Bios Hijacked

Discussion in 'Malware Help (A Specialist Will Reply)' started by enemyboat, Jun 26, 2007.

  1. enemyboat

    enemyboat Private E-2

    I'm pretty knowledgeable about computers, and I can figure out things pretty fast, but I need help with this one.

    I've posted on the forum before, about 3 weeks ago, and I thought my issues were XP related. I have chased my problem down to the very root of my computer using the Ultimate Boot Cd for Dos.

    Recently I downloaded the stock firmware for my motherboard, and the flashing program has seemed to be different from the stock version. I also remember having a different BIOS than the one that is loading now. The current BIOS running, according to my bootup screen, is

    Phoenix 6.00pg WorkstationBIOS

    I tried to reset the BIOS from software and hardware, but all it did was just give a CMOS checksum error and load the malware back into place.

    Using a program to view the BIOS and BIOS extensions, I found the following list:

    Found:
    Freedos 7.10 running
    Advanced Power Management v1.2
    Plug and Play-Bios v3.0
    IBM/MS int13 Extensions v1.2
    System Management-Bios v2.2
    Award Modular Bios
    __________________________________________
    VESA BIOS extensions v2.0
    |
    -Found VBE Power MGT v1.0
    -VBE Accelerator Functions not active or available

    Then I used a program called !BIOS to see if I could fix the problem myself by changing the decimal/hex manually, and every time I saved the string, the 13th string would automatically revert back to its old number.

    This virus/malware has already spread to 8 other known computers, 4 of which are behind a secure network, and at least one which had Vista on it.

    All help given would be gratefully accepted.

    Boat~
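
The extension list above comes from a tool that walks the legacy BIOS address range and reports what it finds. The script below is an added example that does the same kind of walk over a dump of that range; it is not code from this thread or from the tool the poster used. It assumes the dump covers physical 0xC0000-0xFFFFF (256 KiB, which on Linux is `dd if=/dev/mem bs=64k skip=12 count=4` when the kernel allows reading that range), that option ROMs sit on 2 KiB boundaries with the 0x55 0xAA signature, and that the SMBIOS 2.x entry point ("_SM_") sits on a 16-byte boundary in 0xF0000-0xFFFFF. It verifies the checksums that the BIOS itself checks before running an option ROM, which is a useful first look at whether an extension has been patched. The sample image is constructed inline and is not a real BIOS.

```python
"""Scan a legacy BIOS memory-range image for option ROM headers and the
SMBIOS 2.x entry point, checking the checksums the BIOS itself relies on.

Added example; not code from the thread or from the tool the poster used.
Assumptions: `image` is a dump of physical 0xC0000-0xFFFFF (256 KiB, e.g.
`dd if=/dev/mem bs=64k skip=12 count=4` on Linux); option ROMs begin on
2 KiB boundaries with the 0x55 0xAA signature; the SMBIOS entry point
("_SM_") sits on a 16-byte boundary in 0xF0000-0xFFFFF.
"""
import struct

BASE = 0xC0000  # physical address of image[0] (assumption about the dump)


def _sum8(data: bytes) -> int:
    """8-bit checksum used by option ROMs and SMBIOS: valid when it is 0."""
    return sum(data) & 0xFF


def scan_option_roms(image: bytes, base: int = BASE) -> list:
    """Return one dict per option ROM header found.

    Header: +0 0x55 0xAA, +2 length in 512-byte units, +3 entry point,
    +0x18 16-bit offset of the PCI data structure ("PCIR") for PCI ROMs.
    The BIOS only calls a ROM's init entry if all its bytes sum to 0 mod 256,
    so a failed checksum means either corruption or a patched image.
    """
    roms = []
    off = 0
    while off + 3 < len(image):
        if image[off] == 0x55 and image[off + 1] == 0xAA:
            length = image[off + 2] * 512
            body = image[off:off + length]
            rom = {
                "address": base + off,
                "length": length,
                "checksum_ok": length > 0 and len(body) == length and _sum8(body) == 0,
                "pcir": None,  # (vendor_id, device_id) when a PCIR block is present
            }
            if length >= 0x1A:
                ptr = struct.unpack_from("<H", image, off + 0x18)[0]
                if ptr and off + ptr + 8 <= len(image) and image[off + ptr:off + ptr + 4] == b"PCIR":
                    rom["pcir"] = struct.unpack_from("<HH", image, off + ptr + 4)
            roms.append(rom)
            # the BIOS resumes scanning at the next 2 KiB boundary after the ROM
            off = (off + max(length, 2048) + 2047) & ~2047
        else:
            off += 2048
    return roms


def find_smbios(image: bytes, base: int = BASE):
    """Locate and validate the 31-byte SMBIOS 2.x entry point structure.

    Layout: "_SM_", checksum, length (0x1F), major, minor, max structure size,
    EP revision, 5 formatted bytes, "_DMI_", intermediate checksum, table
    length, table address, structure count, BCD revision. The whole structure
    and the 15-byte "_DMI_" part (0x10..0x1E) must each sum to 0 mod 256.
    """
    start = max(0, 0xF0000 - base)
    for off in range(start, len(image) - 0x1F + 1, 16):
        if image[off:off + 4] != b"_SM_":
            continue
        ep = image[off:off + 0x1F]
        table_len, table_addr, count = struct.unpack_from("<HIH", ep, 0x16)
        return {
            "address": base + off,
            "version": f"{ep[6]}.{ep[7]}",
            "checksum_ok": ep[5] == 0x1F and _sum8(ep) == 0,
            "dmi_checksum_ok": ep[0x10:0x15] == b"_DMI_" and _sum8(ep[0x10:0x1F]) == 0,
            "table_addr": table_addr,
            "table_len": table_len,
            "structures": count,
        }
    return None


def build_sample_image() -> bytes:
    """Constructed 256 KiB image (sample data, not a real BIOS): a 16 KiB PCI
    VGA ROM at 0xC0000 with vendor ID 0x10DE (NVIDIA's PCI vendor ID), an
    8 KiB ROM at 0xD0000 whose code has been patched after the checksum was
    computed, and a valid SMBIOS 2.2 entry point at 0xF0100."""
    img = bytearray(0x40000)

    def put_rom(off, length, vid, did, tamper=False):
        rom = bytearray(length)
        rom[0:2] = b"\x55\xAA"
        rom[2] = length // 512
        rom[3:6] = b"\xE9\x00\x00"                 # placeholder JMP entry point
        struct.pack_into("<H", rom, 0x18, 0x40)    # PCIR at +0x40
        rom[0x40:0x44] = b"PCIR"
        struct.pack_into("<HH", rom, 0x44, vid, did)
        rom[-1] = (-_sum8(rom[:-1])) & 0xFF        # make the ROM sum to zero
        if tamper:
            rom[0x100] ^= 0x5A                      # patched byte: checksum now fails
        img[off:off + length] = rom

    put_rom(0x00000, 16 * 1024, 0x10DE, 0x0000)
    put_rom(0x10000, 8 * 1024, 0x8086, 0x0000, tamper=True)

    ep = bytearray(0x1F)
    ep[0:4] = b"_SM_"
    ep[5] = 0x1F
    ep[6], ep[7] = 2, 2
    struct.pack_into("<H", ep, 8, 0x100)
    ep[0x10:0x15] = b"_DMI_"
    struct.pack_into("<HIH", ep, 0x16, 0x800, 0xF1000, 40)
    ep[0x1E] = 0x22
    ep[0x15] = (-_sum8(ep[0x10:0x1F])) & 0xFF     # intermediate checksum
    ep[4] = (-_sum8(ep)) & 0xFF                   # structure checksum
    img[0x30100:0x30100 + 0x1F] = ep
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for rom in scan_option_roms(image):
        print(f"option ROM @ {rom['address']:#07x} {rom['length']:6d} bytes "
              f"checksum {'OK' if rom['checksum_ok'] else 'FAIL'} pcir={rom['pcir']}")
    print("SMBIOS:", find_smbios(image))
```

Run it against a real dump by replacing `build_sample_image()` with the bytes of the file; a ROM that the BIOS reports as present but whose checksum fails, or a ROM at an address the hardware list does not account for, is the thing to compare against a known-good machine of the same model.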
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know of any methods that exist to detect or remove BIOS infections, which are rare but not impossible. More than a year and a half ago people were already talking about possible future BIOS rootkits. (You can read a little about this here: http://www.antirootkit.com/blog/category/bios-rootkits/ ) If you cannot erase and then totally reprogram your BIOS from scratch, you will have to check to see if your flash devices are socketed so that you can either totally replace them or reprogram them in a fixture designed for programming flash chips.
    Some things to possibly try in your attempt to reprogram your BIOS:
    • unplug the battery for your CMOS backup and leave your PC physically unplugged from all power for a while to make sure CMOS backup is erased. Do not plug this battery back in until you complete reprogramming.
    • within the BIOS disable any memory option like caching or shadowing.
    • then try to reprogram the BIOS
    You should check to make sure all of the computers in your network have the BIOS password protected and that they have any built-in virus protection enabled (some systems have this feature). This would make it much more difficult for anything to rewrite the BIOS since you would have to have the password and disable security features before writing to flash. The other alternative would be to see if you have the ability to turn off by default the ability to flash the BIOS. PCs used to require a jumper switch setting to be made directly on the motherboard to do this. This is a much more secure option. And since BIOS is rarely rewritten and should only be performed by very specific people, disabling this ability to rewrite the BIOS at any time is not an issue.
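
After the reprogramming steps above, the check a practitioner wants is a read-back of the flash compared against the vendor's stock image, so that a reflash that silently failed (or a chip that was rewritten again afterwards) is noticed. The script below is an added example, not code from this thread or from any flash tool. It assumes both inputs are raw images of the same flash part (for instance the file the vendor's DOS flasher reads from, and a read-back such as `flashrom -p internal -r readback.bin` on Linux); nothing here writes to the flash. The two sample images are constructed inline.

```python
"""Check a BIOS flash read-back against the vendor's stock image.

Added example; not code from the thread or from any flash tool. It assumes
both inputs are raw images of the same flash part (for instance the file the
vendor's DOS flasher uses, or `flashrom -p internal -r readback.bin` on
Linux); nothing here writes to the flash.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(stock: bytes, readback: bytes, block: int = 0x10000) -> list:
    """Return (block_index, first_differing_offset, differing_byte_count)
    for every `block`-sized region in which the read-back differs from stock.
    A size mismatch means the wrong image for this chip, so it is an error,
    not a difference."""
    if len(stock) != len(readback):
        raise ValueError(f"size mismatch: stock {len(stock)} bytes, read-back {len(readback)} bytes")
    regions = []
    for start in range(0, len(stock), block):
        a = stock[start:start + block]
        b = readback[start:start + block]
        if a == b:
            continue
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        regions.append((start // block, start + diffs[0], len(diffs)))
    return regions


def verify(stock: bytes, readback: bytes, block: int = 0x10000) -> dict:
    """Summarise the comparison. The last 16 bytes of the flash hold the x86
    reset vector (the top of the flash is mapped at 0xFFFFFFF0), so a change
    there means the first code the CPU runs after power-on is not the vendor's."""
    regions = differing_regions(stock, readback, block)
    return {
        "identical": sha256_hex(stock) == sha256_hex(readback),
        "stock_sha256": sha256_hex(stock),
        "readback_sha256": sha256_hex(readback),
        "regions": regions,
        "reset_vector_affected": stock[-16:] != readback[-16:],
    }


def build_samples():
    """Constructed 256 KiB images (sample data, not a real BIOS): stock is a
    deterministic byte pattern; the read-back has three bytes patched at
    0x10050 and two bytes changed inside the last 16 bytes (reset vector)."""
    size = 0x40000
    stock = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(size))
    rb = bytearray(stock)
    for i in range(3):
        rb[0x10050 + i] ^= 0xFF
    rb[size - 0x10] ^= 0x01
    rb[size - 0x0F] ^= 0x01
    return stock, bytes(rb)


if __name__ == "__main__":
    stock, readback = build_samples()
    result = verify(stock, readback)
    print("identical:", result["identical"])
    for idx, first, count in result["regions"]:
        print(f"block {idx}: {count} byte(s) differ, first at {first:#08x}")
    print("reset vector affected:", result["reset_vector_affected"])
```

A read-back that matches the stock image byte for byte is the only result that counts as a clean reflash; a difference confined to a small region near the top of the image is worth a second look, since that is where the boot block and reset vector live on this class of board.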
     
  3. enemyboat

    enemyboat Private E-2

    The Black Hat Briefings in Las Vegas are a pointer as to the direction that particular IT trends are going. With six presentations this year dedicated to Rootkits it shows that Rootkits are fast becoming a bigger threat to users.

    I live in Las Vegas. The infection happened in April. I had no firewall or anti-virus/spyware protection. Coincidental?

    *Using Ultimate Boot cd for Dos*

    I've tried running a rootkit program, and it's being denied access because I'm pretty much using a virtual computer with this thing hijacking my bios.

    *Using Ultimate Boot cd for Win*

    I used a program called ServicesPE to show me all the services/devices on the computer, post-XP install. The interesting thing to me were the dmboot.sys, dmload.sys, and dmio.sys on the services side. It seemed like all the devices listed were broken versions of the hardware.

    I will update info soon.....
     
  4. enemyboat

    enemyboat Private E-2

    I have seen my motherboard buses using a program called PCISniffer on Ultimate Boot CD for Win (from now on called UBCD).

    Bus 0 had 1 disabled item, probably because I took out all of my hardware except for my video card, floppy drive, and cdrom drive.

    Bus 1 seemed to have all the hardware devices but IRQ 10 had the Nvidia port enumerator. There were also others labeled as NOT INSTALLED. There were a few IRQ items that had I/O memory.

    Hopefully I can get back online later.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Running without protection always leads to infections sooner or later.

    Those are valid files. See:

    http://www.file.net/process/dmboot.sys.html
     
  6. enemyboat

    enemyboat Private E-2

    Chaslang,

    I really am thankful for your help. I have been working on this alone for about 1.5 months now, and it's been frustrating.

    Yeah, I'm well aware of this. For the longest time, I had no information on my computer that I deemed personal. I was under the assumption that the old modem I was using had a firewall. Assumptions...

    Anyway, these files are valid files unless there is a mal-program on your system re-writing everything that the CD-ROM shoots out. It's also changing the group policy almost immediately after the completion of Windows XP Pro's installation.
     
  7. enemyboat

    enemyboat Private E-2

    I decided to change things up a bit. In my impulsivity, I thought I would try loading a Linux boot disk from the UBCD for DOS. Last night when I used the Linux boot disk, I found that everything seemed peaceful; I don't know the program. I did see that I had 2 files locked and 5 sessions open during my experiment. And I've concluded thus far that Linux has access to whatever this malware is, and where it is stored.

    In the similar threads section, I saw this link:

    Also, I made a few notes of what seemed enumerated files.
    Bitmap blocks ----> linux connection.

    I made a search of a certain txt line I thought was interesting, because it seemed to have caused an error. The line I searched for was:
    corruption found in superblock <%s=%lu>

    I found information on a "Problem.C" which was some type of linux program. Kinda sounds like a malware thing, but I don't know.

    As I have experimented more with the program ServicesPE, I have found that you can run services/devices at startup. I got a crazy idea - if I got some help, maybe I could give the Windows system32 directory a "service" program that can run at the time of booting the computer. This service might just be able to be set up as the only service running on boot-up.

    I know you might not be familiar with ServicesPE, Chaslang, but what do you think of that idea?

    As soon as I can get to an uninfected computer, I will attempt to create this linux boot CD with added motherboard firmware.

    That's the updates for today. Thanks again for your help.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually, since I have never experimented with this, I cannot say whether it will help you get your BIOS reprogrammed or not.

    I know what ServicesPE is but I don't see how it would be of any use to you. In addition are you capable of writing a service to use? And what are you planning to do with it? Many services on your system are required to run at startup for normal operation. You can disable quite a few and this will limit the ability to do many things, but if you disable ALL services Windows will not run.
     
  9. enemyboat

    enemyboat Private E-2

    When I was booting safe mode XP (and I had all the cache, prefetch, etc. that you suggested be turned off), the first thing that loaded was an NT kernel. There were normal files that had incorrect letter sensitivity, like the dmboot, dmload, and dmio.

    I have been using a DOS program that manages partitions to try and see all of my hard drive, but it disallows me to see an odd boot record with a weird label.

    http://72.14.253.104/search?q=cache:lPaIiYikc0gJ:download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/wmi_security.doc+windows+nt+kernel+controlling+bios+false+acpi+firmware&hl=en&ct=clnk&cd=3&gl=us

    This seems to explain how a part of my hard drive is denying me access. Ever heard of anything like this explanation before?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of this has anything to do with malware. You need to post in the Hardware Forum if you wish to continue with this.
     
  11. enemyboat

    enemyboat Private E-2

    I just ran into the program "Unhijackme" while searching different things on google.

    It has found a trojan called Hackerdefence100. Do you know any info about it?

    It has an NT partition that controls the legacy device drivers, I think. Either way, whenever I reinstall Windows after writing zeros to the drive, it reinstalls itself when the Windows XP boot disk starts up the XP install.

    Should I move the subject over to the hardware forum?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know anything about "Unhijackme" and I never heard of such an infection (if it really even detected anything - it could just be a false detection), but I doubt they have anything to do with fixing your System BIOS, which was the topic of this thread.

    Are you sure that you are reinstalling from uninfected media?

    If your BIOS is infected, you need to find a way of reprogramming your BIOS and that is not something we can help you with in this forum. Thus the answer would be yes.
     
  13. enemyboat

    enemyboat Private E-2

    I'm positive this is a CMOS issue. I've killed 1 motherboard now because I was careless in my BIOS-flashing frustration.

    Thanks for your help. If I need more, I'll push on over to hardware.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and good luck!
     
