has actually gone out of its way to provide you with a total of 3 identical BIOS files. There's the J01.CAB file in the root folder, which is identical to the ROM.CAB file in the HPQFlash folder. Those CAB files contain a ROM.BIN file, which in turn is the binary equal of the J01_0221.BIN file in the DOS Flash folder.

    So I had a look at said file (as you also did, as far as I could gather) and sadly it doesn't use the structure of any firmware file known to me. I noticed however, that it is checksummed, so you probably couldn't tamper with it anyway. Also, there's a special file, flshuefi.cpu, which seems to be an UEFI driver. It's not present in any of the other folders.

    FWIW, of the three methods to flash the BIOS I'd use the DOSFlash utility. There's much less crap involved, unlike with HPQFlash. Why does it need to be 1.4MB in size, when DOSFlash is 58KB. And why does it need to contain root certificates from VeriSign et al. Also, DOSFlash, the small one, apparently has the ability to remove or alter the boot logo screen. That could mean that the code to create checksums is contained within the flasher and 58KB is a lot more managable than 1.4MB if one were to try to extract the checksum algorithm.

    Another thought crossed my mind regarding the HDD. Did you have any opportunity to try another HDD? Or have you tried low level formatting the drive? I wouldn't put it past this bugger to install itself in the spare area of the drive.
     
    Burnout21 likes this.
  10. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    I spotted that IP about 2 weeks ago, couldn't write it down fast enough, and I've never managed to find it again since! Thank you!!!

    In this HP bios there are no options to enable/disable the computrace functionality as shown in that Dell laptop in the video from the link.

    I've also been thinking that computrace has evolved since the days of separate chip, and what scares me is this.

    Computrace is now in a modern UEFI bios which gives it access to the network stack the instant the machine powers on, where upon it pings out to a server and gets a return message to enable the function to install rpcnet. Now if I was designing such an elegant security function I would enable a verify function, where upon the host requires a 'green' or 'red' light upon boot.

    So if the IP of the server is blocked at router level the computrace can't receive either a "green" or "red" light to which I would default to the "red" light condition which results in a lock down. I'm going to test this by blocking the IP, but I suspect there to be no change.


    Another scary function of this revision is its ability to evolve on the host machine. I can add additional start-up tools in hope to combat it after the white screen, but its changes and by-passes my attempts after one or two reboots.

    I seriously wish I had taken Computing science all those years ago and not Design, because computing for me is a mere hobby, but frankly this is more interesting than my Design profession at the moment.
     
  11. azrael-

    azrael- I'm special...

    Joined:
    18 May 2008
    Posts:
    3,852
    Likes Received:
    124
    A quick question. With this being a business-oriented Intel pc, is AMT enabled and if so, is it possible to disable it in the BIOS? With a bit of luck this option would be called something like "Unconfigure AMT".
     
  12. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,650
    Likes Received:
    268
  13. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    AMT is enabled, and I can disable it,

    However

    I just stumbled upon the "embedded security device" which has now been disabled

    under Security > System Security > Embedded security device Enable/Disable

    Also "OS management of Embedded System Security" also now disabled.

    These weren't in the original Bios when I first received the machine, nor did the release notes on this Bios reference these changes.

    So fresh Win7 Install underway hoping never to see rpcnet in the processes..
     
  14. azrael-

    azrael- I'm special...

    Joined:
    18 May 2008
    Posts:
    3,852
    Likes Received:
    124
    Sounds promising. Best of luck with the (hopefully last) reinstall! :thumb:
     
  15. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,650
    Likes Received:
    268
    just imagine if this WAS the last install. I will go out and sacrifice a few of my 6200's to the computer gods if it is.
     
  16. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    HELL NO,

    shutting off the embedded stuff just slowed the mofo down, the machine was up an extra 10min before it got white screened.

    I really should throw m0n0wall up and kill that IP, however its just putting a band aid on what is clearly a severed leg. The problem will remain.
     
  17. azrael-

    azrael- I'm special...

    Joined:
    18 May 2008
    Posts:
    3,852
    Likes Received:
    124
  18. Burnout21

    Burnout21 Is the daddy!

    Joined:
    9 Sep 2005
    Posts:
    8,614
    Likes Received:
    197
    You think turning off AMT might achieve something??

    Basically right now I am weighing up every new line of inquire against the hassle of re-installing Win7.

    Its not as if I can make an image of a clean install because rcpnetp is their from the beginning.
     
  19. azrael-

    azrael- I'm special...

    Joined:
    18 May 2008
    Posts:
    3,852
    Likes Received:
    124
    I know that an enabled and configured AMT module opens up a lot of access to the pc, including a built-in web server. But I'm not sure if you'll gain anything by disabling it. On the other hand you'll not lose anything that is important in this context either.

    I've been having a more thorough look at the firmware file to see if I can locate the CompuTrace module. I'm still having trouble with the structure, though. It's not clear where one component ends and another starts.
     
  20. aramil

    aramil One does not simply upgrade Forums

    Joined:
    10 Jul 2012
    Posts:
    961
    Likes Received:
    57
    OK I have some tools for you: HERE

    It has:
    sig disabled HP Bios Flasher (for flashing modded ROMs)
    CAB rom repacker & an update for it (for rebuilding HP ROMs)
    HP DMI TOOLKIT (can access options not listed in bios menus. ie back door) might be of use to you to have a look.

    Did you manage to dump a copy of your ROM?

    The struggle here is it seems (sorry not quiet finished looking at the decompile of the update ROM), is that it seems to hook into autochk.exe (which is a valid windows exe) and run it's own code directly at startup from there it is to late really (having a few conversations on this) so don't take as gospel yet....

    EDIT: I am using IDA pro to decom into separate files
     
    Last edited: 31 Jul 2012
    azrael- likes this.

Share This Page