How can I remove the bootkit? I mean, it's enterprise-level malware.
I’m assuming I need to somehow figure out how it’s executing, change the code back to normal or reflash the bios manually. It has instructions on getting a backup from somewhere and can also move itself onto RAM.
It affects Linux and Windows. The only way I’ve been able to access anything was loading SystemRescue onto RAM.
It even spread to my router, hosted itself via DLNA, and installs as a printer driver to re-infect.
One PC has an altered BIOS, which I'm assuming is basically gone.
Two other PCs are Secure Boot enabled with TPMs, so I'm assuming they can be recovered.
I wanted to see if anyone would be willing to read over the script and Bios file to see if they can see what was going on or assist in what was altered.
My next plan of attack is reflashing the BIOS, booting an ISO into RAM, running anti-rootkit software etc., running firmware updates and going from there. I've contacted 4 local IT companies that would even touch any of the machines; one is willing to mess around with it.
Any advice would be great if anyone has any other options.
Well, Asus G10CE: the BIOS region is, in its static parts, 100% identical to the Asus stock 330 BIOS region.
Different from the Asus stock 330 are, of course, NVRAM and one padding between NVRAM with Windows code, machine-specific data, event log.
NVRAM normally has no executable code but it has the certificates for signing secure boot / bootloaders, so I’d reset that.
The ME region has no relevant differences in configuration; I've never heard of a changed ME firmware for a rootkit.
So I'd recommend transferring FD, GbE and the padding with machine-specific data in the BIOS region from your backup to a stock 330 Asus firmware. You can't get cleaner than this.
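A way to check the "static parts identical to stock" claim yourself and to build the transplanted image the reply describes, as an added example that is not code from either poster: the script below parses the Intel flash descriptor (signature at offset 0x10, region table pointed to by FRBA in FLMAP0, one FLREG entry per region with 4 KiB-granular base and limit), diffs a region between a dump and a stock image, and copies chosen ranges from the backup into the stock image. The two 64 KiB images built inline are constructed for illustration; the MAC, NVRAM and serial bytes are made up and the layout is much smaller than a real SPI flash.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A                         # Intel flash descriptor signature at offset 0x10
REGION_NAMES = ["FD", "BIOS", "ME", "GbE", "PDR"]  # FLREG0..FLREG4 in descriptor order
IMAGE_SIZE = 0x10000                              # constructed: 64 KiB toy flash image


def parse_regions(image: bytes) -> dict:
    """Return {name: (start, end_inclusive)} for every region the descriptor marks as used."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4           # flash region base address (bits 16-23, x16)
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12             # bits 0-14: base in 4 KiB units
        limit = ((flreg >> 16) & 0x7FFF) << 12    # bits 16-30: limit in 4 KiB units
        if base > limit:                          # unused region is encoded as base 0x7FFF, limit 0
            continue
        regions[name] = (base, limit | 0xFFF)
    return regions


def diff_region(dump: bytes, stock: bytes, region: tuple) -> list:
    """List (start, end_inclusive) absolute byte ranges where dump and stock differ inside region."""
    start, end = region
    a, b = dump[start:end + 1], stock[start:end + 1]
    if len(a) != len(b):
        raise ValueError("images differ in size; compare dumps of the same chip")
    ranges, run_start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            ranges.append((start + run_start, start + i - 1))
            run_start = None
    if run_start is not None:
        ranges.append((start + run_start, end))
    return ranges


def transplant(dump: bytes, stock: bytes, keep_ranges: list) -> bytes:
    """Stock image everywhere except the given (start, end_inclusive) ranges, taken from the dump."""
    out = bytearray(stock)
    for s, e in keep_ranges:
        out[s:e + 1] = dump[s:e + 1]
    return bytes(out)


def constructed_images() -> tuple:
    """Build a constructed (dump, stock) pair: FD 0x0000, GbE 0x1000, ME 0x2000, BIOS 0x4000-0xFFFF."""
    stock = bytearray((i * 7) & 0xFF for i in range(IMAGE_SIZE))   # deterministic filler
    struct.pack_into("<I", stock, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", stock, 0x14, 0x04 << 16)                 # FRBA = 0x40
    flregs = [0x00000000,   # FD:   base 0x0000, limit 0x0FFF
              0x000F0004,   # BIOS: base 0x4000, limit 0xFFFF
              0x00030002,   # ME:   base 0x2000, limit 0x3FFF
              0x00010001,   # GbE:  base 0x1000, limit 0x1FFF
              0x00007FFF]   # PDR:  unused
    for i, v in enumerate(flregs):
        struct.pack_into("<I", stock, 0x40 + 4 * i, v)
    dump = bytearray(stock)
    dump[0x1000:0x1006] = b"\x02\x11\x22\x33\x44\x55"   # constructed: machine MAC in GbE region
    dump[0x8000:0x8010] = b"\xFF" * 16                   # constructed: NVRAM variable change
    dump[0xC000:0xC010] = b"ASUS-SERIAL-0001"            # constructed: machine-specific padding
    return bytes(dump), bytes(stock)


def clean_image() -> bytes:
    """Apply the reply's recipe: stock firmware plus FD, GbE and the machine-specific padding from the dump."""
    dump, stock = constructed_images()
    regions = parse_regions(dump)
    padding = (0xC000, 0xC00F)                            # constructed: where the serial padding lives
    return transplant(dump, stock, [regions["FD"], regions["GbE"], padding])


if __name__ == "__main__":
    dump, stock = constructed_images()
    regions = parse_regions(dump)
    for name, rng in regions.items():
        print(name, [(hex(s), hex(e)) for s, e in diff_region(dump, stock, rng)])
```

On a real dump the FD and GbE regions carry the chip layout and the NIC MAC, so the differences you expect there are tiny and fixed-offset; a diff of the BIOS region that shows only NVRAM and the padding ranges is what "static parts identical" looks like, and anything else in the BIOS region that differs from stock deserves a closer look before you flash the result back.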