G73JW-3DE - Virus out of the box? Help would be great.



Seeker
01-20-2011, 12:18 AM
Found this site yesterday after trying to troubleshoot and fix what looks like an MBR rootkit issue that came with the new system. (Called support, no help other than the news of the F9 key. I don't have the Home versions of Win7 so that was helpful.)

Background:
Unpacked and plugged in 2 days ago. Entered BIOS and shutdown everything but the SATA ports. Setup admin PW.

Booted to OS and completed install...watched cool graphics while I waited.

Was prompted to make recovery disks right away which I thought was great. By disk two it failed. Tried again, then again, and finally again. All failed by disk two. Noticed that the TrustedInstaller was still going crazy in the Task Manager. Started looking around and found registry entries and files being created, replaced, and services being added and locking me out.

After 2 days of chasing and trying to remove it, the best I could do was reach a stalemate. If I go too far it reboots the machine and then reinstalls. Won't boot any of my virus removal disks. Infected a usbkey and my other system when trying to resolve. An old Linux boot disk shows me that the drives and usbkey now have 4 partitions each which I can't remove unless I fubar. As soon as they go back in to be repartitioned they get re-infected. I assume anything I burn will also be infected. A second locked usbkey with AV won't boot either, but will be read once the OS loads.

It seems this bug uses a fake floppy in the MBR and then boots off it. It's infected the hidden partition support told me about, but it gives me a few minutes after a reimage to try and get in to stop it. If it can't use its own boot loader or infect another it won't boot. (I don't think the chips are infected or at risk, but this is the newest PC I've had...ACPI injects the virus right away into Linux or Windows installed or run from ramdisks.)

As all this happened without my using anything other than the new equipment, has anyone else noticed anything like this? The apps and OS downloads I'm getting from here now, but don't know what good they will be since the only machines I have are now infected from troubleshooting and trying to remove the bug. (So much for my AV program on the second machine.)

Failing taking it back to the store, does anyone have any advice or ideas? I've pulled one HDD drive out of the G73JW to deal with later and to slow down any re-infection. I have one usbkey that should be uninfected. I have one MS-XP and one MS-Vista store DVD.

Downloading tools for rootkits and stuff to try on the infected usbkey now. Just pissed off at the waste of time and hassle. Watching the bug using the trustedinstaller to undo my lock-downs and install new services is driving me nuts.

TIA
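The symptoms described above (a modified MBR, four partitions appearing on every drive and USB key, boot code that gets rewritten) are exactly what a defender would want to check from a known-good boot environment before trusting a disk again. The following is an added example, not code from this thread or from ASUS: a small Python parser for the classic 512-byte MBR that reports the boot signature, the four partition-table slots, and a SHA-256 of the 440-byte bootstrap area so it can be compared against a baseline taken from a machine you trust. The sample sectors, the baseline hash and the device path in the comment are all constructed for the example.

```python
import hashlib
import itertools
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440        # classic MBR: bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"    # boot signature at bytes 510..511
ENTRY_FMT = "<BBBBBBBBII"  # status, CHS start(3), type, CHS end(3), LBA start, sector count


@dataclass
class Partition:
    index: int        # slot 0..3 in the table
    bootable: bool    # status byte 0x80 marks the active partition
    type_id: int      # partition type byte (0x07 NTFS, 0x83 Linux, 0x05 extended, ...)
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector as an MBR; empty slots are skipped."""
    if len(sector) < SECTOR:
        raise ValueError("need at least 512 bytes")
    parts: List[Partition] = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, expected_boot_hash: Optional[str] = None) -> List[str]:
    """Return short finding codes for things worth a second look; [] means nothing odd."""
    info = parse_mbr(sector)
    parts = info["partitions"]
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("BAD_SIGNATURE")
    if sum(1 for p in parts if p.bootable) > 1:
        findings.append("MULTIPLE_ACTIVE")
    if len(parts) == 4:
        # every primary slot in use, the "4 partitions on each device" symptom
        findings.append("FOUR_PRIMARY")
    for a, b in itertools.combinations(parts, 2):
        if a.lba_start < b.lba_start + b.sectors and b.lba_start < a.lba_start + a.sectors:
            findings.append(f"OVERLAP:{a.index}:{b.index}")
    if expected_boot_hash and info["boot_code_sha256"] != expected_boot_hash:
        # bootstrap code no longer matches the baseline you took from a trusted install
        findings.append("BOOT_CODE_CHANGED")
    return findings


def build_mbr(entries, boot_code: bytes = b"\x90" * BOOT_CODE_LEN,
              signature: bytes = SIGNATURE) -> bytes:
    """Assemble a constructed MBR for testing; entries are (bootable, type, lba, sectors)."""
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for i, (bootable, ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[510:512] = signature
    return bytes(sector)


# Constructed samples (not captured from any real machine).
CLEAN_MBR = build_mbr([(True, 0x07, 2048, 204800)])
BASELINE_BOOT_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # assumed trusted baseline
SUSPECT_MBR = build_mbr(
    [(True, 0x07, 2048, 204800), (True, 0x01, 1024, 4096),
     (False, 0x83, 300000, 1000), (False, 0x05, 400000, 1000)],
    boot_code=b"\xEB\xFE" + b"\x90" * 438)
NO_SIG_MBR = build_mbr([], signature=b"\x00\x00")


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 of a block device, e.g. '/dev/sdb' (hypothetical path), from a trusted boot disk."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR), ("nosig", NO_SIG_MBR)):
        print(name, check_mbr(sec, BASELINE_BOOT_HASH) or "no findings")
```

Run it from a live CD that was burned and closed on a clean machine, pass `read_first_sector("/dev/sdX")` to `check_mbr`, and take the baseline hash from the same drive right after a clean install; a hash that later changes, or a table that suddenly fills all four slots with overlapping ranges, is the signal to stop and reimage rather than keep cleaning.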

irdmoose
01-20-2011, 02:50 AM
It sounds like you'll either need to RMA it or get a copy of the factory restore discs from Asus. I didn't have this issue on my G73JW-XA1, so it's possible that someone at the retailer where you purchased it mucked about with the bios before you got it.

What I'd do (short of taking it back to the store) is the following:
1) Wipe out the drive using DBAN on a known good machine
2) Boot to a known good OS and flash it with the latest version of the BIOS from the ASUS website (although you said it was infecting those, so it may be a bios issue)
3) Do a clean install of the OS from the Asus discs (I doubt that was the source of the infection since my install seems to be running just fine)
4) Cross your fingers and pray that the BIOS flash, etc. worked.
5) Use DBAN on your other machine and do a clean install of the OS there, and use a good antivirus like Eset NOD32 or Microsoft Security Essentials

IF that doesn't work or will take far too long to accomplish, I'd probably either try the return route or RMA it to ASUS since the BIOS itself has most likely become infected (although that's pretty rare these days).

Chastity@ASUS
01-20-2011, 04:22 AM
There are still a few CMOS warheads out there, as I came across one recently. Fortunately NOD32 Firewall isolated it, and all I needed to do was reflash the BIOS.

Anyhoo, irdmoose gave some good advice. I would definitely download a Win 7 OS Install disk and burn to disc, and wipe all the partitions. I would also reflash the BIOS to current 211. Wiping the MBR block is also recommended, as you seem to have already found out. I would make a bootable CD with the tools you need, as the CD cannot get infected once it's burned and closed.

Seeker
01-20-2011, 02:17 PM
Thanks guys. That's pretty much what I thought. Without another PC to make my burns and ensure I have a clean source I guess RMA is the next step. What a PITA!

Is the 211 BIOS for the G73JW? I thought it was for the H when reading your other thread?

When I called ASUS support yesterday they started telling me that my issue wasn't covered under warranty. When I asked for a supervisor it took 15 minutes and strangely he had the same name as the first guy, Andre. (Funny, every time I was on hold it kept reminding me how great the warranty was!)

Since my last post I have noticed a few things in the BIOS that I think are strange. The memory shows 8192MB not GB. When I start easy flash without a disk it has a message that says; "Locate Simple File System protocol failly!!, Please press any key to continue."

BIOS version I have is G73Jw 203.
Version 70.06.25.00.0B.N41G73.T15
EC Version b12c1e0203

I'll look up the AV noted above...haven't used it for a few years as I switched to AVG.

Thanks.

Chastity@ASUS
01-20-2011, 07:07 PM
Sorry, 203 is your latest BIOS :)

MarkS
01-20-2011, 07:10 PM
Since my last post I have noticed a few things in the BIOS that I think are strange. The memory shows 8192MB not GB. When I start easy flash without a disk it has a message that says; "Locate Simple File System protocol failly!!, Please press any key to continue."

8192MB == 8GB...that's what you have installed, yes?

Bummer about EZFlash, but it's not going to work if it can't find a file system. Is there any way you can get the BIOS image on a USB stick? Heck, with a 4GB+ USB drive, you could also make it a bootable Windows installation disk.

And I'm curious - why did you "Entered BIOS and shutdown everything but the SATA ports" in the first place? What exactly did you shutdown?

Seeker
01-20-2011, 07:27 PM
Hmm...good point about the MB...just looking for things now and my other BIOS reports in GB.

The usual stuff I turn off is the ports I don't use or need. I also found from imaging PCs in the past that I've had to nuke them and start over because it connected to the internet before I finished and set up AV and a firewall. Just habit now, along with setting a BIOS password. I walk through the settings and as I see what's available I either open or close. After the install I do the AV and FW and then harden the services. (I build and manage installers and deployment solutions, so I tend to make sure my equipment is solid.)

The USB key I used first. It infected my old PC. I've since seen that it also rewrites any ramdisk, either Linux or Windows. I've been able to use the Linux tools to see what's going on with the drive and noted the 4 partitions. I've also seen using the Vista 64 disk I have how it's replaced the x: drive code when I boot with a HDD installed. (If I boot just with the Vista disk it stays clean, but without a drive that doesn't help.) Anyway, going to see if the service center can help out so I don't have to do a full RMA or return.

L8r

j00zl33t
01-21-2011, 12:08 AM
Ok, I'm not understanding this...

If it's a new rig, why don't you just do a complete format of the HDD, install OS, then reinstall bloatware (if you want)?
I don't know what all this talk of BIOS is. I'm being serious, so call me ignorant if you wish. I'm probably missing something here, but I don't understand why a simple reformat couldn't get rid of a virus?

If anybody wants to educate me, please do.

MarkS
01-21-2011, 12:12 AM
Ok, I'm not understanding this...

If it's a new rig, why don't you just do a complete format of the HDD, install OS, then reinstall bloatware (if you want)?

Agreed.

My understanding is it's just because there's no second machine available to the OP to burn an OS install disk.

And apparently that USB stick needs to be incinerated :)

j00zl33t
01-21-2011, 02:49 AM
My understanding is it's just because there's no second machine available to the OP to burn an OS install disk.

Well in that case, download the official Windows 7 ISOs (http://tinyurl.com/6ceveb8) using a separate (friend's?) PC and either 1. use an uninfected USB of at least 4GB with http://store.microsoft.com/Help/ISO-Tool or 2. burn the ISO to a DVD.

After OS installation, install drivers, bloatware, etc...