BIOS/UEFI I think i have some sort of rootkit

lagigolo · Jun 6, 2016

I noticed the other day my lsass file had been modified. Started looking at the pc and it seems the bios has been rewritten.

It seems like the files its protecting are in the bios and its not really letting me boot from cd first. It pretends too, but any recovery stuff always comes up with errors or out of memory.

Any ideas or anybody come across something like this? I currently can't boot into windows as there is now a problem with the bootmanager and it won't let me reinstall or use any programmes to get it back. The original install disk it now says doesn't match.

I have tried linux discs too, but again fobs me off with fake loaders!!!
It won't let me delete anything, or modify anything, it keeps rebuilding itself. Although i managed to mess up the bootmanager somehow.

Spectre · Jun 6, 2016

I can't say that I've personally heard of it but have you tried updating it?

lagigolo · Jun 6, 2016

How would i do that? It now boots up to windows is missing boot manager press ctrl alt delete. Then if i put windows 7 dvd in, it won't repair, it won't install, its just stuck. It won't even let me load a live linux dvd to get on the internet with.

Even with the hdd removed bios stays the same, so its not the hdd faking it. Tried removing bios battery but it won't boot without it in.

Spectre · Jun 6, 2016

I'd try BIOS update from USB if you can.

Can you get into the BIOS/UEFI? If I remember right some have a mode to emulate old style BIOS.

lagigolo · Jun 6, 2016

i can get into the bios. Do you think a setting has changed into old style bios? If so what would i be looking for?

Its an amibios, so not many settings in there.

Spectre · Jun 6, 2016

lagigolo said:
i can get into the bios. Do you think a setting has changed into old style bios? If so what would i be looking for?

Its an amibios, so not many settings in there.

I was wondering if anything was different in old style BIOS emulation mode.

What board is it?

ketmp · Jun 6, 2016

What led you to see that BIOS files have been re-written?

BIOS is held on a EPROM type chip (maybe something similar nowadays) and retains date/time and some settings by use of CR2032 BIOS battery.

With Win7, you need to use CSM mode (legacy mode) and can you use hiren's bootCD and boot from that? This would then give you option of replacing boot table or using it's own one to see if you can then boot normally.

lagigolo · Jun 7, 2016

I was using hirens bootcd to nose around, it was this that let me look at some stuff. But again its only partially working. I did read one file on my pc which actually talks about creating fake copies of iso's and loading it from hard drive and pretending its booting from the dvd drive. It even quotes "Hirens" would be good to do this with, which is what i think is happening.

I will have another look at the weekend and get some more details.

It would be good if we could fix this as this was my best pc.

vessagoza · Jun 8, 2016

disable the secure boot and try again

lagigolo · Jun 11, 2016

I have tried disabling/enabling loads of different things in bios. But still no closer.

I do see something flash up on the screen before hirens loads up. One is something about pxe stack, the other is just too quick to read.

I can't reload windows 7 as it says its wrong version.

I am now thinking go for a windows 10 download. Can i download an official windows 10 iso? Also can i get the details i need for activation from a file on my pc so i can put the activation code in at the end or the beginning? Can it even be done this way?

I will need to burn this iso from another pc.

Hexadecimus · Nov 22, 2016

I think it would be very rare to have a virus actually infect the BIOS region unless it's a very old computer. Most modern chipsets have BIOS virus protection, and it would have to have written itself at least checksum before flashing if not a lot more to defeat antivirus countermeasures.

This might sound dumb, but have you run Memtest on it? I mean for a long time, not just one or two good passes. Load tested your power supply? I've had PCs to really weird things when RAM was intermittently flaky, including Windows running perfectly but refusing to install or boot from CDs.

I've also seen random crashes from dirty power on a flaky power supply. Things would work find and then crash or throw odd errors, access violations, just weird random stuff.

lagigolo · Nov 23, 2016

Thanks. I will get back round to this one day. Currently using another.

wattsy1612real · Nov 23, 2016

2 solutions you have in my opinion and very easy to rectify

solution 1 (extreme)

Boot a live kali distro from usb, once in the live OS run online house call and a root kit analyser

irradiate anything you find !

solution 2 Easy

create a windows 2 go image on a usb stick

load windows 2 go download the latest bios f/w from manufactures website update bios from windows end of.

i dont personally believe its your bios more than likely your ram i agree with Hexadecimus

bios (uefi) can be affected but its rare

cheers

wattsy1612

BIOS/UEFI I think i have some sort of rootkit

lagigolo

VIP Member

Spectre

Administrator

lagigolo

VIP Member

Spectre

Administrator

lagigolo

VIP Member

Spectre

Administrator

ketmp

Satellite Moderator

lagigolo

VIP Member

vessagoza

Inactive User

lagigolo

VIP Member

Hexadecimus

New Member ++

lagigolo

VIP Member

wattsy1612real

Inactive User

Similar threads

We value your privacy