Malware set a bios password -- Now what?

Posted on 2011-04-22
Last Modified: 2012-05-11
Ok, I was in the BIOS, checked disks, and then was going to use the recovery console on a Lenovo Y510 with Vista, but I first decided to back up the few files on the computer to a flash drive. Finished the backup, rebooted, and tried to get the options again for putting it back to factory state, and I am now asked for a BIOS password. I have done one to two hundred of these things and I am absolutely positive I did not accidentally set one.

Compounding the problem I am not even able to run .exe's from the desktop.  I am asked -- "What program do you want to use to open this program."

The bios has hard drive selected as first boot option so I can't use a disk to clean it up and safe mode is infected as well.

Where would you go from here?
Question by:Sean Meyer
    LVL 2

    Expert Comment

    You just have to remove the battery. If it's a notebook, you can remove the battery and the transformer and hold the power button for 30 secs (this does not always work with all computers).
    LVL 2

    Expert Comment

    When I say the battery, it's the CMOS battery on the mainboard.
    LVL 3

    Assisted Solution

    See manual at (Lenovo support is down, they removed password questions from support forums anyway). Read section on passwords. Note the support for HDD encryption. Call Lenovo support and hope they like your story, the standard based HD encryption may not recover.

    "Expert": motherboards built in the last ten years store legacy "cmos" ram data in flash, esp in bios chip. The battery is exclusively for the clock. See . Read the Lenovo lip service to security in the manual. Compaq has required unsoldering and replacing the BIOS chip to clear password since the 90's.

    Other options. It will help to know the BIOS brand. Get the Lenovo hardware manual, open up the laptop and remove the hard drive. You said bios is HD first, not HD only.
    1. Remove your laptop's HD (instructions in Lenovo hardware manual). Get an SATA to USB adapter from local computer shop or Amazon, about $10. Plug into USB of different computer then make sure it is visible (not encrypted by virus)(disable legacy support so you won't scramble this computer with the virus). If visible (not encrypted) then run A-V or other cleaner program.
    2. With HD removed from Laptop: Make bootable flash drive, DOS WinPE. Include type software. If HD was encrypted  If HD was not encrypted, can use Debug in DOS to poke values over password storage area for that BIOS type or, less reliable, poke random values into CMOS until cmos integrity error where bios overwrites cmos with default values. Debug procedure and useless "backdoor" passwords at
    3.  From Lenovo support link; your laptop has no floppy, however flash updates may be possible through bootable USB flash drive (or USB JTAG option, etc.) make sure you choose clear ESCD option when you update the BIOS, that will clear cmos.  There is often a key press combination that will allow boot to last good bios setup (saves ambitious over clockers). The key press option to boot from the previous bios before you flashed it certainly won't work if you hadn't upgraded the bios.

    LVL 47

    Accepted Solution

    Does Windows still load? Do you have access to the desktop?
    If so, then run these tools to fix the .exe file association, then run RKill and MalwareBytes.

    Vista .exe files association fix.

    Or use Kaspersky's CleanAutoRun to restore .exe file association.

    Or you could Download exeHelper to your desktop.
    Double-click on to run the fix.
    A black window should pop up, press any key to close once the fix is completed.

    Once the .exe file association is fixed... run renamed RKill and MalwareBytes.
    1.  Download the renamed RKill (run it but do not reboot)... then run MalwareBytes straight after.

    2.  MalwareBytes
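
Added example, not part of the answer above and not taken from any of the tools it names: a PowerShell check for the state those .exe association fixes restore. It compares the `.exe` class and the `exefile` open command against the Windows defaults in both the per-user and machine-wide `Classes` keys. The function names and parameters are this example's own.

```powershell
# Added example (not from the thread): audit the .exe file association.
# Windows defaults being checked:
#   <Classes>\.exe                        (Default) = exefile
#   <Classes>\exefile\shell\open\command  (Default) = "%1" %*

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (Default) value, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    (Get-Item -LiteralPath $KeyPath).GetValue('')
}

function Test-ExeAssociation {
    param(
        # Override these to audit an offline hive mounted with "reg load";
        # the mount name you pick there is your own choice.
        [string]$MachineClasses = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes',
        [string]$UserClasses    = 'Registry::HKEY_CURRENT_USER\Software\Classes'
    )
    $expected = @{
        '.exe'                       = 'exefile'
        'exefile\shell\open\command' = '"%1" %*'
    }
    $scopes = @(
        @{ Name = 'User';    Root = $UserClasses },   # per-user entries win over machine-wide
        @{ Name = 'Machine'; Root = $MachineClasses }
    )
    foreach ($scope in $scopes) {
        foreach ($sub in $expected.Keys) {
            $value = Get-DefaultValue "$($scope.Root)\$sub"
            $status = if ($null -eq $value) {
                # A clean profile normally has no per-user entry; the machine one must exist.
                if ($scope.Name -eq 'User') { 'OK (not set)' } else { 'MISSING' }
            } elseif ($value -eq $expected[$sub]) { 'OK' } else { 'MODIFIED' }

            New-Object PSObject -Property @{
                Scope = $scope.Name; Key = $sub; Value = $value; Status = $status
            }
        }
    }
}

# Anything not reported as OK is what the association fix has to restore.
Test-ExeAssociation | Where-Object { $_.Status -notlike 'OK*' } |
    Format-Table Scope, Key, Value, Status -AutoSize
```

An empty result means both scopes match the defaults; a `MODIFIED` row in the `User` scope overrides a clean machine-wide entry, so check it first.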
    LVL 9

    Author Comment

    by:Sean Meyer
    BIOS was AMI

    Michael -- that is old information.  As shjacks55 pointed out any new hardware does not have the battery limitations.  

    shjacks55 -  They did not like my story and all I was able to accomplish with the different software was to wipe the bios clock and now it is even more annoying in that it makes me hit F2 on boot and enter three times to attempt a password and F2 again to enter the OS.  Not a huge problem but the system clock will not stay set when adjusted within windows.  And because of this windows updates will not happen until you set the clock.

    rpggamergirl - Thank you for the solution of just fixing the problem.  The system threw me for a loop when it reset the BIOS password.  Computer is in working condition and will be sent to Lenovo for Bios reset.  
    LVL 9

    Author Closing Comment

    by:Sean Meyer
    shjacks55 -- I did not try the Debug in DOS as I did not want to brick the system.  Have you tried this yourself before?
    LVL 3

    Expert Comment

    The Bios Companion I've uploaded includes "password checking option" page 138 ff which includes the debug code, the data in CMOS Ram area has a checksum. If the checksum fails the bios rebuilds it as if it was a brand new computer. The "CMOS" emulation will not be harmed by debug since most information stored there (except the password) is trivial, like 5 1/4 inch floppy drive information.

    Dell/Intel's made some newer boards that turn off the fan and the CPU overheats, but debug has nothing to do with that: those boards were "born that way".
