Amydala

UEFI Bootkit (Win.Trojan) Removal?

So... I have been fighting a very awful infection that I think I finally nailed down to a former resident having hacked our cable modem and remoting in. Hardware has been replaced and since locked down. However, not before wreaking havoc on laptops and a brand new HP desktop. The HP is the one I'm stuck on. In fact, I'm going to be calling their paid support again this afternoon, which is less than stellar, as you can imagine. The old Dell laptops I have I was able to clean using ClamAV because, for whatever reason, I could get at those files that were infected. But on the HP? I simply cannot find where those damn BIOS files are living to even try to clean or replace them. Even when I boot from a USB stick or CD, most of the recovery drive files remain locked. And it seems like the recovery X: drive must also just be a clone of something else anyway, because even if you do manage to delete an unlocked file in there, it happily comes right back on your next boot.

Does Immunet handle this? I don't even have this thing up and running yet to get Immunet on it. But if there is a chance it can kill it, I will certainly give it a shot by direct connecting it to my cable modem. I am *not* putting it on my network, for sure. Or alternatively, if there is a way to install it with the dat files already downloaded, that would be preferable. I tried ClamAV to clean it but was unsuccessful because I just didn't know where to scan. The usual boot to the Recovery CMD didn't cut it on the HP. Possibly also because several of the files were locked and couldn't be read.

Any advice is appreciated.

Unfortunately Immunet won't be able to remove BIOS and rootkit malware, but it should at least be able to detect and confirm if you have a BIOS or rootkit virus.

At one point Immunet had a paid version that included an AV engine that was capable of rootkit removal. With an infected BIOS your shot is to re-flash the BIOS and hope that fixes it.

I suspect you might be bumping into a "feature" of Dell machines - Dells sometimes have a portion of their hard drive partitioned as a recovery drive that contains a full Windows installer. In the case the machine needs to be factory reset, the user disk partitions can be wiped and the recovery partition used to re-install a fresh copy of Windows.

To support this factory reset feature, Dell installs a custom BIOS with their machines that contains the factory reset program; it also prevents anything from modifying the contents of the recovery partition, so nothing can accidentally (user/AV software) or intentionally (viruses/malware) corrupt the emergency recovery partition.
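The reply's advice comes down to recording what the firmware and disk look like, re-flashing, and checking again. As an added example that is not part of this thread or of Immunet, the PowerShell below gathers that baseline from an elevated prompt on the suspect machine: firmware vendor and version (to compare against the vendor's published release for the model before and after the re-flash), boot mode and Secure Boot state, the recovery and system partitions the reply describes, and the firmware boot entries. It assumes Windows 8 or later with the built-in SecureBoot and Storage modules; the `$report` layout and property names chosen here are my own.

```powershell
# Added example (not from the thread): firmware/boot baseline to capture before and
# after re-flashing. Run from an elevated PowerShell prompt; assumes Windows 8+.
$report = [ordered]@{}

# Firmware identity. SMBIOSBIOSVersion and ReleaseDate are what to compare with the
# vendor's current release for this model; an old or unknown version after a
# re-flash means the flash did not take.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report['Manufacturer']    = $bios.Manufacturer
$report['BIOSVersion']     = $bios.SMBIOSBIOSVersion
$report['BIOSReleaseDate'] = $bios.ReleaseDate

# Boot mode and Secure Boot state. $env:firmware_type reports "UEFI" or "Legacy";
# Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat that as "n/a".
$report['FirmwareType'] = $env:firmware_type
try {
    $report['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    $report['SecureBoot'] = 'n/a (legacy BIOS or unsupported)'
}

# Disk layout: the vendor recovery partition and the EFI system partition. Record
# size and GPT type so a later run can be diffed against this one.
$report['Partitions'] = Get-Partition |
    Where-Object { $_.Type -in 'Recovery', 'System' } |
    Select-Object DiskNumber, PartitionNumber, Type, Size, GptType

# Firmware boot entries as the firmware sees them. The bootmgr path and ordering
# should match a known-good machine of the same model.
$report['BootEntries'] = bcdedit /enum firmware

# Write the baseline next to the script so the post-flash run can be compared.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
[pscustomobject]$report | Format-List | Out-String | Set-Content "firmware-baseline-$stamp.txt"
[pscustomobject]$report | Format-List
```

Run it once before the re-flash and once after, then diff the two text files; the firmware version and boot entries are the lines expected to change, while the recovery and system partition entries should not.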
