
UEFI Bootkit (Win.Trojan) Removal?



So... I have been fighting a very awful infection that I think I finally nailed down to a former resident having hacked our cable modem and remoting in. Hardware has been replaced and since locked down. However, not before wreaking havoc on laptops and a brand new HP desktop. The HP is the one I'm stuck on. In fact, I'm going to be calling their paid support again this afternoon, which is less than stellar as you can imagine. I was able to clean the old Dell laptops I have using ClamAV because, for whatever reason, I could get at the files that were infected. But on the HP? I simply cannot find where those damn BIOS files are living to even try to clean or replace them. Even when I boot from a USB stick or CD, most of the recovery drive files remain locked. And it seems like the recovery X: drive must also just be a clone of something else anyway, because even if you do manage to delete an unlocked file in there, it happily comes right back on your next boot.

Does Immunet handle this? I don't even have this thing up and running yet to get Immunet on it. But if there is a chance it can kill it, I will certainly give it a shot by direct-connecting it to my cable modem. I am *not* putting it on my network, for sure. Or alternatively, if there is a way to install it with the dat files already downloaded, that would be preferable. I tried ClamAV to clean it but was unsuccessful because I just didn't know where to scan. The usual boot to the Recovery CMD didn't cut it on the HP. Possibly also because several of the files were locked and couldn't be read.

Any advice is appreciated.


Unfortunately Immunet won't be able to remove BIOS and rootkit malware, but it should at least be able to detect and confirm if you have a BIOS or rootkit virus.

At one point Immunet had a paid version that included an AV engine that was capable of rootkit removal. With an infected BIOS your shot is to re-flash the BIOS and hope that fixes it.

I suspect you might be bumping into a "feature" of Dell machines. Dells sometimes have a portion of their hard drive partitioned as a recovery drive that contains a full Windows installer. In the case the machine needs to be factory reset, the user disk partitions can be wiped and the recovery partition used to re-install a fresh copy of Windows.

To support this factory reset feature, Dell installs a custom BIOS with their machines that contains the factory reset program and also prevents anything from modifying the contents of the recovery partition, so nothing can accidentally (user/AV software) or intentionally (viruses/malware) corrupt the emergency recovery partition.


4 months later...

If your machine uses BIOS ("legacy boot"), use something like Emsisoft Emergency Kit, Kaspersky rescue disk, etc. to clean your machine. That should fix any MBR virus. If the BIOS itself has been compromised, you could try reflashing the BIOS from the manufacturer's web site, but really you just can't trust that hardware any more.

By the looks of things, it uses EFI though. If the hardware itself (chips) has somehow been compromised, the same applies as above: reflash or junk. However, if just the EFI boot partition has been infected, again EEK or a rescue disk should fix it. You need to have not booted from that hard disk to be able to fix it. If it still can't be cleaned, just issue an ATA secure erase command (search the net for how to do it) to reset your hard disk to factory settings (or just buy a new hard disk). Then reinstall your OS and restore your files from backups. Be warned:

1. ATA secure-erase wipes absolutely everything from your hard drive. It will all be gone forever (including whatever virus is lurking on it). Don't do it without verifying you have already safely saved everything you needed elsewhere. Once your porn collection and cat-videos are gone, they're gone.

2. If your backups are also compromised, then restoring them will re-infect your machine and you'll be back where you started, just several hours older. This obviously also applies to cloud storage, not just USB sticks and hard drives.

3. If it's not offline and not disconnected, it's not a backup. "The cloud" isn't a backup. Even if it's called "cloud backup". An extra hard-disk partition isn't a backup. Two tapes or hard-disks in a safe, used in rotation, is a backup.
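The "EFI boot partition has been infected" case the previous post describes is easiest to confirm by inventorying the EFI System Partition from trusted boot media and diffing it against a known-good baseline. The script below is an added example written for this thread, not code from the forum or from Immunet; it assumes the ESP is mounted read-only somewhere (e.g. `/mnt/esp`) and that the baseline was taken from a clean install or vendor media. The `demo()` function builds a constructed fake ESP with made-up file contents so the logic can be exercised offline.

```python
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large .efi images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_esp(esp_root) -> dict:
    """Map every file under the mounted ESP (relative POSIX path) to its SHA-256."""
    root = Path(esp_root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(current: dict, baseline: dict) -> dict:
    """Files added, removed or modified relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed example: fake ESP, baseline, then a patched loader and a dropped-in file."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI/Microsoft/Boot").mkdir(parents=True)
        (esp / "EFI/Boot").mkdir(parents=True)
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"MZ-constructed-bootmgfw")
        (esp / "EFI/Boot/bootx64.efi").write_bytes(b"MZ-constructed-bootx64")
        baseline = inventory_esp(esp)
        # Simulate what tampering looks like in the inventory: one loader changed, one extra file
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"MZ-constructed-patched")
        (esp / "EFI/Boot/extra.efi").write_bytes(b"MZ-constructed-unknown")
        return compare_to_baseline(inventory_esp(esp), baseline)


if __name__ == "__main__":
    # Usage: esp_check.py <esp mount> <baseline.json>; baseline is created if missing
    esp_dir, base_path = sys.argv[1], Path(sys.argv[2])
    now = inventory_esp(esp_dir)
    if not base_path.exists():
        base_path.write_text(json.dumps(now, indent=2)); print("baseline written")
    else:
        print(json.dumps(compare_to_baseline(now, json.loads(base_path.read_text())), indent=2))
```

Anything listed under "modified" or "added" is what to hand to the rescue disk (or compare against vendor-signed copies) before trusting the machine again.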
