6 Replies Latest reply on Jul 22, 2012 6:48 AM by Peter M

    Hardware Rootkit

      I have been hacked a lot of time ago while i was using a chat, and my computer was infected with something like a hardware rootkit.

       

      I moved this thing from one computer to another in the years and the best thing is i never moved exe files, only hardware like monitors, keyboards, mouse, and only 1 time an external hd with some movies.

       

      It is not a process for sure it is something else and no antivirus is able to detect it, couse, i suppose, it is inside some piece of hardware.

       

      Starting from this, i have been under ddos, hacked, insulted.

       

      They show me they are able to see which servers and which accounts i am using, i suppose they do some hacking but at the bottom there is something like a super virus inside some piece of hardware.

       

      What i have done on this computer and in the past:

       

      zero format hd and flash bios

       

      Looks like this thing survive.

       

      What should i do?

       

      Before you ask: No it is not a friend of mine, not my wireless is not hacked, no i am not using any kind of software which could show me online.

       

      It is about 10 years now i am moving this thing from one computer to another. Changed home, computers, routers, adsl, in all this time.

       

      Sorry if my english is bad!

        • 1. Re: Hardware Rootkit
          Peter M

          What is your operating system and service pack  please?   The usual reason for suspicious activity like you describe is an insecure and/or infected machine. It's unlikely that hardware would have something built in like that unless purposely planted there, but it could be a software rootkit.

           

          Look in the last link in my signature and run the Rootkit Remover, Stinger and then Malwarebytes Free.   You could also run the GetSusp tool that submits suspicious things to McAfee automatically if you like but don't forget to enter your email afddress under Preferences if you wish to get a response.

           

          If they find nothing or don't help, then run Hijackthis and post its log on one of the forums mentioned in that link (That's nearer the bottom).

           

           

           

           

           

           

           

          .

           

          Message was edited by: Ex_Brit on 18/07/12 6:33:07 EDT AM
          • 2. Re: Hardware Rootkit

            Hello ex_brit, well,  this is not about the operating system i am using, for example, last year, i installed ubuntu with a web server and got hacked (admin password changed, boot loader changed, home directory decrypted).

             

            This have been done while i had firewall on router and firewall on ubuntu with no rules allowing access to it. They simply saw i was using it and ,in some way, they hack me.

             

            After that, i zero format, install windows, gone online to play a game, and i got a message from a guy, "Now you play, and linux?" (No way someone could find me connected to that game if not for hacking, couse i never gave my username to someone).

             

            I have only 1 computer.

             

            I always install all updates when i switch from os to os, and i always have a firewall on and antivirus on . I am paranoid u know. But this is not enough.

             

            It is like a i have a keylogger, sniffer, backdoor, or something sending some kind of signal to them. And i am not installing this, that is for sure.

             

            I will run those tools now and i'll tell you the result.

            • 3. Re: Hardware Rootkit
              Peter M

              OK good luck.   The best people to advise you on this would be those Hijackthis specialist forums.

              • 4. Re: Hardware Rootkit

                Hello -

                 

                It`s possibly you have some kind of hardware keylogger or packet sniffer? Does anyone else have access to the PC? It`s also possibly your router has been hacked - wired or wireless - you may need to reset your router - change username and password , and make the password stronger. Consult with your ISP on how to reset your router if your unsure how to go about this, there could also be custom settings that need to be applied as well.

                • 5. Re: Hardware Rootkit

                  Sorry for delay, i have been under ddos then i gone online to play a game and a guy sent a message to me (NO WAY HE COULD KNOW I WAS PLAYING THAT GAME AND MY ACCOUNT NAME WITHOUT HACKING), he told me "AHAH IF YOU WANT I TELL YOU WHAT IT IS" (in italian which is my language), then he start writing down what i was just saying to another guy some minutes before, then my network card crash!

                   

                  I used all this tools:

                   

                  stinger, getsusp, gmer, tdsskiller, nothing all say FOUND 0.

                   

                  This is the log of HijackThis v2.0.4:

                   

                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com

                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

                  F2 - REG:system.ini: UserInit=userinit.exe

                  O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

                  O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

                  O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

                  O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

                  O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

                  O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

                  O16 - DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} (Battlefield Play4Free Updater) - https://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.66.2.cab

                  O17 - HKLM\System\CCS\Services\Tcpip\..\{4BFE0DB7-13C9-4AE1-89A0-4F4988235902}: NameServer = 192.168.0.1

                  O17 - HKLM\System\CS1\Services\Tcpip\..\{4BFE0DB7-13C9-4AE1-89A0-4F4988235902}: NameServer = 192.168.0.1

                  O17 - HKLM\System\CS2\Services\Tcpip\..\{4BFE0DB7-13C9-4AE1-89A0-4F4988235902}: NameServer = 192.168.0.1

                  O20 - AppInit_DLLs: 

                  O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

                  O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

                  O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe

                  O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

                  O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

                  O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                  O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

                  O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

                  O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

                  O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

                  O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

                  O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

                  O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

                  O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

                  O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

                  O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

                  O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

                   

                   

                   

                  What have i inside my pc? Is it possible this terrible virus is not found by any product becouse it is not a user space virus? What else could it be?

                   

                  It is 10 years i have been moving this thing from 1 pc to another help me please.

                  • 6. Re: Hardware Rootkit
                    Peter M

                    The Hijackthis log should be posted somewhere such as BleepingComputer as suggested in my link.   We don't have the resources to analyse them here.  By the way, that HJT log looks incomplete to me.   They are quite long so something is missing.   When you are posting on one of the suggested forums, make sure it's the complete log.

                     

                    From what is there all I can see that is onbvious is you have Daemon Tools installed, that use to be known to have issues with McAfee, not sure if it still does.