Solved

Malware set a bios password -- Now what?

Posted on 2011-04-22
Medium Priority
658 Views
Last Modified: 2012-05-11
Ok, I was in the BIOS, checked disks and then was going to use the recovery console on a Lenovo Y510 with Vista, but I first decided to back up the few files on the computer to a flash drive. Finished the backup, rebooted and tried to get the options again for putting it back to factory state, and I am now asked for a BIOS password. I have done one to two hundred of these things and I am absolutely positive I did not accidentally set one.

Compounding the problem, I am not even able to run .exe's from the desktop. I am asked: "What program do you want to use to open this program?"

The BIOS has hard drive selected as first boot option so I can't use a disk to clean it up, and safe mode is infected as well.

Where would you go from here?
Question by:Sean Meyer
8 Comments
 
LVL 2

Expert Comment

by:michael626
ID: 35451612
You just have to remove the battery; if it's a notebook you can remove the battery and the transformer and hold the power button for 30 secs (this does not always work with all computers).
 
LVL 2

Expert Comment

by:michael626
ID: 35451614
When I say the battery, I mean the CMOS battery on the mainboard.
 
LVL 2

Expert Comment

by:michael626
ID: 35451617
 
LVL 3

Assisted Solution

by:shjacks55
shjacks55 earned 600 total points
ID: 35451858
See manual at http://static.highspeedbackbone.net/pdf/Lenovo_IdeaPad_Y510_NotebookPC-UserGuide.pdf (Lenovo support is down; they removed password questions from support forums anyway). Read the section on passwords. Note the support for HDD encryption. Call Lenovo support and hope they like your story; the standards-based HD encryption may not recover.

"Expert": motherboards built in the last ten years store legacy "cmos" ram data in flash, esp in bios chip. The battery is exclusively for the clock. See http://www-307.ibm.com/pc/support/site.wss/MIGR-52235.html . Read the Lenovo lip service to security in the manual. Compaq has required unsoldering and replacing the BIOS chip to clear password since the 90's.

Other options. It will help to know the BIOS brand. Get the Lenovo hardware manual, open up the laptop and remove the hard drive. You said bios is HD first, not HD only.
Methods:
1. Remove your laptop's HD (instructions in Lenovo hardware manual). Get an SATA to USB adapter from local computer shop or Amazon, about $10. Plug into USB of different computer then make sure it is visible (not encrypted by virus)(disable legacy support so you won't scramble this computer with the virus). If visible (not encrypted) then run A-V or other cleaner program.
2. With HD removed from laptop: make a bootable flash drive, DOS or WinPE. Include biospasswordrecovery.com type software. If HD was encrypted  If HD was not encrypted, can use Debug in DOS to poke values over the password storage area for that BIOS type or, less reliably, poke random values into CMOS until a CMOS integrity error, where the BIOS overwrites CMOS with default values. Debug procedure and useless "backdoor" passwords at http://www.pctesttool.com/down/manual.pdf
3. From Lenovo support link http://www-307.ibm.com/pc/support/site.wss/MIGR-45385.html: your laptop has no floppy, however flash updates may be possible through a bootable USB flash drive (or USB JTAG option, etc.). Make sure you choose the clear ESCD option when you update the BIOS; that will clear CMOS. There is often a key press combination that will allow boot to the last good BIOS setup (saves ambitious overclockers). The key press option to boot from the previous BIOS before you flashed it certainly won't work if you hadn't upgraded the BIOS.


 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1400 total points
ID: 35451954
Does Windows still load? Do you have access to the desktop?
If so, then run these tools to fix the .exe file association, then run RKill and MalwareBytes.


Vista .exe files association fix.
http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html

Or use Kaspersky's CleanAutoRun to restore .exe file association.
http://support.kaspersky.com/viruses/cleanautorun

Or you could Download exeHelper to your desktop.
http://www.raktor.net/exeHelper/exeHelper.com
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.


Once the .exe file association is fixed, run the renamed RKill and MalwareBytes.
1. Download the renamed RKill (run it but do not reboot), then run MalwareBytes straight after.
http://www.bleepingcomputer.com/download/anti-virus/rkill

2.  MalwareBytes
Malwarebytes http://www.malwarebytes.org/mbam-download.php
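The fixers linked in the answer above restore the .exe association, but they do not tell you what was wrong or whether a per-user override is still shadowing the repair. The script below is an added example, not part of the thread and not code from any of the linked tools: it compares the live registry against the stock Vista values (HKCR\.exe pointing at exefile, and the open command "%1" %*, both assumed here to be the untouched defaults), flags a hijack planted under HKCU\Software\Classes\.exe (which overrides the machine-wide entry in the merged HKCR view), and with -Repair writes the stock values back. It assumes an elevated PowerShell session is available (PowerShell was an optional install on Vista), so its practical use is confirming that one of the .com-based fixers actually took before running RKill and MalwareBytes.

```powershell
# Added example (not from the thread or from any linked tool): check the .exe
# association that "What program do you want to use to open this program"
# malware tampers with, and restore the stock values on request.
# Assumptions: stock Vista layout (HKCR\.exe -> exefile, open command "%1" %*)
# and an elevated PowerShell session. Run with -Repair to write the fix.
param([switch]$Repair)

# Stock values (assumed to be the untouched Vista defaults).
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}
# A per-user key here shadows the machine-wide HKCR entry in the merged view,
# so a hijack planted at this path survives a fix applied only under HKLM.
$userOverride = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'

function Get-DefaultValue([string]$Path) {
    # Returns the key's (default) value, or $null if the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

function Test-ExeAssociation {
    # One record per mismatch; no records means the association is stock.
    $findings = @()
    foreach ($path in $expected.Keys) {
        $current = Get-DefaultValue $path
        if ($current -ne $expected[$path]) {
            $findings += [pscustomobject]@{ Path = $path; Expected = $expected[$path]; Current = $current }
        }
    }
    if (Test-Path -LiteralPath $userOverride) {
        $findings += [pscustomobject]@{ Path = $userOverride; Expected = '<absent>'; Current = Get-DefaultValue $userOverride }
    }
    return $findings
}

function Repair-ExeAssociation {
    # Recreate missing keys, write the stock defaults, drop the per-user override.
    foreach ($path in $expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $expected[$path]
    }
    if (Test-Path -LiteralPath $userOverride) {
        Remove-Item -LiteralPath $userOverride -Recurse -Force
    }
}

$findings = @(Test-ExeAssociation)
if ($findings.Count -eq 0) {
    Write-Host '.exe association matches the stock values.'
} else {
    $findings | Format-Table -AutoSize
    if ($Repair) {
        Repair-ExeAssociation
        Write-Host 'Restored stock .exe association; run again without -Repair to confirm.'
    }
}
```

Run it once without -Repair to see exactly which key was altered (that tells you which of the linked fixers is appropriate and whether the hijack lives under HKCU), and once more afterwards to confirm the live values match before moving on to the malware scan.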
 
LVL 9

Author Comment

by:Sean Meyer
ID: 35505905
BIOS was AMI

Michael -- that is old information.  As shjacks55 pointed out any new hardware does not have the battery limitations.  

shjacks55 -  They did not like my story and all I was able to accomplish with the different software was to wipe the bios clock and now it is even more annoying in that it makes me hit F2 on boot and enter three times to attempt a password and F2 again to enter the OS.  Not a huge problem but the system clock will not stay set when adjusted within windows.  And because of this windows updates will not happen until you set the clock.

rpggamergirl - Thank you for the solution of just fixing the problem.  The system threw me for a loop when it reset the BIOS password.  Computer is in working condition and will be sent to Lenovo for Bios reset.  
 
LVL 9

Author Closing Comment

by:Sean Meyer
ID: 35505927
shjacks55 -- I did not try the Debug in DOS as I did not want to brick the system.  Have you tried this yourself before ?
 
LVL 3

Expert Comment

by:shjacks55
ID: 35698963
The Bios Companion I've uploaded includes "password checking option" page 138 ff which includes the debug code, the data in CMOS Ram area has a checksum. If the checksum fails the bios rebuilds it as if it was a brand new computer. The "CMOS" emulation will not be harmed by debug since most information stored there (except the password) is trivial, like 5 1/4 inch floppy drive information.

Dell/Intel made some newer boards that turn off the fan so the CPU overheats, but debug has nothing to do with that: those boards were "born that way".
the-20BIOS-20companion2.pdf