Spyware, Viruses, & Security forum

General discussion

BIOS Infected

by highly frustrated / November 29, 2009 10:31 AM PST

I have totally erased my hard drive and have clean installed a fresh OS, but noticed right away that my system immediately became corrupted again before I even had a chance to get on the internet. I highly suspect I have a trojan in my BIOS. I know that the type of infection that is in there allows someone to spy and take administrative control over my pc.

What is the 'easiest' and sure way of removing this trash from my pc? Would Debugging my system be an option? Whatever would be the best way to go, I will need step by step instructions, please.

Easiest way is to DBAN the HD
by Donna Buenaventura / November 29, 2009 4:47 PM PST
In reply to: BIOS Infected
DBAN is what I used .....
by highly frustrated / November 30, 2009 4:21 AM PST

... to erase the hard drive then I reinstalled on a clean raw partition a new Windows XP.

I know that the system is still corrupted because as soon as my roommate would go connect to his laptop in his office then suddenly my tower would start making all kinds of noises but my task manager would not show what was requiring so much CPU, especially when I would be sitting idle. He has now blocked me from going to Sophos, Combofix, whatever address might take me to anything that mentions rootkit or what he has known me to use in the past. He has locked down my CD/DVD ROM before and I had that replaced under warranty just for him to turn around and lock it down again. My gmail sign-in window is one of the tell-tale signs that lets me know there is something wrong and then I have other programs that will misbehave as well. I paid an online tech help $87 to find what was going on and they removed what they said was a corrupted file. However, even after uninstalling and reinstalling some programs that appeared to have been damaged by that file, those very programs continued to misbehave. They did not do this before I opened a stupid email from my roommate asking me a stupid question that he could have come right into the dining room to ask me. There are several other tell-tale signs but since he is constantly spying on my pc activities then I am not at liberty to say what they are because he will 'tweak' his gateway connection (which has flashed up a few times where it should not be showing up) and then it will turn up as another program suddenly misbehaving. Moving out unfortunately isn't an option for me right now so I am stuck trying to clean up my system and try to keep him out even when I have a BIOS password set, Safe Mode Administrator password set, and autoplays turned off with Old McDonald's Autorun Eater installed. I do not have any more cash to spend on this pc so I am looking for any way possible to make this pc safe again.

How about...
by Donna Buenaventura / November 30, 2009 10:55 AM PST

trying MBR Rootkit Detector and Avira Boot Sector Repair Tool
http://free-av.com/en/tools/9/avira_boot_sector_repair_tool.html
http://www2.gmer.net/mbr/

You can also use the command fix /mbr

Please tell more.
by Kees Bakker / November 29, 2009 4:53 PM PST
In reply to: BIOS Infected

1. About your infection.
2. How you noticed your system was 'corrupted' and what exactly that means.
3. How you 'totally erased' the hard drive.

Kees

DBAN again
by highly frustrated / November 30, 2009 10:28 AM PST
In reply to: Please tell more.

I just successfully completed another DBAN and before I even installed my OS I had 8MB of Unpartitioned space showing. My message says C: Partition1 [New <Raw>] on 152587 MB Disk 0 at ID 0 on bus 0 on NvAtaBus [MBR] Then in the window I can select the partition I want it is saying I already have 8 MB of partitioned information stored. This is where that infection is sitting and I desperately need it gone.

I do not have a floppy drive so if I had to learn how to flash BIOS then I need step by step directions, please. If you know of something safer that I can do to get rid of that trash then I would like to try that first. I have read some horror stories about flashing a BIOS and I am a newbie when it comes to PCs.

Why doesn't that 8 MB show up under disk management?
by highly frustrated / December 1, 2009 2:10 AM PST
In reply to: DBAN again

Is this where I could have a rootkit lying or is the problem in my BIOS?

results of gmer
by highly frustrated / December 1, 2009 2:16 AM PST
In reply to: BIOS Infected

Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [2668] 0x01EC0000
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [2668] 0x06360000
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [2668] 0x06870000
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [2668] 0x06AD0000
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [2668]

If that's the only result...
by Donna Buenaventura / December 1, 2009 3:27 AM PST
In reply to: results of gmer

then there's no MBR rootkit. Did the Antivir tool find any?
You've got to try to fix the MBR, then wipe it again before fresh installing Windows. And make sure no other device is connected that could be the source of re-infection. Configure the router to disconnect or not connect other devices first.

No, the Avira didn't show anything
by highly frustrated / December 1, 2009 8:56 AM PST

But about an hour after I completed that scan, I went to take care of some of my chores and then came back to the pc only to find that one of those tell-tale signs had taken place that signifies to me when that person has logged into their Gateway connection and has begun spying on my pc activities again. Is there any way at all to delete that 8MB of unpartitioned/unaccessible space in the hard drive as I believe that might be the only other place that this rootkit is hiding? I have even gone as far as to price some hard drives for my system but even the refurbished ones are much more than I can afford currently. I've even been trying to figure out a way that I might be able to get my hard drive replaced under warranty but they don't touch anything that has to do with spyware so I am left with trying to clean up what I have.

I was able to find out for sure about this rootkit from doing some online scans but now, unless I jump straight onto those websites as soon as I have completed a HD erase and clean install then he has already been able to block me from downloading anything with the word rootkit in it or any other program he has known me to use before.

I know that he uses a totally different internet connection now even though he is saying that he is connecting to our local telephone company wirelessly by his laptop. We do not have a router in the house, just a modem and that modem is hard connected to my tower. I have set my Windows XP Home firewall to not allow any exceptions but sometimes I will go check on it and it will be unchecked and sometimes, the firewall itself will be unchecked even though I know the importance of keeping it on.

I am not being paranoid here. I am just facing something way bigger than my understanding and something that scans do not seem to pick up. If I could just clean out my entire hard drive and not just what a program recognizes but to clean out the ENTIRE hard drive then I am confident that will eliminate my problem. I thought it might be BIOS only because I thought I was cleaning out my entire hard drive but then only to discover that any of those erase programs are only cleaning out what they recognize. If this rootkit is good enough to hide from all of the scans I can find to use on it then why wouldn't it be good enough to be sitting in my unpartitioned hard drive or maybe even the BIOS?

I am so exasperated about all of this that I would love to just shove this pc down that man's throat but this pc is my only link to the outside world due to my disability so I am desperately wanting to keep my link but also, to have my privacy back.

This is sad
by highly frustrated / December 1, 2009 10:49 AM PST

I just installed the update to disable autorun and my toolbar went back to how I had installed it a few days ago. The changes I had made to it since then have disappeared as though I had not made any changes at all. This is what happens when I reinstall things anywhere near like I had before. If what I am installing looks even a little like what I had before then he goes ahead and resets my pc back to a day when he had full control over it. My toolbar should not have just installed things that I did not install into it. This is the kind of problem I am facing with his having some kind of control over my pc after I have erased my hard drive and reinstalled my OS. I am anxious for help.

Dban et al should take care of all partitions
by Donna Buenaventura / December 1, 2009 3:58 PM PST
In reply to: This is sad

including the 8MB. Can you please try to use another program, KillDisk from http://www.killdisk.com/
Use the highest security standard if you like. That should erase all partitions (wipe all).

When re-installing Windows, the 8MB is created again unless you delete it manually using partition manager software.

Have you tried changing your internet connection password so no one else knows your password except you? That way he cannot connect to your account at all.
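The two disk-level questions in this thread, whether the MBR boot code has been replaced by a boot-sector rootkit (the "How about..." reply) and where the 8 MB that XP leaves outside any partition actually sits (the reply above), can both be answered by reading sector 0 and parsing it. The script below is an added example and not a tool from the thread or from Avira or GMER. Everything in it is constructed: the sample MBR has one NTFS partition that starts at LBA 63 and stops 8 MiB short of the end of a 152587 MB disk, the layout the poster reports, the "known-good hash" is just the hash of that constructed sector, and the "tampered" copy flips one byte of boot code while leaving the partition table untouched, which is exactly why a partition manager shows nothing wrong when the boot code has been replaced.

```python
"""Added example: parse a 512-byte MBR, verify its boot signature, list the
partition entries, compute the unpartitioned space after the last partition,
and compare the boot code against a hash recorded right after a clean install.
All input below is constructed; nothing is read from a real disk by default."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot loader code (what an MBR rootkit replaces)
DISK_SIG_OFFSET = 440      # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"

# The 152587 MB disk that XP setup reported in the thread, in 512-byte sectors.
DISK_SECTORS = 152587 * 1024 * 1024 // SECTOR
TAIL_SECTORS = 8 * 1024 * 1024 // SECTOR   # the 8 MB XP leaves unpartitioned


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                  # 0x07 = NTFS/exFAT, 0x0c = FAT32 (LBA), ...
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
    }


def unallocated_tail_bytes(parsed: dict, disk_sectors: int) -> int:
    """Bytes after the end of the last partition that belong to no partition."""
    last_end = max((p["lba_start"] + p["sectors"] for p in parsed["partitions"]), default=1)
    return max(disk_sectors - last_end, 0) * SECTOR


def boot_code_matches(parsed: dict, baseline_sha256: str) -> bool:
    """True when the boot code is byte-for-byte what was recorded at baseline time."""
    return parsed["boot_code_sha256"] == baseline_sha256


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        for status, ptype, start, count in entries)
    sector = (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
              + b"\x12\x34\x56\x78" + b"\x00\x00"          # constructed disk signature + reserved
              + table.ljust(64, b"\x00") + MBR_SIGNATURE)
    assert len(sector) == SECTOR
    return sector


# Constructed clean sample: boot code is a two-byte "jmp $" padded with zeros.
CLEAN_MBR = build_mbr(b"\xeb\xfe", [(0x80, 0x07, 63, DISK_SECTORS - 63 - TAIL_SECTORS)])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this after a clean install

# Constructed "infected" copy: one byte of boot code changed, partition table untouched.
_tampered = bytearray(CLEAN_MBR)
_tampered[0x10] ^= 0xFF
TAMPERED_MBR = bytes(_tampered)


def read_mbr_from_device(path: str) -> bytes:
    """Read sector 0 from a raw device: \\.\PhysicalDrive0 on Windows (run as administrator)
    or /dev/sda on Linux (root). Not called by default so the example runs offline."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR)


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sector)
        print(label, "boot code matches baseline:", boot_code_matches(info, BASELINE_SHA256))
        for p in info["partitions"]:
            print(f"  partition {p['index']}: type 0x{p['type']:02x} start {p['lba_start']} "
                  f"sectors {p['sectors']} bootable={p['bootable']}")
        print("  unallocated tail:", unallocated_tail_bytes(info, DISK_SECTORS) // (1024 * 1024), "MiB")
```

The point of hashing only the first 440 bytes is that a legitimate partition change (or Windows rewriting the disk signature) must not look like an infection, while any change to the code that runs before Windows does. The 8 MiB tail is reported as a number rather than hidden, so the next time setup shows "8 MB unpartitioned" it can be checked against the partition table instead of guessed at.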

Some peace of mind
by highly frustrated / December 3, 2009 1:27 AM PST

Thank you Donna, for explaining the 8 MB to me. I feel like an idiot for having stressed so much over that but considering I just picked up a pc for the first time one year ago then I hope you don't think I am a complete idiot. Since that part of my "problem" has been explained, perhaps you could comfort my mind about these other few issues as well?

1. After a clean install, my pc's time changes back exactly three hours. It only does it once but I don't understand why it will do it at all since I set the time to EST when I am reinstalling the OS.

2. When I reinstall Kaspersky then it keeps putting the virtual keyboard button back into my toolbar when that was an option that I had selected back several HD erases and clean installs ago. It shouldn't keep showing up as a default when I download and install a completely new clean copy. This one might be explained by KIS keeping some kind of log into any of my activities regarding the AV through my activation code number.

3. I keep getting a pop-up gmail sign in window which used to ask me for my password all the time but now asks me just to confirm the password it has saved. This window popping up is a new thing that began to happen after the first time that idiot I live with used to take control over the page I was on noticeable by my cursor moving around on its own. That was before he began to shut down my CD/DVD ROM drive.

4. I have installed Kaspersky 2010 Internet Security, Malwarebytes, Superantispyware, CCleaner and Advanced SystemCare3. I also have Gmer installed. I just did a brand new HD erase and clean install yesterday and have not installed any superfluous programs (minus YIM) yet I received a warning from Superantispyware last night that an attempt had been made to change my homepage and I do not go to any websites that WOT is not in the green for.

5. Sometimes a program will pop up by itself without me calling for it. YIM just did that even though it is set to sign me in at system start-up.

6. I don't get any icons representing the programs I have installed in my start menu though I used to when this pc was brand new less than two years ago. This one is not important to me but I wanted to make sure to mention in the event it might hold any impact to support my concerns.

Following is a list of things I have done to protect my Dell Inspiron 531 Home edition desktop Windows XP pc:
(Btw, we don't have a router but just a modem for DSL and I do not use my IP addy for my default email.)

- Unchecked the box to allow remote assistance invitations to be sent from this computer.

- checked the box under Windows Firewall to not allow exceptions.

- have disabled autorun for ALL drives and have installed Old McDonald's Autorun Eater.

- Have Bios, Safe Mode Administrator, and my user account password protected with three different passwords using capital letters, semi-colons, and numbers.

- have the boot order changed to hard drive first.

Is there anything that I am missing here? Does it sound like I have reason to be worried about the health and privacy of my pc?
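The hardening list above (firewall on with no exceptions, Remote Assistance off, AutoRun disabled for all drives) is all stored in the registry on Windows XP, and the poster's complaint elsewhere in the thread is that these settings are found unchecked again later. The script below is an added example, not something from the thread or from any of the tools mentioned in it: it reads those values from HKLM, reports every one that differs from a hardened target, and diffs two snapshots so a silent change shows up as a named setting rather than a vague feeling. The registry paths are the documented XP SP2/SP3 locations; the target values are this example's choice of a hardened configuration; `collect()` only works on Windows, so the sample snapshots at the bottom are constructed to stand in for two runs taken a day apart.

```python
"""Added example: audit XP hardening settings from the registry and detect when
they change between runs. assess() and diff_snapshots() are pure and run anywhere;
collect() needs Windows and returns {} elsewhere."""
import json

FW = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

# name -> (HKLM subkey, value name, expected DWORD, the setting as the poster's list names it)
CHECKS = {
    "firewall_on":            (FW, "EnableFirewall", 1, "Windows Firewall enabled"),
    "firewall_no_exceptions": (FW, "DoNotAllowExceptions", 1, "Don't allow exceptions"),
    "remote_assistance_off":  (r"SYSTEM\CurrentControlSet\Control\Remote Assistance",
                               "fAllowToGetHelp", 0, "Remote Assistance invitations disabled"),
    "remote_desktop_off":     (r"SYSTEM\CurrentControlSet\Control\Terminal Server",
                               "fDenyTSConnections", 1, "Remote Desktop disabled"),
    # NoDriveTypeAutoRun may also be set per user under HKCU; the HKLM policy wins for everyone.
    "autorun_all_drives_off": (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
                               "NoDriveTypeAutoRun", 0xFF, "AutoRun disabled for all drive types"),
}


def assess(values: dict) -> list:
    """Compare collected values to the hardened targets; one finding per failed check."""
    findings = []
    for name, (_key, valname, expected, label) in CHECKS.items():
        actual = values.get(name)          # None: value absent, so the Windows default applies
        if actual != expected:
            findings.append({"check": name, "setting": label, "value": valname,
                             "expected": expected, "actual": actual})
    return findings


def diff_snapshots(before: dict, after: dict) -> dict:
    """Checks whose value changed between two collections: the 'it was unchecked again' case."""
    return {name: (before.get(name), after.get(name))
            for name in CHECKS if before.get(name) != after.get(name)}


def collect() -> dict:
    """Read the live values from HKLM (Windows only, run as administrator)."""
    try:
        import winreg
    except ImportError:                    # not Windows: caller falls back to a saved snapshot
        return {}
    values = {}
    for name, (key, valname, _expected, _label) in CHECKS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                values[name], _kind = winreg.QueryValueEx(handle, valname)
        except OSError:                    # key or value missing
            values[name] = None
    return values


# Constructed snapshots standing in for two collect() runs a day apart.
SNAPSHOT_HARDENED = {
    "firewall_on": 1, "firewall_no_exceptions": 1, "remote_assistance_off": 0,
    "remote_desktop_off": 1, "autorun_all_drives_off": 0xFF,
}
SNAPSHOT_LATER = dict(SNAPSHOT_HARDENED, firewall_on=0, firewall_no_exceptions=0)


if __name__ == "__main__":
    live = collect()
    current = live if live else SNAPSHOT_LATER
    print(json.dumps(assess(current), indent=2))
    print("changed since hardened baseline:", diff_snapshots(SNAPSHOT_HARDENED, current))
```

Saving the output of `collect()` to a file right after hardening and diffing against it on each boot gives a record of which setting moved and when, which is more useful to a helper or a technician than "the firewall was unchecked again".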

One more thing
by highly frustrated / December 3, 2009 1:37 AM PST
In reply to: Some peace of mind

If I get all of my downloads installed into my Firefox browser as soon as possible after a clean install then I do not have any problems but if I wait too long then I cannot get any more add-ons added into my browser. I just tried to install my google toolbar into my Firefox browser and it will say it is downloading then it asks me to restart Firefox. When Firefox comes back then I do not have my toolbar no matter how many times I try. This has happened before with different programs as well such as Adblock Plus and Fireshot. It seems as though I am being "timed out" after an amount of time that I suspect that *&$* I live with has accessed into my system somehow.

What modem you have?
by Donna Buenaventura / December 3, 2009 5:29 AM PST
In reply to: One more thing

I need to know what type and brand of modem you have. Some modems have built-in routers and a control panel.

forgot to mention Sophos
by highly frustrated / December 3, 2009 1:52 AM PST
In reply to: Some peace of mind

I had downloaded Sophos last night and this is the result of its scan:

1. Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{60A87D6A-AC41-4A83-8DBC-CF974915B5C6}\RP13\A0000541.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

2. Area: Local hard drives
Description: Unknown hidden file
Location: C:\RECYCLER\S-1-5-21-1275210071-725345543-839522115-1004\Dc5.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

3. Area: Local hard drives
Description: Unknown hidden file
Location: C:\Documents and Settings\Larisa\Application Data\Mozilla\Firefox\Profiles\auyuae8h.default\.autoreg
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

4. Area: Local hard drives
Description: Unknown hidden file
Location: C:\Documents and Settings\Larisa\Local Settings\Temporary Internet Files\Content.IE5\KPUZGP6V\0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409640%26fmt%3D2.0%26intl%3Dus%26os%3Dwin%26ver%3D10.0.0[1].1102%26lang%3Den-us,;ord=1259858883
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

new networked interface card ?
by highly frustrated / December 3, 2009 5:01 AM PST

One of the technicians from the help desk of my local IP mentioned me purchasing a new NIC card. Would this be in any way helpful to me?

(NT) No, don't jump to buying if no problem with your NIC adapter
by Donna Buenaventura / December 3, 2009 5:11 AM PST
Empty the Temporary Internet Files
by Donna Buenaventura / December 3, 2009 5:16 AM PST

The items found by Sophos are in the Temporary Internet Files of Firefox and Internet Explorer. Please empty your temporary files using Kaspersky's cleaner for that. There is an option for it in Kaspersky. Or you can get CCleaner (no toolbar, slim installer) from http://www.ccleaner.com/download/builds

The two are in System Restore; you can leave them as they are as long as you will not restore to it. Or if you are comfortable trashing a restore point, you can do that by following the guide here:
http://support.microsoft.com/kb/310405
Then turn it on again so Windows will monitor the system and later create a restore point or if you want, you can create your own restore point.

I'll try :D
by Donna Buenaventura / December 3, 2009 5:28 AM PST
In reply to: Some peace of mind

>>>Thank you Donna, for explaining the 8 MB to me. I feel like an idiot for having stressed so much over that but considering I just picked up a pc for the first time one year ago then I hope you don't think I am a complete idiot. Since that part of my "problem" has been explained, perhaps you could comfort my mind about these other few issues as well?

Don't hesitate to ask anything about computers. We're all here in the community forums to help and share our input Happy

>>>1. After a clean install, my pc's time changes back exactly three hours. It only does it once but I don't understand why it will do it at all since I set the time to EST when I am reinstalling the OS.

It could be the BIOS. The BIOS have date/time settings too. Try to boot to BIOS and see if you have the right settings.

>>>2. When I reinstall Kaspersky then it keeps putting the virtual keyboard button back into my toolbar when that was an option that I had selected back several HD erases and clean installs ago. It shouldn't keep showing up as a default when I download and install a completely new clean copy. This one might be explained by KIS keeping some kind of log into any of my activities regarding the AV through my activation code number.
You can disable Virtual Keyboard in Kaspersky IS program and then reboot. Re-configure it. See if any changes.

>>>3. I keep getting a pop-up gmail sign in window which used to ask me for my password all the time but now asks me just to confirm the password it has saved. This window popping up is a new thing that began to happen after the first time that idiot I live with used to take control over the page I was on noticeable by my cursor moving around on its own. That was before he began to shut down my CD/DVD ROM drive.
You can try to empty the cookies of Gmail and other websites using the CCleaner program. See if the Gmail site will now prompt for the password. Do not check the option to always sign you in.

>>>4. I have installed Kaspersky 2010 Internet Security, Malwarebytes, Superantispyware, CCleaner and Advanced SystemCare3. I also have Gmer installed. I just did a brand new HD erase and clean install yesterday and have not installed any superfluous programs (minus YIM) yet I received a warning from Superantispyware last night that an attempt had been made to change my homepage and I do not go to any websites that WOT is not in the green for.
Can you please remove Advanced SystemCare and see if the issue will occur again? Just to troubleshoot. This program is not one I would personally recommend using or keeping.

>>>5. Sometimes a program will pop up by itself without me calling for it. YIM just did that even though it is set to sign me in at system start-up.
Configure YIM not to start up. Open YIM, log in and go to options. You will see the option to automatically start YIM. Uncheck it. See if YIM will pop up again. It should not.

>>>6. I don't get any icons representing the programs I have installed in my start menu though I used to when this pc was brand new less than two years ago. This one is not important to me but I wanted to make sure to mention in the event it might hold any impact to support my concerns.
Is this happening still even after reinstalling Windows?

My modem is :
by highly frustrated / December 3, 2009 5:58 AM PST
In reply to: I'll try :D

a VisionNet model M505.
There is a login: admin and a password: 0123456789
I have tried to look this up before on how to change that but didn't have any luck.

Here you go :)
by Donna Buenaventura / December 3, 2009 6:50 AM PST
In reply to: My modem is :
http://651fpcha.fairpoint.com/modem/visionnet1.php
Follow the guide to login to your modem control panel by entering http://10.0.0.2 in your browser. Login using the credentials you got, look around at Advanced Setup or Admin options to change your password. Take note of your password, please.

Review the Security options too and all of the options. Make sure that only your computer/device is allowed.
Trouble
by highly frustrated / December 3, 2009 7:17 AM PST
In reply to: Here you go :)

When I deleted those temp files and then dumped system restore, I somehow broke the path to all pc function under my user account and had to go into last known good configuration. I couldn't even pull up My Computer from Start. What's more, I had to reinstall YIM because it only pulled up a blank window. Whatever caused that seems to have been corrected for my last reboot didn't "break my back".

I have tried to access the VisionNet site by inserting 10.0.0.2 in the address bar but it will not pull up. I tried to go into Run>ipconfig and I tried turning off my firewalls to access that but none of which I was successful at. ipconfig will not pull up. A little black screen flashes for a split second but won't come up.

Thank you for your continual help. I am certain that we will be able to find the answers I need to make sure that I have full sole access of my pc and that I can download anything I want when I want. I am still not being able to install my google toolbar into my Firefox browser but all of security scans say I am clean, no viruses.

Reset
by Donna Buenaventura / December 3, 2009 7:26 AM PST
In reply to: Trouble

Try resetting the modem. There should be a small "hole" (very small) Grin at the back or at the side or bottom of the modem to reset.

Are there other add-ons for Firefox that were successfully installed?

That didn't do any good
by highly frustrated / December 3, 2009 8:11 AM PST
In reply to: Reset

Resetting the modem doesn't do anything but make me lose internet connection so that I have to power off and then on the modem then reboot the pc.

As far as adding any addon back into my Firefox browser? I just uninstalled the Fireshot and then attempted to reinstall it but now it will not reinstall either.

When I try to remove those temp files that Sophos warned about and then dump system restore then I lose paths all over the pc. Plus, I have not even opened up IE and just did another Sophos scan but it is saying now that I have four more hidden paths not recommended to be removed and all from temp files of IE.

This problem I am having seems to go above and beyond just those temp files and whatever was sitting in system restore.

I think...
by Donna Buenaventura / December 6, 2009 11:35 AM PST

we've done more than the basics here but it seems you need to do more if nothing will install or reinstall after trying, and things are not as they were whenever you use the internet (as if there's someone or something changing or adding stuff).

You've wiped the drive. Fresh install. The same thing will occur. The only thing that comes to mind is some media that is causing the infection (once inserted or plugged in). The control panel of your modem is inaccessible unless there is another page for it; please check the documentation that came with the modem or, if it's provided by your ISP, you might want to ask them for the correct URL of the control panel. No one should be able to plant anything in your PC unless all passwords are using the default (internet connection password, system password, BIOS password, modem panel password).

I suggest posting a system log in any of the forums below and they might be able to diagnose what we can't determine here:

Go to http://hjt-data.trendmicro.com/hjt/analyzethis/index.php and choose 1 HijackThis forum to post your HijackThis log. You will need only to download HijackThis from http://free.antivirus.com/hijackthis/ and then choose to scan. A log file will be created on the desktop. Copy the content of this log into one of the forums in the above link.

I am happy to report .....
by highly frustrated / December 16, 2009 7:45 AM PST
In reply to: BIOS Infected

.... that I have managed to get my pc free and clear from my roommate spying on me. I have changed my NIC card and have been up and running as I am supposed to be with no browser changes, addresses blocked, being locked out of my own email accounts, or having my security settings changed without my doing so. I have spammed his email addresses so I will never open another infected file from him again, which is how he initially got into my pc to find out all of my system's information. Thanks for trying to help. If it had not been for your suggestions then I would not have been able to rule out all other avenues (and I have to admit that the NIC card was much cheaper than an entire hard drive as had been suggested to me elsewhere. :P) Hoping I never have to go through this again, Ms. Unfrustrated. Grin

That's great to hear!
by Paul C / December 16, 2009 8:12 AM PST

Now, a little unsolicited advice: DUMP THE ROOMMATE! Methinks the guy's more trouble than he's worth.

One step further
by wayneepalmer / January 15, 2010 12:26 PM PST
In reply to: That's great to hear!

Given the amount of trouble this person has given you and your disability, you might want to try and find some free legal assistance.

There has got to be something this clown has done that is illegal and I'd bet you could find someone to help you turn his life into a lesson involving contact with a courtroom, the police, and maybe a jail cell.

There is a word for people like this: STALKER.

Anyone this obsessed with you and your life is dangerous and needs help best given to him as ordered by a judge.
