Question Possible Bios malware in lenovo thinkpad?

Apr 8, 2023
I recently came across a problem with my Yoga 15 BIOS and I kind of suspect that malware is persistent in the BIOS or EEPROM that prevents proper flashing of the BIOS. Below are the symptoms and I would be very grateful if anyone could help:
  1. A few months ago, I flashed the BIOS to the latest version, cleaned the hard drive and reinstalled Windows, but I was facing a few weird problems afterwards.
a) When I installed antivirus, it told me my router is not safe and the DNS might be hijacked.
b) The CPU runs hot and the fan spins fast when idling, and once I open the Windows 10 Task Manager I can see either System Interrupts or svhost.exe having high CPU usage, but after a while it's calm again.
c) The laptop faces a BSOD after exactly 17 to 20 mins and restarts, and loops in a cycle. I suspect it's the sleep property of the laptop causing the problem.
  2. After the above symptoms I decided to reflash the BIOS again and reinstall Windows 11 on a different hard disk. After reflashing the BIOS, the version number was correct; however, the previous settings were retained, e.g. the I/O port enable/disable choices.
  3. Afterwards I decided to use the other methods: using the F9 button (restore to default) and removing the CMOS battery and the main battery and pressing the reset key for a while. I discovered that if I press F9, some settings are restored but not the I/O ones nor the system time. If I remove the CMOS battery, the date is reset but again the I/O enable selection remains unchanged.
Therefore, I would like to ask if this is normal? And is there any other EEPROM chip than the BIOS that is storing the settings and preventing me from doing a factory reset?
Is it possible that some malware is embedded in the firmware?
Thanks
Thanks for the prompt reply. The source of the Windows installation is the Microsoft official website, so I'm pretty sure it's OK, as I installed it on other devices too. However, I tried to reset the BIOS to default on another ThinkPad (E15 Gen 2) and I realized the same issue with the I/O port accessibility problem (that it doesn't restore to default, or only some of it restores to default). Therefore I am wondering if it's a common problem for Lenovo ThinkPads or if I'm so lucky to get infected on both systems.
 
Dear, thanks for the reply. I have found a UEFI reader to read the current suspicious BIOS, but I am still looking for software to read the official one and then use a hex editor to compare them, probably. However, I just tested the BIOS reset on another ThinkPad from my friend. It seems that the F9 button will not reset the I/O port selection, which implies that removing the CMOS battery will not reset all of the BIOS, which in turn indicates that there might be another chip where the ThinkPad is storing this data, I suspect?
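The comparison described above (a dumped BIOS image against the vendor's image in a hex editor) is easier with a block-wise first pass. The following is an added example, not code from anyone in this thread: it hashes both images in 4 KiB blocks, merges differing blocks into byte spans, and separates spans inside an assumed NVRAM/variable-store range (where saved settings legitimately change) from spans elsewhere; the block size, the NVRAM range and the sample bytes are all constructed assumptions, not real ThinkPad layout values.

```python
# Added example: block-wise comparison of a dumped firmware image against the
# vendor image. Block size, NVRAM range and sample bytes are constructed.
import hashlib

BLOCK = 4096  # assumption: compare in 4 KiB flash-erase-sized blocks


def differing_blocks(reference: bytes, dumped: bytes, block: int = BLOCK):
    """Return indexes of blocks whose SHA-256 differs between the two images."""
    if len(reference) != len(dumped):
        raise ValueError(f"size mismatch: {len(reference)} vs {len(dumped)} bytes; "
                         "only compare images with the same flash layout")
    diffs = []
    for i in range(0, len(reference), block):
        a = hashlib.sha256(reference[i:i + block]).digest()
        b = hashlib.sha256(dumped[i:i + block]).digest()
        if a != b:
            diffs.append(i // block)
    return diffs


def merge_spans(block_indexes, block: int = BLOCK):
    """Collapse consecutive block indexes into (start_offset, end_offset) byte spans."""
    spans = []
    for idx in block_indexes:
        start = idx * block
        if spans and spans[-1][1] == start:
            spans[-1] = (spans[-1][0], start + block)
        else:
            spans.append((start, start + block))
    return spans


def compare_images(reference: bytes, dumped: bytes, nvram_range=None, block: int = BLOCK):
    """Split differing spans into those inside the variable store (expected when
    settings are saved) and those outside it (worth a closer look in a hex editor)."""
    spans = merge_spans(differing_blocks(reference, dumped, block), block)
    expected, unexplained = [], []
    for start, end in spans:
        if nvram_range and start >= nvram_range[0] and end <= nvram_range[1]:
            expected.append((start, end))
        else:
            unexplained.append((start, end))
    return expected, unexplained


# Constructed sample: a 64 KiB "vendor" image and a dump that differs in two places
VENDOR = bytes(range(256)) * 256
DUMP = bytearray(VENDOR)
DUMP[0x3000:0x3010] = b"\xff" * 16   # inside the constructed NVRAM range
DUMP[0xA000:0xA004] = b"\x00" * 4    # outside it
NVRAM = (0x2000, 0x4000)             # constructed variable-store range

if __name__ == "__main__":
    exp, unexp = compare_images(VENDOR, bytes(DUMP), NVRAM)
    print("expected (settings) diffs:", [(hex(s), hex(e)) for s, e in exp])
    print("unexplained diffs:", [(hex(s), hex(e)) for s, e in unexp])
```

Real images must be dumped with the same tool and cover the same flash region, otherwise the size check fails and any offset comparison is meaningless.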
 
There is a chance the BIOS battery is flat, so it reverts settings back to default
(so it looks like some settings remain unchanged).
Check if there is an update for the BIOS (other users might have the same problem).
Check if there is an older BIOS update (you updated to BIOS 19, try downgrading to BIOS 18).
If possible, when installing Windows, DELETE ALL PARTITIONS ON THAT drive, as some partition might contain data/settings that laptop bloatware reads back in (bloatware slows things down; it is not spyware).
Malware in the BIOS is extremely rare.
 
RTC (clock) and BIOS settings are two separate things.
Some settings may not have any default BIOS value, meaning resetting the BIOS to default can keep some settings with user-defined values.
Can you upload your current BIOS?
 
Unless it's a completely harmless option, like, say, RGB settings or custom profiles, it doesn't make sense that settings which could affect the on-board hardware configuration or the startup/boot process (outside of, say, TPM keys) would be left alone after a "reset" of the settings.

I mean, you're free to tell me what motherboard does this so I can avoid that manufacturer.