BPR Removal Instructions
Last Updated: Evening of October 14, 2011
These instructions are brief yet sufficient to adequately address how to remove a BIOS Persistent Rootkit from a PC. They can be used for notebook infections as well, though removing the physical hardware from notebooks isn't as easy as a desktop system (though it is in fact entirely possible). If you're trying to clean a system but don't understand something on this page, I'd recommend printing these instructions and taking them to a professional with all your infected gear, and paying them to take care of this for you -- doing so will still be far less expensive than buying all new components. For deeper reference into BPRs and/or how they work, you should check this Web Folder for Research Documents. It's also a splendid idea to read ALL of this information before you begin trying to clean your system. Don't get in a hurry here, either -- this is a long and detailed process -- caution is needed to avoid falsely thinking you're in the clear. ALWAYS ERR ON THE SIDE OF CAUTION with BPRs!!!
Now that that's outta the way, and with no further ado: THE STEPS to clean a BPR!
1) Assume your network is infected, not just your PC. BIOS Persistent Rootkits are capable of (and very good at) infecting ANY DEVICE connected to your PC that has a writable/flashable EEPROM chip inside it. This means that quite likely the following devices could have parts of viral/rootkit code implanted on them: Router, printer, PC (including your hard drive, video card, any PCI/PCI-E expansion card(s), external drives, optical drives, and of course your CMOS chip on your motherboard and possibly even your north or southbridge code stored therein). ESPECIALLY susceptible are NICs and WLAN cards -- if you're sure your system is infected (common symptoms include a great deal of slowness, a lot of disk activity during non-scheduled events [i.e. there are no updates being downloaded, no automatically scheduled disk checks running, etc.], and/or mad activity on your internet router and/or cable/DSL modem LED indicators) then the first thing you want to do is isolate it from any other systems. This means, turn it OFF and unplug the ethernet cable (if applicable). If you're using a wireless-enabled PC, you should physically remove the WLAN card -- safest bet would be to remove ALL non-essential expansion cards from the system. Also assume your router is infected -- if you bought it at WalMart or are not at all savvy on such things, then this is likely the case -- NEVER run an unprotected and/or unencrypted wireless network (doing so is asking for trouble!). One OTHER way you can determine possible infection would be to attempt booting to a Linux boot CD on your system. Most builds I've tried will kernel panic upon trying to boot. This is because the viral code was designed to prevent easy removal.
2) You CANNOT hook up another PC to an infected router safely. This may go without saying... but for people that might not realize that yes, your router does have a programmable EEPROM chip in it and yes, this makes it susceptible to viral attackers (especially if you're just using the default/out-of-box security...), then hooking up another/spare/TEST system to your router dooms all of that PC's hardware to the same fate as your first (infected) system..!
3) You will need to write down the make, model, and firmware revision from the hardware device labels of each component within your infected machine. If you have already followed step 1 and removed all the hardware, these should be easy to locate. Look for the manufacturer's label and write down the information -- for EACH expansion card, for your video card, for ANY/ALL network cards and/or modems (don't forget the boot ROM on network cards.. yep, that's a writable EEPROM chip..!), EACH CD/DVD/BR drive in your system, and also get your motherboard make/model/revision while you've got the case open. WRITE THESE ALL DOWN on a piece of paper, because you're going to have to go find a non-infected friend's internet to download the latest firmware versions for EACH AND EVERY device as well. Speaking of which...
4) Go to a cafe, library, or friend's place to download your tools. BE ABSOLUTELY SURE that your friend's system(s) are not infected (see #1 above). Public internet cafes, libraries and whatnot are not 100% secure either; but they're (currently) not on the hot-list of targets for these 'geniuses' attacking computers for their own gain. This is because the end goal, I surmise, is to widely distribute all information from home users so that nothing is left private. Public connections thus are thought of as anonymous users (this is your safest bet at this point). One tool you will need to download for your motherboard is the wonderful (and free) KillCMOS utility -- google it. It will force-reset your EEPROM/CMOS to the factory defaults, which typically are stored on a NON-WRITABLE integrated circuit on your motherboard. That's a good thing... just (unfortunately) is the FIRST step of many, many more to come. (*sigh*) Note that most anti-virus apps will detect KillCMOS as a virus because it is capable of resetting your CMOS -- it is not a virus... And, while you are at it, also download the drivers for ALL of your hardware devices. Reloading a device driver (depending on the device manufacturer's design architecture) usually (not always..) includes a forced reset of the device state, which COULD clear any infection from the device. Safest bet here would be BOTH the firmware AND the device driver.... Note that you might need multiple blank CD-R discs for this step... some drivers are FATware (unnecessarily large) and you may not be able to fit everything on one disc.
5) Download a bootable CD image. What you want to do is create a CD-R (***NOT*** a re-writable disc..) with a FreeDOS (recommended, though others will do) boot image as well as each and every firmware for your system, any/all applicable FLASH utilities for the firmware operations, and the KillCMOS utility from #4 above. Once you have created the boot CD correctly, you may well be ready to go home and clean your PC -- BUT just in case...
6) Look for a Linux-based partitioning tool. The viral code on my systems was found to have been 'eating' my dad's notebook hard drive partition so that it could create its own, which had some files on it that could only be recognized by *nix (Unix / Linux) OSes. I do not mention this step to enable you to find out who your attacker is -- for by all rights, if your system was vulnerable to attack in the first place, YOU ARE AT FAULT for not keeping it updated. Own up and don't do anything frivolous... the people writing these bugs are VERY intelligent (hence why no one's been able to remove them... well, almost no one). Above all -- be the 'better man' and don't try to retaliate.
7) Obtain a spare NON-INFECTED optical drive. This is to use in order to boot your system. Don't worry -- the CMOS won't infect your new (if you had to go buy one..) optical drive as the code needed to do so is stored in your hard drive's master boot record (AKA the bootstrap). The CMOS is the hive/central node that tends to regulate the other infected devices and it should be cleaned first and foremost; without an infected CMOS you'll be able to systematically restore proper operation to your entire system (ONE COMPONENT AT A TIME...!!!!!!) without losing your data.
8) Go back to your system and, having removed everything non-essential (all you need is a video output device, and many motherboards include an onboard video controller -- if this is not an option, get another spare video card and plug it into your system INSTEAD of the one that you've been using! You want ONLY the motherboard to be infected at this point; other devices with infections will make it impossible to clean your CMOS!), hook up your new/spare optical drive and boot to your FreeDOS CD with the firmwares and KillCMOS on it. Once it's booted, run KillCMOS. This will restart your PC. When it comes up to POST (the splash screen, or where it counts the RAM) look for how to enter your machine's BIOS and do so.
9) Disable BIOS features that help the virus propagate. These features are typically located within the Advanced settings page and/or should be located in the CPU Features. Mainly, look for (and disable) HyperThreading (also called 'Vanderpool Technology' on older boards) for INTEL chips; not sure of the AMD terminology, but it has to do with virtualization. THIS IS KEY to how these BPRs operate; they use your system's abilities to virtualize and multitask CPU slices against you, to run your resources for their purposes. Disabling these features can be temporary; you may have applications on your system that make use of these features; therefore re-enable them ONLY WHEN YOU ARE 100% CLEAN and ALL security patches have been applied!
As an aside for this step, I thought I'd echo some of the words in the PDF documents supplied via the Web Folder for Research Documents link above. The reason Windows is able to directly access your hardware BIOS is because of features like APIC/ACPI being available (and oftentimes impossible to completely disable within a modern BIOS). These typically show up in your Windows Device Manager as "ACPI PC" or "ACPI Multiprocessor PC" under the Computer section. Disabling these settings typically causes Windows to BSOD once you get that far -- and is not recommended unless you're proficient at working within Windows to the extent that you'd be able to fix said BSOD when it happens. I went this route at first -- deciding to try disabling ACPI/APIC features and install the OS on my music/studio PC the 'old way' (DevMan would call it 'Standard PC' in this instance) to increase performance; but doing so caused issues with my multiple-monitor setup, so I ended up redoing the OS yet again using the standard ACPI/APIC settings. If you want to play with this kind of thing, you're on your own -- but as most systems won't allow you to completely disable the ACPI of your BIOS, you won't really be that secure if you decide to do so.. so it's almost a moot point in MOST circumstances.
10) Now that your motherboard is cleaned and hyperthreading/virtualization is disabled, begin systematically cleaning (or, ensuring they are clean -- when in doubt, assume it is infected..!! THIS WILL SAVE YOU TIME and hassle, trust me..!) each individual device which you removed from your system in step 1. To do so, you will basically turn the PC off, plug in a component, and turn the PC back on -- STILL BOOTING TO THE FREEDOS CD with your firmware updates on it! Update/replace the device's firmware, then turn the PC back OFF and remove the device from the system again. Then do the next device. ONLY CONNECT ONE DEVICE AT A TIME (again, please just trust me here..) and only when ALL devices are cleaned with proper firmware installed, INCLUDING YOUR HARD DRIVE, proceed to the next step.
11) Restore your system drive's bootstrap -- to do so, boot to your Windows CD and go into your recovery console. For Windows XP the commands you need to run are as follows:
FIXMBR (and press enter)
(then follow the prompts to write a new master boot record to your drive)
FIXBOOT (and press enter, following the subsequent prompts to write a new boot sector to the drive)
Once you've done those things, YOU'RE NOT YET DONE..!
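Step 6 and step 11 both come down to what sits in sector 0 of the drive: the bootstrap code and the four partition-table entries. The following Python script is an added example (not part of the original page or any tool it mentions) that parses a constructed 512-byte MBR image, flags a partition type a Windows-only PC should not carry, and compares the bootstrap bytes against a known-good hash; the known-good hash and the EXPECTED_TYPES set are assumptions you would fill in from a freshly written MBR on a clean machine.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446           # partition table starts after the bootstrap area
ENTRY_SIZE = 16                # four 16-byte entries
BOOT_SIG = b"\x55\xAA"         # trailing boot signature at bytes 510-511
# Assumption: partition type IDs expected on a Windows-only disk (NTFS/FAT variants).
EXPECTED_TYPES = {0x07, 0x0B, 0x0C, 0x0E}
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, partitions):
    """Construct an MBR image (constructed sample data, not read from a real disk)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + i * ENTRY_SIZE
        # CHS fields are zeroed; modern tools rely on the LBA fields only.
        mbr[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return parts


def inspect_mbr(mbr, known_good_code_sha256):
    """Return a list of findings; an empty list means nothing unexpected was seen."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    # Bytes 0-439 hold the bootstrap code; 440-445 hold the disk signature and padding.
    if hashlib.sha256(mbr[:440]).hexdigest() != known_good_code_sha256:
        findings.append("bootstrap code differs from known-good copy")
    for p in parse_partitions(mbr):
        if p["type"] not in EXPECTED_TYPES:
            findings.append("unexpected partition type 0x%02X at entry %d" % (p["type"], p["index"]))
    return findings


# Constructed samples: a "clean" bootstrap stub and a modified one, both 440 bytes.
CLEAN_CODE = b"\xEB\x3C\x90" + b"\x00" * 437
TAMPERED_CODE = b"\xEB\x3C\x90" + b"\x90" * 437
CLEAN_HASH = hashlib.sha256(CLEAN_CODE).hexdigest()   # recorded right after FIXMBR on a clean box
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 200000)])
# Step 6 scenario: bootstrap rewritten and a Linux (0x83) partition carved out of the disk.
SUSPECT_MBR = build_sample_mbr(TAMPERED_CODE, [(0x80, 0x07, 2048, 100000), (0x00, 0x83, 102048, 100000)])

if __name__ == "__main__":
    print(inspect_mbr(CLEAN_MBR, CLEAN_HASH))      # []
    print(inspect_mbr(SUSPECT_MBR, CLEAN_HASH))
```

On a real drive you would feed inspect_mbr the first 512 bytes read from the raw device, which needs administrator rights; run it from your clean boot media, not from the suspect installation.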
12) Remember that router of yours? Yep. Hopefully you downloaded ITS firmware as well; but it's not yet even time to clean it! Take your computer to a friend's place and INSTALL THE WINDOWS UPDATES! Then get a decent anti-virus program and install it (I tend to use Avira AntiVir these days, which is free). Also get a good firewall (I tend to use Comodo Personal Firewall, also free, these days). NEVER trust Microsoft's own built-in firewall; not to knock them here as their intentions are good (but we all know the saying about good intentions, right...?) Seriously, folks. The problem here in the first place was due to security vulnerabilities within Windows. Still think it's fine to just run Windows Firewall? Be my guest..! Just know I don't recommend doing so. ;)
13) NOW you can take your cleaned PC home and get ready to clean your router! To do so, UNPLUG THE INTERNET/WAN cable from your router so it's not able to connect to the internet. Plug your PC's network interface (if not wireless) into your router, and apply its firmware. Since you patched your system in step 12 (you DID do that, right??) you won't have any security holes on your system and thus won't re-infect your PC by completing this step (unless you weren't following directions.. lol). Just to be on the safe side I would NOT back up your router's settings; restore them to factory defaults, then apply the new firmware, and then reset all your network settings. ENSURE YOU ENCRYPT WIRELESS NETWORKS -- never EVER run with an open network..! Doing so is an open invitation to anyone/everyone within range to either steal your internet access (which could open you up to a host of legal issues, not to mention the security vulnerabilities mentioned already..!) OR easily gain access to your router and/or network PCs to re-plant the BPR on your poor (doomed might be a better word in this case.. lol) PC again. ALWAYS ERR ON THE SIDE OF CAUTION!
14) Continue cleaning any/all devices you have on your home network or in any way accessible to your PC. NEVER use USB memory devices in place of CD-R media as your boot devices -- though far more convenient these days, they're also re-writable (and thus capable of receiving infection)..! For reference at the time of this writing, I still have a pile of hardware left to clean (most of it is spare/test components and a few spare PCs I had used in finding all of this out for you... in the process I infected it all just by trying to use it without knowing fully what I was dealing with..!)
Take a breath. :D
If you've made it to this point, then you're likely in the clear! Please learn from the experience and never neglect your Windows updates -- this is what enabled my BPR to do so much damage. I know it was a 'God thing' though so that I could help others with this problem as well, and am humbled and grateful to have survived the experience without having to replace all of my gear (my synths could've even been infected -- I've not even turned them back on yet, hence why there's been no music from me in a while).
That's it for now -- these are basic steps and their detail may be expanded upon down the road. If you have questions or if it seems I've left anything out, please let me know via the "Get in touch" menu option and I'll be happy to quickly address the issue. Please don't ask me how to install or update your firmware -- your device manufacturer should supply that information.