nvram clearing?


12 replies to this topic

#1 veliusXI

Posted 09 May 2014 - 10:48 PM

How do I clear NVRAM exactly? My tower, as of last year, shows that it's loading NVRAM on bootup. It never used to do that. How would I clear it, and could this indicate some type of BIOS/vBIOS virus of any kind?

Konboot reports SMAP entries wrong; possible BIOS virus?




#2 Platypus

Posted 09 May 2014 - 10:55 PM

NVRAM is also known as the CMOS memory. Your CMOS backup battery (commonly a 2032 button cell) is possibly low, so replacing this may solve the issue. The change in boot reporting can be caused by the loss of backup requiring the defaults to be loaded into NVRAM each time.

 

Clearing NVRAM on a desktop can be done by removing the backup battery for a period (sometimes a few minutes is enough, sometimes needs rather longer), or there is typically a motherboard jumper to move for a forced clear. But if the battery being flat is the problem, clearing is what is continually happening, so a new battery fixes it.




#3 TsVk!


Posted 09 May 2014 - 10:57 PM

beat me to it Platypus... I was halfway through typing the same thing.



#4 Platypus


Posted 10 May 2014 - 04:19 AM

:)




#5 mjd420nova


Posted 10 May 2014 - 09:18 AM

This has become a problem for some users and infections often hide in the "flash" BIOS chip. Clearing the CMOS forces the BIOS to load from the NVRAM (ROM) and not the flash where the virus resided. A failing CMOS battery can give off all kinds of strange and unrelated faults that can defy troubleshooting.



#6 TsVk!


Posted 10 May 2014 - 07:01 PM

This has become a problem for some users and infections often hide in the "flash" bios chip. 

No, fantasy idea being perpetuated online.

 

http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

 

BIOS infections are VERY rare, target specific chips, and always have a rootkit associated... (like Mebromi)


Edited by TsVk!, 10 May 2014 - 07:34 PM.


#7 mjd420nova


Posted 10 May 2014 - 10:18 PM

I was giving the user options and a reason for clearing the CMOS. Without knowing any specifics of anyone's unit, the solutions must be general and non-specific also.



#8 veliusXI


Posted 14 May 2014 - 11:30 PM

Well, here's the kicker: new BIOS battery or no BIOS battery, it still says it :). I have an ASUS Crosshair Formula 3. I put in a new BIOS once I noticed some misspellings in my BIOS and when Konboot reported wrong SMAP entries. I notice that on bootup without any USB devices (or any storage devices at all) it says it's loading a "mass storage device"? My fear is, I do know there are some rootkits out there that can flash the vBIOS. After replacing the old BIOS with a new one from ASUS, it still reported "loading NVRAM" on bootup, but not on the first bootup? Just wondering why my tower is doing this. It never used to do this until after I installed a hacked Linux distro in Dec 2012.


Edited by veliusXI, 14 May 2014 - 11:52 PM.


#9 veliusXI


Posted 14 May 2014 - 11:32 PM

To note: is there a way to clear the vBIOS settings without ruining a video card? Just to make sure.

 

I'm noticing that any Linux distro I boot to initramfs uses Blackbox... with weird commands... even when no hard drive is installed (using Linux off of a CD or USB). I tried a bunch of distros: Gentoo, Mint, Debian, and Fedora. All of them report the same commands once booted to initramfs via certain kernel options on boot-up. For example, a command called ??? lol. (Every distro I use includes rbash? It never used to.) Just strange.

I don't know if I believe in badBIOS. But there are alternatives such as vBIOS kits and firmware kits that are proven. Like I said, I don't know for sure, but it just seems weird... Blackbox in all Linux live CD distros with no HDD installed, and weird diagnostic tool results like Konboot. Unless I'm getting false positives. I do know the apt servers that I used were hijacked by a group called Infected (SecurityFocus article in December 2012). That's when a lot of weird stuff started happening.

Here's a good question: if one of you malware specialists were, in theory, infected by a video BIOS virus or a BIOS virus, what would you do? This might become a trend in future infections, if not already. How is one to fight against it? It would make one very good tutorial for users. Anyhow, I tried what you suggested; still getting the "loading nvram" on bootup. Virus or not, my motherboard never used to do that. New CMOS battery or new BIOS. :)

 

 

specs:

AMD Phenom X4 Black Edition AM2

ASUS Crosshair Formula 3, newest BIOS

74 GB Western Digital Raptor HDD

7850 ATI hfi video

Creative SB X-Fi

D-Link DWA-552

Pioneer DVD-RW

 

NOTE: when the infection happened in 2012 I had 2 other HDDs that were 120 GB apiece. The unit has been offline till now. Only 1 of the three HDDs works. I used it in 2013 for 3 months using a live CD with no HDDs, just to read stuff online. Now I just don't care, and put the 74 GB WD in at that time. I'm getting ready to rebuild with a Gigabyte dual-BIOS setup. flashrom scares me....


Edited by veliusXI, 15 May 2014 - 12:25 AM.


#10 TsVk!


Posted 15 May 2014 - 12:31 AM

In "theory" one would have to see a machine with that sort of infection before trying to find a solution for it. All known BIOS viruses can be removed by fixing the MBR or flashing the BIOS, in conjunction with securely erasing/overwriting the HDD to remove the associated rootkit.

 

The nvram is supposed to load on boot, it contains information like

  • Speaker volume
  • Screen resolution
  • Startup disk selection
  • Recent kernel panic information, if any.
  • and more

Without this stuff your computer wouldn't load correctly, and would need to search for this information and fill the NVRAM for the next boot.

 

So, you can reset your NVRAM by removing the CMOS battery, but the first time you boot you won't see "loading NVRAM", because the memory will be empty; it will then save it for the next boot... You can flash your BIOS to a factory image to remove all possibility of any non-standard code. You can zero-write your entire hard disk after checking for HPAs... then there is nowhere physically possible for any malicious code to reside.

 

Only leftover possibilities

 

1. You do not fully understand your computer, and are misinterpreting the way it behaves.

2. There is a hardware fault and your system is malfunctioning.

 

 

The person who can come up with multi-platform, multi-chip, firmware, transportable, executable code... doesn't need to make malware. They will already be a multimillionaire (if not billionaire) for solving the problem of driver and chip support across various systems, platforms and OSes.

 

:busy:

 

edit: please provide links to any information on vBIOS kits you have seen. Thank you. (As compared to vbios.dll, which is part of Windows.)


Edited by TsVk!, 15 May 2014 - 01:00 AM.


#11 veliusXI


Posted 16 May 2014 - 11:36 PM

No, I agree with you completely. I read about the theory of those ACPI/PCI rootkits.

 

Link to what I have read about PCI rootkits: www.blackhat.com/presentations/bh-dc-07/Heasman/Paper/bh-dc-07-Heasman-WP.pdf

 

Maybe I don't understand my computer then. Please tell me what part is non-functional. I have had no Windows or Linux hang-ups, and no issues with my hardware whatsoever on my tower. Oh, and I'm not referring to vbios.dll.

 

To add to your removal instructions, it would be wise to flash the BIOS with a copy-protected floppy created from a clean computer, without any storage media connected. Then zero out the hard drive using Linux's dd command on a clean computer. I would never use Windows for removal of such an infection. I would also use flashrom instead of DOS on the floppy. ;)

 

To add to this again... no offense, but not all people who make that software do it for money. I mean, really, if you had that power, why not do it for fun or territory? Look at the Mydoom vs. Netsky worms. Don't take that offensively; I'm just saying you don't know what I know. Hell, I could be dumber or smarter, you never know. Your last post seemed too unnerving... I do agree with you, though. I thank you for telling me how to clear my NVRAM... Are you one of the removal specialists for BleepingComputer? Do you know any operating system other than Windows? Are you a programmer? Just curious. TsVk!? (What does that stand for?)

 

 

I thought Mebromi was used in China against another industrial target in China; I've never heard of it happening here (I'm from America). Oh, another question, TsVk: are you from America? 'Cause I'm a "helper of the public" too, but have only seen Mebroot ("not sure if it's related to Mebromi") once, and I have helped a lot of people out. I have come here because I'm having some issues that are above me...


Edited by veliusXI, 17 May 2014 - 01:07 AM.


#12 TsVk!


Posted 17 May 2014 - 03:56 AM

Hi VeliusXI,

 

Thanks for the name of that article, I enjoyed the read.

 

As far as the removal I outlined, I have very recent experience with a particularly persistent rootkit which appears to fall into the category of the problem you are experiencing. I used this technique:

 

  • removed the hard disks
  • removed the BIOS battery
  • mounted the HDDs on a Linux machine and deleted all partitions, rewrote the MBRs (the slave was actually worse than the boot disk)
  • used hdparm from the command line to remove hidden protected areas
  • booted with Darik's Boot and Nuke and rewrote 0's to the entire disks
  • replaced the BIOS battery and HDDs in the original machine
  • reinstalled Windows

In this case I did not need to re-flash the BIOS. As I mentioned before, BIOS-resident malware is very rare, and in most cases re-writing the MBR on a disk completely destroys the last active components of these malware infections. You may find that you are one of the unlucky ones and actually need to re-flash your BIOS though. You can find the file and the instructions on the motherboard manufacturer's product page. Follow them step by step carefully, and make sure you don't have the infected HDD attached when you do this, or it will just reinfect itself.

 

I agree, some people can't be swayed by money; one day there will be a programmer who brings the net to its knees, "just because he can." Lol... Some of the largest botnets ever built were never activated: some geek's college project or bragging rights on ICQ.

 

I'm in training now in the BC study hall to help out people here in the BC way. It's great to be part of the team and the training is very thorough. One day, after I have completed the 'trial by fire' I may get the coveted MRT title though... I use Linux as well as MS, and dabble a bit in programming. TsVk! is part of a mnemonic code so I don't forget my passwords...  :wink:

 

Personally I've never seen a BIOS infection and I deal with a lot of computers on a daily basis, both public and inside the company I work for. Here in Australia though people still have the undying urge to click flashing stuff, download dodgy software and open mail from strangers. I'll never be out of a job. Asia is completely malware riddled. and I notice even my Asian clients have particularly unhealthy machines. I dunno why they like installing that stuff so much.  :scratchhead: 

 

Anyhow, I hope you get along with your machine.

 

Cheers

 

TsVk!


Edited by TsVk!, 17 May 2014 - 04:05 AM.


#13 Scoop8


Posted 18 May 2014 - 11:11 AM

TsVk!

 

Thanks for posting your recent rootkit HDD recovery experience :). I'm interested in this topic and want to ask a couple of questions, and also to see what you think about another recovery approach in the event that one would need to sanitize and restore the affected HDD back to a working HDD.

 

First, I wanted to ask you about HDPARM. I downloaded it a few weeks ago since I wanted to learn about it. The download created this file: hdparm-9.43.tar.gz. I'm not sure how to load HDPARM from this file. I did some searching about this and it appears to be a "gzip" file. I'm not sure how to access the file.

 

I'm not familiar with Linux, but I have used some Linux-based tools, "Gparted" and "Clonezilla". I also burned a Linux Mint ISO to a CD and have booted up into Mint without problems, but I haven't explored Mint yet.

 

Is HDPARM already present as a native Linux command tool within the Mint platform? If so, how would I access it in Mint?

 

 

Regarding your post about HDD recovery from a rootkit that's possibly residing in the HPA, DCO, or another hidden sector, what do you think about this approach?

 

- Remove the BIOS battery to clear the CMOS NVRAM. Use a "clear CMOS" jumper on the MoBo if available. Re-install the battery.

 

- Boot up the PC with "Gparted" or another Linux tool. Delete the partitions on the HDD. * Regarding the MBR re-write, I'll ask about this in the next section of my post.

 

- Boot up the PC on a Win 7 Installation or System Repair Disc to access the CMD prompt. Within CMD, run DISKPART. When in DISKPART, use the "Clean" command to mark all content on the HDD for deletion. * According to one of the Admins over at the Windows 7 Forum, the "Clean" command accesses all areas of the HDD, including the HPA and other hidden sectors. I haven't verified this myself, but I asked this question at that forum and that's what the Admin replied to my question.

 

- Run the "Clean all" command in DISKPART. This is a one-pass secure-erase command for the HDD.

 

- Shut down the PC. Install a known clean cloned HDD, i.e., a cloned copy that was cloned prior to the rootkit/malicious intrusion.

 

- Boot up on "Rescue/Recovery" media, i.e., Macrium Reflect, Acronis, etc.

 

- Clone the previously infected HDD from the clean Source HDD.

 

- Boot up on the newly-cloned HDD, the one that was previously infected.  Resume normal Windows PC activities.

 

 

What do you think about this approach?  This assumes that my BIOS IC wasn't compromised, no re-flashing needed.

 

Regarding the MBR re-write, I know that the MBR resides at Sector 0, prior to the "System Reserved" partition in a Win 7 install.  The cloning process also copies the MBR from the Source to the Target HDD, thus over-writing it in the process. 

 

If one uses a known good cloned HDD to clone to the previously infected Target HDD, the Target HDD's MBR contents will be over-written, thus removing any malicious content.

 

That's my understanding of this but I may be incorrect about it.  I guess it's a moot point since the infected HDD's MBR would already be erased with the DISKPART "Clean all" command or DBAN.

 

 

Regarding the HDPARM tool, I was reading about this elsewhere and I wanted to ask you about the commands that you used to unhide the HPA and erase its contents.

 

---------------------------------------------------------------------------------------------------------------------

 

To check for the existence of an HPA:

 

# hdparm -N /dev/sdx

 

The command will return a message like this:

 

/dev/sdx:
max sectors   = xxxxxxx/yyyyyyyy, HPA is enabled  (where the "x"'s are sector numbers)

 

 

To remove the HPA and utilize that area out to the full size of the HDD,

 

# hdparm -N pyyyyyyyy /dev/sdx

 

The command will return a message like this:

 

/dev/sdx:
setting max visible sectors to yyyyyyyy (permanent)
max sectors   = yyyyyyyy/yyyyyyyy, HPA is disabled

 

---------------------------------------------------------------------------------------------------------------------


Edited by Scoop8, 18 May 2014 - 11:15 AM.
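Added example (not code from any poster in this thread): the Python below does the two checks that TsVk!'s removal steps and Scoop8's hdparm notes rely on. It parses the `max sectors = visible/native, HPA is ...` line that `hdparm -N` prints (the format quoted above) to work out how many sectors an HPA is hiding, builds the matching permanent unhide command, and classifies a 512-byte sector 0 (boot code present? 0x55AA signature? partition entries in use?) so you can confirm that an MBR rewrite or zero-write actually happened. The hdparm output strings and the sample sector are constructed for the demonstration and no disk is touched; the unhide command assumes a current hdparm, which refuses to change the limit unless --yes-i-know-what-i-am-doing is also given.

```python
import re
import struct

# Line printed by `hdparm -N`, e.g.
#   max sectors   = 976771055/976773168, HPA is enabled
# Some drives/versions append a "(N?)" after the native count.
_HDPARM_N = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:\([^)]*\))?,\s*HPA is (enabled|disabled)"
)

MBR_SIZE = 512
BOOT_CODE_LEN = 446       # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE_OFF = 510       # 0x55 0xAA closes the sector


def parse_hdparm_n(output):
    """Parse `hdparm -N` output into sector counts.

    Returns a dict with 'visible', 'native', 'hidden' (sectors the HPA keeps
    out of the OS's reach, so `dd` over /dev/sdx never touches them) and
    'hpa_enabled', or None when the expected line is absent (e.g. hdparm
    reporting "HPA setting seems invalid")."""
    m = _HDPARM_N.search(output)
    if m is None:
        return None
    visible, native = int(m.group(1)), int(m.group(2))
    return {
        "visible": visible,
        "native": native,
        "hidden": native - visible,
        "hpa_enabled": m.group(3) == "enabled",
    }


def hdparm_unhide_command(dev, native):
    """hdparm invocation that removes the HPA: the 'p' prefix makes the new
    limit permanent (as in Scoop8's post). Assumption: a current hdparm,
    which requires --yes-i-know-what-i-am-doing before it will change it."""
    return ["hdparm", "--yes-i-know-what-i-am-doing", "-N", "p%d" % native, dev]


def inspect_mbr(sector0):
    """Classify the first 512 bytes of a disk: is there bootstrap code, is the
    0x55AA signature present, how many partition entries are in use.
    A freshly zeroed disk answers False/False/0."""
    if len(sector0) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    has_code = any(sector0[:BOOT_CODE_LEN])
    sig_ok = bytes(sector0[SIGNATURE_OFF:SIGNATURE_OFF + 2]) == b"\x55\xaa"
    used = 0
    for i in range(4):
        ptype = sector0[PART_TABLE_OFF + 16 * i + 4]
        if ptype != 0:        # type byte 0 marks an empty slot
            used += 1
    return {"boot_code": has_code, "signature": sig_ok, "partitions": used}


def wiped_mbr():
    """What `dd if=/dev/zero of=/dev/sdx bs=512 count=1` leaves in sector 0."""
    return bytes(MBR_SIZE)


def sample_mbr():
    """Constructed sector 0 for the demo: a three-byte JMP standing in for
    boot code, one active NTFS-type partition, valid signature. Not a real
    boot loader and not taken from any poster's machine."""
    sec = bytearray(MBR_SIZE)
    sec[0:3] = b"\xeb\x63\x90"
    entry = struct.pack(
        "<B3sB3sII",
        0x80,                 # status: bootable
        b"\x20\x21\x00",      # CHS start (placeholder)
        0x07,                 # type: NTFS/exFAT
        b"\xfe\xff\xff",      # CHS end (placeholder)
        2048,                 # LBA of first sector
        204800,               # sectors in partition
    )
    sec[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sec[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    # Constructed hdparm output; on a real box: parse_hdparm_n(subprocess output)
    sample = "/dev/sdb:\n max sectors   = 976771055/976773168, HPA is enabled\n"
    info = parse_hdparm_n(sample)
    print(info)
    print(" ".join(hdparm_unhide_command("/dev/sdb", info["native"])))
    print(inspect_mbr(sample_mbr()), inspect_mbr(wiped_mbr()))
```

The hidden count is the point of the HPA check: the kernel only exposes the visible sectors through /dev/sdx, so a DBAN or `dd if=/dev/zero` pass stops short of the hidden area until the HPA is removed. Run `inspect_mbr` on sector 0 read back from the disk after the wipe; anything other than False/False/0 means the rewrite did not take.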




