BIOS Rootkit?!?!? (by process of elimination)

This is a discussion on BIOS Rootkit?!?!? (by process of elimination) within the Motherboards, Bios|UEFI & CPU forums, part of the Tech Support Forum category. Long story... I have a laptop (Compaq Presario v3000t) which runs Windows XPSP2. I thought I had all my updates


Old 03-16-2008, 10:09 PM   #1
Guest
 
Join Date: Mar 2008
Posts: 4
OS:


Question

Long story...

I have a laptop (Compaq Presario v3000t) which runs Windows XP SP2. I thought I had all my updates for both OS and apps, but somehow (I think it was the kids getting on the sites they did--gaming and MySpace, etc.), the laptop got hacked. It was behind a router and a software firewall/antivirus suite.

There were assorted trojans and keyloggers on there, which came off after a reformat (with the recovery disk). However, the laptop now will not allow the install of McAfee, Norton, ZoneAlarm, or any other security software. It looks like it is installing it, but says it has to reboot, and then the security software is no longer installed after the reboot. It does the same thing with some of the Windows updates.

I have also tried a reformat/reinstall with the Windows XP OS disk, as well as XP Recovery Console /fixboot and /fixmbr, all to no avail. I also tried some disk erase utilities on the UBCD (Ultimate Boot CD), and checked the disk manually with a hex editor, and it was clean, all 0's. Then when I reinstalled Windows XP, the same thing happened with the security suites and the Windows updates as described above.

Just to see what would happen, I installed Ubuntu Gutsy Gibbon, and at first it looked okay, but then it would not let me install any security software either, and eventually started trying to lock me out of various functions. Checking the logs in Ubuntu, I found I had been demoted from Network Admin to Local Machine Admin.

I configured my router to log everything. Through the logs, I found out this computer is trying to "call home" literally every 5 minutes to a certain ip address, (supposedly brand new) registered in Australia, according to whois.

Through process of elimination, I am wondering if this is some type of BIOS rootkit? It survived both Windows and Linux reformats and reinstalls, and if it was in the MBR, /fixmbr should have taken care of it.

Does this sound like a BIOS rootkit (or some type of BIOS malware)? I would like someone else's take on this. I googled BIOS rootkit, and it was a topic of discussion 2 or so years ago and people thought it was science fiction, but it sounds like what I am dealing with!

Thank you in advance for your help!!

Ndnsummer
ndnsummer is offline  
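The router-log observation in the post above (one address contacted about every five minutes, regardless of which OS is installed) is the kind of fixed-interval pattern that can be picked out of a connection log mechanically. The script below is an added example and not part of the thread: it assumes a made-up syslog-style router line format, constructed timestamps and documentation-range addresses, and flags any source/destination pair whose connection gaps are nearly constant.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample router log (added example; the line format is an assumption
# loosely modelled on a home-router syslog, addresses are documentation ranges).
SAMPLE_LOG = """\
Mar 16 21:00:02 router OUT src=192.168.1.23 dst=203.0.113.77 dport=80
Mar 16 21:01:15 router OUT src=192.168.1.23 dst=198.51.100.5 dport=443
Mar 16 21:05:01 router OUT src=192.168.1.23 dst=203.0.113.77 dport=80
Mar 16 21:07:40 router OUT src=192.168.1.10 dst=198.51.100.5 dport=443
Mar 16 21:10:03 router OUT src=192.168.1.23 dst=203.0.113.77 dport=80
Mar 16 21:15:02 router OUT src=192.168.1.23 dst=203.0.113.77 dport=80
Mar 16 21:18:29 router OUT src=192.168.1.23 dst=198.51.100.5 dport=443
Mar 16 21:20:01 router OUT src=192.168.1.23 dst=203.0.113.77 dport=80
"""

def parse_line(line, year=2008):
    """Return (timestamp, src, dst) for one outbound log line, else None."""
    parts = line.split()
    if len(parts) < 7 or parts[4] != "OUT":
        return None
    ts = datetime.strptime(f"{year} {parts[0]} {parts[1]} {parts[2]}",
                           "%Y %b %d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[5:])
    return ts, fields["src"], fields["dst"]

def find_beacons(log_text, min_hits=4, max_jitter=0.05):
    """Map (src, dst) -> mean gap in seconds for flows that recur on a
    near-fixed schedule: at least min_hits connections whose gaps have a
    standard deviation of at most max_jitter times the mean gap."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            times[(src, dst)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Scheduled "call home" traffic has almost no jitter; human browsing does.
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = round(avg)
    return beacons
```

On the constructed log, only the 192.168.1.23 to 203.0.113.77 flow is flagged, with a period of about 300 seconds; the two visits to 198.51.100.5 are too few and too irregular to count.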
Old 03-16-2008, 10:11 PM   #2
Guest
 
Join Date: Mar 2008
Posts: 4
OS:



ALSO, I had set BIOS passwords on the laptop, both admin and user when I got it last year, and while working on this, when I went to check on the settings in the BIOS, my passwords had been removed and were blank.
ndnsummer is offline  
Old 03-17-2008, 12:28 AM   #3
dai
TSF Team, Emeritus
 
Join Date: Jul 2004
Location: west australia
Posts: 78,002
OS: win 7 32x 64x rtm



It sounds like it is still infected. Follow the 5 steps here:
https://www.techsupportforum.com/showthread.php?t=15968



dai is offline  
Old 03-17-2008, 02:06 AM   #4
Guest
 
Join Date: Mar 2008
Posts: 4
OS:



Thank you so much for answering my post!!!

I have Ubuntu on it right now; should I reformat/reinstall back into XP before I take the five steps? I would think so, but I am just making sure.

Thank You Again,

ndnsummer
ndnsummer is offline  
Old 03-17-2008, 08:55 AM   #5
dai
TSF Team, Emeritus
 
Join Date: Jul 2004
Location: west australia
Posts: 78,002
OS: win 7 32x 64x rtm



If you do the 5 steps, you should get away without a format.



dai is offline  
Old 03-17-2008, 02:58 PM   #6
Troubled
 
Join Date: Aug 2006
Location: Australia
Posts: 3,394
OS: Windows 7 Enterprise 64 bit



Try this too: https://free.grisoft.com/doc/download-free-anti-rootkit/ and this: https://free.grisoft.com/doc/5390/us/frt/0?prd=afl
FreoHeaveho is offline  