GRUB2 survives deleting & preventing booting to live CDs - Page 2

figleaf · #16 3rd October 2012, 01:13 AM

I cannot take your advice to retest after removing the internal hard drive. Asus netbooks open from the top. I broke a keyboard trying to take it out so I could get to the motherboard. Instead of paying again for a repairman to open my Asus, I used the internal Secure Erase tool in Erase Disk tool in Parted Magic Magic. Secure Erase wipes the entire drive including HPA. DBAN doesn't wipe HPA. Secure Erase solved the problem of my netbook trying to boot to a "invalid partition table" on the hard drive.

I then reran Navratil on UBCD. Navratil still detected a virus in memory. Thanks for the link to Kaspersky's TDSSKiller which detects MBR rootkits. Since there are no partitions on my internal hard drive, there is no MBR on my hard drive. The rootkit is not a MBR rootkit, it is a firmware rootkit. Thanks for the link to Kaspersky's Rescue CD. The description does not specify whether it scans memory and hidden protected area (HPA) in hard drives and removable media.

Nothing scans BIOS, graphic cards, video cards, external DVD players, etc. where firmware rootkits can infect. Do anyone know of a rootkit scanner that can scan RAM and HPA.

Thanks for recommending looking at rescue linux in Hiren's Boot CD. I will look for it in the menu and try it.

Thanks for recommending a manufacturer's flash for my external DVD players. I will ask Panasonic.

I have not found a tutorial on removing firmware rootkits. Articles on firmware rootkits recommend discarding the infected computer. Netbooks are cheap. I am willing to discard mine. Except my removable media (MP3 players, external DVD players, flashdrives and SDcards are also infected. Previously, I purchased replacements in the hope that the firmware rootkit was gone.

Burning a backup of my files on to DVDs and copying them to new removable media does not seem to be the solution as the DVDs autorun and then my removable media autorun.

sidebrnz · #17 3rd October 2012, 01:36 AM

I'm beginning to get a bad, bad feeling here, for two reasons. One is the fact that you've neither tried rebooting without the external DVD player or explained why this isn't an option. The second is that this is beginning to remind me of something from an old book, Games People Play.

The particular game is, "Why don't you? Yes, but..." The way it's played is that all of us suggest ways to solve whatever problem you have and you win if you can show us that none of them will work. Until I see evidence that this isn't what's happening, such as your reporting what happens when you boot with all external drives and media removed, I'm not playing any more. I have better things to do.

***Dan*** · #18 3rd October 2012, 05:04 AM

Hmmm.

Quote:

Originally Posted by figleaf

... Articles on firmware rootkits recommend discarding the infected computer. Netbooks are cheap. I am willing to discard mine. ...

Okay. It sounds like that would perhaps be the best way to avoid a whole lot more trouble. However, one burning question remains. How is it that you think you managed to acquire this particularly pernicious rootkit in the first place?

That being said, if you are going to dispose of the thing anyway, I strongly recommend boxing it up with a complete and concise report of your efforts and findings, and send it for inspection and diagnosis to: http://www.us-cert.gov/ Address is available on the website, but a lead phone call would certainly help let them know it's coming.

They will be able to determine exactly what the issue is, and therefore be able to warn other folks about it, and perhaps advise how to defeat it.

figleaf · #19 3rd October 2012, 01:52 PM

sidebrnz criticized that I was unwilling to boot up without the external DVD player. If he reread what I wrote, he will realize that I described booting up without an external DVD player twice:

(1) I wrote that booting up with or without my external DVD player, I received an error message: "invalid partition table." I wrote that running internal Secure Erase in Erase Disk tool in Parted Magic fixed getting "invalid partition table" upon booting.

(2) I wrote "there are no partitions on my internal hard drive. . ." When my netbook boots without an external DVD player, error message: "Reboot."

I don't want to reinstall linux on my internal hard drive until the firmware rootkit is removed from my memory, BIOS, graphic card, video card, external DVD players, MP3 players and removable media.

Thanks for recommending linux rescue in Hiren's Boot CD. However, it is merely Parted Magic. Parted Magic is terrific but I have been using it for several years now on its own live CD.

Thanks for recommending : http://www.us-cert.gov/. I will read their website.