Hackers attacking my network and doing bad things :o



#1 blulululuru
New Member, 1 posts
I seriously hate sounding like I've just seen UFOs, but I strongly believe my network and computer are being attacked and that I have backdoors/rootkits from whatever payloads.


A couple months ago my firewall suddenly began to block about five ARP requests per second for as long as I'd have my internet up. From that point I began having multiple sessions open in gmail appearing to be my IP, processes were connecting to the internet despite attempts to block them with Comodo, and eventually my privileges dropped to next to nothing. I got remotely shut down only once in a timespan of about a month.


I did a scan with GMER during my first reformat and it flagged trees of my registry that mostly had to do with domains and whatnot, but started to get snagged on something on future scans. I started to boot from a Ubuntu live CD instead of Windows 7 Home Premium after seeing that chunks of my settings and registry would persist after a reformat. Ubuntu soon followed the same trend and would come packaged with more apps after each boot - normally having to do with one type of server or another.


I switched out my CPU, RAM, hard drive, motherboard, CD drive, and got a wired cable modem before doing a clean install from a new Windows CD (with my onboard LAN switched off in the BIOS during the process). I did the pruning of services, updating, firewall rules, etc. Things seemed alright for a time until I noticed my IP was no longer being released and various other junk that had me edging on paranoia.


Reformatted, got Firefox, got Pidgin with the Off-the-Record plugin, and a debugger. I opened up pidgin.exe after a day and checked out strings in the memory and saw pieces of conversations that I never had, lines that looked like they came from an IRC server, warnings from OTR that there were multiple sessions open that I never received at the time, and other crazy stuff along those lines.


So... yeah, lots of text, lots of problems. I'm stumped. I should be around most of the day so anyone who helps will get a quick response.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by yawn at 10:08:22 on 2013-12-13
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4045.3350 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://microsoft.com/
mWinlogon: Userinit = userinit.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{E0E641EB-6ADD-4B6E-9787-5E9027E11690} : DHCPNameServer = 209.18.47.61 209.18.47.62
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-12-13 533096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
.
=============== Created Last 60 ================
.
2013-12-13 14:51:13 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll
2013-12-13 14:51:13 533096 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2013-12-13 14:51:13 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2013-12-13 14:51:09 -------- d-----w- C:\Program Files (x86)\Realtek
2013-12-13 14:49:05 24104 ----a-w- C:\Windows\gdrv.sys
2013-12-13 13:10:13 126320922 ----a-w- C:\b.reg
2013-12-13 11:21:40 5126 ----a-w- C:\a.reg
2013-12-13 10:25:47 -------- d-----w- C:\Windows\Panther
2013-12-13 08:40:50 -------- d-----w- C:\Users\yawn\AppData\Local\ElevatedDiagnostics
.
==================== Find6M ====================
.
.
============= FINISH: 10:08:26.71 ===============


No whitelist:

This is from a fresh reformat

Edited by blulululuru, 13 December 2013 - 10:24 AM.

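As an added example (my own code, not the poster's and not part of DDS), a small Python parser for the DDS log format quoted above: it splits the log into its `====` sections, turns the "Created Last 60" lines into records, and applies a simple triage rule of my own (newly created .sys drivers and loose files directly under the drive root) so a helper can see which new files to ask about first. The sample lines are copied from the log in the post; the triage rule is a heuristic for prioritising review, not a verdict on any file.

```python
import re

# Constructed sample: lines copied from the DDS log quoted in the post above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\lsm.exe
.
=============== Created Last 60 ================
.
2013-12-13 14:51:13 533096 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2013-12-13 14:49:05 24104 ----a-w- C:\Windows\gdrv.sys
2013-12-13 13:10:13 126320922 ----a-w- C:\b.reg
2013-12-13 10:25:47 -------- d-----w- C:\Windows\Panther
.
==================== Find6M ====================
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# timestamp, size (dashes for a directory), eight attribute flags, then the path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+)$")


def parse_sections(text):
    """Split a DDS log into {section title: [content lines]}, dropping '.' spacers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def parse_created(lines):
    """Parse 'Created Last 60' lines into dicts; directories get size None."""
    entries = []
    for m in filter(None, map(CREATED_RE.match, lines)):  # skip wrapped fragments
        ts, size, attrs, path = m.groups()
        entries.append({"time": ts, "attrs": attrs, "path": path,
                        "size": None if size.startswith("-") else int(size),
                        "is_dir": attrs.startswith("d")})
    return entries


def triage_created(entries):
    """My triage heuristic (not DDS's): new .sys drivers and loose root files first."""
    def suspicious(e):
        in_root = e["path"].count("\\") == 1  # e.g. C:\b.reg sits directly under C:\
        return not e["is_dir"] and (e["path"].lower().endswith(".sys") or in_root)
    return [e["path"] for e in entries if suspicious(e)]
```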