  1. #1
    Just Joined!
    Join Date
    Feb 2014
    Posts
    3

    Help with log? Possible malware or windows-user's paranoia:


    So...about four weeks ago, I had one crazy day where my Windows 8.1 install started redirecting my searches, then disabled the Defender and firewall programs, and just started acting crazy. Consequently, my Android phone and tablet and wife's laptop went haywire as well. Sure I was facing a rootkit-type malware, I did some standard searching and ran several tools, ultimately donating and installing Parted Magic in order to help assess the situation.

    This being said, I admit I am a complete newbie to Linux, but not computers. I have been able to do a lot of searching for hidden partitions and learning about boot records and such, and have taught myself slowly how to do some fundamentals such as reading some logs and using netstat and lastlogin and the like.

    Then things got weird.

    After a secure erase of a SSD, I essentially started up an install of Windows with only it attached. A reboot later, the Windows Defender shut down and everything started up again. I did make sure that I was not connected to the internet or any networked systems. So paranoid had I become that I even battery-pulled my phone.

    Now...it's been four weeks and I have yet to figure out what's happening. I actually went and bought a brand new hard drive and motherboard. Using only the same keyboard and mouse and careful not to use any rootkits hidden in a USB drive, I installed Windows 7 and the same stuff happened.

    Worse, this time around, I believe what has been affecting my system flashed my bios, as every third boot or so I would see the real bios, yet most of the time it took a while to boot and when it would hang up, I learned that I could hit alt or windows and the f-keys and I would actually see terminals (Linux?) of data and such. I thought I was going crazy for a while, then figured something must be putting itself into my motherboard's SMAP or memory or something. I cleared the CMOS, and did my best to try and pinpoint how to describe what I had seen.

    I then began to worry that my Parted Magic, Hiren's, UBCD, and even other rescue disks were failing due to the live infection. Kaspersky Live CD has yet to be able to update. Bit Defender either. Gmer and Combofix, when I can run them, will crash.

    I posted a message to Bleeping Computer and was told that if I thought something was affecting multiple OS's that I was an idiot.

    That leads me to this post. As much as I have learned about reading logs and determining malware on a Linux system, I want to make sure I am in a safe environment, and some stuff has happened that has worried me...like seeing strange hidden folders and such. For the most part, when I looked up the names of strange processes, it seemed to be a normal command in Linux.

    I would simply like someone to look at this log and tell me if anything screams 'malware' or rootkit. It looks normal, but when I connect to the internet, it looks like something might be reaching out? Worse, I notice some redirects in the browser and have noticed some sites have been blocked.

    I called SWBell and they assured me my DSL modem had not been compromised.

    My pastebin of the Messages log is here: pastebin dot com/dUpiJ0VS

    The Piglet Secret Stash was my router name. It has dd-wrt and I am pretty sure isn't compromised. Am on a tethered wifi phone at the moment.

    Please reassure me or assist if willing and able?
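An added example, not from the original post and not derived from the poster's pastebin: a small Python triage pass over a syslog-style "messages" dump of the kind Parted Magic writes, flagging the events a reviewer would look at first when asked whether anything is "reaching out" (interface coming up and taking a DHCP lease, a NIC entering promiscuous mode, an accepted remote login, a new USB device, a kernel module failing signature verification). The hostname, PIDs, addresses and log lines are constructed for illustration; the rule set is deliberately small and meant to be extended for whatever daemons actually log on the box.

```python
# Added example: triage a syslog-style "messages" dump for events worth a second look.
# Log lines, hostname, PIDs and addresses below are constructed, not taken from the thread.
import re
from collections import Counter

# RFC 3164-style line: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<proc>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)

# First matching rule wins. Patterns follow wording common daemons emit; extend as needed.
RULES = [
    ("network_up",   re.compile(r'leased \S+ for|bound to \S+|DHCPACK|Link is Up|link becomes ready', re.I)),
    ("promisc_mode", re.compile(r'entered promiscuous mode', re.I)),   # NIC switched to sniffing mode
    ("remote_login", re.compile(r'Accepted (password|publickey|keyboard-interactive) for', re.I)),
    ("usb_attach",   re.compile(r'new (low|full|high|super)-speed USB device', re.I)),
    ("unsigned_mod", re.compile(r'module verification failed|tainting kernel', re.I)),
]

def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Return {'hits': [...], 'unparsed': [...]}; each hit carries the rule category that fired."""
    hits, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)   # malformed lines deserve a look too
            continue
        for category, pattern in RULES:
            if pattern.search(rec["msg"]):
                hits.append({"category": category, **rec})
                break
    return {"hits": hits, "unparsed": unparsed}

def summarize(hits):
    """Count hits per category for a quick 'what kinds of things happened' view."""
    return Counter(h["category"] for h in hits)

# Constructed sample log (hostname, PIDs and addresses are made up).
SAMPLE_LOG = """\
Feb 20 09:12:01 partedmagic kernel: usb 1-3: new high-speed USB device number 4 using ehci-pci
Feb 20 09:12:02 partedmagic kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Feb 20 09:12:10 partedmagic dhcpcd[812]: eth0: leased 192.168.1.107 for 86400 seconds
Feb 20 09:12:10 partedmagic dhcpcd[812]: eth0: adding route to 192.168.1.0/24
Feb 20 09:12:11 partedmagic kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex
Feb 20 09:13:44 partedmagic kernel: device eth0 entered promiscuous mode
Feb 20 09:14:02 partedmagic sshd[1044]: Accepted password for root from 192.168.1.50 port 51322 ssh2
Feb 20 09:15:00 partedmagic crond[900]: (root) CMD (run-parts /etc/cron.hourly)
this line is not syslog-shaped and should be reported as unparsed
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for h in result["hits"]:
        print(f'{h["ts"]}  {h["category"]:<13} {h["proc"]}: {h["msg"]}')
    print("summary:", dict(summarize(result["hits"])))
    print("unparsed:", len(result["unparsed"]))
```

Run it against a real dump with `triage(open("messages").read().splitlines())`. One caveat belongs next to any result it gives: a kernel-level rootkit sits underneath the syslog daemon and can hide or alter what gets written, so a clean messages log is weak evidence of a clean host. Whether the machine is actually "reaching out" is better established from outside it, for example from the dd-wrt router's connection table or a packet capture taken on a separate machine, rather than from tools run on the suspect host.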

  2. #2
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,416
    There are a lot of vulnerable routers out there that have been the vector for such hacks. What is the make+model of your home router?
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Just Joined!
    Join Date
    Feb 2014
    Posts
    3
    Quote Originally Posted by Rubberman View Post
    There are a lot of vulnerable routers out there that have been the vector for such hacks. What is the make+model of your home router?

    Well, I know enough to have flashed dd-wrt to mine and have kept it locked down. Whatever is happening is happening regardless of any net or router being attached to the system. I have been looking through BIOS files, basically the UEFI shell. It shows a FAT12 and FAT16 driver that loads, whatever that may mean. There's nothing trying to call out in that message log? I mean it's all above board?

  4. #4
    Linux Engineer docbop's Avatar
    Join Date
    Nov 2009
    Location
    Woodshed, CA
    Posts
    902
    Quote Originally Posted by zenx1 View Post
    Well, I know enough to have flashed dd-wrt to mine and have kept it locked down. Whatever is happening is happening regardless of any net or router being attached to the system. I have been looking through BIOS files, basically the UEFI shell. It shows a FAT12 and FAT16 driver that loads, whatever that may mean. There's nothing trying to call out in that message log? I mean it's all above board?
    If you have changed out everything you say, then I would be suspicious of your copy of Windows itself, sounds like it has been hacked. It sounds like that is the one thing and is a constant in your efforts.

  5. #5
    Just Joined!
    Join Date
    Feb 2014
    Posts
    3
    Quote Originally Posted by docbop View Post
    If you have changed out everything you say, then I would be suspicious of your copy of Windows itself, sounds like it has been hacked. It sounds like that is the one thing and is a constant in your efforts.
    Well, the other constant is my Nvidia GTX card. What is the likelihood of it having code? One thing I notice is that no matter what I boot, I often see an ISOLINUX menu at the top of the monitor. Do Hiren's and Parted Magic and UBCD all use this? Or have all of these rescue CDs been running within another system?

  6. #6
    Linux Engineer docbop's Avatar
    Join Date
    Nov 2009
    Location
    Woodshed, CA
    Posts
    902
    Quote Originally Posted by zenx1 View Post
    Well, the other constant is my Nvidia GTX card. What is the likelihood of it having code? One thing I notice is that no matter what I boot, I often see an ISOLINUX menu at the top of the monitor. Do Hiren's and Parted Magic and UBCD all use this? Or have all of these rescue CDs been running within another system?
    I've never used any of those tools so can't comment on what they were built on.

    If you're concerned about your video card, most motherboards have basic video built in. If your mobo has video, pull your video card and try an install without it; that will help to eliminate it from your possibilities.

  7. #7
    Linux Engineer
    Join Date
    Dec 2013
    Posts
    1,048
    Quote Originally Posted by zenx1 View Post
    Well, the other constant is my Nvidia GTX card. What is the likelihood of it having code? One thing I notice is that no matter what I boot, I often see an ISOLINUX menu at the top of the monitor. Do Hiren's and Parted Magic and UBCD all use this? Or have all of these rescue CDs been running within another system?
    Isolinux is a boot loader for CD-ROMs, so I don't think it would be unusual to see its menu when using a bootable CD. If you've been powering down and unplugging from the wall to allow all the power to drain out of your chips, I don't see how anything would survive in the RAM of your video card. The driver would be a different story, of course.

    I agree with docbop - your copy of Windows is what jumps out at me. Doesn't MS provide a label of some sort that allows you to check the validity of your disks or something like that? It's been a while since I've done a windows install but I remember something like that.
