

Bios CMD before actual boot?


21 replies to this topic

#1 fueryin

fueryin

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 05 December 2017 - 07:16 PM

Hey all, whenever I boot up my computer I get the BIOS logo screen like normal, and then it goes to the actual computer command prompt shell (not Windows). I have to type exit for it to boot up into Windows, or sometimes it will say there was no operating system found and I have to reboot.

 

What could be the cause of this? I have 2 theories.  

 

1. I was recently infected with a rootkit; you can read all about how it went here if you need more info: https://forums.malwarebytes.com/topic/216202-igfmxtc/ . But in the end, my system is clean. What worries me is: is there any way this rootkit could have gotten into my BIOS?

 

or my second one (and most probable)

 

2. While dealing with the rootkit, I tried booting into a USB with Linux on it, changing my boot order quite a few times. I read somewhere that if it is moved around too much, the BIOS will get confused every time and boot up into the shell command prompt. They said something about having to swap SATA cables to fix this? Not sure.

 

I'm attaching my msinfo32.txt file here to help identify my motherboard and BIOS, and a picture of the command prompt shell just for reference.

 

OpIed4G.jpg

Attached Files


Edited by fueryin, 05 December 2017 - 08:20 PM.



#2 mjd420nova

mjd420nova

  • Members
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 PM

Posted 05 December 2017 - 07:51 PM

One approach to rootkit infections is to remove the CMOS battery and set the system from BIOS to factory reset settings. This forces the BIOS to boot from the firmware and not the infected flash memory chip. Some units have a jumper on the MOBO to effect a factory reset, but most can be done from the BIOS. It appears that the bulk of the infection is gone but some still hangs on in the CMD file. Once into WIN, try a restore back to before the infection to try and clear the CMD fault.



#3 fueryin

fueryin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 05 December 2017 - 08:19 PM

Right, but is there any way to see if this is actually the rootkit? From what I read, the infector needs physical access to your computer. And when I reboot my comp, Windows is still free of the rootkit.

 

I do not have a restore of Windows before the virus, and how would I go about clearing out the CMD fault?



#4 JohnC_21

JohnC_21

  • Members
  • 23,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 05 December 2017 - 09:01 PM

Your System Information file shows you using Legacy Boot Mode. Is there some reason you are doing this with a UEFI motherboard?

 

Boot into Windows. Open a command prompt and type:

 

diskpart

list disk

 

Is there an asterisk under the GPT column? If not Windows 10 should have been installed in UEFI mode using a GPT disk, not MBR which requires Legacy Mode in order to boot on a UEFI motherboard.

 

Was this a custom build? The motherboard I found referenced by MS-7721 was this
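The diskpart check above can be scripted so the firmware boot mode and every disk's partition style are reported together. The following PowerShell is an added example, not something posted in the thread; it assumes Windows 8 or later (where Windows sets $env:firmware_type to UEFI or Legacy and the Storage module provides Get-Disk) and an elevated PowerShell session. The PartitionStyle column is the same information as the asterisk under diskpart's GPT column.

```powershell
# Added example (not from the thread): report firmware boot mode and each disk's
# partition style, then flag the combination JohnC_21 is describing (an MBR system
# disk booted in Legacy/CSM mode on a board that also supports UEFI).
# Assumptions: Windows 8+ (sets $env:firmware_type), Storage module (Get-Disk),
# run from an elevated PowerShell.

function Get-BootModeReport {
    # $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later
    $firmware = $env:firmware_type
    if (-not $firmware) { $firmware = 'Unknown' }

    # One row per physical disk; PartitionStyle is 'MBR', 'GPT' or 'RAW'
    $disks = Get-Disk | Sort-Object Number | ForEach-Object {
        [pscustomobject]@{
            Number         = $_.Number
            FriendlyName   = $_.FriendlyName
            SizeGB         = [math]::Round($_.Size / 1GB, 1)
            PartitionStyle = $_.PartitionStyle
            IsBoot         = $_.IsBoot     # holds the running Windows volume
            IsSystem       = $_.IsSystem   # holds the boot loader / EFI system partition
        }
    }

    $systemDisk = $disks | Where-Object { $_.IsSystem -or $_.IsBoot } | Select-Object -First 1

    # Interpret the firmware/partition-style pairing the way the thread does
    $note = switch ($true) {
        ($firmware -eq 'Legacy' -and $systemDisk.PartitionStyle -eq 'MBR') {
            'Legacy/CSM boot from an MBR disk. Switching the firmware to UEFI-only mode would stop this disk booting; a reinstall in UEFI mode onto a GPT disk is the supported route.'
        }
        ($firmware -eq 'UEFI' -and $systemDisk.PartitionStyle -eq 'GPT') {
            'UEFI boot from a GPT disk: the expected combination.'
        }
        default {
            'Unusual firmware/partition-style combination; confirm firmware settings before changing anything.'
        }
    }

    [pscustomobject]@{
        FirmwareType = $firmware
        SystemDisk   = $systemDisk
        Disks        = $disks
        Note         = $note
    }
}

$report = Get-BootModeReport
"Firmware boot mode: $($report.FirmwareType)"
$report.Disks | Format-Table -AutoSize
$report.Note
```

Run it before touching any firmware setting: the Note line tells you whether flipping the board from Legacy to UEFI would leave the system disk unbootable, which is exactly the warning given later in this thread.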



#5 fueryin

fueryin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 05 December 2017 - 09:06 PM

No, there is no *, and yes, I built this computer. So in BIOS I should switch over to UEFI mode?

 

EDIT: uploaded my dxdiag info in case this helps. Also I would like to add this used to never happen before I got the rootkit and started messing with my boot order.

Attached Files


Edited by fueryin, 05 December 2017 - 09:08 PM.


#6 JohnC_21

JohnC_21

  • Members
  • 23,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 05 December 2017 - 09:14 PM

It's too late to change to UEFI. That should have been done when the OS was installed. GPT has the advantage over MBR in that malware targeting MBR does not affect the GPT disk as GPT does not use MBR to boot. If you changed to UEFI mode your hard drive would not boot.

 

Is there a fast boot setting in your UEFI settings? Change it to disabled if enabled. If disabled, change to enabled.

 

What are your thoughts on reinstalling the OS in UEFI mode? Is this something you would consider, or would it be too much trouble?



#7 fueryin

fueryin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 05 December 2017 - 09:15 PM

Well, depends. What kind of disadvantage am I in right now?



#8 JohnC_21

JohnC_21

  • Members
  • 23,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 05 December 2017 - 09:26 PM

No real disadvantage other than the EFI shell you get at boot every time and the fact you are using MBR which can be infected with MBR specific malware that does not affect a GPT disk. Also GPT has redundancy compared to MBR. Did you find fast startup in your UEFI settings?

 

https://www.disk-partition.com/gpt-mbr/gpt-guid-partition-table-disk-1203.html



#9 fueryin

fueryin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 05 December 2017 - 09:30 PM

No, couldn't find anything related. And sorry for noob questions, but what do you mean GPT has redundancy compared to MBR? It runs slower? And so there is a possibility the rootkit is in my BIOS? And are you sure this is because I installed the OS in legacy mode, because this used to never happen to me before I messed with my boot options trying to solve the rootkit, and I've used this system for at least 4 years now.

 

Sorry for the silly questions :)



#10 JohnC_21

JohnC_21

  • Members
  • 23,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 05 December 2017 - 09:42 PM

GPT uses a GUID partition scheme. There is a backup in case the primary is damaged. This isn't the case with MBR. It is explained in the link I posted.

 

I doubt there is a rootkit in your UEFI. Rootkits only affect the hard drive itself not the UEFI firmware. I don't know why you are getting the EFI shell at boot though.

 

This happened after clearing your malware?



#11 fueryin

fueryin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 05 December 2017 - 09:48 PM

Well, it happened after rearranging the boot order to go into USB. My original plan was to put Linux on a USB, boot into that and delete the rootkit. I failed to get Linux to boot through USB, so I set my boot order back to normal, and ever since it's done that. I've tried rearranging it since, still boots into shell.

 

So technically it happened in the middle of my infection.



#12 JohnC_21

JohnC_21

  • Members
  • 23,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 05 December 2017 - 09:56 PM

Yeah, I am not sure why this is happening. Your computer has Windows 10 Pro. Was this an upgrade from Windows 7 or a clean install of Windows 10?

 

I am not sure how you would delete the rootkit with linux if you still think you had one. The Malwarebytes forum confirmed you were clean, correct? 

 

What did you use to create the bootable USB of Linux? I would use Rufus with the ISO of Mint Cinnamon. I would then change the mode from Legacy to UEFI mode and attempt to boot Linux. Tapping F11 at boot may give you a boot menu where you could select the USB flash drive.

 

If you wanted to be 100% sure the rootkit is gone from the HDD you would zero wipe it before reinstalling the OS. That would take care of any rootkit infection.

 

Edit: I read the manual on the motherboard and it seems this MB had a very early implementation of UEFI. According to the manual Legacy ROM is default and UEFI driver is only available when installing Windows to a RAID volume. This MB was initially designed for XP. 

 

Board SATA RAID ROM
This item is used to switch RAID ROM. The default setting is "Legacy ROM". If you plan to install Windows on a RAID volume greater than 2.2TB, please set this option to "UEFI DRIVER" and refer to section "Installing OS on 2.2TB RAID" chapter B "AMD RAID".

Looking at this I would say you need to leave the setting at Legacy. Sorry, I don't know why you are getting this EFI shell now. From the manual it looks like you can clear your CMOS settings using a jumper. That would set everything back to default.


Edited by JohnC_21, 05 December 2017 - 10:22 PM.


#13 fueryin

fueryin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 06 December 2017 - 12:25 AM

Upgrade from Windows 7 long ago, before I had this problem. And yeah, this was before I reached out to the Malwarebytes forum. Realized Linux wouldn't work. And I did use Rufus. It would boot up fine on my brother's PC, failed on mine, so I gave that up.

 

Yes, the Malwarebytes forum did say I was clean, I'm just paranoid it could be in my BIOS, even though the possibility is slim to none.

 

OK, I will move my jumpers and also switch SATA cables to see if this works.


Edited by fueryin, 06 December 2017 - 12:26 AM.


#14 JohnC_21

JohnC_21

  • Members
  • 23,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 06 December 2017 - 07:57 AM

If your motherboard has a later UEFI/BIOS version available a flash would remove any firmware rootkit but a bad flash could brick the computer.



#15 fueryin

fueryin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 06 December 2017 - 02:32 PM

If your motherboard has a later UEFI/BIOS version available a flash would remove any firmware rootkit but a bad flash could brick the computer.

How challenging could this be and is it possible on my motherboard? I read somewhere moving jumpers doesn't always kill the rootkit.
