BIOS rootkit or just an MBR rootkit?
Posted on 2013-01-13
I believe I have a rootkit virus on a notebook running Vista Home Edition. I'm actually suspecting a BIOS rootkit. I plan to use diskpart clean to format the drive because that should handle an MBR rootkit, but I'm wondering about a BIOS rootkit. I could use your thoughts and experience. Do I format the drive and re-install Windows, or do I set the BIOS back to default first? Here's the history.
Initially, anti-virus scans would crash the PC before completion and all backup and restore points disappeared.
I decided to re-install Vista. It took about a dozen tries before the PC stopped crashing while copying files from the CD. Eventually I got to the restore/repair options on the CD. I did not have any restore points, and the repair option crashed the PC. I chose the custom install and re-installed Vista. The PC frequently crashed while installing Windows updates. Windows is still at the SP1 stage. SP2 is the next update ready to install.
I decided to run a rootkit detector before going further. Avast MBR found nothing and returned the code: Disk 0 Windows VISTA default MBR code
Kaspersky's TDSSKiller said the scan was "cancelled by user". Nope, I didn't cancel. I found a cloaked version of TDSSKiller and it ran, but again found nothing.
GMER returned this:
---- Threads - GMER 2.0 ----
Thread C:\Windows\system32\SearchIndexer.exe [1992:2280] 000007fef85641e0
---- Processes - GMER 2.0 ----
Library ? (*** suspicious ***) @ C:\Windows\system32\SearchIndexer.exe  000007fefcb50000
---- Kernel code sections - GMER 2.0 ----
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000113900 7 bytes [00, 6B, F3, FF, C1, 40, FC]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000113908 3 bytes [C0, E5, 01]
A second run of GMER also noted the C:\Windows\system32\lsass.exe process as suspicious.
What is the logical next step? Format the hard drive using diskpart clean and re-install Windows, or set the BIOS back to default, then format and reinstall? This notebook is running a Phoenix BIOS with the latest update. I have little time for running AV scan after scan only to end up ineffectively removing the rootkit. I just want to wipe and re-install. Thanks in advance.
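As an added illustration of what an MBR checker like the one quoted in the post ("Disk 0 Windows VISTA default MBR code") is actually deciding, here is example code written for this page; it is not the poster's, Avast's or GMER's code. It parses a 512-byte boot sector, verifies the 0x55AA signature, decodes the four partition-table entries, and hashes the 440-byte boot-code region against a set of known-good hashes, then shows that a change to the boot code alone (partition table and signature intact) is flagged. The sample sector, its disk signature, partition layout and the "known-good" hash are all constructed here for the demonstration; the boot code is filler, not a real Vista MBR, and the patched bytes are an arbitrary modification, not real malware.

```python
import hashlib
import struct

# Partition type bytes a practitioner meets most often (assumption: this small
# table is enough for the demonstration; real tools carry a much longer list).
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (NOT a real Windows Vista boot sector).

    Layout: 440 bytes boot code, 4-byte disk signature, 2 reserved bytes,
    4 x 16-byte partition entries, 2-byte 0x55AA signature = 512 bytes.
    """
    boot_code = bytes(range(256)) + bytes(range(184))        # 440 bytes of filler
    disk_signature = struct.pack("<I", 0xDEADBEEF)             # constructed value
    reserved = b"\x00\x00"
    # Entry: status, CHS start (3), type, CHS end (3), LBA start, sector count.
    # One bootable NTFS partition starting at LBA 2048, 100 MiB long (assumed).
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xFE\xFF\xFF", 2048, 204800)
    empty_entry = b"\x00" * 16
    return boot_code + disk_signature + reserved + entry1 + empty_entry * 3 + b"\x55\xAA"


def is_valid_mbr(sector: bytes) -> bool:
    """A sector is a candidate MBR only if it is 512 bytes and ends in 55 AA."""
    return len(sector) == 512 and sector[510:512] == b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Decode boot-code hash, disk signature and non-empty partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    boot_code = sector[:440]
    disk_signature = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for index in range(4):
        offset = 446 + 16 * index
        # Skip the two 3-byte CHS fields; LBA values are what matter today.
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0x00:
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
    }


def check_boot_code(sector: bytes, known_good_hashes: set) -> str:
    """Mimic a scanner's verdict: default code, or boot code that differs."""
    info = parse_mbr(sector)
    if info["boot_code_sha256"] in known_good_hashes:
        return "default MBR code"
    return "boot code differs from known-good"


def patch_boot_code(sector: bytes) -> bytes:
    """Overwrite the first three bytes with `jmp $; nop` (EB FE 90).

    This is an arbitrary modification standing in for a bootkit's patched
    loader, not real malware. The partition table and 55 AA signature are
    left untouched, which is exactly the case a partition-table-only check
    would miss and a boot-code hash catches.
    """
    return b"\xEB\xFE\x90" + sector[3:]


if __name__ == "__main__":
    good = build_sample_mbr()
    known_good = {parse_mbr(good)["boot_code_sha256"]}   # constructed "known-good" set
    print(check_boot_code(good, known_good))
    print(check_boot_code(patch_boot_code(good), known_good))
    for part in parse_mbr(good)["partitions"]:
        print(part)
```

Two caveats when applying this to a real disk. First, read the first 512 bytes of the physical drive from clean boot media: a kernel-resident rootkit that filters disk reads can hand an unmodified sector to a scanner running on the infected system, so a clean verdict from inside that system proves little. Second, note what the check covers: the MBR and partition table on the disk, which diskpart clean rewrites (clean overwrites the partitioning information; clean all zeroes every sector), and nothing in the firmware, which no disk wipe touches.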