
Being Attacked Everywhere


Hello all,

I'm getting attacked from every possible angle. In earlier stages Malwarebytes reported it found Trojan BHO.Kettle or something like that, and I removed it, but it did not solve the problem. Malwarebytes is now not finding anything. I've tried all sorts of anti-virus programs and rootkit detectors, but they get hijacked themselves. I tried RootRepeal, for example, and it reported it was being controlled by something else and its drivers were different from the ones in the running kernel.

Every time I log on it gets worse. It attacks everything: AVG, Wireshark, Avast, Malwarebytes, firewalls, etc. There's no way I can get rid of this thing. Is it possible for Malwarebytes to detect if it's being infested with something when it runs? Function hooking and redirecting, that sort of thing, DKOM, comparing its code and data in memory to what's on disk, or connecting to the Internet to do a check somehow of whether it's compromised? "Live" scanners are reasonable, like Sysinternals TcpView. Sysinternals' RootkitRevealer dumps a lot of stuff but in the end is also useless, and I can't save anything. Sometimes the window just gets painted black so I can't see a thing, and it tries to keep logging me off the system. I also get something to do with Interactive Services Detection and I get a grey screen where the window is running. I noticed that when I checked where it was running from, it was running from a seemingly randomly generated name in a temporary directory. It would sure be a good idea for Microsoft to figure out how to halt the execution of anything in temporary directories. Unfortunately this would break backward compatibility...

I wonder whether it's a good idea to advertise software as A/V or A/Rootkit software. For example, do something with the strings in the binary so they cannot be examined until it runs and shows the strings on Windows controls to the user, and find some way that malware can't do an MD5 or other hash check on the binary (e.g. make the hash different each time it runs). When it runs it may be able to shuffle things around in memory, re-link on the fly, that sort of thing, if you see what I mean. Would that be feasible?

It takes over my modem/router and does a lot of DNS stuff, confuses everything, tries to use bootp (according to Wireshark), and downloads lots of stuff for remote log-ins, scans, etc. It's tracking everything, infecting CDs and DVDs I burn (Linux, BSD, whatever), and more.

As for Linux, as a point of interest in case anyone's come across it: if you check out the wiki on Debian's site and look at the Debian installer project, especially the automated install and pre-seeding, this is obviously how it takes over a Linux or any other UNIX-type system. It runs an auto-install with pre-seeded answers to questions, fooling you into thinking you're installing what you want with the responses to questions you put in, saves your root password and user account details, makes sure your crypto is useless, and much more. It has templates for every package, and in the initrd image that takes over and installs I found what appeared to be a file that tells the rootkit controller what he can do and what it might or likely means if something goes wrong. This appears to be a pattern that is not specific to Debian GNU/Linux; much the same thing happens for all flavours of Unix.

Any help appreciated if you have experienced extreme attacks like this that go on for months and drive you crazy... By the way, this thing, whatever it is, can and does flash anything that has firmware and takes over hardware. It also really likes networking.

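The integrity check the post asks about (an A/V comparing its own code in memory against the copy on disk) is easy to illustrate in a few lines. The block below is an added example, not Malwarebytes code: it diffs a code section against its on-disk image and decodes the target of a JMP rel32 planted at a function prologue, the usual shape of an inline hook. The section bytes, the load address and the trampoline address are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Patch:
    offset: int                 # byte offset into the section where bytes diverge
    length: int                 # number of bytes the patch covers
    jmp_target: Optional[int]   # resolved destination when the patch starts with JMP rel32

def find_patches(disk: bytes, memory: bytes, section_base: int) -> List[Patch]:
    """Compare a code section as stored on disk with the same section as loaded
    in memory and return every range that was modified after loading.

    section_base is the virtual address the section is mapped at; it is needed
    to resolve an E9 rel32 near jump, whose displacement is relative to the
    address of the instruction that follows it."""
    if len(disk) != len(memory):
        raise ValueError("section sizes differ; wrong section or wrong file")
    patches, i, n = [], 0, len(disk)
    while i < n:
        if disk[i] == memory[i]:
            i += 1
            continue
        start = i
        if memory[start] == 0xE9 and start + 5 <= n:
            rel = struct.unpack_from("<i", memory, start + 1)[0]
            target = section_base + start + 5 + rel
            i = start + 5          # report the whole 5-byte jump as one patch
        else:
            target = None
            while i < n and disk[i] != memory[i]:
                i += 1
        patches.append(Patch(start, i - start, target))
    return patches

# Constructed sample: a 64-byte ".text" section (padding, a prologue, int3 filler)
# and a copy of it with an inline hook written over the prologue at offset 16.
SECTION_BASE = 0x00401000   # assumed address the section is mapped at
HOOK_OFFSET = 16
TRAMPOLINE = 0x10001000     # assumed address the hook jumps to (outside the section)

def build_sample() -> tuple:
    disk = bytes([0x90] * 16 + [0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20] + [0xCC] * 38)
    rel = TRAMPOLINE - (SECTION_BASE + HOOK_OFFSET + 5)
    memory = disk[:HOOK_OFFSET] + b"\xE9" + struct.pack("<i", rel) + disk[HOOK_OFFSET + 5:]
    return disk, memory

def check_sample() -> List[Patch]:
    disk, memory = build_sample()
    return find_patches(disk, memory, SECTION_BASE)
```

A real check must first discount differences the loader makes legitimately (applied relocations, import tables), and a kernel-level rootkit that filters file or memory reads can hand the check a clean view of both copies, so a user-mode self-check is a useful signal rather than proof of integrity.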

Hello GotBadMalware, welcome to Malwarebytes.org.

We don't work on Malware removal or diagnostics in the general forums.

Please print out, read, and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Thank You - :lol:

