Solved

Bios Rootkit or just an MBR rootkit?

Posted on 2013-01-13
Last Modified: 2013-11-22
I believe I have a rootkit virus on a notebook running Vista home edition.  I'm actually suspecting a BIOS rootkit.  I plan to use diskpart clean to format the drive because that should handle an MBR rootkit, but I'm wondering about a BIOS rootkit.  I could use your thoughts and experience.  Do I format the drive and re-install Windows or do I set the bios back to default first?  Here's the history.

Initially, anti-virus scans would crash the PC before completion and all backup and restore points disappeared.  

I decided to re-install Vista.  It took about a dozen tries before the PC stopped crashing while copying files from the CD.  Eventually I got to the restore/repair options on the CD.  I did not have any restore points, and the repair option crashed the PC.  I  chose the custom install and re-installed Vista.  The PC frequently crashed while installing Windows updates.  Windows is still at the SP1 stage.  SP2 is the next update ready to install.  

I decided to run a rootkit detector before going further.  Avast MBR found nothing and returned the code:  Disk 0 Windows VISTA default MBR code

Kaspersky's TDSSkiller said the scan was "cancelled by user".  Nope, I didn't cancel.  I found a cloaked version of the TDSSkiller and it ran, but again found nothing.

GMER returned this:

<snip>

---- Threads - GMER 2.0 ----

Thread   C:\Windows\system32\SearchIndexer.exe [1992:2280]                      000007fef85641e0
---- Processes - GMER 2.0 ----

Library  ? (*** suspicious ***) @ C:\Windows\system32\SearchIndexer.exe [1992]  000007fefcb50000

<snip>

---- Kernel code sections - GMER 2.0 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff96000113900 7 bytes [00, 6B, F3, FF, C1, 40, FC]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000113908 3 bytes [C0, E5, 01]

<snip>


A 2nd run of GMER also noted the C:\Windows\system32\lsass.exe process as suspicious.

What is the logical next step?  Format the hard drive using diskpart clean and re-install Windows, or set the bios back to default then format and reinstall?  This notebook is running a Phoenix bios with the latest update.  I have little time for running AV scan after scan only to end up ineffectively removing the rootkit.  I just want to wipe and re-install.  Thanks in advance.
Question by:Analog_Kid
44 Comments
 
LVL 91

Expert Comment

by:nobus
ID: 38773587
in that case, i suggest running DBAN to clear the drive - you'll lose everything on it - then reinstall   http://www.dban.org/
0
 
LVL 46

Accepted Solution

by:
noxcho earned 166 total points
ID: 38773593
Actually what you describe indicates possible hardware problems with your machine. Rootkit won't cause so many crashes. Check the HDD itself and the RAM.
0
 
LVL 91

Assisted Solution

by:nobus
nobus earned 167 total points
ID: 38774060
you can always test if it runs ok from a live cd (make it on a known working PC)
http://www.ubcd4win.com/  (UBCD4Win)
ftp://mirrors.kernel.org/knoppix-dvd/KNOPPIX_V7.0.4bootonly-2012-08-20-EN.iso  (Knoppix)
www.nu2.nu/pebuilder/  (BartPE)
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38774206
First, get the trial version of http://www.hdtune.com 's professional and run it.  On the health tab, inspect the reallocated sector count.  If the value in the data column is not zero, your hard disk drive is beginning to fail.  If you really want to check its health, run the error scan.  If even one red box appears, you have a huge problem because Vista, 7, & 8 all lock up when they hit a "bad sector" (CRC error).
If the drive does check out OK, many MBR trojans will survive unless you delete all of the partitions and cycle the power before you create new ones.  What happens is they load a memory resident component which reinfects new partitions and cycling power clobbers that.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38775080
These are some great tools!  DBAN and UBCD4Win require writing to a CD.  The only PC I have that will do that is this broken one.  I also have no software installed for that to happen either.  I see a note in the DBAN instructions that it's not advisable to use it to boot from USB, but that's my only option.  Any thoughts?

This is actually the 3rd time I'm reinstalling Vista over the course of the last 2 years.  Each time memory diagnostics failed to run and the HD analysis said 1k of the hard disk was bad.  After wiping the drive (diskpart clean all option used once, windows format before install used 2nd time) and re-installing Windows the PC ran flawlessly.  I'm sure it's possible that it is failing hardware, but the virus looked like hardware failure before.  If I can get to a stable OS, I'll probably replace the memory.  Hopefully that's the right order of operations.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38775152
I found a PC with a CDW.  Let me give it a try.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38775189
take your time, and post results
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38775441
Started DBAN and it tells me:  107.020028 Clocksource TSC unstable

Googling tells me little that I understand.  Should I ignore and continue, or abandon?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38775546
I ran HDTune and here's the results on the Health tab:

HD Tune Pro: WDC WD3200BEVT-22ZCT0 Health

ID                                  Current  Worst    Threshold Data    Status  
(01) Raw Read Error Rate            200      200      51       244      ok      
(03) Spin Up Time                   189      185      21       1516     ok      
(04) Start/Stop Count               94       94       0        6399     ok      
(05) Reallocated Sector Count       200      200      140      0        ok      
(07) Seek Error Rate                100      253      0        0        ok      
(09) Power On Hours Count           91       91       0        7113     ok      
(0A) Spin Retry Count               100      90       51       0        ok      
(0B) Calibration Retry Count        100      100      0        0        ok      
(0C) Power Cycle Count              96       96       0        4311     ok      
(C0) Unsafe Shutdown Count          199      199      0        915      ok      
(C1) Load Cycle Count               129      129      0        215049   ok      
(C2) Temperature                    115      90       0        32       ok      
(C4) Reallocated Event Count        200      200      0        0        ok      
(C5) Current Pending Sector         200      200      0        0        ok      
(C6) Offline Uncorrectable          100      253      0        0        ok      
(C7) Ultra DMA CRC Error Count      200      200      0        7        warning  
(C8) Write Error Rate               100      253      51       0        ok      

Health Status         : warning

Detailed info for the warning:

Description:  Number of interface communication errors:  7
Status:  There were comunication errors.  This may be caused by a damaged cable.
0
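The SMART triage Davis McCarn describes earlier in the thread (reallocated sector count must be zero; CRC errors point at the cable rather than the platters) applied to the HD Tune table above. This is an added Python example, not code from the thread or from HD Tune; the line format, the regex and the verdict rules are my own assumptions.

```python
import re
from dataclasses import dataclass

# A subset of the HD Tune Pro health table posted above (WDC WD3200BEVT),
# re-typed here as sample input for the parser.
SMART_TABLE = """\
(01) Raw Read Error Rate            200      200      51       244      ok
(03) Spin Up Time                   189      185      21       1516     ok
(05) Reallocated Sector Count       200      200      140      0        ok
(07) Seek Error Rate                100      253      0        0        ok
(0A) Spin Retry Count               100      90       51       0        ok
(C4) Reallocated Event Count        200      200      0        0        ok
(C5) Current Pending Sector         200      200      0        0        ok
(C6) Offline Uncorrectable          100      253      0        0        ok
(C7) Ultra DMA CRC Error Count      200      200      0        7        warning
(C8) Write Error Rate               100      253      51       0        ok
"""

@dataclass
class Attr:
    id: int          # SMART attribute id (hex in the table, e.g. 0x05)
    name: str
    current: int     # normalized current value
    worst: int       # normalized worst value seen
    threshold: int   # vendor threshold; 0 means "informational only"
    raw: int         # raw counter as reported by the drive

# Assumed layout: "(ID) Name   current worst threshold raw status"
LINE_RE = re.compile(
    r"^\((?P<id>[0-9A-Fa-f]{2})\)\s+(?P<name>.+?)\s{2,}"
    r"(?P<cur>\d+)\s+(?P<worst>\d+)\s+(?P<thr>\d+)\s+(?P<raw>\d+)\s+\w+\s*$"
)

def parse_table(text: str) -> list[Attr]:
    """Parse HD Tune-style health rows; lines that do not match are skipped."""
    attrs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs.append(Attr(int(m["id"], 16), m["name"].strip(), int(m["cur"]),
                          int(m["worst"]), int(m["thr"]), int(m["raw"])))
    return attrs

# Raw counters where any non-zero value means the media itself is degrading.
# The normalized threshold on these usually only trips when the drive is nearly dead,
# which is why the raw column is the one to read (the point made in the thread).
MEDIA_ATTRS = {0x05: "reallocated sectors", 0xC4: "reallocation events",
               0xC5: "pending sectors", 0xC6: "offline uncorrectable sectors"}

def assess(attrs: list[Attr]) -> tuple[str, list[tuple[str, int, str]]]:
    """Return (verdict, findings); verdict is 'ok', 'warning' or 'fail'."""
    findings = []
    for a in attrs:
        if a.threshold and a.current <= a.threshold:
            findings.append(("fail", a.id, f"{a.name}: normalized {a.current} at/below threshold {a.threshold}"))
        if a.id in MEDIA_ATTRS and a.raw > 0:
            findings.append(("fail", a.id, f"{a.name}: {a.raw} {MEDIA_ATTRS[a.id]} (media degrading)"))
        if a.id == 0xC7 and a.raw > 0:
            # Interface CRC errors happen on the wire, so they point at cable/connector, not platters.
            findings.append(("warning", a.id, f"{a.name}: {a.raw} interface CRC errors (check cable/connector)"))
    if any(f[0] == "fail" for f in findings):
        return "fail", findings
    return ("warning" if findings else "ok"), findings

if __name__ == "__main__":
    verdict, findings = assess(parse_table(SMART_TABLE))
    print(verdict)
    for sev, attr_id, msg in findings:
        print(f"  [{sev}] ({attr_id:02X}) {msg}")
```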
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38775640
Ran the manufacturer's diagnostic SMART test and the HD passed.  Memory tests crash the PC.  Boom.  Abrupt shutdown so I get no results.
0
 
LVL 42

Assisted Solution

by:Davis McCarn
Davis McCarn earned 167 total points
ID: 38776147
(05) Reallocated Sector Count       200      200      140     0       ok      
Good, your HDD is OK!
But; you won't ever get a good install with bad ram.  There is no error checking on the memory and files will get corrupted when they are unpacked into the failing memory then written to the HDD (OOPS!)
Go get the free download of http://www.memtest86.com/ and burn the ISO image to a CD.
Almost all Dell's have a cover on the bottom to gain access to the memory.  Remove one of the two modules (pry the metal clips outward gently and the memory will pop up so you can slip it out) and boot to the Memtest86 CD.  If the bottom of the screen says empty for 15-20 minutes, you took out the bad module.  If it doesn't, switch which one is in the laptop and try again.
Once memtest86 runs clean, you can reinstall; but, it may be painfully slow until you buy a new memory module.
A second time; what is the model of your Dell so I can send you a link for memory?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38776246
This is actually a Gateway M-1631u.  I previously ran memtest86 and it crashed the PC (so did the memory test from the Vista install disk).  I haven't tried testing with a known good stick yet.  Since I got the PC to run fine in the past, I put off replacing memory.  Maybe now is the time to do it.  I can see the memory after removing the cover near the fan.  I also have the info to buy replacements.  Unfortunately, I'm currently running the diskpart clean all command now.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38776450
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38776494
I would suggest you think about buying a new machine, as yours seems to be designed in the Vista era and about 5 years old. Also, Vista was not the perfect OS from MS. It will be worth more to get a new machine than to replace modules in the old one. As a result, with the old one you will pay more.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38776704
I completely wiped the drive so there's no OS.  I ran memtest86 from CD and it again crashed abruptly.  I'm assuming this is bad memory.  I'm thinking now is the time to replace the memory.  After that's done, I'll re-install the operating system.  Let me know if this sounds like a good course of action at this point.

Right now memory is cheaper than a new PC, even if it is running Vista.  I'll probably look into Ubuntu or Linux for the future.  Now I just need it working.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38777191
sure - the ram is bad
if you plan to buy ram, use the Max you can for that system - probably 4 GB
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38778269
Yup; Crucial says the max is 2 2GB modules.
Did you know you can get Windows 8 Pro for $39 until January 31st? http://windows.microsoft.com/en-US/windows/buy?ocid=GA8_SEM_GOO_Buy_Search_Txt_Desktop&semid=ef_GGL_e_t28040046uxa9216ja68_20067904392&WT.search=1
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38788202
I tested the individual sticks of memory and it still crashes the PC on test 2.  Is there another test I can run?  I don't want to replace a component unless I know it is bad.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38788244
if it crashes - it is bad - no need to test further, you can test each stick in each slot though, to check if it is the slot, or the stick that fails
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38788421
You never know if the problem is in the stick or in the memory slot before you try other RAM sticks. Normally PC shops allow returning the purchase within 2 weeks. Get two new sticks and test with them. If the test reports errors then your motherboard needs to be replaced. If no error is reported, the sticks were bad.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38788995
I started keeping the bad memory I ran into after seeing a massive failure rate in Samsung.  About 25 modules later, more than 75% are Samsung.  If that is who made your memory, buy at least one and test again.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38789035
Put in 2 brand new memory sticks and re-installed the OS.  Got past the install, named the computer and set the time zone.  PC then crashed.  I restarted and it began completing the installation, then crashed abruptly.  

I turned the power on again and it crashed during boot up.  That happened several times.  I kept trying and got to the point where I could run start-up repair off the install disk.  It returned no errors.  I then returned to the installation option on the CD and formatted the drive before doing another install.  The format went fine, but the install crashed on installing updates.   I think the error message is generic.  I can't see it before it crashes, but I believe it says something like Windows cannot complete the installation, restart and try again.  I've tried this twice with the same results.

Given the cost of a motherboard with processor, is there any kind of tests I can run to narrow this down?  TIA
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38789285
You cannot test the SATA connectors or RAM slots or processor. Only removable parts such as RAM and HDD can be tested.
Think about a new PC. The signs you get with this hardware are not good. It's like repairing an old house. It will always suck money out of you and never be fed up.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38789520
Does it run Memtest86 now, or does that still crash?
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38789543
There is a 2010 BIOS upgrade for your system ;but, DO NOT even try it if memtest86 still fails!
Your support page: http://support.gateway.com/us/en/product/default.aspx?tab=1&modelId=2354
What's odd is that none of your specs trigger alarms for defective hardware.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38789764
The bios was updated over 6 months ago to the latest listed on the gateway support site.  Memtest86+ runs longer, but still crashes in test 3.  It will boot to the hard drive, but it says, "bootmgr is missing".  I can't get the install disk to run.  I don't get to any options whatsoever on the disk, it shuts down during "windows is loading files".    I had a problem with a virus over 6 months ago that looked like failing hardware.  Last time wiping the HD and re-installing windows got it working flawlessly.  This time, it's become a brick.  Any last ideas before I chuck this thing?  I really need it working because replacement isn't an option at this time.  This thing is only 3 yrs old and has sat in 1 place the whole time.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38789974
Oh, the old memory is Hynix and the new is PNY.
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38789985
Do you have a spare HDD to test installation onto it?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38790007
I have an external storage drive but no spare HD.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38791945
in your case, i would test the ram on another system, since replacing it did not help (it can be the ram controller = mobo)
i always try to run from the Live Knoppix cd - posted above, it often gives more info to the problem (you can test with each stick separately, and in each slot)
another test is burnintest : http://www.passmark.com/download/index.htm

imo when you say " I had a problem with a virus over 6 months ago that looked like failing hardware. "  it was failing....
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38792987
Last summer and, again, two days ago, I have had hard disk drives that, when connected to a terminal, were in the process of executing commands aimed at destroying the drives internal management.  Those commands were the payload of a Trojan (which is a scary thought)
Regardless; if such a Trojan got into your system, the hard disk itself could be why memtest crashes.
In your PC, the hard disk drive is directly under the touchpad.  Take off that cover, remove the hard disk drive, and try memtest again. ( http://support.gateway.com/s/Mobile/2007/Avalon/1014782R/1014782Rbv.shtml )
If memtest then runs, you need a new drive.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38793511
Hoi - Davis - can you remember what Trojan that was??
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38793598
RogueKiller identified the one two days ago as Rogue.FakeHDD which notifies the user their hard disk drive is failing and prompts them to buy fake data recovery software.  There were also several Java Trojans cleaned up by MSE.
What was ugly is that HDTune reported he had 1856 reallocated sectors; but, the drive cloned flawlessly, and Seagate terminal commands restored the G-List to zero.  A complete media scan runs clean. Still, when I connect the terminal and turn on the drive, I get an abnormal startup and am researching that.
The one last summer ran two screens of terminal commands at power up without my touching it with the commands geared towards rewriting the system area.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38793822
Thanks for sharing that Davis.  This PC started out crashing on any virus scan and all backups or recovery options were gone.  I noticed a few other things prior to that point like a questionable admin user account.  That's what led me down the road to suspect a trojan in the first place.  That's why I wiped the drive and tried to re-install.  I've seen viruses make you think they're hardware problems.  But, it's always possible there IS a hardware problem.  I don't have another PC to swap out the RAM.

I'm downloading the ultimate boot CD now.  I'll let you know what happens.  Thanks all.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38793985
Davis, very interesting; i'd like to be in on your search
see my contact details in my profile -  or post how i can contact you

@ AnalogKid : if the problem seems to change, or is unresolved on 1 PC, best try to test all hardware on another one -  to sift out the good from the bad
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38793993
I suggested you simply remove the hard disk drive and run Memtest86 again.  If the firmware in the drive is infected, it could send spurious data to the system causing the crash.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38794044
Not possible to swap out hardware to another PC.  Just don't have it.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38794051
look if you can use one from a friend - or relative
or steal one...lol
you need parts and devices to test
you can also ask a shop
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38794056
I'm stuck.  It looks like I need the Vista OS to be running in order to create the ultimate boot cd.   I can create the disk on another PC running XP, but will that help the Vista PC?  I think I'm missing something.  The ultimate boot cd comes with some great tools, but should I use a build made from an XP machine??  I also don't have an XP install disk.
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38794277
As you are going to test the hardware and not the OS, you can use the disk made on a different OS freely.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 38794708
I suggested you simply remove the hard disk drive and run Memtest86 again.  If the firmware in the drive is infected, it could send spurious data to the system causing the crash.

Memtest86 has worked great for me for almost ten years now and ought to run fine on your PC.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 38795190
I removed the hard drive and memtest86 still crashes on something like the 3rd pass of test 3.  I ran the test without the HD, with both old and new RAM, with the same results.  Both crash at the same step.  Didn't mean to run it on the old, but it happened and now we know that too.  I have no doubt memtest86 is great.  Just once I'd like to see what the results look like.

I cross posted this to hardware and said I was able to get Mandriva Linux to run just fine.   Immediately after I posted that update it crashed.  The PC needs to cool off then I can run it again.  So, there's an overheating thing going on too.  It's not even that hot, just a bit warm.
0
 
LVL 4

Author Closing Comment

by:Analog_Kid
ID: 38795442
With no software on it, there's no virus there now.  Looks like we're dealing with a hardware issue.  Closing this Q, splitting the points evenly, and working the problem in the hardware TA here.  Feel free to monitor, I could use all the help I can get.  I had a hard time picking best solution because all were very helpful.   Thanks a lot.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38795900
>>  looks like I need the Vista OS to be running in order to create the ultimate boot cd.  <<  NO
this CD is independent of any software on the PC - but of course, you need one to create it, like any software, and YES you can create it on a PC running XP.

i also posted my opinion here :
in your case, i would test the ram on another system, since replacing it did not help (it can be the ram controller = mobo)
0