New kind of root kit / virus , that overclocked my computer :|

Hi everyone ,

lets talk about my problem
i was running zonealarm security suite

one day zone alarm detected one malware that supposed to be a medium threat , i can't remember its name because my computer didnt gave me the time to read the total decription of the malware (it was a rootkit :|), my computer rebooted alone (more like an instant crash thant a reboot)

i ran zonealarm anti virus and malware tool to find out what happened after that sucpicious crash and what was the name of the threat

nothing detected , so i couldn't find out what happened

it was late , after that i decided to stop computer and go to bed

when i booted my computer the next day , the computer was like crazy on bios loading

my bios told me that i was under overvcloking and settings were not fine to run

the boot sequence was stop by my motherboard security module because of these (dangerous)settings ===>black screen + voice telling me (maydaymayday you're going down)

i was surprised because i never overclocked my computer and if i do this , i can still alway go on setting screen to change values if they are corrupted

i tried to boot up my comp by every possible ways ==>nothing , always the same blackscreen

i tried to go on setting screen : impossible , the computer was totally locked
the only thing i could hear was the voice message of my motherboard telling me that overclock values were bad and dangerous

as my computer decided not to launch because of corrupted settings , i tried to reset em by moving my bios setting jumper on motherboard , but i could'nt find it and lost my motherboard guide with jumpers location

so i decided to remove the bios cell and put it in again

after that my computer booted up , and i could acces my bios settings (everything was reset to default )

finally it started , but on windows xp loading screen i always got a blackscreen (not crashed , more like a freeze)

so i rebooted again in secure mode to look what was bad : i checked every device and a lot of settings but nothing was anormal

so i rebooted normaly ==> impossible to get onto normal windows xp

i rebooted again and used the f8menu to start windows with last good configuration , and it worked

rebooted again withtout doing anything , and this time xp started normally

i am a bit paranoid so after that i decided to find out what happened

so i tried a lot of tools (not at same time because of the problems you get when you install more than one tool who look at you files)

so far i tried ewido /
zonealarm (the av integrated to the firewall)
nod32
8 well known online scans (mcafe / panda / trend / symantec .... etc )

i tried also to find out if a rootkit was running

i tried

gmer (nothing suspect)
darkspy 1.5 (always crash the computer , even with all Av tools completely uninstalled)

i tried also the sysinternal one and found nothing


i have an article from january 2006 saying that future rootkits could have easy acces to bios flash memory because of their new ACPI rewriting possibilities
http://www.securityfocus.com/news/11372



my computer is working fine right now , but i feel its not clean

am i having a new generation of rootkit ?

any ideas on tools to detect something like that ?
(i tried most of the conventional ones)


Thank you in advance for your suggestions
excuse me for my bad english

 

Look at this, it´s not much, if it´s deep hidden, but some hints are always there, e.g. :

http://i15.tinypic.com/2utpwtx.png

If you doubt and think about bios rootkit, use linux from cd check install process behaviour, check windows xp install process behaviour, look about restricted rights, checkboxes tell you, you are not admin but however you are really in admin mode.

For example check also Ndis.sys, check sysfiles that may be replaced, use IAT Hooks Analyzer. Look for Port 0 attacks.

 

Maybe, they're pretty easy to make and implement.
Look up information about your system, bios, motherboard - hardware protection etc and further reading at blackhat.com - making, detection.

Edit : look for clues, logs, debugging. This method is the way in, the bios only offers a small amount of space so look for other clues backdoors etc - look to see what your system is up to in normal use.

 

Another damn hint is, if you formatted your hd and reinstalled a brandnew windows, then you look into HKLM\Software or Services and find old entries of your former Windows Installation (or entries from a cross Win Installation on another Harddisk) without having installed them.

They use a unknown kind of file infection to save their infos via registry to stay persistent.

Another thing that should alarm you: when some of your favorite Apps stop working and quit because of internals BOs.

 

That is a lie. Not true. Most boards nowadays have no jumpers for bios (for example: MSI). Vulnerable from the beginning.

I also would pay attention (to make paranoia perfect) about deleting things, could be possible that they won´t be deleted (only shifted to other areas of your hd) or your shredder is manipulated, anything is possible.

Source

The thing with

sounds cruel.

 

thank you all for fast answers

i am actually checking my files with IAT analyzer

also looked at blackhat but they dont seem to be listing exploits anymore , they are only promoting their conferences

is there something similar to rootshell.com actually ? (just discovered they closed )

@Systemjunkie : what do you mean by checking port 0 attack ?
can i do this with a tool like port explorer ?



am i allowed to post some log files if they are not from hijack this ?
(just read its forbidden for some obscure reason to post hijack logs here now )

 

Port Explorer is a cool tool too, but I am not sure. Outpost Pro shows a good possibility to survey Port 0.

Send via pm if you want and send screens of your IAT results, the red hooked one, e.g. of explorer.exe, taskmgr.exe.

 

im back , i tried RootkitHook analyzer 2.0 and found Two supect thingy

first one is my sptd.sys (file hidden by daemon tool for mouting images against securom and other protections ) this one is normal np prob with it

but i just found a thing that fear me : Sandbox.sys



here are some lines of the log
NtDeleteValueKey, ZwDeleteValueKey 65 0xAAC60530 YES Sandbox.SYS
NtOpenFile, ZwOpenFile 116 0xAAC55AA0 YES Sandbox.SYS
NtQueryDirectoryFile, ZwQueryDirectoryFile 145 0xAAC56FE0 YES Sandbox.SYS
NtUnloadDriver, ZwUnloadDriver 262 0xAAC61420 YES Sandbox.SYS


it has something like 20 Nt commands enabled



Edit : just found out that outpost pro use a sandbox.sys everything is allright im now going to pm systemjunkie if i found any suspect things with IAT analyzer