Level 7

Hardware Rootkit

I was hacked a long time ago while I was using a chat, and my computer was infected with something like a hardware rootkit.

I moved this thing from one computer to another over the years, and the best thing is I never moved exe files, only hardware like monitors, keyboards, mice, and only once an external HD with some movies.

It is not a process for sure; it is something else, and no antivirus is able to detect it because, I suppose, it is inside some piece of hardware.

Starting from this, I have been DDoSed, hacked, insulted.

They show me they are able to see which servers and which accounts I am using. I suppose they do some hacking, but at the bottom there is something like a super virus inside some piece of hardware.

What I have done on this computer and in the past:

Zero-format the HD and flash the BIOS.

It looks like this thing survives.

What should i do?

Before you ask: no, it is not a friend of mine; no, my wireless is not hacked; no, I am not using any kind of software which could show me online.

It has been about 10 years now that I have been moving this thing from one computer to another. I changed home, computers, routers, ADSL, in all this time.

Sorry if my English is bad!

0 Kudos
6 Replies
Level 21

Re: Hardware Rootkit

What is your operating system and service pack, please? The usual reason for suspicious activity like you describe is an insecure and/or infected machine. It's unlikely that hardware would have something built in like that unless purposely planted there, but it could be a software rootkit.

Look in the last link in my signature and run the Rootkit Remover, Stinger and then Malwarebytes Free. You could also run the GetSusp tool that submits suspicious things to McAfee automatically if you like, but don't forget to enter your email address under Preferences if you wish to get a response.

If they find nothing or don't help, then run Hijackthis and post its log on one of the forums mentioned in that link (that's nearer the bottom).


Message was edited by: Ex_Brit on 18/07/12 6:33:07 EDT AM
0 Kudos
Level 7

Re: Hardware Rootkit

Hello ex_brit, well, this is not about the operating system I am using. For example, last year I installed Ubuntu with a web server and got hacked (admin password changed, boot loader changed, home directory decrypted).

This was done while I had a firewall on the router and a firewall on Ubuntu with no rules allowing access to it. They simply saw I was using it and, in some way, they hacked me.

After that, I zero-formatted, installed Windows, went online to play a game, and I got a message from a guy: "Now you play, and linux?" (No way someone could find me connected to that game if not by hacking, because I never gave my username to anyone.)

I have only 1 computer.

I always install all updates when I switch from OS to OS, and I always have a firewall on and antivirus on. I am paranoid, you know. But this is not enough.

It is like I have a keylogger, sniffer, backdoor, or something sending some kind of signal to them. And I am not installing this, that is for sure.

I will run those tools now and I'll tell you the result.

0 Kudos
Level 21

Re: Hardware Rootkit

OK, good luck. The best people to advise you on this would be those Hijackthis specialist forums.

0 Kudos
Level 11

Re: Hardware Rootkit

Hello -

It's possible you have some kind of hardware keylogger or packet sniffer. Does anyone else have access to the PC? It's also possible your router has been hacked, wired or wireless; you may need to reset your router, change the username and password, and make the password stronger. Consult your ISP on how to reset your router if you're unsure how to go about this; there could also be custom settings that need to be applied as well.

0 Kudos
Level 7

Re: Hardware Rootkit

Sorry for the delay; I have been under DDoS, then I went online to play a game and a guy sent a message to me (NO WAY HE COULD KNOW I WAS PLAYING THAT GAME AND MY ACCOUNT NAME WITHOUT HACKING). He told me "AHAH IF YOU WANT I TELL YOU WHAT IT IS" (in Italian, which is my language), then he started writing down what I was just saying to another guy some minutes before, then my network card crashed!

I used all these tools:

Stinger, GetSusp, GMER, TDSSKiller: nothing, all say FOUND 0.

This is the log of HijackThis v2.0.4:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} (Battlefield Play4Free Updater) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{4BFE0DB7-13C9-4AE1-89A0-4F4988235902}: NameServer =

O17 - HKLM\System\CS1\Services\Tcpip\..\{4BFE0DB7-13C9-4AE1-89A0-4F4988235902}: NameServer =

O17 - HKLM\System\CS2\Services\Tcpip\..\{4BFE0DB7-13C9-4AE1-89A0-4F4988235902}: NameServer =

O20 - AppInit_DLLs: 

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

What do I have inside my PC? Is it possible this terrible virus is not found by any product because it is not a user-space virus? What else could it be?

It has been 10 years that I have been moving this thing from one PC to another. Help me please.

0 Kudos
Level 21

Re: Hardware Rootkit

The Hijackthis log should be posted somewhere such as BleepingComputer as suggested in my link. We don't have the resources to analyse them here. By the way, that HJT log looks incomplete to me. They are quite long, so something is missing. When you are posting on one of the suggested forums, make sure it's the complete log.

From what is there, all I can see that is obvious is you have Daemon Tools installed, which used to be known to have issues with McAfee; not sure if it still does.

0 Kudos
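As an added example, not part of this thread and not a tool from McAfee, HijackThis or any of the forums mentioned: a small Python triage helper for the kind of HijackThis log pasted above and for the point raised in the last reply that the paste looks incomplete. It splits log text into entries by section code (R0, F2, O4, O17, O20, O23), checks whether the paste carries the "Logfile of ..." header and "Running processes:" section that a full HijackThis log has, and groups the entries a reviewer reads first: O4 autoruns, O17 NameServer values, O20 AppInit_DLLs, and O23 services split by "(file missing)" and "Unknown owner". The embedded sample log is a constructed, shortened subset shaped like the one in the thread (the GUID and paths are taken from it); the section meanings follow the standard HijackThis log format.

```python
"""Triage helper for HijackThis-style log text (added example; not a tool from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines in the shape of the HijackThis 2.0.4 log posted
# in the thread (GUID and paths copied from it, list shortened). It deliberately
# lacks the "Logfile of ..." header and "Running processes:" section of a full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BFE0DB7-13C9-4AE1-89A0-4F4988235902}: NameServer =
O20 - AppInit_DLLs:
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, F2, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return [{'section': 'O23', 'body': '...'}, ...] for each recognisable entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def looks_complete(text):
    """A full HijackThis log opens with a 'Logfile of ...' header and lists a
    'Running processes:' section before the R/F/O entries; a paste that starts
    straight at the entries (like the one in the thread) is a partial copy."""
    lines = text.strip().splitlines()
    if not lines:
        return False
    return lines[0].startswith("Logfile of") and any(
        line.strip() == "Running processes:" for line in lines)


def section_counts(entries):
    """How many entries of each section code were pasted."""
    return Counter(e["section"] for e in entries)


def triage(entries):
    """Group the entries a reviewer reads first. A key is present only when non-empty."""
    out = defaultdict(list)
    for e in entries:
        sec, body = e["section"], e["body"].strip()
        if sec == "O4":        # autorun entries: what starts with the user or the system
            out["autorun"].append(body)
        elif sec == "O17":     # per-adapter DNS servers stored in the registry
            key = "nameserver_empty" if body.endswith("NameServer =") else "nameserver_set"
            out[key].append(body)
        elif sec == "O20":     # AppInit_DLLs: DLLs loaded into every GUI process
            key = "appinit_empty" if body == "AppInit_DLLs:" else "appinit_set"
            out[key].append(body)
        elif sec == "O23":     # installed services
            if "(file missing)" in body:
                out["service_file_missing"].append(body)
            elif "Unknown owner" in body:
                out["service_unknown_owner"].append(body)
            else:
                out["service_named_vendor"].append(body)
    return dict(out)


def summarize(text):
    """One-call summary for deciding whether a pasted log is worth forwarding."""
    entries = parse_hjt(text)
    return {
        "complete": looks_complete(text),
        "entries": len(entries),
        "sections": dict(section_counts(entries)),
        "triage": triage(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "->", value)
```

Run against the sample, `summarize` reports `complete: False` with eight entries, one autorun, an empty NameServer, an empty AppInit_DLLs and three services, one of them flagged "(file missing)". Two reading notes for the real log above: an empty O17 NameServer and an empty O20 AppInit_DLLs are the clean state (a populated value is what merits a look), and the long run of "(file missing)" on standard Windows services is a common artifact of running the 32-bit HijackThis on 64-bit Windows, where file-system redirection hides the real System32, so it is not by itself evidence of infection. The helper only sorts entries for a human reviewer; it does not decide whether anything is malicious.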