UEFI has ransomware. Where and how can I reflash it, and where can I find a file/download?

gmtech
gmtech Member Posts: 6 New User
edited March 2023 in 2017 Archives
I am trying to fix an E-series laptop. It is infected with ransomware. I can clean up the HDD on another machine, but during boot it does a checkdisk and reinfects the operating system. I think I need to reflash UEFI. Where can I find this file? Thank you, Dave

Answers

  • IronFly
    IronFly ACE Posts: 18,413 Trailblazer
    https://www.acer.com/ac/en/US/content/support
    Input your model and click on BIOS. By the way, the BIOS flash will work only under the Windows OS.
    I'm not an Acer employee.
  • gmtech
    gmtech Member Posts: 6 New User
    Oh boy, that's going to be a problem. My UEFI is infected with ransomware. I can take the drive out and run software to get rid of it, but it is reinstalled during a "checkdisk" at boot. I can't get to Windows. The only other way I see to get around this is to replace the motherboard, or is there a UEFI chip I can desolder and replace?
  • gmtech
    gmtech Member Posts: 6 New User
    I should add that before I get to the Windows screen, I get a "system password required" prompt. I have not been able to get past that.
  • IronFly
    IronFly ACE Posts: 18,413 Trailblazer
    No other ideas.
    I'm not an Acer employee.
  • JordanB
    JordanB ACE Posts: 3,729 Pathfinder
    edited November 2017
    When you plug the HDD into a different computer, does it have an EFI partition? If it doesn't have an EFI partition, then you probably just have an MBR infection... a rootkit.

    If his computer has UEFI, the OS might possibly have been installed in legacy mode, thus giving you an MBR disk instead of GPT.
    I'm not an Acer employee.
  • JordanB
    JordanB ACE Posts: 3,729 Pathfinder
    1. Create Windows 10 USB media

    2. Boot the Windows 10 USB

    3. After you select your language, select "Repair your computer"

    4. Navigate to Command Prompt

    5. bootrec /fixmbr
    I'm not an Acer employee.
  • gmtech
    gmtech Member Posts: 6 New User

    I found an article at PC World that is very close to my condition. I might add that I tried running sfc /scannow; it can't, pending disk repair (on every startup). I tried all options, including a complete factory reset. I cannot get in, even in safe mode; a system password has been added. The owner had a pop-up, and a "Microsoft tech" (I don't think so!) was in the laptop for 30 mins. Now I get stuck with fixing (maybe) it. The desktop I am using to repair this is a clean Win 10 64-bit; it has UEFI. I cannot post links yet, but the PC World article is 3046626. I am creating a Win 10 USB as I type.

  • JordanB
    JordanB ACE Posts: 3,729 Pathfinder
    edited November 2017
    @gmtech

    If it were my computer, here's what I would do, if I determined it was just an MBR infection. When you examine the disk in Windows Disk Management and it doesn't have an EFI partition, then you will know it's an MBR disk. You can also determine whether the disk is MBR or GPT in diskpart (check for the asterisk in the Gpt column).

    1. Connect HDD to other PC to get the important personal files off of it.

    2. Wipe the drive with diskpart clean all (this might take a few hours to run)

    from a command prompt:

    diskpart
    list disk
    select disk x   (x = the disk you want to clean; be careful)
    clean all
    exit

    3. Reinstall the operating system

    https://www.microsoft.com/en-us/software-download/windows8

    https://www.microsoft.com/en-us/software-download/windows10

    https://store.acer.com/en-us/extended/recovery/


    Edit: If you're truly getting a BIOS password request, then you're probably going to have to resolve that first. I can't help you with that.

    I'm not an Acer employee.
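    The check JordanB describes above (EFI partition present or not, MBR versus GPT, then diskpart clean all) as one PowerShell script for the clean Windows 10 repair PC with the suspect drive attached as a secondary disk. This is an added example, not code from the thread or from Acer; it uses the built-in Storage cmdlets and assumes the script runs elevated, that $DiskNumber is whatever Get-Disk reports for the attached drive, and that the EFI System Partition type GUID is the standard one shown in the comment. It writes the diskpart script to a file for review rather than wiping anything itself.

```powershell
# Added example (not from the original post): report whether an attached disk is MBR or GPT
# and whether it carries an EFI System Partition, then optionally emit a diskpart script
# that performs the "clean all" step described in the thread.
# Assumptions: run as Administrator on the clean Win 10 PC; the suspect HDD is attached as a
# secondary disk and $DiskNumber is the number Get-Disk shows for it.
param(
    [Parameter(Mandatory = $true)][int]$DiskNumber,
    [switch]$WriteDiskpartScript
)

$disk = Get-Disk -Number $DiskNumber

# Safety check: never touch the disk this PC booted from.
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the boot/system disk of this PC; refusing to continue."
}

# PartitionStyle is reported as MBR, GPT or RAW.
$style   = $disk.PartitionStyle
# Standard EFI System Partition type GUID (assumed here; see UEFI spec / Microsoft docs).
$efiGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'

$parts = Get-Partition -DiskNumber $DiskNumber
$esp   = $parts | Where-Object { $_.GptType -eq $efiGuid }

"Disk {0}: {1}, {2:N1} GB, partition style {3}" -f $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB), $style
$parts | Format-Table PartitionNumber, Type, GptType,
    @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }, DriveLetter -AutoSize

if ($style -eq 'GPT' -and $esp) {
    "EFI System Partition present (partition $($esp.PartitionNumber)): UEFI-mode install; check the ESP and boot entries."
} elseif ($style -eq 'MBR') {
    "No EFI partition, MBR disk: a boot-sector/MBR infection is the thing to check (bootrec /fixmbr, or wipe)."
} else {
    "Partition style $style with no recognisable EFI partition; inspect manually before deciding."
}

if ($WriteDiskpartScript) {
    # Write the diskpart commands to a file; nothing is wiped until you run diskpart /s yourself.
    $scriptPath = Join-Path $env:TEMP "wipe-disk$DiskNumber.txt"
    @"
select disk $DiskNumber
clean all
exit
"@ | Set-Content -Path $scriptPath -Encoding ASCII
    "diskpart script written to $scriptPath. Review it, then run:  diskpart /s `"$scriptPath`""
}
```

    Run it first without -WriteDiskpartScript to confirm the disk number and partition layout; only pass the switch once the personal files are copied off (step 1 above), since clean all overwrites every sector and cannot be undone.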
  • gmtech
    gmtech Member Posts: 6 New User
    Thank you, JordanB. I gave it a shot and watched the exact same thing happen again: reboot, a repair took place, and I am back to where I started. I ran ClamWinPortable and Emsisoft Emergency Kit Starter; ClamWin found a Trojan, which was removed. Reinstalled the drive. While it was open, I found a recovery file that was empty, 0 KB. Deleted that, rebooted, caught a DOS window, blink, scandisk started and gave me the option to stop it. I did. It started at the recovery window. I have started a full PC reset. It has started; I have my fingers crossed.
  • JordanB
    JordanB ACE Posts: 3,729 Pathfinder
    edited November 2017
    @gmtech

    Make sure you use these two commands if you're not yet ready to wipe the drive.

    bootrec /FixMbr

    bootrec /FixBoot


    If you wipe the drive with diskpart clean all, then you don't need to worry about any of this bootrec stuff.
    I'm not an Acer employee.
  • gmtech
    gmtech Member Posts: 6 New User
    Update. Can't believe it. Everything malware reinstalled. Used another hard drive formatted with Linux, and Acer, I think, sent me a UEFI image. Updated UEFI with the image, reinstalled the original hard drive, performed a factory reset, and that worked. This is new to me, and I have been fooling around with Windows since 3.1, lol. Now to put effective countermeasures in place; Defender is not enough. Thank you all for your thoughtful responses.