
Virus put bios password on computer.



#1 deeann

Posted 16 February 2016 - 07:33 PM

Hi,
I ran into a virus that put a BIOS password on my computer. It was some virus demanding money or they would lock the computer. I closed out of the windows demanding money and ran Malwarebytes. When Malwarebytes was done, it restarted the computer and when the computer turned back on, it showed the Toshiba symbol then went to a black screen with a blue box in the middle saying confirm password. I am unable to get into the BIOS settings, safe mode, anything! Now, I've scoured the internet looking for any solution and so far I've tried taking the CMOS battery out and waiting for 24 hrs. When I did that and booted the computer, it said something about 'changing the time settings, press f2 to continue'. I pushed F2 and it went straight to the password screen again. I've also tried jumping the motherboard, still nothing. I have never done this before and my only guidance was from a YouTube video of an older model Toshiba, so I probably did it wrong.
 
Is there anything I can do to get past this?
 
And also should I be worried about my files? I have tons of pictures and music on my hard drive and I'm hesitant to plug it into another computer in case the same thing happens to that one.
 
I have a Toshiba Satellite c55t-a5222 laptop.

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal


 


#2 quietman7


Posted 16 February 2016 - 09:30 PM

If it is similar to this...

syskey.png

If so, see these related topics for suggestions:

If using Windows 8/8.1, you can refer to the instructions (methods 4-6 or Shift+F8) in How To Access Advanced Startup Options in Windows 8 or 8.1


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Demonslay335


Posted 19 February 2016 - 10:10 AM

I would pull the hard drive and connect to another computer. You should be able to get your data. It definitely will not spread to another computer as long as you don't run anything, just simply copy/paste data.

 

Once you have your data backed up, we can see about trying to figure out what is going on with the system.

 

We had someone else report something that sounds like this a few weeks ago. Is it similar to the symptoms and screenshots shown in this topic?

 

http://www.bleepingcomputer.com/forums/t/603409/encrypted-boot-ransomware-support-topic/

 

Or does it look like this?

 

http://www.laptopish.com/wp-content/uploads/2014/05/bios-pass.jpg


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 deeann


Posted 19 February 2016 - 12:58 PM

Thank you for the replies. Yeah, I just ended up putting the files on a desktop that has jumpers on it just in case. Demonslay, it looks like the second link.



#5 Demonslay335


Posted 19 February 2016 - 01:46 PM

Weird, never heard of a virus being able to affect the BIOS password. For the time being, we might have to refer you to the hardware support forum I think.

 

I would try a few quick guesses though. Just stuff like "1234", "12345", "123456", "password", etc. Also I believe there are some "known default" lists out there for Toshiba laptops you could look into. I have not heard of a ransomware being able to add a BIOS password before, but I've heard of a glitch that causes it to make a random password on its own.




#6 quietman7


Posted 19 February 2016 - 02:38 PM


BIOS/UEFI (firmware) viruses exist but are very rare. Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive a reformat and reinfect a clean disk. This type of malware exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS. Although in February 2015, Kaspersky Labs reported "persistent, invisible espionage malware inside the firmware of hard drives compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung". This particular threat targeted government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, and media outlets.

This is a quote from my Security Colleague, Elise, who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent, different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible as you'd have to write a lot of different versions for different hardware models.


UEFI (Unified Extensible Firmware Interface) was introduced as a replacement for traditional BIOS in order to standardize computer firmware through a reference specification. However, there are several companies that develop UEFI firmware and there can be significant differences between the implementations used by computer manufacturers. These articles explain the complexity of the UEFI, secure boot protocol and exploitation.

Fortunately, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means than a BIOS virus.

#7 Captain_Chicken


Posted 21 February 2016 - 08:07 AM

I believe you can reset the BIOS password by removing the CMOS battery. I could not find any disassembly guides for this laptop. If you do not trust doing this yourself, I recommend putting the laptop in the hands of a qualified technician. Otherwise, here is what you should do:

  1. Set the laptop on its top and unscrew all the screws on the bottom panel.
  2. From here I recommend taking some pictures to refer to when you put it back together.
  3. Look for the watch-sized battery in the middle of the motherboard. Remove the battery, count to five, and reinsert correctly.
  4. Reassemble the laptop.

Hopefully when you boot the laptop up the password should be removed.



#8 Kelz Clive


Posted 09 March 2016 - 07:08 PM

If it is similar to this...

syskey.png

If so, see these related topics for suggestions:
If using Windows 8/8.1, you can refer to the instructions (methods 4-6 or Shift+F8) in How To Access Advanced Startup Options in Windows 8 or 8.1

This seems to be making a comeback; I had 2 customers bring in computers with the same issue within the last 2 weeks. For the first one I was able to restore good copies of the SAM, default, software, Security and System from the regback directory. For the second one the regback was also affected; I was able to reset the syskey with Passcape.
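
A way to tell whether the RegBack copies mentioned above are intact before restoring them, as an added example that is not part of any post in this thread. It reads only the 512-byte header of each hive on an offline-mounted drive. The header layout (the `regf` signature, two sequence numbers, an XOR checksum at offset 508) is taken from public documentation of the hive format, not from this page, and the function names and sample files are constructed for illustration.

```python
import struct, tempfile
from pathlib import Path

HIVES = ["SAM", "DEFAULT", "SOFTWARE", "SECURITY", "SYSTEM"]  # hives named in the post

def xor32(block: bytes) -> int:
    """Header checksum: XOR of the first 127 little-endian dwords (bytes 0-507)."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        value ^= dword
    # Format special cases: 0xFFFFFFFF is stored as 0xFFFFFFFE, and 0 as 1.
    return 0xFFFFFFFE if value == 0xFFFFFFFF else (value or 1)

def check_hive(path: Path) -> str:
    """Classify a hive by its 512-byte base block only; the hive is never loaded."""
    if not path.is_file():
        return "missing"
    with path.open("rb") as fh:
        header = fh.read(512)
    if len(header) < 512:
        return "empty" if not header else "truncated"
    if header[:4] != b"regf":
        return "bad-signature"
    if struct.unpack_from("<I", header, 508)[0] != xor32(header):
        return "bad-checksum"
    primary, secondary = struct.unpack_from("<II", header, 4)
    return "ok" if primary == secondary else "dirty"  # dirty: a write was not completed

def survey(windows_root: Path) -> dict:
    """Check every RegBack hive under an offline-mounted Windows directory."""
    regback = windows_root / "System32" / "config" / "RegBack"
    found = {p.name.upper(): p for p in regback.iterdir()} if regback.is_dir() else {}
    return {name: check_hive(found.get(name, regback / name)) for name in HIVES}

def make_header(primary: int = 7, secondary: int = 7) -> bytes:
    """Constructed sample data: a minimal base block with a valid checksum."""
    body = b"regf" + struct.pack("<II", primary, secondary) + bytes(496)
    return body + struct.pack("<I", xor32(body))

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        regback = Path(tmp) / "Windows" / "System32" / "config" / "RegBack"
        regback.mkdir(parents=True)  # constructed tree; DEFAULT is left out on purpose
        (regback / "SAM").write_bytes(make_header())
        (regback / "SYSTEM").write_bytes(make_header(8, 7))   # sequence mismatch
        (regback / "SOFTWARE").write_bytes(bytes(512))        # header overwritten
        (regback / "SECURITY").write_bytes(b"")               # zero-length file
        return survey(Path(tmp) / "Windows")

if __name__ == "__main__":
    print(demo())
```

Against a real disk, pass the mounted drive's Windows directory to `survey()`; only hives reported as `ok` are candidates for restoring.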



#9 quietman7


Posted 09 March 2016 - 07:39 PM

Glad to hear you were able to sort it out.

#10 Toe_knee1980


Posted 13 January 2017 - 06:41 AM

I would pull the hard drive and connect to another computer. You should be able to get your data. It definitely will not spread to another computer as long as you don't run anything, just simply copy/paste data.
 
Once you have your data backed up, we can see about trying to figure out what is going on with the system.
 
We had someone else report something that sounds like this a few weeks ago. Is it similar to the symptoms and screenshots shown in this topic?
 
http://www.bleepingcomputer.com/forums/t/603409/encrypted-boot-ransomware-support-topic/
 
Or does it look like this?
 
http://www.laptopish.com/wp-content/uploads/2014/05/bios-pass.jpg


I'm getting the problem but it's the same as the second screenshot. I have removed the BIOS battery and it gets past that and starts to boot Windows. Halfway through booting it restarts the PC and comes up with enter password. Any ideas?

#11 MDD1963


Posted 24 January 2017 - 06:04 PM

Entirely possible the Syskey-looking image is not real, but merely a fake browser image designed to appear as such...

(Try a bootable Defender, Kaspersky, etc.)

 

(I've not heard of a cryptolocker/ransomware that uses an involuntary syskey as punishment.)

