Need help identifying or removing BIOS/UEFI (firmware) virus on windows 11 PC

Aaron Naser 81 Reputation points
2022-07-06T01:17:31.32+00:00

Hi. I will give a quick brief of the virus I accidentally installed.

After attempting to download ‘cracked’ software I thought I had installed a generic piece of malware that was easily removable. I tried to remove it using Norton scans but it detected nothing. There were still many red flags, such as my system crashing and Norton Symantec saying that it did detect traces of malware once in a while when I was using my PC.

I knew I was dealing with more sophisticated malware, so I decided to format and reinstall my OS via a bootable USB containing a copy of Windows. Everything seemed normal when I started it up. The only red flag was that my CPU usage would drop immediately every time I opened Task Manager, as if a virus was trying to evade detection. Out of desperation I formatted and reinstalled my OS again using a USB stick. Nothing really changed except that a few keys stopped working. I’m not sure if that’s because of the virus or hardware issues.

Even after formatting and reinstalling my OS I think I still have malware, since my CPU usage is abnormally high and all my firmware updates and drivers installed too. I came to the conclusion that I have a BIOS/UEFI (firmware) rootkit. The only way to remove it is to replace or reflash certain parts of my computer. I’m not a computer specialist and it’s way too risky for me to disassemble my computer. Luckily I have a warranty on my PC which can cover accidental damage, and a specialist can repair or replace my computer.
My main question is that I don’t know which parts need to be replaced in order to remove the firmware rootkit, and if I am eligible to get it replaced.

Keep in mind that I used many antivirus and anti-rootkit solutions and none of them removed anything. Thanks.


4 answers

  1. Limitless Technology 39,786 Reputation points
    2022-07-06T14:35:51.657+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having issues related to removing a BIOS/UEFI (firmware) virus on Windows 11.

    Please reset UEFI or BIOS to defaults.

    Go through the various UEFI/BIOS Setup tabs and report back the settings for UEFI (should be enabled), CSM or Legacy BIOS (should be disabled unless you are trying to boot a Legacy Windows install on the PC), Secure Boot (should be enabled) and Boot Priority order (Windows Boot Manager should remain first to boot at all times).

    Then reset the UEFI firmware to defaults, Save and Exit.

    1. Download gparted.iso and make a bootable USB.

    Then remove all partitions and volumes with GParted, then install Windows again.

    -------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

    2 people found this answer helpful.
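As an added example (not part of the answer above or of any Microsoft tool), the following PowerShell script collects the settings that answer asks the user to report, from a running Windows 11 session, using only built-in cmdlets. It assumes the standard layout of `bcdedit /enum firmware` output (a `displayorder` list followed by per-entry `identifier`/`description` lines).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer: gather the firmware settings the
# answer asks the user to report (boot mode, Secure Boot, first boot entry,
# BIOS identity) so they can be compared with the recommended values before
# resetting UEFI to defaults.

$report = [ordered]@{}

# Boot mode as seen by Windows: 'Uefi' is expected; 'Bios' means the machine
# booted through CSM/Legacy, which the answer says should be disabled.
$report['FirmwareType'] = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# Secure Boot state. The cmdlet throws when the OS was not booted via UEFI,
# so record that instead of aborting.
try {
    $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
} catch {
    $report['SecureBootEnabled'] = 'N/A (not booted via UEFI)'
}

# First entry of the firmware boot order. Assumed bcdedit layout: the
# {fwbootmgr} block lists 'displayorder', whose first identifier is resolved
# to that entry's 'description'. Expected value: 'Windows Boot Manager'.
$fwText  = (bcdedit /enum firmware 2>$null) -join "`n"
$firstId = [regex]::Match($fwText, 'displayorder\s+(\{[^}]+\})').Groups[1].Value
$report['FirstBootEntry'] = 'unknown (no firmware entries found)'
if ($firstId) {
    $pattern = "identifier\s+$([regex]::Escape($firstId))[\s\S]*?description\s+([^\r\n]+)"
    $m = [regex]::Match($fwText, $pattern)
    if ($m.Success) { $report['FirstBootEntry'] = $m.Groups[1].Value.Trim() }
}

# Firmware identity: needed to find the vendor's current BIOS package, which is
# the only supported way to reflash the firmware on a consumer machine.
$bios = Get-CimInstance -ClassName Win32_BIOS
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$report['Manufacturer'] = $cs.Manufacturer
$report['Model']        = $cs.Model
$report['BiosVersion']  = $bios.SMBIOSBIOSVersion
$report['BiosDate']     = $bios.ReleaseDate

# One line per setting, ready to paste into the thread.
$report.GetEnumerator() | ForEach-Object { '{0,-18}: {1}' -f $_.Key, $_.Value }
```

Values reported by the OS come from the same firmware that is suspected of being compromised, so treat them as a starting point for the manual Setup check the answer describes, not as proof either way.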

  2. KabirNarain-8846 15 Reputation points
    2024-09-23T15:20:06.8733333+00:00

    Hi Everyone,

    First of all, thanks to all for sharing the details that may sound like fiction to many but are in fact the reality of today and a big warning for tomorrow too, as briefly commented above. I never thought this level of control was possible in reality, that too without any proximity (a little bit subjective; will explain). This event has also cemented even an iota of doubt that I had regarding the giants of the industry: every one of these tech giants is pure evil and all they have done with every upgrade or release is gain that extra inch of territorial control over the common man. Some do it blatantly while some subtly.

    This is day 5 for me of not having slept or eaten properly, as this attack consumed me in a literal sense and I am still processing what I have come across. This Rootkit/Rat/C2 host/malware attack seems to be the latest release/version and did a few more things than what most have explained on this post. I am sure this got planted a few weeks before it surfaced with its might and at an advanced stage on my machine. But when it started flexing I fought back, with no clue what I was up against. However, I am a systems guy and was successful in identifying the changing behaviour of my machine and isolated the machine pretty early. As I am naturally paranoid I had a hunch that this guy had come well prepared, and I was right in some sense. Let me give some details:

    My machine - ASUS X series 15 Vivobook

    Intel i7 , 16Gb RAM, 1TB SSD

    Running Kubernetes, Docker, Hyper-V, WSL with many web configs, Java, JS, JSON, .NET, ASP etc., data crunching in Python and R, Perl and jq interpreters, ArcGIS Pro, Desktop, QGIS.

    Visual Studio, NPM, Sublime Text etc

    OS: Windows 11 64-bit Pro, with McAfee, Windows Defender, Malwarebytes and Avast for antivirus and malware detection and prevention. Nothing picked it up and I never got a chance to run an offline scan.

    Data analysis, for which I rely on scraping the web, for my pipeline creation and management, and real-time architecture analysis and visualisation.

    Most likely the activation binaries flowed to my machine as SVG/image/logo files that activated the binaries already present at the BIOS level. From there, impersonation of admin rights at very low-level services took place via Realtek audio drivers and Intel chipset drivers, mainly power management drivers. From there it just kept growing in strength, whatever I managed to do; I did use all my skills and experience to trick the rat back and was able to salvage some of my critical data, plus I have got some explosive details of this virus deleting after every stage or step that was achieved.

    After day 3 I realised that whatever dent or damage I could do was recovered within a few hours and finally minutes, and this thing was way more sophisticated than I anticipated. I didn’t give up completely but was, and still am, in shock. This is no small-time 1-3 person group’s work. It’s way beyond imagination, for me at least, as to how and who all are facilitating or helping these kinds of attacks.

    Some observations that may help anyone who stumbles upon this at a later stage.

    1. As I mentioned earlier, I was successful in detecting the patterns and isolating my machine. Note: the usual model for Rootkit or Rat kind of attacks, and what makes them more efficient, is that they work in command and control mode. This means every step is instructed and the outcome shared back to control, then control shares fresh commands and the next step. So, ideally, by early detection and isolation one can start celebrating. Which would probably have been true some years ago. However, this is what I have dealt with while I was figuring out and fighting the Rat:
      • My iPhone 15 was infected, waiting.
      • My Beats headphones
      • 2 x Samsung Smart TVs in my house
      • Wireless keyboard and mouse.
      • 1 x large monitor I use for my regular work.
    2. Everything wireless and on the network was at some level under the control of the Rat with no symptoms. One can easily overlook them and miss the failsafe created by the Rat army.
    3. I have taken down every pingable device, big or small, in my house. For the last 2 days I cannot log back into my machine and all I see is a black screen. As photo and other users have shared, everything in the machine is spoofed and if you try deleting something you may eventually realise it was your own data set.
    4. So why am I highlighting the above? One, because for sure the main Rat was isolated at some stage. I am pretty sure there was no communication between the Alpha Node Rat and CC. However, it is still fighting back and improvising. How? I don’t think we need to guess that. It’s damn sure an AI-evolved Rat that can get to the lower layers of tech undetected.
    5. The Rat created a bot army or team before surfacing and carrying out the final kill. Today I took my main router offline. I was not surprised during detailed inspection that it too was infected and had 18 LAN connections within my house. I got zero notifications.
    6. Very important observation: since I have taken down the router completely (at first I just factory reset it thinking it would resolve it, but it didn’t), the strength of the whole LAN bot team dwindles.
    7. Another important thing to remember: believe your gut when it says something. So, they are masters in disguise. 18 connections around you, no notifications; you won’t even see the Wi-Fi logo as connected or blinking lights. So get a layer or two deep. In my case they were using WS (socket-based) communications with each other, nowhere to be picked up, I mean by the normal tools and apps.
    8. Finally, I have started to see my CTRL+ALT+DEL screen again. It’s very hopeful, but I will try and salvage as much data as I can, not mine but this Rat’s.

    Finally, it’s sad and depressing to see these control freaks getting closer to their objective of one day taking complete control over our lives. I was shocked to come across some datasets that name some of the biggest tech organisations being used for and during these attacks, and the craziest shit is that they try and legitimise these attacks. Scary as shit!

    2 people found this answer helpful.

  3. Docs 15,566 Reputation points
    2022-07-07T07:56:41.903+00:00

    What is the make and model of the computer?

    If HP they are offering fixes for firmware malware:

    https://www.bleepingcomputer.com/news/security/hp-patches-16-uefi-firmware-bugs-allowing-stealthy-malware-infections/


    Please remember to vote and to mark the replies as answers if they help.

    On the bottom of each post there is:

    Propose as answer = answered the question

    On the left side of each post there is /\ with a number: click = a helpful post

    1 person found this answer helpful.

  4. Photonaxan 5 Reputation points
    2024-07-12T11:14:13.03+00:00

    Some things you need to know about UEFI/EFI GPT GUID. It’s all hype and marketing and very malicious. What it’s actually used for is to take over your Personal (sic) Computer.

    32/64-bit BIOS? Nonsense. Intel processors power up in 16-bit mode for compatibility. UEFI does not change this.

    Security? Quite the opposite. Once UEFI is taken over, your PC becomes their PC. You have limited control, especially under Windows.

    Fancy GUI interface for BIOS settings? It’s just to change system settings; you don’t need fancy graphics. I don’t spend much time in there for fancy graphics.

    Boot speed? False. Once it’s under a rootkit’s or Microsoft’s control, you won’t even be able to boot to your installed Windows, or boot into Windows PE.

    Virus can't be detected. It's not looking in the area of the drive that's infected. Windows is running in virtual mode and the anti virus software is scanning the Windows you installed, but not the rootkit (infected) Windows you are running under.

    1 person found this answer helpful.
