  1. #1

    mac_shinobi

    fake cmos enter code or all data will be erased issue

    Got a Lenovo T400 today, I think the issue is either

    1. The MBR on the hard drive
    2. The CMOS has been altered

    Every time you boot without the hard drive you don't seem to get the message, but as soon as you have the hard drive in you get a message something to the effect of

    Important, if you do not enter the correct code all data will be erased / wiped, to get a valid code please send payment to
    <email address>

    Enter Code

    Most of the text is in yellow / red and I know it is fake

    Can't get into safe mode or anywhere near Windows, so please don't suggest safe mode etc.

    Tried to boot the laptop using an XP SP 3 disc and it gets to the part where it states to press any key to boot / install xp.....

    so I press any key on the keyboard and then the screen goes blank / black, normally it loads the xp setup with a blue background etc but none of this happens.

    I got the BIOS updater from Lenovo's website and that booted fine and updated the BIOS, but the virus or whatever it is still resides in the CMOS / BIOS.

    I did do a quick format on the drive in question (hard drive, that is) but it's still the same, so I am guessing this did not touch the MBR of said drive.

    Any suggestions on how to clear the CMOS safely and get rid of this extra code that is malware / trojan / virus (should not be there)?

    I will try and clear the MBR through an active disk or by having it attached externally on my machine and getting to the recovery console on my machine and doing it that way and see if that helps

    Anything else I can do or try?

  2. #2
    eddyc

    Sounds like it may be a rootkit virus. Could you try using the Ultimate Boot CD and adding the latest ComboFix onto the disk and running that? ComboFix has saved me formatting machines so many times and seems to be great at rootkit removal.
    ComboFix Download

  3. #3
    morganw

    You could try booting a Linux live CD and installing it; it would replace the MBR with an alternate boot loader, so if that installs and boots then you know it's something malicious that was in your MBR. If you cannot install it then that would suggest something more serious, i.e. somehow it's got into the BIOS, but I wouldn't have thought that is likely, particularly if you can re-flash it with no problems.

  4. #4

    SYNACK

    It does sound like a hard drive isolated thing; try it with a different drive to make sure. If it still shows up with a different hard drive installed then it may have compromised the firmware; that is a back to factory repair if a BIOS upgrade does not fix it. There are things that can infect the firmware of the keyboard and so even a BIOS upgrade will not cook them, but this is unlikely given the lack of error when you boot with no drive.

    I would do a low level format of the HD in question and maybe a boot and nuke wipe and see if the problem persists. If it does, try booting with the keyboard detached and using a USB keyboard. The other unlikely scenario is that the hard drive firmware has been compromised; if so it may be worth looking for any HD firmware updates that are available in order to reflash the HD's firmware.

    I have never personally encountered any viruses that have compromised the system that thoroughly but they do exist at least in highly targeted proof of concept attacks.

  5. #5

    First of all download MBRCheck from here and run it on the laptop. This will tell you if the MBR has been modified (green = / red = ). To double-check you can also use GMER.

    If it is a MBR rootkit (Mebroot, Torpig/Sinowal etc.), all you need to do is simply recreate the MBR via the recovery console or the command prompt on a Windows Vista/7 install disc (see below for the commands to use). Symantec also have a removal tool for Mebroot here which rewrites the MBR.

    Just to be sure there aren't any other nasties lurking on the HDD I would scan it using a bootable anti-virus disc (AntiVir, Kaspersky etc.).

    For XP run fixmbr and with Vista/7 run bootrec.exe /fixmbr. With the latter OSs you can also completely rebuild the BCD but this probably isn't necessary...

    bcdedit /export C:\BCD_Backup
    c:
    cd boot
    attrib bcd -s -h -r
    ren c:\boot\bcd bcd.old
    bootrec /RebuildBcd

    As a last resort you can wipe the HDD using DBAN or HDDErase, but 99% of the time recreating the MBR will kill the rootkit.

    BIOS-level rootkits are extremely rare and it's unlikely to be the HDD or keyboard firmware either.
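
The MBR check suggested in this thread can also be done by hand on the first 512 bytes of the drive, read while it is attached externally or from a trusted boot disc. The following is an added example, not code from any poster and not how MBRCheck itself works: it hashes the boot-code area, lists readable strings in it (a boot-time message such as the one described in post #1 would show up there) and decodes the partition table. The function names, the caller-supplied baseline of known-good hashes and the sample sectors are assumptions constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440    # bytes 0-439: boot code
PART_TABLE_OFF = 446   # four 16-byte partition entries


def printable_runs(data, min_len=8):
    """Return ASCII strings of at least min_len characters found in data."""
    runs, current = [], bytearray()
    for byte in data + b"\x00":           # trailing NUL flushes the last run
        if 0x20 <= byte < 0x7F:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    return runs


def inspect_mbr(sector, known_good_sha256=frozenset()):
    """Summarise sector 0 of a disk image taken from a trusted boot medium."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    digest = hashlib.sha256(boot_code).hexdigest()
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype:
            partitions.append((i, status == 0x80, ptype, lba, count))
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": digest,
        "hash_known": digest in known_good_sha256,   # caller supplies the baseline
        "strings": printable_runs(boot_code),
        "partitions": partitions,
    }


def build_sample(message):
    """Constructed 512-byte sector for this example; not a real MBR."""
    code = (b"\xfa\xfc" + message).ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    return code + bytes(6) + entry + bytes(48) + b"\x55\xaa"
```

A valid `55 AA` signature and an intact partition table say nothing about the boot code itself; the hash comparison and the string listing are what show that the first 440 bytes have been replaced.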
