
Weird problems



#1 Gorstak
Posted 05 February 2018 - 07:34 PM

Hi. I've been experiencing weird issues on my PC for about 14 years now. The problem is that I have no malware that any kind of security software can find, but my PC behaves as if it were being controlled by someone else. I start programming, and where I have placed a zero, tomorrow I find the number 1. Or something that I remember saving as important is tomorrow nowhere on the drive. Or I play Need for Speed, turn left, but the car keeps going straight or even turns right on occasion. I thought it was some issue with the OS, so I did a number of clean installs, and even changed entire computers, the case and even the peripheral equipment. I have tried scanning my PC with ALL known security products, and came up empty. PC clean as a whistle. I monitored this forum and other people's topics, but none of the tools you guys use managed to help me with my issue.

Then I turned to less known products, and something caught my attention the other day. The aswMBR tool caused a BSOD on my PC when it was scanning the xinputhid.sys file. After googling, it turned out it was a legitimate Windows service which controls input devices, like mouse and keyboard, and then I tried tracing I/O calls to it in an effort to find out what is using it, and got another BSOD. I concluded that whatever it is, it has some sort of defence mechanism which causes a BSOD when revealed. Then I accidentally found out that the Star Trek Online game overwrites some xinput*.dll files when it starts, I'm guessing to stop hacking of the game. Then I found out that security software does not monitor DLL files at all and that those can be executed just like a script and even make connections to the Internet. I just set a software security policy to block execution of rundll32.exe, since it is what starts DLLs on my system, and I'm not sure if that stopped it all or not, but the malware is still somewhere on my PC, and I fail to find out how I get infected even after changing entire PCs and clean installs.

I'm fairly convinced this is some kind of a personal vendetta, and that this malware is written specifically for me.

Help?

Edit: Just remembered. I have a few devices after a clean install of Windows 10 which are without drivers; one of them is called memory controller. Windows installs drivers for those after I connect to the Internet. Another thing I noticed is that sometimes Internet apps like the lyrics reader from Rainmeter fetch data from the Internet even when my LAN cable is disconnected and I am offline. Also, the SanityCheck app is reporting that the memory compression process is reporting a fake name. And also, my problems persist even on Linux Mint and Debian.

 

Edit 2: I also have two phone lines. One of them is blinking non-stop on my router, and the other only when I use my phone; not sure if that is important.

 

Edit 3: I use secpol.msc to configure my firewall to harden my security. I disallow local rules in the Group Policy firewall, enable it on all connections, block all incoming connections except svchost.exe on port 68 from port 67 (DHCP; I even tried configuring the router to a static IP and using my own DHCP server), and outgoing connections are allowed for TCP on ports 80 and 443 for web browsing, svchost.exe on port 53 for DNS (I even tried installing Acrylic DNS to avoid redirections), Tixati outgoing and incoming for torrents, Rainmeter outgoing, Kodi outgoing and Winamp outgoing. I'm not sure if it can get tighter than this.

 

Edit 4: I also downloaded an ad-tracker hosts file from somewhere, and I don't use any browser extensions.

 

Edit 5: I also configured Everyone permissions to apply to anonymous users, and then used AppLocker to forbid everyone from using scripts, and also forbade everyone from network access to my PC...

 

P.S. I had a good 14 years of developing a decent paranoia :)

 

P.P.S. To conclude, I think I have something active in memory, possibly a device, and all it does is use legit OS files...no malware...


Edited by Gorstak, 06 February 2018 - 09:01 AM.
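The firewall policy described in Edit 3 of the post above, written out with the NetSecurity PowerShell cmdlets so it can be inspected line by line and re-applied after a reinstall. This is an added example, not code from the thread: the service names (Dhcp, Dnscache), the install paths for Tixati, Rainmeter, Kodi and Winamp, and the rule names are this example's own assumptions. Two things it adds beyond the post are scoping the svchost.exe rules to the specific hosted service with -Service, since a bare svchost.exe rule covers every service that svchost.exe hosts, and dumping the effective rule set at the end so a rule that appears later stands out against the baseline.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 10.
# Assumptions: the Dhcp and Dnscache service names, the install paths below, and the
# rule names are this example's own; change the paths to match the machine.

$svchost = "$env:SystemRoot\System32\svchost.exe"
$apps = @{
    # application => program path and the directions the post allows for it
    tixati    = @{ Program = "$env:ProgramFiles\Tixati\tixati.exe";        Directions = 'Outbound','Inbound' }
    rainmeter = @{ Program = "$env:ProgramFiles\Rainmeter\Rainmeter.exe";  Directions = 'Outbound' }
    kodi      = @{ Program = "$env:ProgramFiles\Kodi\kodi.exe";            Directions = 'Outbound' }
    winamp    = @{ Program = "${env:ProgramFiles(x86)}\Winamp\winamp.exe"; Directions = 'Outbound' }
}

# 1. Firewall on for every profile, default-deny in both directions.
#    AllowLocalFirewallRules False is the "do not allow local rules" setting from the
#    post; it only takes effect when these profile settings arrive through Group Policy.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowLocalFirewallRules False

# 2. Drop every pre-existing rule so vendor- or installer-added allows cannot widen
#    the policy. This also removes the Core Networking rules (ICMPv6, DHCPv6, IGMP).
Get-NetFirewallRule | Remove-NetFirewallRule

# 3. DHCP: UDP between local port 68 and remote port 67, limited to the Dhcp service
#    inside svchost.exe rather than to everything svchost.exe hosts.
foreach ($dir in 'Inbound','Outbound') {
    New-NetFirewallRule -DisplayName "Allow DHCP client ($dir)" -Direction $dir -Action Allow `
        -Program $svchost -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67
}

# 4. DNS: the Dnscache service only, UDP and TCP to remote port 53.
foreach ($proto in 'UDP','TCP') {
    New-NetFirewallRule -DisplayName "Allow DNS client ($proto)" -Direction Outbound -Action Allow `
        -Program $svchost -Service Dnscache -Protocol $proto -RemotePort 53
}

# 5. Web browsing: outbound TCP 80 and 443. Add -Program <browser path> to keep
#    other software from using this rule to reach port 443.
New-NetFirewallRule -DisplayName 'Allow HTTP/HTTPS (Outbound)' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443

# 6. Per-application allows from the table above.
foreach ($name in $apps.Keys) {
    foreach ($dir in $apps[$name].Directions) {
        New-NetFirewallRule -DisplayName "Allow $name ($dir)" -Direction $dir -Action Allow `
            -Program $apps[$name].Program
    }
}

# 7. Show the effective rule set with its program, service and port filters, so a
#    rule that appears later, or a changed port, stands out against this baseline.
function Get-EffectiveFirewallRules {
    Get-NetFirewallRule -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $svc  = $_ | Get-NetFirewallServiceFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Program    = $app.Program
            Service    = $svc.Service
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemotePort = $port.RemotePort
        }
    }
}
Get-EffectiveFirewallRules | Format-Table -AutoSize
```

Step 2 is what the post's "block all incoming connections" amounts to once default-deny is in place, but removing the Core Networking rules means IPv6 neighbour discovery and multicast stop working until rules for them are added back. Saving the output of step 7 to a file after each run gives something to diff the next time the machine looks wrong.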



#2 Gorstak
Posted 09 February 2018 - 01:07 PM

I have tried using the Paranoid setting in the Comodo Free Internet Security HIPS module recently, and it reported that a user Epoch@epoch is using shared access on my PC and is delegating my credentials. After googling, it seems I am infected with MODPOS for point-of-sale systems, or some variant of it, but I have no idea how to detect it and remove it. I googled up Trend Micro's YARA rule to detect the RAM scraper module of the malware, but as soon as I copied the code to the clipboard, I got some weird error message on my screen and couldn't use my keyboard or mouse to paste it.

 

This is a screenie from my credential manager; some weird generic cred appeared and I can't change its password. (Attached image: creds.jpg)


Edited by Gorstak, 09 February 2018 - 01:35 PM.


#3 Gorstak
Posted 15 February 2018 - 05:40 PM

Another edit: I went digging through the registry and found these 2 keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbdclass

Under those 2 were DWORDs... one of them indicated output from the keyboard is going to the Internet on all ports, and another is called worknicely, which is what was causing my typos, I think...

This was on after a clean install from a USB created with the Media Creation Tool, meaning any password I typed for my account was being sent online.

I also found out my motherboard BIOS recognizes I have 3 keyboards and not only one, meaning the screenie above was some weird device, a keyboard I assume, which let everyone know what I was typing.
I have a total of 5 keyboards in my registry, and only one is physically connected.

Edited by Gorstak, 15 February 2018 - 07:10 PM.
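A way to look at what sits behind the keyboard counts and the two service keys in the post above, as an added example that is not part of the thread. Windows keeps a device instance for every keyboard it has ever enumerated, one per USB port or hub the keyboard was plugged into, and those instances stay in the Keyboard class until they are removed, so the first function separates instances that are attached right now from ones that are only remembered. The second reads each driver service key named in the post, lists any value names beyond the ones documented for a kernel driver service so they can be reviewed by hand, and checks the Authenticode signature of the driver binary the key points to. The function names are this example's own.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 10.
# Function names are this example's own.

function Get-KeyboardInventory {
    # Every Keyboard-class instance this install has ever enumerated, flagged with
    # whether it is attached right now. Windows keeps a separate instance per port
    # or hub a keyboard was plugged into, so remembered entries are normal.
    $present = @(Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty InstanceId)
    Get-PnpDevice -Class Keyboard -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Service' `
                    -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            Name       = $_.FriendlyName
            Status     = $_.Status                    # OK, Error, Degraded or Unknown
            Present    = $present -contains $_.InstanceId
            Service    = $svc                         # kbdhid for USB/HID, i8042prt for PS/2
            InstanceId = $_.InstanceId                # the bus path shows where it was attached
        }
    }
}

function Test-KeyboardDriverService {
    param([Parameter(Mandatory)][string]$Service)
    # Value names documented for a kernel driver service key; anything else is listed
    # under Unknown for manual review rather than judged here.
    $known = @('Type','Start','ErrorControl','ImagePath','DisplayName','Group','Tag',
               'Description','DependOnService','DependOnGroup','Owners','BootFlags')
    $props  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Service" -ErrorAction Stop
    $values = @($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })
    # Expand the \SystemRoot\ or bare System32\ prefix the way the service control manager does
    $image = $props.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                              -replace '^System32\\', "$env:SystemRoot\System32\"
    $sig = Get-AuthenticodeSignature -FilePath $image
    [pscustomobject]@{
        Service   = $Service
        Start     = $props.Start                      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $image
        Signature = $sig.Status                       # Valid expected; inbox drivers are catalog-signed
        Signer    = $sig.SignerCertificate.Subject
        Unknown   = @($values | Where-Object { $known -notcontains $_.Name } | ForEach-Object { $_.Name })
    }
}

Get-KeyboardInventory | Format-Table -AutoSize
'kbdhid','kbdclass' | ForEach-Object { Test-KeyboardDriverService -Service $_ } | Format-List
```

Mice and game controllers that expose a keyboard HID interface, and the Terminal Server keyboard driver on systems with Remote Desktop components, also land in the Keyboard class, so the inventory's Service and InstanceId columns are what tell a USB keyboard on a given port apart from those. For the service keys, the things worth comparing against a known-good Windows 10 install are the Start value, the ImagePath, a Signature of Valid with a Microsoft signer, and an empty Unknown list.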




