Anyone got any ideas on ridding my T61's BIOS of a virus.
The BIOS rev is the latest so flashing is not an option.
Is there anyway to downgrade the BIOS?
Does anybody know if the BIOS chip is removable (socketed)?
I'm stuck in a big way here.
Any fix or good service center suggestions will be greatly appreciated.
Thanks
Will
BIOS Virus? How do you know you have a BIOS Virus. Did you set up a supervisor password? This should always be the first step with a new thinkpad. No you can't remove the BIOS, in fact if you forget your supervisor password you have to send it in to have the mb replaced...
You can try reflashing an old BIOS if it lets you, look for them at the bottom of this page.
BIOS Update Utility - ThinkPad R61 14.1inch widescreen with IEEE 1394, ThinkPad T61, T61p
No I did not set a password in the BIOS. Lesson learned. I don't think it will let me roll back the BIOS. I wish I could just re-flash the newest version. I'm sure Lenovo service techs have this ability.
I'm not sure the BIOS has a virus.
After I install Win XP SP3 and the install finishes, I'm at the desktop, no drivers loaded yet, and things just start to disappear. I was at that point and had transferred from a USB memstick all my Lenovo drivers. I was going to do the first one, chipset, and I watched as all, one at a time, my driver programs vanished. Next came all the quick launch and desktop icons. After that the start/programs menu was empty. Then came an auto shutdown followed by a "user profile could not be loaded, could not find the file."
I've loaded Windows XP and 7 several times. The same thing happens every time. I installed a new hard drive as well. BIOS virus is my only answer. Anyone know of another thing?
Thors.Hammer Notebook Enthusiast
If you install Windows and it works properly until you insert a USB stick with your files, I would be looking more closely at the stick and files.
Look at your Windows source and USB drive for the virus, if there is one. Are you using an original Windows disk for the install?
Any malware that's sophisticated enough to modify your BIOS isn't the sort that's going to do something obvious like "make files disappear" (there hasn't been common malware that's done that in *ages*). It's going to do something a lot more profitable, such as act as a scareware/spyware distribution vector, data mine, or act as a CnC/distribution hook for a botnet client.
Funny thing is that in order to delete files in Windows, it would have to support the NTFS file system. Although there is an open source NTFS implementation, it needs the Linux kernel and maybe some userspace utilities, so some basic Linux installation would be necessary. The BIOS itself would of course still have to work to boot the machine etc. I don't think the T61 BIOS has enough capacity for that.
It has done the exact same things with a new out of the package Win XP SP3 and Windows 7 disk. It has done it prior to me transferring any files after setup. The person I bought it from said just before he gave it to me that he loaded Windows 7 off a disk he downloaded via torrent.
That is why I suspect a virus. Search "windows 7 bios virus". I guess Sep 13 2011 they made a discovery of a nasty virus, written in Python, going around.
I do appreciate all the input. Thanks a bunch.
Will
Thors.Hammer Notebook Enthusiast
I agree it's not likely in the BIOS. Are you connected to a network when this happens? I would use the manufacturer's disk utility to format the new h/d. Toss in different RAM, bad RAM could be causing corruption, and then do a clean install from the official Win 7 CD. Play with it for a bit before plugging in any USB, network, or using driver CDs.
As for the BIOS, use the CD-ROM boot method instead of the Windows BIOS Utility to flash the BIOS. Being "Read-Only" on the CD makes it very unlikely for it to be tampered with by viruses. You could also consider using Middleton's Modified BIOS for the T61 which is safe (I personally have this on my T61) and enhances the capabilities of the system (no WLAN whitelist, full SATA II speeds etc).
Thanks everyone for the advice, it is much appreciated.
Yesterday late I flashed the latest BIOS and then password protected.
Today:
Set Supervisor password.
Took out the new 250GB hard drive, gave it to my IT guy.
He put it on a machine made to format drives and did a complete format and wrote random characters to all sectors, then re-formatted again.
Installed drive.
Turned off wireless switch.
Loaded Windows 7 from my IT guys disk.
Machine has been running for three hours now with no problems.
I'm gonna play with it for a while then when I get brave put it on the network and see what happens.
I'll load McAfee first.
I got my fingers crossed.
BTW I have 4 desktops at home and have had to do many format re-installs but have never had this type of an issue. If it continues to run smooth, I'm at a loss of knowing exactly what the problem was.
You guys/gals have been very supportive so I owe all of you a beverage of choice. Just come to MA and collect anytime. :>
Will
Feeling scruffy? Try the New, Improved Occam's Razor!
Seriously though, if your machine does get compromised -- not at all implausible if you're running Windows -- I doubt it's via a compromised BIOS. You're far more likely being bitten by a remote root exploit, infected installation media, a dodgy flash key, etc.
I write this filled with aggravation and with a small tear in my eye.
I ran the T61 at work for several hours and at home for two. The first sign I noticed was a Windows security alert stating that my anti-virus and spyware programs were turned off. I checked my up to date McAfee software and it said all was on and normal. So having been down this road, I checked for icons under the start menu; all gone as expected. Rebooted and I could not log back in because the message said the user profile could not be loaded.
Anyone have a procedure I could follow to separate a software/virus problem from a hardware defect? I did run the mem test suggested several times and it passes every time. I'm lost.
Well ditch McAfee and download Avast, it's free and works well for me and most people I know.
Start by scanning all the computers on your home network and any USB sticks that you have. It sounds like it started when you got it home?
Do the same thing to the laptop that you did last time and once you have the system back to where you had it at work, turn off autoplay, hook it up straight to the Internet modem or router, if possible disconnect anything else on the network, and install all the Windows patches and then Avast.
I can't say I've heard of any virus that'll take down Windows 7 the way you described, but hardware issues usually result in BSODs and the like.
Mystery Solved!! I knew it was in the BIOS. After giving up on finding and killing the BIOS virus I just knew I had, I started looking into the Absolute Software anti-theft software called Computrace. I read on the web that when a computer, with this service paid for, goes missing the owner calls the company and they activate the code that resides in the BIOS. This code reports the IP address and deletes system files making the computer useless.
I verified this was the case by killing the processes associated with this service and all the strangeness ended.
I called Absolute Software and explained to them that I just purchased this from an individual who advertised it on Craigslist.org. I provided the ESN and they indicated it was not reported and it belonged, last they knew in 2009, to a company. Now they are trying to contact IT at said company to verify it is not stolen and maybe they sold it to a wholesale house which is where the person I bought it from bought it.
I asked why the BIOS code was active while the computer was not reported stolen and they had no answer.
So now I'm waiting for a phone call to let me know if I can keep it or have to cooperate with them on the recovery.
What a PITA, last used laptop I buy without knowing for sure the exact history of purchase.
Thanks for all the help.
Will
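For anyone who lands on this thread with the same symptoms, here is a check you can run before killing anything. It is an added example, not code from this thread, from Lenovo or from Absolute Software: it only reports whether the Computrace agent appears to be present on the Windows install, so you keep the evidence for the conversation with Absolute. The process, service and file names (rpcnetp, rpcnet) and the check of autochk.exe are assumptions taken from public analyses of the agent, not from this thread; confirm them against current vendor documentation for your version.

```powershell
# Added example (not from the thread, Lenovo or Absolute Software).
# Inventory Computrace (LoJack) agent indicators on a Windows host.
# Nothing is stopped or deleted; findings are returned as objects.
# ASSUMPTIONS: agent names 'rpcnetp'/'rpcnet' and the autochk.exe check
# come from public analyses of the agent, not from this thread.

function Get-ComputraceIndicators {
    [CmdletBinding()]
    param(
        [string[]]$AgentNames = @('rpcnetp', 'rpcnet')   # assumed agent names
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($name in $AgentNames) {
        # 1. Is the agent currently running?
        foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $findings.Add([pscustomobject]@{
                Kind   = 'Process'
                Name   = $p.ProcessName
                Detail = "PID $($p.Id), image $($p.Path)"
            })
        }

        # 2. Is it registered as a service, and how is it started?
        foreach ($s in (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'")) {
            $findings.Add([pscustomobject]@{
                Kind   = 'Service'
                Name   = $s.Name
                Detail = "state=$($s.State), start=$($s.StartMode), path=$($s.PathName)"
            })
        }

        # 3. Is the binary sitting in System32, and who signed it?
        $exe = Join-Path $system32 "$name.exe"
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $findings.Add([pscustomobject]@{
                Kind   = 'File'
                Name   = $exe
                Detail = "signature=$($sig.Status), signer=$($sig.SignerCertificate.Subject)"
            })
        }
    }

    # 4. autochk.exe runs before the desktop appears and should carry a valid
    #    Microsoft signature; anything else deserves a closer look.
    $autochk = Join-Path $system32 'autochk.exe'
    if (Test-Path -LiteralPath $autochk) {
        $sig = Get-AuthenticodeSignature -FilePath $autochk
        $ok  = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        if ($ok) {
            $detail = 'signature valid (Microsoft)'
        } else {
            $detail = "signature=$($sig.Status), signer=$($sig.SignerCertificate.Subject)"
        }
        $findings.Add([pscustomobject]@{ Kind = 'File'; Name = $autochk; Detail = $detail })
    }

    return $findings
}

# Usage: run from an elevated PowerShell prompt so service and image paths resolve.
$report = Get-ComputraceIndicators
if ($report) {
    $report | Format-Table -AutoSize
} else {
    'No Computrace agent indicators found.'
}
```

Because the module lives in the BIOS, a clean OS install on a wiped drive does not get rid of it; the agent will be dropped back into the new install on first boot, which is why the same symptoms came back after the reinstall described earlier in this thread. The point of the script is to confirm that before you spend another weekend reformatting.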
Computrace can remotely delete data, but doesn't remotely delete system files (or at least it's not supposed to). It does act a little like a rootkit though and, like some rootkits, may break its host OS.
I'm glad you got it sorted.
WOW, that does make sense...
Seems strange that a company would register for Computrace but not set up a supervisor password. I know in the W520 I can actually go into the BIOS and turn that off.
Let us know how it turns out!
Thors.Hammer Notebook Enthusiast
There may have been a password when the T61 was being administered by the company that sold it. Assuming of course the transaction history is legit.
Timing wise it makes sense. The T61 is likely out of warranty and amortized on the books.
BIOS Virus
Discussion in 'Lenovo' started by uhfradarwill, Oct 4, 2011.