Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Virus changed Hard Disk Drive Firmware???


  • This topic is locked This topic is locked
1 reply to this topic

#1 rtomkins

rtomkins

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 12 October 2016 - 04:43 PM

My computer is a HP SFF 8300, running Windows 10 Pro upgraded from Windows 7 Pro with a 500GB boot disk and a second 2.5" 500GB disk recovered from my failed laptop, strictly to easily pull files when needed.

 

I have been bringing a SuperMicro SuperServer to life in the back room of the house.

I installed Windows Refurbished 7/SP1 from a Microsoft DVD and used the Windows 7 Pro license from the side of the HP SFF 8300 to install Windows 7 Pro. I used WSUS Offline to get all the updates into the SuperServer to get Microsoft Windows Update working, and yes, finally success. My intent was to get the SuperServer to a point where I could run the Microsoft Windows 10 compatibility tool on it as I would prefer to be running Windows 10 Pro to use the system as a workstation. Unfortunately, tere is no such thing so I used the Media Creation tool to download an ISO image and RUFUS to burn that to a 4GB flash Drive.

 

I went to the front of the house, and sent my youngster an email from Thunderbird email client on my HP SFF 8300, and I left Thunderbird running and probably Microsoft Edge and Firefox as well.

 

I went back the SuperServer and whiel waiting for RUFUS to finish was looking at the commands available with SLMGR.exe.

The Computer properties changed from stating 3 days until automatic activation of Windows to 2 days until automatic activation of Windows and I wanted to stop that from happening so I could finish working on the Windows 10 installation. I ran a command prompt as an administrator and type "SLMGR /REARM" and rebooted the system. This reset the license system abd after the reboot I confirmed that the Computer properties again said 3 days until automatic activation of Windows. While I had been reading about SLMGR, I saw that "SLMGR /ATO" would activate the Windows License. I tried it an it activated Windows, and I was surprised.

 

I went back to the HP SFF 8300 to skype a friend and ask him if he had any thoughts on this Windows activation that I had not expected to work.

 

Sitting down in front of the HP SFF 8300, I was greeted by the text, "FreeDOS", in the upper left of the screen. I have never seen this before. I pressed CTRL-ALT-DEL and the system restarted and came back to the same text. I saw that at the bottom of the screen there was a message about pressing ESC to enter setup. Again, CTRL-ALT-DEL and then pressed ESC and was presented with a menu that looked just like the HP menu screen to enter the BIOS, Choose a boot device and other stuff. I entered the BIOS and it was the BIOS.

 

I believe thta what I saw was the UEFI boot system from the disk I had removed from the failed laptop, and every time I tried to boot SATA0 I got the FreeDOS banner. I decided to boot SATA1 and founjd that the system booting the Windows 7 Home Premium that had been in the failed laptop. I logged in and ran disk partition to see what was going on.

 

The laptop disk partitions looked fine, four partitions, the Boot partition, the recovery partition, the diagnostic partition and UEFI partition. The HP SFF 8300 disk did not appear.

 

I removed the 500Gb disk from the HP SFF 8300 and took it to the SuperServer I had been working on, and using a USB to SATA device, I again ran disk partition. The drive that has "FAILED", shows up with a 500GB partition, and the storage on the graphic says that, but the text on upper section of the Disk Partition program says that the partition is 1MB in size.

 

I installed Seatools as the disk is a st500md002-1bd142 and the disk shows up as unknown, the firmware shows up as unknown. Very Strange. The Seatools Quick Self Test passes and the Generic Disk Test also passes, thus, telling me that the disk is probably OK.

 

Now you may ask, why mention the SuperServer and the license activity. I told the whole story as this is everything that transpired up to the failure and is everything I have done since the failure and maybe, something is important to figuring this failure out. In any event, rather than stretch the whole thing out in dribs and drabs, I always feel it best to describe everything that has happened.

 

So, has a virus gotten into the firmware of my hard disk and changed the LBA structure? Has anyone seen this kind of failure before?

 

Thank you for your ideas and thoughts on what has gone wrong.

 

 

Update 1, added pictures

 

Hard Disk Data pictures, note the anomaly in Seagate Tools, note the anomalies in disk partition and diskpart. It would appear that the FreeDOS is coming from the buggered disk, ODD! 

 

 

Update 2, added more information about first FreeDOS sighting

 

I recall that when I first saw the FreeDOS text banner in the upper left corner of the screen, my first reaction was to press CTRL-ALT-DEL. This may have been the wrong thing to do. During what appeared to be a reboot, the system ran CHKDSK. The CHKDSK run looked legitimate, but maybe it wasn't. Maybe the first FreeDOS text banner was some full screen JavaScript that appeared on the monitor, having just been doing some work with FreeDOS a week ago, my complacency said OK, hit CTRL-ALT-DEL. I had thought that CTRL-ALT-DEL cannot be intercepted on a Windows system, and that nothing should have happened, that reboot may also not have been real, but could have been some JavaScript running and once it got going it installed something and masked it's viral activities with a fake CHKDSK and it was at that time it messed up my disk and the firmware in it???????

 

A lot of folks have read this entry, no one has offered up their thoughts and I would seriously love to hear from anyone on what they think or even how I might be able to recover, if at all.

 

I have a two week old backup, so I could go back to that if I have to, but am reluctant, two weeks of work is a lot to loose.


Edited by rtomkins, 12 October 2016 - 07:29 PM.


BC AdBot (Login to Remove)

 


#2 Trexula

Trexula

  •  Avatar image
  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US - East Coast
  • Local time:10:30 PM

Posted 16 June 2018 - 06:06 PM

This reply is a couple years too late... and I'm not even part of this site's support team, but I CAN tell you that ... at this point in time, there's slim to no hope in eliminating malicious code injected to the hard drive firmware. With all the time that's passed, you have probably researched this and discovered for yourself, but the information I've learned is unsettling, to say the least.

Apparently, a sect of the NSA called Equation (also seen spelled Equat10n) is a hacking group dedicated to developing relentlessly persistent malware/viruses. Unfortunately for people like you and me, one of them.. a single guy wi




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users