Help needed to fully erase and flash BIOS (possible virus in BIOS)

atlanzer (n00b) - Joined Jun 17, 2012 - Messages: 31
Hi everybody. :)

I am new to this forum and I need help with a big problem I am having. I hope you can help me.

I need to erase the whole BIOS and flash a new one, since it is highly possible that a virus lies in it.

I already contacted my antivirus support, Kaspersky, but I have had no solution for it yet, although they confirmed to me that there is a virus in the PC (for those interested who can contact Kaspersky for further information, here is the last protocol number, at www.kaspersky.com.br, of a series of reports I made, in Portuguese: 313959109).

Some weird behaviors that the virus causes are: offline actualization of the registry during the Windows installation process, in a number almost equal to the number of errors AVG detects in a system scan in Ubuntu Linux (files with permission denied and absent files); also changed permissions on files, disk and directories, unknown users and groups in the system, changed Windows system files, hidden network drives, and so on.

The problem is difficult to resolve; for instance, see:

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html

and

http://forums.cnet.com/7723-6132_102-281792/can-viruses-be-removed-from-the-bios/.

At the current stage of the evaluation of the problem, after I used the BIOS flash utility (MB ASUS M4N68T-M LE), it happens that with 4096 MB of memory the BIOS reads 3860 MB as usable, and it read 2560 MB before with the video card plugged into the MB.

The BIOS is updated to the latest version available on the ASUS website.

With afudos /i<biosname> /pbnc it stops erasing the BIOS at 81%, and I really need to erase it all (100%).

By now, it seems to me that this way I will be free of the virus.

The help I need is the parameters for afudos (version 2.41, the latest on the ASUS website) to fully erase and flash a new BIOS, and also, if possible, the parameters in afudos to copy the entire content of the BIOS so I can send it to the support of the antivirus I use.

If possible, a link to the afudos manual would greatly help, since I didn't find it on the ASUS website on the afudos download page for the MB I cited above.

Thanks for your help!

Andre.
 
Thanks for the reply.

I did that already, but the problem remains.

I used the flash utility from the mobo, turned off the PC before the automatic restart, removed and discharged the memory, all this with the jumper in the clear-CMOS position, and also without HDs installed and without the video card installed.

After this, when I turn it on again and enter the BIOS, the problem remains.

I am not sure, but it seems that the flash utility in the BIOS doesn't erase the whole BIOS, and afudos doesn't either, as I related before (it stops at 81%); that's why I need to know the parameter to go to a 100% erase of the BIOS and to copy 100% of it before erasing...
 
Ah, I remembered one thing to say:

The flash utility in the BIOS doesn't erase the whole BIOS, which can be seen in the progress bar while it is being done.

Andre.
 
If you feel like you have a virus in your BIOS (which is REALLY rare), you can contact Asus and see if they can possibly send you a preprogrammed BIOS ROM chip. They are replaceable on most motherboards now, and yours is replaceable. It's the small black chip directly under your 24pin power connector.
 
Thanks for the reply again.

I contacted ASUS yesterday on the same subject, but I read somewhere on the internet that it may take a month for them to answer me. Meanwhile, I am being pushed to fix the PC.

If it really has a virus in the BIOS (and I have never seen one, but so far that is what it seems to me), I believe it would be a great opportunity to catch it (saving the entire content of the BIOS) and send it to the support of the antivirus I use (Kaspersky).

Also, it would be cheaper and faster to erase the entire content of the BIOS with appropriate software (afudos) and to write it again than to buy a new chip ;)

Andre.
 
What you have is a bad board, not a virus in the BIOS.

This same "disappearing" memory issue was a real problem on some of the X58 motherboards in the past year, and there was no fix.

I had one of the affected X58 boards, and tried everything possible to remedy it.

Finally had to RMA the motherboard as the only solution.

If you really think the problem lies in the BIOS, then the only way to deal with it is to fully replace the BIOS EPROM. If you have a BIOS tool, and the BIOS is not soldered in, you can purchase an EPROM from any one of several dealers online.
ASUS replaced a BIOS chip for me a few years back; it only took a week to get it done.

Have you tested your memory with memtest?
Have you reseated the CPU?

Those are common problems in this finding.:D
 
Thanks once more for the reply.

It could only be a bad board if it was a factory malfunction, since it was bought a few months ago, which is also a possibility, but...

- Memory test: 2 default passes with MemTest86+ v4.20, no errors at all, but it showed memory as 3838 MB instead of 4096 MB, against the 3860 MB shown as usable by the BIOS.

- The board was reset by putting the CMOS jumper in the clear position, waiting some minutes, and also removing the battery from the board.

The behavior of offline actualizations of the registry (almost 34K of them) happened before with another board and another processor, and with the same original Windows 7 Home Premium DVD, bought in a computer shop. Before a connection to the internet is set up, the antivirus (Kaspersky Internet Security 2012) is installed with the most aggressive options possible and run, finding no viruses.

The board was changed to this new one (ASUS M4N68T-M LE) and the hard disks were kept the same, with no wiping of them during the board and processor change. Memory was changed.

I suspect that the virus was on the disks, somehow undiscovered by the antivirus, which could be possible, I guess, if the virus was on a lower layer of the system where the antivirus doesn't search, but I am not aware whether the antivirus really doesn't search in lower layers of the system. That could be checked with antivirus support, but would demand some time... Perhaps at another moment I will suggest this to them ;)

A possible explanation for this could be the virus being in the BIOS, uploaded from the disk, perhaps programmed in machine code, where the lower layers of the system are.

Smart Boot Manager from Hiren's Boot CD 15.1 revealed unknown disk boots which were not related to any physically existing disk. Also, hidden network drives were found in the installed system.

By now, to check if the virus is really in the BIOS, it is necessary to copy the entire content of the BIOS (100%) and send it to antivirus support before erasing the whole BIOS (100%) and writing it again, which seems to be possible with afudos, but the parameters already tested and found elsewhere on the internet didn't produce the expected results. It stops erasing at 81%, probably the same value at which the BIOS flash utility stops erasing (the erase progress bar doesn't complete).

After this, I can check the memory values again, to see if it goes beyond 3860 MB when there are 4096 MB (2 new, recently bought sticks of 2 GB each).

So, I need to know the parameters of afudos v2.41 to fully copy the contents of the BIOS and to fully erase and flash a new BIOS. I didn't find these parameters on the ASUS website...

Andre.
 
For those who may be interested, here are the parameters of AFUDOS that I found on the internet:

http://www.scribd.com/doc/79351607/19/Chapter-6-AFUDOS-AMI-Firmware-Update

and

http://forums.mydigitallife.info/archive/index.php/t-12556.html

...but they didn't work as expected.

I don't know if I used the wrong parameters, or if v2.41 changed them...

If someone knows how to use them correctly in v2.41 it would be a great help for me, to:

fully (100%) copy the contents of the BIOS to a file,

and

fully erase (100%) and flash a new BIOS.

Thanks for any reply on this subject ;)

Andre.
 
That board has an integrated GPU built in to it that is going to utilize some of system RAM (which is why you do not 'see' all 4GB). There is no virus in your BIOS.
 
Wow, that information helps a lot. Thanks for the reply :)

I don't understand why this memory usage changes, but why do offline actualizations of the registry happen while Windows installs (some 34k of them)? I usually don't see this behavior in original Windows installations.

There are also unknown users in the system, for instance "PROPRIETARIO CRIADOR" and "DIREITOS DO PROPRIETARIO", the last one unknown to Microsoft when I reported it in a phone call to them.

This last user, "DIREITOS DO PROPRIETARIO", owns the registry key of the Windows license (I checked this registry key on Microsoft's website), and I usually need to make a phone call to validate the installation, without changing the hardware... Could it be possible that someone has taken ownership of the license and has been using it on other equipment? In a phone call to Microsoft, they said to me it's impossible to get the license...

It was also said by someone that it was impossible to go beyond 40 miles when the first trains were developed...

Other behaviors reported before are also suspicious...

Any ideas ?

Thanks for any reply on this subject.

Andre.
 
I just remembered one more thing.

When I checked the problem with an Ubuntu Linux installation, after some time the system said it was not an official system installation, but the Ubuntu ISO was downloaded from the official Ubuntu website, and AVG was installed offline (downloaded on another PC).

Just a reminder that with AVG run under Ubuntu the number of errors reported was close to or perhaps equal to the number of registry actualizations during the Windows 7 Home Premium offline installation (original DVD, no copies for anyone).

Andre.
 
This thread brought back a fond memory.

[image: 3226l.jpg]
 
It is highly unlikely for a virus to infect a BIOS, and impossible for it to have survived a flash update. It is MUCH more likely that the master boot record of the hard drive is infected, but reinstalling Windows should wipe that out. If you want to be 100% sure, use a tool called DBAN to zero-fill the drive to erase every single accessible bit of data on the drive. Just be sure that any data you wanted to save is backed up first.

I don't know what you mean by "actualizing the registry", so no help from me on that one.
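Since the discussion above turns on whether the master boot record is infected (and an earlier post reports "disk boots" for disks that do not physically exist), here is the check a practitioner would run on the first sector before guessing. This is an added example, not code from the thread or from any of the tools mentioned in it: it parses a 512-byte MBR, hashes the 446 bytes of boot code so the value can be compared against a known-good copy or across machines, and flags partition entries that are malformed, overlap, or point past the end of the physical disk. The sample sectors, the 2 GB disk size and the stand-in boot-code bytes are all constructed for the example; a real MBR is read with `dd if=/dev/sda bs=512 count=1` or a disk editor.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
MBR_SIGNATURE = b"\x55\xaa"
# One 16-byte partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four (status, type, lba_start, count) tuples.

    Used only to construct the sample sectors below; a real MBR is read from the disk.
    """
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partition entries")
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    table += bytes(16 * (4 - len(entries)))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


def parse_mbr(sector: bytes, disk_sectors: int) -> dict:
    """Parse one MBR and return the boot-code hash, the partition table and a list of problems.

    disk_sectors is the real size of the disk in 512-byte sectors, so that an entry pointing past
    the physical disk (a 'boot entry' for a disk that does not exist) is reported.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    problems = []
    if sector[510:] != MBR_SIGNATURE:
        problems.append("missing 0x55AA boot signature")

    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        raw = sector[BOOT_CODE_LEN + 16 * i: BOOT_CODE_LEN + 16 * (i + 1)]
        status, ptype, start, count = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0:
            if any(raw):
                problems.append(f"entry {i}: unused type but non-zero fields")
            continue
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if start == 0 or count == 0:
            problems.append(f"entry {i}: zero start or length")
        elif start + count > disk_sectors:
            problems.append(f"entry {i}: extends past end of disk ({start + count} > {disk_sectors})")
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "start": start, "count": count})

    if sum(p["active"] for p in partitions) > 1:
        problems.append("more than one partition marked active")
    ordered = sorted(partitions, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["count"] > b["start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")

    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),  # compare with a known-good MBR
        "boot_code_wiped": not any(boot_code),                       # True after a zero-fill
        "partitions": partitions,
        "problems": problems,
    }


# --- constructed sample input (not a dump from any machine in this thread) ---
DISK_SECTORS = 2 * 1024 * 1024 * 1024 // SECTOR_SIZE   # a 2 GB disk
# A few x86 instructions as a stand-in for real boot code (xor ax,ax; mov ss,ax; mov sp,0x7c00; nops).
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
GOOD_MBR = build_mbr(SAMPLE_BOOT_CODE, [
    (0x80, 0x07, 2048, 204800),         # active 100 MB NTFS system partition
    (0x00, 0x07, 206848, 3987456),      # NTFS partition filling the rest of the disk
])
BAD_MBR = build_mbr(SAMPLE_BOOT_CODE, [
    (0x80, 0x07, 2048, 10_000_000),     # claims 10M sectors on a 4M-sector disk
    (0x01, 0x83, 4096, 1024),           # bad status byte, and overlaps entry 0
])

if __name__ == "__main__":
    for name, mbr in (("good", GOOD_MBR), ("bad", BAD_MBR), ("zeroed", bytes(SECTOR_SIZE))):
        r = parse_mbr(mbr, DISK_SECTORS)
        print(name, r["boot_code_sha256"][:16], r["partitions"], r["problems"])
```

The boot-code hash is the useful part: the two sample sectors share one hash because only their partition tables differ, and a drive whose 446 bytes do not match the hash of the installer's known MBR is worth a closer look, whereas a table entry that points past the disk is either a tool's mistake or something that wanted the BIOS to try booting from a non-existent location.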
 
Thanks for the reply.

I will look for DBAN on the Internet and try it.

Meanwhile, by actualizations of the registry, I mean that when the Windows installation proceeds (original DVD without any allowed copies or installations of it), registry keys are added for an unknown reason (not commonly seen behavior in Windows installations), which makes me believe that something wrong is going on in this process.

Also, as I reported before, I found some suspicious behaviors in the Windows system.

Some 34k registry keys are added during the Windows installation, which is possibly the number of errors that AVG finds during a scan in Ubuntu Linux (downloaded from the official website). I can't be completely sure of this number since they happen very fast, and I can't count them precisely.

Andre.
 
Ah, I just checked on the internet.

DBAN (http://www.dban.org/), Darik's Boot and Nuke, which is available on Hiren's Boot CD 15.1.

I used it already, with no success. The problem remains.

Andre.
 
LOL Kyle. Funny reply :D

I must say that the problem happened before with a GIGABYTE MB and also with a PHITRONICS MB, but now I am analyzing it more deeply, as it is becoming nasty ;)

Also interesting to say that the user of the PC plays online games.

Thanks for the reply.

Andre.
 
The registry additions may either be a counterfeit DVD, or it's a DVD with updates rolled in that have to be applied after install.

EDIT: OR you could have an OEM install disc that has its own software rolled into the installation. Either way, three different motherboards would have three different BIOSes and thus there is no way for a single virus to exist across all three platforms. Wiping the drive would eliminate that as an avenue for reinfection as well. Everything is pointing to your install media.
 
Thanks for the reply.

The disks were wiped only in this last motherboard change, after the problem was noticed and more deeply evaluated.

Not all these problems happened before.

The DVD is intact and it's new, bought this year.

As a matter of fact, there are 2 PCs in a home network linked to a router which is connected to the modem.

The problem is similar on both PCs, and each one has its own DVD for the installation of Windows 7 Home Premium, both DVDs original.

Andre.
 
Sad to say that the version of AFUDOS available on the AMIBIOS website, v4.40, is not supported by the motherboard... and the version of AFUDOS (2.41) on the ASUS website is from 2009... but the latest BIOS revisions for the motherboard are from 2011... :mad:

Does anyone know all the parameters of AFUDOS v2.41?

Or perhaps a link to another version of AFUDOS which could be supported by the motherboard, also with its parameters?

Thanks ;)

Andre.
 
Have you reached out to the ASUS reps on our forum?
 
Thanks for the reply, Kyle. :)

Answering your question: not yet, I will look for them and see if something there helps me.

I placed this thread here since it looked like the proper place to do it. As I said previously, I am new to the forum and also new to discussing subjects of this matter in forums.

If I don't find something to help me there, I will post another message here in this thread.

Andre.
 
For those who may be interested,

here follow the links to the AVG scan results executed in Ubuntu Linux 12.04.

The problem remains even going to 86% erasing of the BIOS with v2.07 of AFUDOS...

As it was before (suspicious files with permission denied and several files not found, in a number of errors close to the number of registry entries that happen in the Windows 7 Home Premium installation):

https://rapidshare.com/files/3621441645/scanresultfullwithupdate2.txt

As it is now (errors detected in Ubuntu Linux remain):

https://rapidshare.com/files/966713191/scanresult20062012_after_afudos_207.txt

I may post further information here if I find something interesting or new on the subject.

Thanks once more for your attention.

Andre.
 
Yes, night_2004.

About the usable memory you are completely right. Dropping the OnChip VGA Frame Buffer Size from 256 MB, as it was by default, to 32 MB, usable memory now reads as 4064 MB, plus 32 MB = 4096 MB, the exact amount of memory I have with the 2 sticks of 2 GB each.

This solves the question of the possible virus lying in the memory, reinforcing the possibility that it could lie in another place, for instance in the BIOS.

ryan_975,

I agree with you that it is highly unlikely for a virus to infect a BIOS, but they exist (see, for instance, http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html).

The test that I want to do is to fully (100%) copy and later erase the BIOS, to later check how AVG proceeds in a scan in an Ubuntu installation, and further to check if registry entries are added during a Windows installation, with the disks wiped before with DBAN.

The most I can erase the BIOS now is 86%, with AFUDOS /i<biosname.rom> /n /pbn.

Does anyone know the parameters of AFUDOS v <= 2.41, other than 2.27 (which I didn't find in a whole day of research on the Internet), to do this? ;)

Andre.
 
Small remark: with AFUDOS 2.07 and parameters /n /pbnc it erases the boot block. Same with version 2.27 that I found here: http://rickypt.home.sapo.pt/afudos.rar. The BIOS works fine even flashing it with these two versions, which are not the 2.41 available on the ASUS website for the motherboard.

So it seems it flashes the whole BIOS (first it goes to 86%, then continues in the boot block till 100%).

I had just bought a pen drive with antivirus on it (PQI Traveling Disk U273 with Norton on it), since in the process of installing AVG in Ubuntu I was using another one without antivirus on it.

As a matter of fact, just a remark. The pen drive with antivirus is this one: SanDisk http://www.mcafee.com/us/about/news/2008/20081021_050000_x.aspx, which I am still looking for. Actually, best shot: McAfee VirusScan USB - http://home.mcafee.com/Store/PackageDetail.aspx?pkgid=269.

2 possible choices I will check: the virus was on the pen drive (boot, perhaps) and wrote itself to disk (which doesn't explain registry key insertions or actualizations of the registry in the Windows installation, since it happened without the pen drive in it), or the virus was on the pen drive and wrote itself to the BIOS (which could be weird, but... I learned some time ago that in computer science almost everything is possible).

Anything new I will post here, if that's no problem for you, people.

Thanks once more for your attention and for the opportunity to post here in this forum ! :)

Andre.
 
But does Ubuntu 12.04 come with WINE installed on it? :confused:

I just installed it with normal options and without connecting to the internet... and with the disk wiped with DBAN before... and erasing it all during installation...

Also, by now, I was thinking about all that happens:

Could it be a virus in the MBR that uploaded itself to memory and/or to the BIOS?
 
But does Ubuntu 12.04 come with WINE installed on it? :confused:

Nope, WINE is off topic in this thread, but I thought that I would throw in a warning before people dismiss the chance of a virus in Linux, as a virus in WINE can cause horrible damage.
 
Yep, if something I said here in this post can help with that, a warning can always help people avoid a worse situation where it can be avoided ;)
 
Hi people.

McAfee antivirus didn't work on a Kingston DT101 pen drive with 4 GB and UrDrive. Previous contact informed me it was going to work on it. I sent an email asking for a solution.

Meanwhile, I was considering a good sequence to get rid of it.

I am thinking of:

- Board without battery and in the clear-CMOS position;
- Boot Hiren's Boot CD;
- Access the pen drive with antivirus on it (for instance McAfee VirusScan USB) and run F-PROT;
- Access Hiren's Boot CD and clear the disk with DBAN;
- Erase all partitions and the MBR with Super Fdisk or something else;
- Turn off (cut power, don't reboot);
- Unplug the disk;
- Remove memory sticks and discharge them;
- Put the battery in, wait for the CMOS to clear;
- Remove the battery;
- Boot Hiren's Boot CD;
- Access the pen drive with antivirus on it (for instance McAfee VirusScan USB) and run F-PROT;
- Run AFUDOS 2.27 /n /pbnc;
- Turn off the PC (cut power), don't reboot;
- Remove memory sticks and discharge them;
- Put the battery in, wait for the CMOS to clear;

(Pray :confused:)

(Could any virus resist this? :confused:)

- If "press F1 to configure BIOS" appears, configure it.

- Install Windows and check (also see http://ubuntuforums.org/showthread.php?p=12049170&posted=1#post12049170).

Any comments on this are appreciated. Some help here would be good. I wrote several times and nobody answered...

If I were an expert I would sell this and not share with you -.-

Thanks.
 
After you've reflashed, rewiped, and reinstalled so many times, the only way a virus could possibly survive all that is by installing itself from a compromised DVD, which you say was legitimately purchased from a computer store. So assuming the computer store didn't sell you something that's counterfeit (and those things can look incredibly real), you do not have any form of malware on that computer.

Unless you can provide a log of what AVG is reporting as errors, then I can only suggest that it's finding problems related to entries for items that don't exist on that specific instance of Windows (remember, Windows has to exist on an unimaginable combination of hardware and software) or because it's scanning through an unenumerated registry (some things won't be set until the hardware and OS are booting up).

Almost every system update makes changes to the registry. And many times I have seen the system display each of the keys that are being changed during a reboot after an update is installed, especially if it's a service pack or roll-up.
 
Thanks for the reply, Ryan ! It helped me a lot !

I provided the AVG log on 06-20-2012, but there is no problem with the logs by now. In the Ubuntu Forum they reported to me that the suspected files are system files (see http://ubuntuforums.org/showthread.php?p=12043997#post12043997 for more information).

I already had this kind of problem you mention (counterfeit) at another computer store where I sometimes bought, when it happened that I bought a counterfeit part. Of course, lightning flashes all over the sky :D. But I trust the computer store where I bought the installation DVDs. In that store they were bought at different times, so one doesn't have SP1 on it and the other has.

Also, the information you provided about seeing registry entries in the installation process makes me calmer, as it doesn't happen only here! But this is something new, huh? I was not used to seeing these things in offline installations...

Andre.
 
I completely missed that you had posted that log earlier. Anyway, I skimmed through it and there was nothing listed that had anything to do with Windows or a Windows filesystem (NTFS). All the files listed were part of Ubuntu, and most likely couldn't be accessed due to permissions, or they were open-ended symlinks. I saw nothing to worry about at all.


Also, in case I missed it before, which version of Windows are you working with? I've been assuming it was Windows 7 this whole time (not that it would change anything I've said).
 
I will post here some images that may help a while; perhaps I am wrong about the BIOS virus, but on a third computer on the same home network, a notebook, its BIOS antivirus popped 3 alerts in different programs run from Hiren's Boot CD:

https://rapidshare.com/files/828627911/Boot_Sector_Virus_in_Extended_FDisk.JPG

https://rapidshare.com/files/192094409/Boot_Sector_Disk_in_delpart.JPG

https://rapidshare.com/files/41682587/Boot_Sector_Disk_in_Super_FDisk.JPG

After DBAN completed, on other PCs something was found left at the beginning of one of each one's partitions (seen with Active Disk Killer):

https://rapidshare.com/files/3692471872/After_DBAN_interesting_fragment_of_code_in_the_beginning_of_the_partition_1.jpg

https://rapidshare.com/files/2649443011/After_DBAN_interesting_fragment_of_code_in_the_beginning_of_the_partition_2.jpg

https://rapidshare.com/files/3567216889/After_DBAN_interesting_fragment_of_code_in_the_beginning_of_the_partition_3.jpg

https://rapidshare.com/files/3250273338/After_DBAN_interesting_fragment_of_code_in_the_beginning_of_the_partition_4.jpg

https://rapidshare.com/files/3775444280/After_DBAN_interesting_fragment_of_code_in_the_beginning_of_the_partition_A_Final.jpg

1st - They survived DBAN.

2nd - Code fragments? I circled in red some parts I found interesting.

A sample of adding a registry entry in an offline installation (obs: Vista installation on the notebook):

https://rapidshare.com/files/2601378216/Registry_add_1903_of_40k_during_windows_installation_Vista.JPG

Unknown user owning E: after installation:

https://rapidshare.com/files/3409107219/Unknown_user_owns_E.JPG

User names all in capitals, against Windows default users starting with a capital letter and continuing in lowercase:

https://rapidshare.com/files/3308034757/unknown_users_in_the_PC_all_name_in_caps_high_PROPRIETARIO_CRIADOR_and_others.JPG

TrustedInstaller owns C: (not found later when changing ownership to the administrator's user name, not even in the upper image):

https://rapidshare.com/files/2125326310/TrustedInstaller_owns_C.JPG

Thanks for any comments on these images :)

Andre.
 
The BIOS AV isn't really an AV; it just monitors the MBR of a hard drive and warns you of ANY attempt to write to it. That includes tools like DBAN, fdisks, and even the Windows installer. It popped 3 times because YOU were trying to make changes, not any virus.


As for your suspicious code fragments... I think you're stretching for that one. It just looks like you used DBAN in a way that generated random data. Your disk editor is just using a character set that gives those particular data sets an almost recognizable pattern... use a tool with a different character set and I'm sure you could find almost recognizable patterns in areas that didn't have them before.


Finally, Windows is designed with predefined users and groups already in existence, TrustedInstaller being one of them (which always owns the system drive unless someone's changed it). You're using a different language than I'm familiar with, so I can't say whether those users are normal or not, but given that there is absolutely no evidence of malicious activity anywhere else in your posts, I'm going to lean towards this being the same case as well.
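Two checks come up repeatedly in this thread: comparing a dumped BIOS image against the vendor's file (the test the original poster wanted to run before erasing the chip), and deciding whether bytes left on a disk after DBAN are real leftovers or just random fill that a disk editor's character mapping makes look like "code fragments", as the reply above explains. The following is an added example, not code from the thread or from AFUDOS, DBAN or any other tool mentioned in it. On constructed data it reports the byte ranges where two same-size images differ, the ranges that are still non-zero after a zero-fill, and the printable "strings" that appear purely by chance in seeded random bytes. VENDOR_ROM, DUMPED_ROM, WIPED_DISK and RANDOM_DATA are all built here for the example; however a real dump is obtained, the same functions apply to its bytes.

```python
import random


def regions(data: bytes, keep) -> list:
    """Maximal [start, end) byte ranges of data for which keep(byte) is true."""
    out, start = [], None
    for i, b in enumerate(data):
        if keep(b):
            if start is None:
                start = i
        elif start is not None:
            out.append((start, i))
            start = None
    if start is not None:
        out.append((start, len(data)))
    return out


def diff_regions(image_a: bytes, image_b: bytes) -> list:
    """Byte ranges where two same-size firmware images differ (dumped ROM vs. vendor file)."""
    if len(image_a) != len(image_b):
        raise ValueError(f"image sizes differ: {len(image_a)} vs {len(image_b)}")
    return regions(bytes(x ^ y for x, y in zip(image_a, image_b)), lambda v: v != 0)


def nonzero_regions(image: bytes) -> list:
    """Byte ranges that are not zero; after a zero-fill pass this should be empty."""
    return regions(image, lambda v: v != 0)


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes: the 'strings' a hex editor shows beside the hex."""
    return [data[s:e].decode("ascii")
            for s, e in regions(data, lambda v: 0x20 <= v <= 0x7e) if e - s >= min_len]


# --- constructed sample data (not anyone's real BIOS or disk) ---
ROM_SIZE = 64 * 1024
VENDOR_ROM = bytes(range(256)) * (ROM_SIZE // 256)
# "Dumped" copy: a 1 KiB block at 0x4000 rewritten (think settings/NVRAM) and one byte changed at the end.
_dump = bytearray(VENDOR_ROM)
for _i in range(0x4000, 0x4400):
    _dump[_i] ^= 0x5A          # XOR with a non-zero constant guarantees every byte in the block differs
_dump[-1] ^= 0x01
DUMPED_ROM = bytes(_dump)

# Eight zeroed sectors with 16 non-zero bytes resembling a boot-sector header left at the very start.
WIPED_DISK = b"\xeb\x3c\x90" + b"MSDOS5.0" + b"\x02\x08\x01\x01\x01" + bytes(8 * 512 - 16)

# A seeded stand-in for one random wipe pass (deterministic, so the result is reproducible).
_rng = random.Random(2012)
RANDOM_DATA = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    print("ROM differences:", [(hex(s), hex(e)) for s, e in diff_regions(VENDOR_ROM, DUMPED_ROM)])
    print("non-zero after wipe:", nonzero_regions(WIPED_DISK))
    runs = printable_runs(RANDOM_DATA)
    print(f"{len(runs)} 'strings' of 4+ chars in 4096 random bytes, e.g. {runs[:5]}")
```

Comparing against the vendor image is only meaningful when the dump and the file have the same size and layout; a settings or NVRAM area will legitimately differ, so what matters is a difference in the code regions that the vendor's own update does not account for. The random-data run shows the point made above: roughly 37% of random bytes fall in the printable ASCII range, so four-character "words" turn up dozens of times in a few kilobytes, and a 4 KiB stretch at the start of a drive that ends with a random pass will always contain some.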
 
Thanks in advance for your comments!

You helped me a lot! I was getting nervous with all this, because a lot of lag happens in online gaming, and after I researched a while in the system I thought the things I said were quite uncommon, but knowing they are common makes me much calmer now!

Ah, one thing. The fragments of supposed code I found were found only at the beginning of the disk; all the rest was filled with zeros. I thought it strange because someone said nothing resists DBAN, and I found that. DoD (3 passes) was used in DBAN.

Once more, thanks for your attention !

Andre.
 