Dell laptop - bios infection



altered2222
2009-04-18, 06:56
Hello,

My Dell laptop got infected with malware that hides in the BIOS. I did a full rebuild including a low-level HD format. Installed all the Windows updates (XP SP3), Sophos AV and endpoint firewall. After the rebuild was complete the problem was back. All the s/w installed came from trusted sources, including validated XP.

Not sure what to do to clean this nasty bug. The BIOS is not replaceable.

Anyway here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:32 PM, on 17/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\Program Files\Sophos\SCFManager.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Sophos\SCFService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Sophos\SCFTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\m\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SCFTrayStartUp] c:\Program Files\Sophos\SCFTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - c:\Program Files\Sophos\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - c:\Program Files\Sophos\SCFManager.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5238 bytes

Thanks

shelf life
2009-04-22, 01:43
What are the problems/symptoms you are having? I have never encountered a BIOS virus. Log looks OK as far as malware goes, but that doesn't mean you don't have any. Do you mean master boot record (MBR) maybe?
How did you reformat the HD?

altered2222
2009-04-23, 05:52
I booted the laptop using a bootable DOS CD, then ran a DOS low-level format utility to format the drive. Once the LL format was complete I installed XP and partitioned the drive, then did an XP format on C: & D:.

altered2222
2009-04-23, 05:58
I booted the laptop using a bootable DOS CD, then ran a DOS low-level format utility to format the drive. Once the LL format was complete I installed XP and partitioned the drive, then did an XP format on C: & D:.

As to what it does:

1) It chirps the audio output to let you know it's active.
2) It tries to call home, except the endpoint s/w firewall and the h/w firewall are stopping it.

I could install Procmon and try to find when it chirps the audio output, but I'm not good enough to sort out the resulting data.

shelf life
2009-04-24, 00:12
I know you reformatted your HD, but let's get some tools to check for any signs of possible malware, including rootkits. The first one is MBAM, which you can keep and use. The last one is a rootkit tool.

MBAM:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
------------------------------------
Please download: RootRepeal

http://rootrepeal.googlepages.com/RootRepeal.zip

Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

altered2222
2009-04-24, 09:29
Logs attached as requested.

MBAM didn't find anything. Need a tool to scan the BIOS for malware.

shelf life
2009-04-24, 23:32
Nothing there. Still not convinced you have BIOS malware, and I know of no tools to scan the BIOS as it is not accessible from within Windows. I think the closest you will get (for a scan) to the boot order of a machine is a scan of the MBR.
If you feel you have malware you could try clearing the CMOS and/or a flash of the BIOS. If you have a commercially purchased machine then doing either of these may not even be possible. Consult your computer manufacturer's website.
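The post above points at the MBR as the closest thing to a scannable boot-stage artifact. The script below is an added example, not from this thread or from any of the tools named in it: it parses a 512-byte MBR, records a hash of the boot code and the partition table as a baseline (take that copy straight after a clean rebuild), and reports exactly which 16-byte regions of the boot code changed in a later copy. The sample sectors it builds are constructed for the demo; the prologue bytes stand in for real loader code and the tamper bytes are arbitrary. `changed_regions()` is kept generic so the same byte-level diff can be run over any other image you are able to dump.

```python
"""Baseline-and-compare check for the first sector (MBR) of a disk.

Save a copy of sector 0 after a clean rebuild, then diff later copies
against it. The sample data here is constructed for illustration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440    # classic MBR: boot code occupies bytes 0..439
DISK_SIG_OFF = 440     # 4-byte NT disk signature
PART_TABLE_OFF = 446   # four 16-byte partition entries
BOOT_SIG_OFF = 510     # 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": bool(status & 0x80),
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    boot_code = sector[:BOOT_CODE_LEN]
    return {
        "boot_code": boot_code,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def changed_regions(baseline: bytes, current: bytes, chunk: int = 16) -> list:
    """Return [(offset, length)] runs of chunk-aligned differences between two
    equal-length images. Works on a 512-byte sector or a multi-megabyte dump."""
    if len(baseline) != len(current):
        raise ValueError("images differ in length; compare like with like")
    runs, start = [], None
    for off in range(0, len(baseline), chunk):
        same = baseline[off:off + chunk] == current[off:off + chunk]
        if not same and start is None:
            start = off
        elif same and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(baseline) - start))
    return runs


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Human-readable findings describing how `current` departs from `baseline`."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        regions = changed_regions(base["boot_code"], cur["boot_code"])
        findings.append("boot code changed: " +
                        ", ".join(f"0x{o:03x}+{n}" for o, n in regions))
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    bootable = [p for p in cur["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed baseline: a few x86 prologue bytes standing in for real
    loader code, one bootable type-0x07 partition starting at LBA 63."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    boot_code += b"\x00" * (BOOT_CODE_LEN - len(boot_code))
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)
    table = entry + b"\x00" * 48
    return boot_code + struct.pack("<I", 0x1234ABCD) + b"\x00\x00" + table + b"\x55\xaa"


def build_tampered_mbr() -> bytes:
    """Constructed 'infected' copy: five arbitrary bytes patched into the boot code."""
    sector = bytearray(build_sample_mbr())
    sector[0x100:0x105] = b"\xe8\x00\x01\x90\x90"
    return bytes(sector)


if __name__ == "__main__":
    clean, tampered = build_sample_mbr(), build_tampered_mbr()
    print("clean vs clean:   ", compare_mbr(clean, clean) or "no differences")
    print("clean vs tampered:", compare_mbr(clean, tampered))
```

To use it on a real machine, read sector 0 from a boot CD or USB environment rather than from inside the installed Windows (on a Linux live CD, `dd if=/dev/sda bs=512 count=1 of=mbr.bin`), because an active rootkit can filter what the running OS hands back. Keep the baseline on read-only media; a diff that shows only the disk signature or partition table changing after a repartition is expected, while any change inside the boot code on a system nobody reinstalled is worth explaining.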

altered2222
2009-04-25, 06:46
What if I could dump the entire BIOS to a file then scan it?

shelf life
2009-04-25, 14:00
I could dump the entire BIOS to a file
Not possible that I know of. You can only access it and upgrade it with a flash utility.
BIOS malware is rare; I think you have something else going on. A beep could mean something else. Normally BIOS beep codes come up during the boot-up process. Malware wants to get out unnoticed, not alert you with a beep. BIOSes also have virus protection that, if enabled as an option in the BIOS, will not allow a utility or virus to write to it.

You said this was a laptop. Laptops can be very proprietary as far as hardware and software goes from one manufacturer to another. You should poke around and check the troubleshooting section for your machine for possible causes and solutions.