Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hackers attacking my network and doing bad things :o

Started by blulululuru , Dec 13 2013 10:17 AM

  • Please log in to reply

#1
blulululuru
Posted 13 December 2013 - 10:17 AM

blulululuru

    New Member

  • Member
  • Pip
  • 1 posts
I seriously hate sounding like I've just seen ufo's, but I strongly believe my network and computer is being attacked and that I have backdoors/rootkits from whatever payloads.


A couple months ago my firewall suddenly began to block about five ARP requests per second for as long as I'd have my internet up. From that point I began having multiple sessions open in gmail appearing to be my IP, processes were connecting to the internet despite attempts to block them with Comodo, and eventually my privileges dropped to next to nothing. I got remotely shut down only once in a timespan of about a month.


I did a scan with GMER during my first reformat and it flagged trees of my registry that mostly had to do with domains and whatnot, but started to get snagged on something on future scans. I started to boot from a Ubuntu live CD instead of Windows 7 Home Premium after seeing that chunks of my settings and registry would persist after a reformat. Ubuntu soon followed the same trend and would come packaged with more apps after each boot - normally having to do with one type of server or another.


I switched out my CPU, RAM, Hard drive, Motherboard, CD drive, and got a wired cable modem before doing a clean install from a new Windows CD (with my onboard LAN switched off in the bios during the process). I did the pruning of services, updating, firewall rules, etc. Things seemed alright for a time until I noticed my IP was no longer being released and various other junk that had me edging on paranoia.


Reformatted, got firefox, got Pidgin with the Off-the-Record plugin, and a debugger. I opened up pidgin.exe after a day and checked out strings in the memory and saw pieces of conversations that I never had, lines that looked like they came from an IRC server, warnings from OTR that there were multiple sessions open that I never recieved at the time, and other crazy stuff along those lines.


So... yeah, lots of text, lots of problems. I'm stumped. I should be around most of the day so anyone who helps will get a quick response.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by yawn at 10:08:22 on 2013-12-13
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4045.3350 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://microsoft.com/
mWinlogon: Userinit = userinit.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{E0E641EB-6ADD-4B6E-9787-5E9027E11690} : DHCPNameServer = 209.18.47.61 209.18.47.62
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-12-13 533096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
.
=============== Created Last 60 ================
.
2013-12-13 14:51:13 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll
2013-12-13 14:51:13 533096 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2013-12-13 14:51:13 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2013-12-13 14:51:09 -------- d-----w- C:\Program Files (x86)\Realtek
2013-12-13 14:49:05 24104 ----a-w- C:\Windows\gdrv.sys
2013-12-13 13:10:13 126320922 ----a-w- C:\b.reg
2013-12-13 11:21:40 5126 ----a-w- C:\a.reg
2013-12-13 10:25:47 -------- d-----w- C:\Windows\Panther
2013-12-13 08:40:50 -------- d-----w- C:\Users\yawn\AppData\Local\ElevatedDiagnostics
.
==================== Find6M ====================
.
.
============= FINISH: 10:08:26.71 ===============





No whitelist:

Spoiler


This is from a fresh reformat

Edited by blulululuru, 13 December 2013 - 10:24 AM.

  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP