Welcome to Geeks to Go - Register now for FREE

Possible BIOS virus, P4P800



#1 trampas (Member, 99 posts)
Hi Guys

After long experience with this problem I think that the BIOS of my PC is infected with a virus. However I'm not sure if I can re-flash the BIOS. It seems to block access to the floppy drive. Is there another way ?

Thanks in advance !

trampas
  • 0

#2 Alzeimer (Member 1K, 1,330 posts)
It is possible to update it from a cd, here is how from the manual.

[attachment=56352:bios p4p800.JPG]

Hope this helps
  • 0

#3 trampas (Topic Starter, Member, 99 posts)
Hi Alzeimer !

Thanks for that reply. The PC doesn't report a checksum error on the BIOS so it doesn't try to restore the BIOS from CD.

However, another way to reset the BIOS is described on p4-4. You can initiate a BIOS restore by pressing <ALT> and <F2> during POST. The only problem is that it searches for the ROM file on floppy disk. If the floppy disk is absent what happens next is not described in the manual. So I tried it.

As I'd hoped, the PC then searches for the ROM file on the CD-ROM. It found this file and automatically re-flashed the BIOS. When it rebooted I received this message (just below the AMI logo) :

"CMOS Checksum Bad
Overclocking failed! Please enter Setup to re-configure your system.
Press F1 to Run SETUP
Press F2 to load default values and continue"

In case I select the wrong option I'll leave the PC that way for a while.

trampas

Edited by trampas, 28 February 2012 - 04:53 PM.

  • 0

#4 trampas (Topic Starter, Member, 99 posts)
...update. I didn't select either of the two options but I did power off the PC. Pulled the power cord out and pressed power ON again.

This was just in case there was something residing in RAM after the BIOS restore.

When I power the PC up in an hour or so I will report what happens next. I expect to go back to the same point as before.

Some research that I've done suggests that I also need to perform a low-level format of the hard drive rather than just allow the MS setup disk to wipe it.

Before doing this BIOS restore the last thing I'd done was rebuild the PC using a Setup disk. This isn't completely satisfactory for two reasons. Firstly, the hard disk wasn't low-level formatted, as mentioned. Secondly, the Setup disk is one that I created that had the RAID driver installed. I cannot guarantee that *this* CD is clean.

So I think I need to do low-level format. dban has been suggested. And I think I need to reload windows off the original Setup CD. This CD doesn't have the RAID driver on it so I need to supply that off a floppy disk.

trampas

Edited by trampas, 28 February 2012 - 05:36 PM.

  • 0

#5 Alzeimer (Member 1K, 1,330 posts)

Press F1 to run setup and check all your options (date & time also) to make sure they are as you wish.

It would be better to use a third party program to completely erase your Hard drive, I suggest using Darik's Boot and Nuke DBAN depending on your computer and Hard drive size it might take a long time but it will erase everything on your HD.
http://sourceforge.n...cts/dban/files/
  • 0

#6 trampas (Topic Starter, Member, 99 posts)
Thanks Alzeimer. Went into the setup and saved the changes. That fixed the checksum and overclock errors. I also cleared the CMOS RAM as per p2-20 of the manual.

DBAN sounds like a great choice for wiping the disks. The beast will die screaming !

Presumably the MS Setup CD will create new partitions when it runs.

trampas
  • 0

#7 trampas (Topic Starter, Member, 99 posts)
During this investigation it became apparent that the floppy disk drive is faulty, which explains the problem in the original post. It's at times like these that you wish you'd created a bootable CD or USB stick.

Still, I burned dban to a CD and it's running now. And salvaged a FDD from an old PC.

As dban doesn't work with RAID I've connected the disks temporarily to the primary IDE slot.

In about 36 hours all that screaming should've died down !!!!

Thanks again Alzeimer.

Next steps: put a more recent BIOS image onto the motherboard. I was thinking of using version 1010 which is probably close to what I had originally. The one that's active now (off the ASUS CD) is probably v1006 or earlier.

trampas
  • 0

#8 happyrock (Tech Moderator, Retired Staff, 9,285 posts)
what made you think you had a bios virus...

also that asus mobo had a utility cd that contained a live bios updater that you can use to reflash the bios from within windows...I used it many times...

you also could have just had xp do a format on the drive during a new install...

the reason I'm telling you is that if you really have a bios virus...wiping the hard drive will do nothing to resolve it
  • 0

#9 trampas (Topic Starter, Member, 99 posts)
Hi Happyrock

The background is that the virus has returned each time I rebuilt the PC - say 3 times. Part of the problem was that I was using a Setup CD that I'd built, so it was untrusted.

Recently, when I disconnected the hard drives but still had a problem reading anything from the floppy disk drive I was suspicious of the BIOS. However it turns out the floppy drive had become faulty.

So, to answer your question, it's still unclear to me whether there was a virus on the disk or in the BIOS. I've had to hedge my bets by allowing for both possibilities. I also cleared the CMOS RAM but, arguably, that was just out of ignorance - I've no evidence that a virus could occupy CMOS RAM. Maybe someone does ? And I unplugged the power in case there was something managing to survive warm restarts in system RAM.

The advice I've had is that the Format done by the MS Setup CD would not guarantee to remove certain viruses on the hard drive. dban will overwrite anything on the disk so that gets a tick from me.

It will be interesting to see what happens when I restore some of my backed up data to the hard drive. I'm almost certain that some of my .RTF files have had malware attached to them, possibly in encrypted form.

At the moment I have no plan for testing those files......

It's an unfortunate case where no malware has been identified. I still have another XP PC, a laptop, that I need to deal with which I suspect has been infected from the first. The laptop doesn't come with a Setup CD so I'm wondering how will I remove the virus from it if the malware isn't identified ? I was going to start a new thread for that issue.

Thanks for your post.

trampas
  • 0

#10 happyrock (Tech Moderator, Retired Staff, 9,285 posts)

I've no evidence that a virus could occupy CMOS RAM.

there was a proof of concept done on that a while back and yes it could...the real kick in the butt was there was no way to remove it but to remove and replace the bios chip from the mobo...
it was determined the only way to keep it off was to password protect your bios...
I have not ever seen one or heard of one in the wild...yours will be my first if its true...

Part of the problem was that I was using a Setup CD that I'd built, so it was untrusted.

that would be my guess too if it's not in your data backups...that is the most likely choice of the 2
by all means start a topic in the malware forum...
and please post back in this thread or PM me with a link to the topic

At the moment I have no plan for testing those files......

that will be your downfall
  • 0

#11 trampas (Topic Starter, Member, 99 posts)
Cheers Happyrock,

Possibly my last post was misleading in a couple of ways so I'll try to clear it up. Once I've rebuilt my desktop PC I'll create a new thread, specifically for my laptop, on the malware forum. I'd be more than happy to send you the link. In the meantime I'm still very keen to listen to ideas on what to do for the best about my desktop PC and I'll continue to post here for that. With the desktop PC there seem to be two outstanding issues :

1. CMOS RAM that cannot be cleared of a virus. Wow !
Can this happen on my mobo ?
I've read the P4P800 deluxe manual and cannot claim to fully understand which memory is on which chip. My understanding is that the BIOS flash chip is a 4Mbit device and that the BIOS code is 512KBytes. Does this mean that the BIOS code fills every bit of that chip exactly ?

I'm not sure where the CMOS RAM is physically. I removed the lithium battery and shifted a jumper for 10 seconds. This reset the system date and time i.e. data values for the BIOS. So my other question would be : on the P4P800 deluxe is any part of the CMOS RAM ever executed or is it all used purely for data for the BIOS and other things ?
One more question: is there another block of CMOS RAM that isn't cleared when I remove the battery and shift that jumper ?


2. My WORD .RTF files
Please understand that I'm really not happy that I have no plan for testing these ! I've already submitted one of them to virscan.org and got a negative on any malware. I don't believe that opening a .RTF file with WORD will place my PC at risk but it'd be good to be certain of that. And I guess I'm not thrilled at the possibility of there being malware attached to some of those files long term. I did a test on some of them : open the .RTF file, select all of the text, copy to clipboard, paste to a new file. The new file is 100KB smaller than the original.



All help is greatly appreciated !

trampas

Edited by trampas, 03 March 2012 - 08:58 PM.

  • 0

#12 trampas (Topic Starter, Member, 99 posts)
A summary of the rebuild process is given below :

Process for completely clearing the PC's memory

1. Run dban on the hard drives (on the primary IDE connector)
Then restored drives to the RAID connector
2. Power off PC, unplug power cable. Remove CMOS battery and short two terminals.
3. Leave power off for 20 minutes to clear system RAM
4. Boot off the ASUS CD and press ALT-F2. Reflash the BIOS.


Restoration of XP SP3

1. Reconfigure the RAID array.
2. Boot off MS setup CD SP 1A and supply RAID driver from floppy disk.
3. Build Windows but do not register at this stage
4. Load the SP3 exe from a clean USB memory stick (with no autorun file)
5. Same with Avira A/V and ZoneAlarm firewall exes
6. Plug in the USB broadband modem and install its s/w
7. Connect to internet and take updates for SP 3; also register Windows
8. Take updates for Avira and ZoneAlarm
9. Create restore point

Note: no browser activity until after step 9.

At that point I decided to create an Ultimate Boot CD for Windows (as per the instructions linked to from this site). My initial Boot CD has minimal changes to the files that come in the download pack. So, for example, the virus definitions are dated Jun or July 2010.

I ran all three of the A/V scanners provided on the Boot CD and the system was reported clean. Just one detection was highlighted by Avira, which I understand is a false positive. This file is actually part of the UBCD4Win download package :
FixOEM.exe TR/Dropper.Gen

In my last post I raised two issues which I'll expand on a little. At the moment I'm unsure whether my mobo could actually suffer from a virus in CMOS RAM and I think I've done everything that I could to clear the CMOS. After the steps taken (as above), if anyone knows how a P4P800 deluxe could still be at risk please let me know.

What remains now is to decide what to do with my personal data, currently archived.

I'm fairly sure that malware has been attached to some files (possibly just .RTF files). The malware may be in a compressed form and therefore unable to execute.

The malware was placed on my PC by a hacker who then continued to control my PC for many months. This is fairly unusual and so I question whether this malware is widespread enough to ever appear in a virus signature database.

But is there any way I can get an AV supplier to check out one of the suspicious RTF files for a *NEW* virus ? Someone else in the world will have the same malware as me, I'm just not sure how many. And my laptop is probably still infected (new thread for that).

In the meantime is there a way for me to prove that my .RTF files have been extended, other than by using the simplistic test mentioned in my last post ?

In that regard, I wonder if anyone has written a utility that checks an RTF file for *strict* conformance to the standard. I assume that both WORD and WORDpad provide this functionality to some degree but I don't know how strict they are e.g. would they bother to highlight redundant blocks in an RTF file (again, see last post, these *do* seem to exist).

All feedback appreciated.

trampas
  • 0
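The RTF conformance check asked about in the post above, as an added example that is not from this thread or any of its posters: a small Python walker over the RTF group structure that reports unbalanced groups, bytes left after the document's closing brace, and the size of destinations that normally carry binary blobs. The sample documents are constructed for the example; a size difference on its own says nothing about malware, since fonts, tables and embedded objects legitimately inflate an RTF file.

```python
import re

# Constructed sample documents (hand-made for this example, not files from the thread).
CLEAN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Hello, world.\par}"
# The same document with 1 KiB of arbitrary bytes appended after the closing brace.
APPENDED_RTF = CLEAN_RTF + b"\r\n" + bytes(range(256)) * 4
# A document carrying a 6000-hex-digit embedded OLE object.
OBJECT_RTF = rb"{\rtf1\ansi{\object\objemb{\*\objdata " + b"00" * 3000 + rb"}}\par}"
# A picture group using \binN, whose 5 raw bytes happen to be brace characters.
BIN_RTF = b"{\\rtf1{\\pict\\bin5 }}}}}}}"

HEAVY = (b"objdata", b"pict", b"datastore")      # destinations that normally hold binary blobs
DEST_RE = re.compile(rb"\{(?:\\\*)?\\([a-z]+)")  # first control word after a '{'
BIN_RE = re.compile(rb"\\bin(\d+)")               # \binN: N raw bytes follow the delimiter

def inspect_rtf(data: bytes) -> dict:
    """Walk the RTF group structure and report what a strict reader would flag:
    unbalanced groups, bytes after the outermost '}' and large binary destinations."""
    report = {"valid_header": data.startswith(b"{\\rtf"), "balanced": False,
              "trailing_bytes": 0, "heavy_groups": [], "bin_bytes": 0}
    if not report["valid_header"]:
        return report
    stack, i, end_of_doc = [], 0, None        # stack holds (group start, destination keyword)
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            m = BIN_RE.match(data, i)
            if m:                                 # skip the raw payload so its bytes are not parsed
                n = int(m.group(1))
                report["bin_bytes"] += n
                i = m.end() + 1 + n
            else:                                 # \{ \} \\ are escaped literals, not structure
                i += 2 if data[i + 1:i + 2] in (b"{", b"}", b"\\") else 1
        elif c == b"{":
            kw = DEST_RE.match(data, i)
            stack.append((i, kw.group(1) if kw else None))
            i += 1
        elif c == b"}":
            start, kw = stack.pop()
            if kw in HEAVY:
                report["heavy_groups"].append((kw.decode(), i + 1 - start))
            i += 1
            if not stack:                         # outermost group closed: the document ends here
                end_of_doc = i
                break
        else:
            i += 1
    report["balanced"] = end_of_doc is not None
    if end_of_doc is not None:                    # anything past the final '}' is not part of the document
        report["trailing_bytes"] = len(data[end_of_doc:].strip(b"\r\n\t "))
    return report
```

Non-zero trailing bytes or an unexpectedly large \objdata group are the findings worth a closer look with a full RTF parser; table-heavy documents grow legitimately, so file size alone is not a signal.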

#13 happyrock (Tech Moderator, Retired Staff, 9,285 posts)
I did a little research this morning on the status of bios viruses...
the old one I read on a few years back summed it up as replacing the bios chip as the only fix...I concurred at that time because of the way they laid it out...it couldn't be removed flashing the bios but this recent research says reflashing the bios does clear it out...decide for yourself
links below...

http://www.tomshardw...romi,13447.html
http://www.symantec....t-showing-again


http://www.broadband...argets-MBR-BIOS
http://www.theregist...ureon_advances/

http://www.virus.org...d-bios-malware/

as for the RTF files why not convert them to MS Word Documents...how to here...
  • 0

#14 trampas (Topic Starter, Member, 99 posts)
Thanks for all that research h !

I'll have a good read-up on that stuff. I couldn't see the link for the RTF->DOC conversion though. Funny thing is, these files were *ALL* DOCs in the first place :)

I converted them all to RTF (big job) one folder at a time because the hacker had introduced a WORD macro virus onto my PC.

When they were in DOC format a lot of them were smaller because they contain tables. I concluded that RTF isn't as efficient with tables as DOCs are. Whether the conversion removes anything undesirable is the key point. I'll dig into that.

EDIT: I'm still wondering if I can send a file somewhere for analysis for presence of either a new virus or a compressed block of code that might be a known virus. I guess the encryption key would be the problem.

t.

Edited by trampas, 05 March 2012 - 07:02 PM.

  • 0

#15 trampas (Topic Starter, Member, 99 posts)
There are some interesting comments on the end of those articles.

For example, how long does it take for someone to seriously consider whether they have malware in the BIOS ? Once that point has been reached a decision then needs to be made : which version will I reflash my BIOS to and can I still download it ?

It could be advisable to record all of the BIOS settings before re-flashing.

I've not noticed any serious concerns regarding CMOS RAM.

As for my desktop PC I suspect that I've probably now cleared it of malware. It just remains to be seen whether I can keep it that way as I re-introduce applications and data.

It's possible I had a virus in the BIOS but, failing that, it could have been in the MBR. It could also have been on the SP3 Setup CD that I created - this passes all AV tests incidentally. My problem will always be : the virus signature may not yet be known.

I wish I could change that :)
  • 0





