
Thread: A VIRUS/ BIOS question

  1. #1 Troy:
    Working on someone's Dell computer that had a file recovery virus, http://malwaretips.com/blogs/file-recovery-virus/
    I have cleaned all traces of it in windows but it has left a message during the bios startup.
    "Hard disk failure is imminent.
    Please back up your files and replace.
    Hit f2 to continue or f10 to enter setup. "

    The computer does not have the SMART disk check and the hard drive passes the Seatools disk checker program.
    Is the only way to get rid of the message to flash the bios?
    If that is the only way I think I'll just forget about it.
    Or is there any other way?
    I did reset the cmos but it didn't remove the message.
    Last edited by Troy; 09-10-2012 at 07:33 PM.

  2. #2 floppybootstomp:
    Are you sure the message is embedded in the BIOS? Maybe it's in the Win startup sequence; that's where a virus/malware is likely to embed itself, methinks.

    If you just want to get shot of the message might be worth doing a 'msconfig' and seeing if you can disable it in startup options.

    Not perfect I grant you but might keep the customer satisfied, as Paul Simon once sang.


  3. #3 Grogan:
    There may not be a setting to turn off the SMART disk check, but it seems to have it. This thing didn't infect or overwrite your bios (that's relatively rare, and a difficult set of conditions for it to be successful). So, flashing the bios wouldn't help.

    But... a disk diagnostic program from the hard disk manufacturer should RESET the SMART data if it's been triggered and the drive passes the tests. I don't know about SeaTools specifically, but others certainly do that. (Maybe not, who knows)

    Possibly the master boot record (MBR) of the hard disk.

    Boot up with appropriate Windows OS CD and follow whatever procedure to start the recovery console. Use the correct commands to rewrite the master boot record, and the boot sector (for good measure).

    Windows XP Recovery Console:

    fixmbr
    fixboot

    Windows Vista/7, you start Repair, cancel out of the "startup repair" and get to the advanced recovery options. ("WinRec" environment). Start the command console. The equivalent commands are:

    bootrec /fixmbr
    bootrec /fixboot

    Alternatively, Kaspersky's TDSSKiller usually finds MBR tomfoolery and corrects it, but you'd be relying on its good nature. (I'd probably do the above if it doesn't find anything)
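    The MBR rewrite described above replaces only the bootstrap code (the first 440 bytes of sector 0); bootrec /fixmbr and the XP fixmbr leave the partition table and the disk signature as they are. The following is an added example, not code from the thread or from any of the tools named in it: a Python check of a raw MBR sector that verifies the 0x55AA boot signature, compares the bootstrap region against a known-good hash, and sanity-checks the partition table (one active partition, valid boot indicators, no entry past the end of the disk, no overlaps). The two sample sectors, the stand-in bootstrap bytes and the reference hash are constructed inside the script; on a real machine you would read sector 0 from the disk or a disk image and use a hash taken from a trusted MBR of the same Windows version.

```python
"""Sanity-check a raw 512-byte MBR sector (added example, constructed sample data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0..439: the bootstrap code that bootrec /fixmbr rewrites
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the disk signature
PART_ENTRY_LEN = 16
SIG_OFFSET = 510              # 0x55 0xAA boot signature


def parse_partitions(sector):
    """Return the four primary partition entries as dicts (CHS fields are skipped)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        boot, ptype, lba_start, lba_size = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"index": i, "bootable": boot, "type": ptype,
                        "lba_start": lba_start, "lba_size": lba_size})
    return entries


def check_mbr(sector, reference_bootcode_sha256, disk_sectors):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()
    if digest != reference_bootcode_sha256:
        findings.append("bootstrap code differs from reference (sha256 %s...)" % digest[:16])
    parts = [p for p in parse_partitions(sector) if p["type"] != 0]
    if sum(1 for p in parts if p["bootable"] == 0x80) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p["bootable"] not in (0x00, 0x80):
            findings.append("entry %d: invalid boot indicator 0x%02x" % (p["index"], p["bootable"]))
        if p["lba_size"] == 0 or p["lba_start"] + p["lba_size"] > disk_sectors:
            findings.append("entry %d: partition is empty or extends past the end of the disk" % p["index"])
    spans = sorted((p["lba_start"], p["lba_start"] + p["lba_size"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("entries %d and %d overlap" % (i1, i2))
    return findings


def build_sample_mbr(bootcode):
    """Construct a sector with one active NTFS partition starting at LBA 2048 (sample data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_LEN] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    sector[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)


# Stand-in bootstrap bytes (not a real Windows MBR); a real reference hash comes from a trusted MBR image.
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 100
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)
REFERENCE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()
# Bootkit-style tampering: the first instruction replaced by a far jump to code stored elsewhere.
TAMPERED_MBR = build_sample_mbr(b"\xEA" + CLEAN_BOOTCODE[1:])
DISK_SECTORS = 2_000_000

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sector, REFERENCE_SHA256, DISK_SECTORS) or "no findings")
```

    Hashing only bytes 0..439 is deliberate: the 4-byte disk signature at offset 440 differs on every installation, so including it would make every disk look tampered. The partition-table checks catch the cruder tricks (a second active entry, an entry pointing past the disk) but not a bootkit that keeps the table intact and only patches the code, which is why the hash comparison is the part that matters.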

  4. #4 Troy:
    I am sure it's pre-Windows startup because if I enter F10 at the message, it goes into the BIOS settings.
    Avira, Malwarebytes and Trojan Remover all show clean and everything is running well.

  5. #5 Grogan:
    Quote Originally Posted by Troy:
        I am sure it's pre-Windows startup because if I enter F10 at the message, it goes into the BIOS settings.
        Avira, Malwarebytes and Trojan Remover all show clean and everything is running well.
    I doubt any of those programs will find subtle alteration of the MBR. It's not viral code in there, but early driver hooks.

    High level programs like those are usually unaware of rootkit activity ("rootkit scanners" tend to detect discrepancies)

  6. #6 Alakazam:
    I'm sure Grogan will comment, but I've had to use ComboFix a few times on relatives' computers; it's always worked. I'm really not great with a lot of software troubleshooting, but Gro can give a comment on whether ComboFix will work any magic.

  7. #7 Troy:
    TDSSKiller didn't find anything, nor did fixmbr fix it.
    When I ran Seatool I only ran the short test. They have a long one that I will run next. May be 3 hours or so.
    It just may be coincidence the error came up when the file recovery virus hit, but then again you never know what really happened or when, coming from the customer.
    Appreciate the input, guys.

  8. #8 Troy:
    The drive is under warranty yet but it did pass the short test which Seagate claims is 90% accurate.
    Just read this on the Seagate site.

    What tests should I run?
    SeaTools has three tests that could give you a failure for warranty return. These are the Short and Long tests, and the SMART Flag check. The Short tests are very accurate and over 90 percent able to detect a bad drive. If the Short test passes you can be confident that the drive is healthy. If you want to eliminate that last 10 percent, run the long test. These tests may take several hours to complete. You might start a test to run overnight for convenience.

    So it seems I am getting an error with a most probable, good drive.

  9. #9 Grogan:
    I don't use Combofix, sorry. I'm not placing blind trust in that. I have tested it (in virtual machines, not on customer computers) and it seems to be too much of a black box for me. It used to be that people were discouraged from using it, except for under the direct supervision of its authors and supporters.

    I'd like that program better if ALL it did was generate logs for you to manually investigate and remove suspicious things, but it tries to automatically repair some things first.

  10. #10 Grogan:
    Troy, there is one thing to keep in mind. Manufacturers' hard disk diagnostics are designed with passing drives in mind, not finding faults. The "long" test is a test of the surface, for bad sectors. Even that is just a quick read test. However, in this day and age of very large hard disks, it's not practical to do thorough tests; it would just take too bloody long. (Imagine how long it would take SpinRite to test a 1 TB drive. A week?)

    So borderline or intermittently unreliable drives often don't get detected as bad, especially if the SMART thresholds haven't been exceeded.

    What you do seem to have is a discrepancy between the BIOS reading the drive's SMART data, and the SeaTools program.

    I have one idea. Disconnect the drive, and power up the computer without it. It will fail to boot. Shut it off, reconnect the drive and let the BIOS detect it again.

    Another thing that might be diagnostic would be to connect another hard disk in its place and see if the BIOS screams SMART failure. (rules out some tomfoolery)
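    The discrepancy described above has a concrete mechanism. A BIOS that warns of imminent failure at POST is reading the drive's own SMART status, and the conventional rule a drive uses to set that status is to compare each pre-failure attribute's normalized VALUE against its THRESH: once any of them reaches the threshold, the status is "failed". A short self-test, by contrast, is an electrical and read test whose pass/fail is reported separately from those thresholds, so the two can disagree. The following is an added example, not code from the thread or from Seagate: a Python evaluator that parses a smartctl -A style attribute table and applies that rule. Both tables are constructed sample data, not readings from Troy's drive; the threshold-0-means-informational convention and the list of sector-health attribute IDs (5, 196, 197, 198) are assumptions taken from common smartctl practice.

```python
"""Evaluate SMART attributes the way a drive derives its pass/fail status (added example)."""

# Constructed sample in smartctl -A layout; not output from any real drive.
SAMPLE_SMART_TABLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   044   039   006    Pre-fail  Always       -       180043712
  5 Reallocated_Sector_Ct   0x0033   036   036   036    Pre-fail  Always       -       2624
  9 Power_On_Hours          0x0032   078   078   000    Old_age   Always       -       19800
190 Airflow_Temperature_Cel 0x0022   061   045   045    Old_age   Always       -       39 (Min/Max 22/45)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
"""

# A second constructed table for a drive with nothing wrong.
HEALTHY_SMART_TABLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
"""

# Attributes whose raw count is worth reporting even below threshold (assumed list, common practice).
SECTOR_HEALTH_IDS = {5, 196, 197, 198}


def parse_attributes(text):
    """Parse the attribute rows of a smartctl -A style table into dicts."""
    attrs = []
    for line in text.splitlines():
        fields = line.split(None, 9)          # RAW_VALUE may itself contain spaces
        if len(fields) < 10 or not fields[0].isdigit():
            continue                          # header, blank or unrelated line
        raw_first = fields[9].split()[0]
        attrs.append({
            "id": int(fields[0]),
            "name": fields[1],
            "value": int(fields[3]),
            "worst": int(fields[4]),
            "thresh": int(fields[5]),
            "prefail": fields[6].lower().startswith("pre"),
            "raw": int(raw_first) if raw_first.isdigit() else None,
        })
    return attrs


def evaluate(attrs):
    """Apply the threshold rule and return the status the drive would report, plus what drove it."""
    result = {"failing_now": [], "in_the_past": [], "advisory": []}
    for a in attrs:
        # Threshold 0 marks an attribute as informational only; it can never cross.
        crossed = a["thresh"] != 0 and a["value"] <= a["thresh"]
        was_crossed = a["thresh"] != 0 and a["worst"] <= a["thresh"]
        if a["prefail"] and crossed:
            result["failing_now"].append(a["name"])       # this is what sets SMART status to FAILED
        elif a["prefail"] and was_crossed:
            result["in_the_past"].append(a["name"])
        elif crossed or (a["id"] in SECTOR_HEALTH_IDS and (a["raw"] or 0) > 0):
            result["advisory"].append(a["name"])          # old-age crossing or pending/reallocated sectors
    result["status"] = "FAILED" if result["failing_now"] else "PASSED"
    return result


if __name__ == "__main__":
    for label, table in (("sample", SAMPLE_SMART_TABLE), ("healthy", HEALTHY_SMART_TABLE)):
        print(label, evaluate(parse_attributes(table)))
```

    The sample table passes a surface read (nothing in it says a sector is unreadable right now) yet evaluates to FAILED, because Reallocated_Sector_Ct is a pre-failure attribute sitting exactly on its threshold. That is the shape of the disagreement between a POST-time SMART warning and a short diagnostic that passes; swapping in a second drive, as suggested in the post, settles whether the warning follows the drive or the machine.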

  11. #11 Bad Haircut:
    GMER can be a useful starting point and can point you in the right direction, less invasive than jumping straight into the whole eat your hamster Combofix routine.

  12. #12 Grogan:
    I use GMER sometimes (useless on 64 bit systems though) and it sometimes reports suspiciously modified drivers and stuff and saves me a lot of time when it does. For the rest, you need to know what you're looking at though. Most of the lines it prints are informational, not malicious hooks of any kind. I tend to not let it do the full comparison, for that's usually a waste of time. I've seen what I wanted to see after the first minute or so. (I'm interested in driver hooks with GMER)

    The mbr.exe tool they provide finds MBR hooks as well (though I seldom use that anymore because that functionality is provided by Kaspersky's TDSSKiller, which I run anyway)
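    The two points made above about reading GMER output (most lines are informational, and the useful ones are pointers that lead somewhere they should not) come down to two comparisons: a cross-view check, where a listing obtained through the normal API is compared with one obtained by walking raw structures, and a hook check, where each service-table handler is mapped to the module that owns its address. The following is an added example, not GMER's code or anything from the thread: a small Python model of both checks. All process names, module ranges and handler addresses are constructed sample data; on a real system they would come from the API, from a raw walk of kernel lists, and from the loaded-module list.

```python
"""Two checks of the kind a rootkit scanner runs (added example, constructed data)."""

# Constructed: process names as reported through the Win32 API vs as found by walking raw kernel lists.
API_PROCESS_VIEW = {"System", "smss.exe", "csrss.exe", "services.exe", "explorer.exe"}
RAW_PROCESS_VIEW = {"System", "smss.exe", "csrss.exe", "services.exe", "explorer.exe", "xpsvc.exe"}

# Constructed kernel module map: (name, base address, size).
MODULES = [
    ("ntoskrnl.exe", 0x80400000, 0x200000),
    ("hal.dll", 0x80600000, 0x020000),
    ("ntfs.sys", 0x80700000, 0x080000),
]

# Constructed system service table: service name -> handler address currently installed.
SERVICE_TABLE = {
    "NtCreateFile": 0x80412340,            # inside ntoskrnl: normal
    "NtQueryDirectoryFile": 0x80710000,    # inside ntfs.sys: a hook, but by a known driver (informational)
    "NtOpenProcess": 0x8a9f1000,           # inside no listed module: the line worth investigating
}


def cross_view_diff(api_view, raw_view):
    """Objects the raw walk finds but the API does not are being hidden from user-mode tools."""
    return {"hidden": sorted(raw_view - api_view), "phantom": sorted(api_view - raw_view)}


def owning_module(addr, modules):
    """Name of the module whose address range contains addr, or None if no module claims it."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def find_hooks(table, modules, expected_owner="ntoskrnl.exe"):
    """Map each service whose handler is outside the expected module to the module that owns it."""
    hooks = {}
    for service, addr in table.items():
        owner = owning_module(addr, modules)
        if owner != expected_owner:
            hooks[service] = owner or "unknown module"
    return hooks


if __name__ == "__main__":
    print(cross_view_diff(API_PROCESS_VIEW, RAW_PROCESS_VIEW))
    for service, owner in find_hooks(SERVICE_TABLE, MODULES).items():
        print("%-24s hooked by %s" % (service, owner))
```

    The hook report deliberately lists the ntfs.sys entry as well as the unattributed one: a scanner cannot know which third-party drivers are supposed to be there, so it prints every redirected handler and leaves the judgement to the person reading it. The entry owned by no loaded module is the one that signals code living in memory that was never registered as a driver.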

  13. #13 Bad Haircut:
    Thought they'd got round to 64-bit-asizing it. Must be a hard ask to do if they haven't done it already.

  14. #14 Grogan:
    No, all it can do is the discrepancy comparisons.

    Rootkits aren't that common on 64 bit Windows anyway though.

  15. #15 Troy:
    After some reading on the net, I have found that others having the same problem would run SeaTools in DOS instead of Winblows and it would fail the short test.
    I tried the same thing and sure enough it failed.
    Even though the drive may last for a while (or not), I got an RMA for it. The warranty would expire in February 2013.
    So anyways, the file recovery virus, with all its false hard drive errors, had nothing to do with the SMART error. It was just coincidence.

  16. #16 Grogan:
    Good! I suspected that SeaTools was being too generous. That makes things a lot easier now.

    Note that I've sent drives back for RMA regardless of them passing diagnostics. I KNOW they are bad (I/O errors or other incorrect behaviour). If I MUST supply an error code, I just supply something common like "136 Bad Sector" (Western Digital).
