Showing results for tags 'uefi'.
I have a Lenovo Ideapad 3 with AMD Ryzen 5; it's only one year and 3 weeks old. In April, Lenovo released a security advisory stating that their devices had 3 BIOS/UEFI related vulnerabilities which allowed a virus to rewrite the SPI and deactivate the UEFI (among other things). I assume that's what caused the issue but I don't know for certain. Lenovo claimed a BIOS update would fix the vulnerability but did nothing about those of us already infected. I have done everything imaginable to fix this but nothing works. It has survived every reset, every restore, every clean OS install. Each time I reinstall Windows, I completely format and delete every partition. I tried putting on Windows 10 Home, 10 N, 10 Pro, 10 Pro N, something called Windows 10 Single Language, Windows 11 Home, Linux, Debian, Ubuntu, and multiple live Linux versions via YUMI. I also tried the Lenovo Recovery Media; nothing works! I have tried MANY different antivirus programs including Sophos, Malwarebytes, AdwCleaner, Microsoft Malicious Software Removal Tool, Windows Defender, Microsoft Security Essentials, Restoro, McAfee, etc. They all claim there's no virus. They do their scan with no problems found! They're wrong. After resetting the PC (I've done this about 60 times) I go straight to the Event Viewer; it's the only obvious sign of the infection. The very moment the OS starts up, the virus has already made MULTIPLE privileged users with a long list of "special privileges" added to those users. I removed the wifi card in case that might help; it made no difference. I have run the SFC /scannow command dozens of times; sometimes it says it fixed corrupt files, sometimes it says it found nothing, sometimes it says "access denied." I have also tried DISM and bootrec commands; they all say successful, except /fixboot which says "access is denied." I'm out of ideas! The 4 other laptops in my house and 2 desktops all have the same symptoms now. It must have gotten into the router.

I know I probably gave the virus to one of the desktops via a USB that was used to get the OS downloads from a clean computer (the desktop) to my laptop, but I never used that USB on any of the other machines. I am open to any possible help... other than replacing the motherboard... but I think that's the only way to fix this. Thanks!!
I was infected by a zero-day rootkit deeply integrated into the system, which my current AV (Bitdefender) detected with behaviour detection and removed. For safety I clean installed Windows. Everything went fine; even the full scan and rescue scan by Bitdefender went fine. Now I am unable to install Malwarebytes, and the Malwarebytes extension isn't working either. I also once found a lot of suspicious traffic from my device; again this time I formatted the hard disk and then clean installed Windows. Still I find that many system files are getting corrupted now for no reason. Please check my system for any malware, adware, spyware, keyloggers, viruses, etc. and check especially for rootkits (UEFI, kernel, bootkit, MBR, virtualization, ring 0, ring 1, ring 3, firmware, etc.). Farbar recovery reports are in the attachment of this post. Thanks

Attachments: FRST.txt Addition.txt Shortcut.txt
First off, I'm using a VM; the host OS is Ubuntu Linux. The logs attached are from VirtualBox running a Windows 10 machine. I have to use a Linux machine because:
- I can not reinstall any Windows without the infection hijacking the install. I've tried installing WinXP, 8.1, 7, 7 Pro, Win Ultimate; during reinstall the CD-ROM loads, then at a point the install instructions are taken over and a similar GUI appears to complete the install.
- It infects any device attached, physical or network; USB will be formatted automatically (fake warning posted in a GUI).
- The registry is infected.
- Possibly firmware exploited; USB and PCI seem to be used as alternate devices.
- system32 files are unusual.
- Unable to flash BIOS.
- Appears as a hidden sector or directory; hijacks the MBR.
- Has the ability to replicate if deleted or if core files or the registry are changed.
- Suspected WMI shell running as TRUSTED INSTALLER.
- Possibly ChipSec related?
I think I've tried everything as far as scans go: rkhunter, Hiren's Boot CD, Process Monitor, msconfig, BIOS settings, HDD replacement. All my machines at home are down/infected. The only way to get back was Linux, and using a VM to start Windows 10. This is from an enterprise PC Tech Level 2 working at home.

Attachments: FRST.txt Addition.txt mbt first scan.txt
Yo guys, I'm in serious trouble, but I'm not sure if this is the right place to do a thread. I'm struggling with some kind of BIOS/UEFI rootkit. I have for a while been getting weird entries in the Rootkit/Malware tab in GMER. I have also noticed some strange executables running among the processes, all described as Windows services, but you could easily see that those executables didn't belong to a clean Windows 7 install. I have been using DBAN to wipe all disks, formatted them and reinstalled, but I keep getting infected. All of the above mentioned returns. To ensure that I'm infected I have compared processes running in the Task Manager with my neighbour's. He has almost the same setup as me, but most importantly he has the same motherboard as I do. We've compared the DMI information inside the BIOS and we can confirm that mine has been modified. My problem is that if I try to reflash the motherboard through USB it seems like the virus/rootkit will just write to the USB and execute its own code, because a USB is writable. With that said, I have also been working on making a bootable DOS CD with a new BIOS version and a DOS flash utility, with no success either. It's like the DOS can't read the files from the CD, even though I meddle a little with CONFIG.SYS and AUTOEXEC.BAT. It's like the DOS can't find any CD drivers. Another mysterious thing that indicates infection is when I set the clear CMOS jumper or clear CMOS button with no effect: it looks like the motherboard resets and runs normally for 3-5 seconds, and then it executes some other code. A reason for me believing it runs other code is that I am using a Corsair H100i water cooling kit, on which you can't change the LED color unless you install Corsair Link in Windows and change the LED color there. When I reset the CMOS and want to boot, it lights up the cooler LED as white, as it should per default; if you don't change the color in Corsair Link it should show a damn white light!

But then after 3-5 seconds the LED light turns red. If I go to my neighbour with the exact same motherboard, CPU and cooler, the LED light is white all the time. In the BIOS you have two functions, GO2BIOS and boot BIOS from file. If I use the first function it just reboots to the screen where I can either enter BIOS or the Boot Menu by pressing F2 or F11. If I use boot BIOS from file I get an error saying "The data mapping running is different from the BIOS you want to boot, if you press enter your system might not start." If I press enter it just reboots to the same screen as mentioned above. Should the two functions act like that? Or is it the rootkit messing things up? I think my laptop has been infected too. Any feedback would be awesome since I'm becoming quite desperate!

Setup: MOB: MSI Z87 G45 Gaming; SSD: Samsung 840 EVO; CPU: i5 4690K