Amydala Posted October 29, 2019 So...I have been fighting a very awful infection that I think I finally nailed down to a former resident having hacked our cable modem and remoting in. Hardware has been replaced and since locked down. However, not before wreaking havoc on laptops and a brand new HP desktop. The HP is the one I'm stuck on. In fact, I'm going to be calling their paid support again this afternoon, which is less than stellar, as you can imagine. The old Dell laptops I have I was able to clean using ClamAV because, for whatever reason, I could get at those files that were infected. But on the HP? I simply cannot find where those damn BIOS files are living to even try to clean or replace them. Even when I boot from a USB stick or CD, most of the recovery drive files remain locked. And it seems like the recovery X: drive must also just be a clone of something else anyway, because even if you do manage to delete an unlocked file in there, it happily comes right back on your next boot. Does Immunet handle this? I don't even have this thing up and running yet to get Immunet on it. But if there is a chance it can kill it, I will certainly give it a shot by direct connecting it to my cable modem. I am *not* putting it on my network, for sure. Or alternatively, if there is a way to install it with the dat files already downloaded, that would be preferable. I tried ClamAV to clean it but was unsuccessful because I just didn't know where to scan. The usual boot to the Recovery CMD didn't cut it on the HP. Possibly also because several of the files were locked and couldn't be read. Any advice is appreciated.
Rob.T Posted October 29, 2019 Unfortunately Immunet won't be able to remove BIOS and rootkit malware, but it should at least be able to detect and confirm if you have a BIOS or rootkit virus. At one point Immunet had a paid version that included an AV engine that was capable of rootkit removal. With an infected BIOS your shot is to re-flash the BIOS and hope that fixes it. I suspect you might be bumping into a "feature" of Dell machines: Dells sometimes have a portion of their hard drive partitioned as a recovery drive that contains a full Windows installer. In case the machine needs to be factory reset, the user disk partitions can be wiped and the recovery partition used to re-install a fresh copy of Windows. To support this factory reset feature, Dell installs a custom BIOS with their machines that contains the factory reset program, which also prevents anything from modifying the contents of the recovery partition, so nothing can accidentally (user/AV software) or intentionally (viruses/malware) corrupt the emergency recovery partition.
zombunny2 Posted March 2, 2020 If your machine uses BIOS ("legacy boot"), use something like Emsisoft Emergency Kit, Kaspersky Rescue Disk, etc. to clean your machine. That should fix any MBR virus. If the BIOS itself has been compromised, you could try reflashing the BIOS from the manufacturer's web site, but really you just can't trust that hardware any more. By the looks of things, it uses EFI though. If the hardware itself (chips) has somehow been compromised, the same applies as above: reflash or junk. However, if just the EFI boot partition has been infected, again EEK or a rescue disk should fix it. You need to have not booted from that hard disk to be able to fix it. If it still can't be cleaned, just issue an ATA secure erase command (search the net for how to do it) to reset your hard disk to factory settings (or just buy a new hard disk). Then reinstall your OS and restore your files from backups.

Be warned:

1. ATA secure erase wipes absolutely everything from your hard drive. It will all be gone forever (including whatever virus is lurking on it). Don't do it without verifying you have already safely saved everything you needed elsewhere. Once your porn collection and cat videos are gone, they're gone.

2. If your backups are also compromised, then restoring them will re-infect your machine and you'll be back where you started, just several hours older. This obviously also applies to cloud storage, not just USB sticks and hard drives.

3. If it's not offline and not disconnected, it's not a backup. "The cloud" isn't a backup. Even if it's called "cloud backup". An extra hard-disk partition isn't a backup. Two tapes or hard disks in a safe, used in rotation, is a backup.
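The reply above distinguishes an infected EFI boot partition (fixable from rescue media) from compromised firmware (reflash or junk). One practical way to tell which you are facing is to boot from clean media, mount the EFI System Partition read-only, and compare every loader on it against hashes recorded from a known-good install. The script below is an added example, not code from the poster or from Immunet; the manifest format, the `EFI/Vendor/Tools/FlashUpdate.efi` path and the file contents are constructed for the demo, and the fake partition tree is built in a temporary directory so it runs offline without touching a real disk.

```python
#!/usr/bin/env python3
"""Offline integrity check of the boot binaries on an EFI System Partition (ESP).

Added example: hash every *.efi file under a mounted (or copied) ESP and
compare it with a manifest of known-good SHA-256 values, reporting loaders
that were modified, dropped in, or removed. The demo tree is constructed
sample data, not a real partition.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large loaders need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_efi_tree(root: Path) -> dict:
    """Map each *.efi file (case-insensitive) under root, keyed by its
    forward-slash relative path, to its SHA-256 hex digest.
    Symlinks are skipped: a real ESP is FAT and cannot hold them, so one on a
    copied tree is itself worth a look."""
    observed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() != ".efi" or p.is_symlink():
                continue
            observed[p.relative_to(root).as_posix()] = sha256_file(p)
    return observed


def compare_to_manifest(manifest: dict, observed: dict) -> dict:
    """Return sorted path lists for loaders that differ from the manifest."""
    return {
        "modified": sorted(p for p in manifest if p in observed and observed[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in observed),
        "added": sorted(p for p in observed if p not in manifest),
    }


def build_demo_esp():
    """Construct a fake ESP in a temp dir (constructed data, hypothetical vendor path).

    Returns the tree root and a manifest 'recorded' before the tampering below."""
    root = Path(tempfile.mkdtemp(prefix="esp_demo_"))
    clean = {
        "EFI/Boot/bootx64.efi": b"fallback loader (clean)",
        "EFI/Microsoft/Boot/bootmgfw.efi": b"windows boot manager (clean)",
        "EFI/Vendor/Tools/FlashUpdate.efi": b"vendor flash tool (clean)",  # hypothetical path
    }
    for rel, data in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}

    # Simulate what a bootkit on the ESP typically does: patch the OS boot
    # manager, drop an extra loader, and remove a file it does not want run.
    (root / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"windows boot manager (patched)")
    (root / "EFI/Boot/grubx64.efi").write_bytes(b"unexpected loader")
    (root / "EFI/Vendor/Tools/FlashUpdate.efi").unlink()
    return root, manifest


def run_demo() -> dict:
    """Build the demo tree, run the comparison and print one line per finding."""
    root, manifest = build_demo_esp()
    report = compare_to_manifest(manifest, hash_efi_tree(root))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
    return report


if __name__ == "__main__":
    run_demo()
```

On a real machine, point `hash_efi_tree` at the ESP mounted read-only from the rescue media and feed `compare_to_manifest` a manifest built from a vendor-fresh install and stored offline. A clean report only clears the boot partition; it says nothing about firmware in the SPI flash, which, as the post notes, is a reflash-or-discard decision.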