I have alternate desktop and can't fix it even after reformat

Discussion in 'malware problems & news' started by lucd, Jan 30, 2018.

  1. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    hi

I was hacked 1 month ago or so; I have formatted 5 times (yes I know)

    but I just ran novirusthanks desktop discovery 1.0 and I see this:

    https://s10.postimg.org/gtsuohsux/Untitled.png

I am not a complete noob in terms of antivirus software, but if this is a kernel-level hack it's beyond my capabilities (I am not an IT specialist). I believe that if the hacker had a lot of time he could have established some mount points or alternate boots. Maybe it's a false positive, but it would be cool if you told me what you think. Also it would be cool if you ran this tool from NoVirusThanks and told me whether you see the same as I do?
    I see this sbox service right now only when I am online.

    best
     
  2. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
As soon as I reformat I have an established connection with TCP port 1234; both TCPView and the AVZ tool from Oleg (Kaspersky partner) confirm this. I looked at this port and it has a bad fame.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    What OS? When you say "reformat", do you mean complete reinstall?

    When you reformat, you leave most of the disk untouched. Maybe something persists. You could try burning the DBAN ISO [0] to a CD, booting with it, and wiping the disk completely. And then install your OS.

There is malware that writes stuff to firmware. But that's unlikely, unless you've been targeted by someone skilled.

    0) https://dban.org/
     
  4. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    You have not been hacked, it is normal to have the alternate desktop entry. I also have a sbox_alternate_desktop service showing when I run Desktop Discovery under Windows 10.

    Desktop Discovery.png
     
  5. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    @mirimir
Win 7,
by reformat I mean a disk wipe with MiniTool Partition Wizard, then a full format and disk preparation process. I just left ESP/MSR intact.
I am not ''interesting enough'' to be targeted by someone skilled (however I mod games and release stuff publicly, so I am kind of exposed from time to time). Highly unlikely as you said, though.

I was a bit paranoid because 1 month ago I saw a trojan appearing on the desktop, and the antivirus Bitdefender didn't see it. I uploaded that file immediately to VirusTotal and it was a 30/60 match as malicious, and even recognized by Bitdefender on VirusTotal as a virus (this was a second attempt; the first trojan appearing on the desktop out of nowhere was blocked by Bitdefender). I deleted the file created and shut down the Internet. After that I formatted 5 times (that many times because at each format I noticed something strange and felt unsafe; now it is a tad better because I understand computers a tad more, so I don't tag suspicious processes as malicious anymore either). When I was hacked I was running a combo of Windows Firewall, Bitdefender Free and VoodooShield.

    @roger_m
Thanks for checking this; I feel much better now. The only weird thing would be that port 1234, targeted as SubSeven or Hotline by AVZ (I saw that too in TCPView by Sysinternals) and talking to system.exe. However, after installing ZoneAlarm I don't see it anymore (with just the default Windows Firewall it is back, hmm).

Also, ntdll.dll is fully hijacked with hooks - lots of red lines in the AVZ tool (but maybe it is caused by the antivirus, since they behave like rootkits). Indeed, in safe mode I don't see the hooks and hijacking, so I believe it is caused by security software, in this case Avast perhaps:

    Analysis: ntdll.dll, export table found in section .text
    Function ntdll.dll:NtCreateEvent (244) intercepted, method - APICodeHijack.JmpTo[6F5B2C96]
    Function ntdll.dll:NtCreateMutant (254) intercepted, method - APICodeHijack.JmpTo[6F5B2F26]
    Function ntdll.dll:NtCreateSemaphore (265) intercepted, method - APICodeHijack.JmpTo[6F5B31B6]
    Function ntdll.dll:NtCreateUserProcess (273) intercepted, method - APICodeHijack.JmpTo[6F5B3446]
    Function ntdll.dll:NtMapViewOfSection (350) intercepted, method - APICodeHijack.JmpTo[6F5B29E6]
    Function ntdll.dll:NtOpenEvent (359) intercepted, method - APICodeHijack.JmpTo[6F5B2DE6]
    Function ntdll.dll:NtOpenMutant (369) intercepted, method - APICodeHijack.JmpTo[6F5B3076]
    Function ntdll.dll:NtOpenSemaphore (377) intercepted, method - APICodeHijack.JmpTo[6F5B3306]
    Function ntdll.dll:NtQueryInformationProcess (416) intercepted, method - APICodeHijack.JmpTo[6F5B3666]
    Function ntdll.dll:NtResumeThread (486) intercepted, method - APICodeHijack.JmpTo[6F5B2B86]
    Function ntdll.dll:NtWriteVirtualMemory (600) intercepted, method - APICodeHijack.JmpTo[6F5B2876]
Function ntdll.dll:RtlDecompressBuffer (758) intercepted, method - APICodeHijack.JmpTo[6F5B34F6]
    Function ntdll.dll:RtlQueryEnvironmentVariable (1105) intercepted, method - APICodeHijack.JmpTo[6F5B35D6]
    Function ntdll.dll:ZwCreateEvent (1495) intercepted, method - APICodeHijack.JmpTo[6F5B2C96]
    Function ntdll.dll:ZwCreateMutant (1505) intercepted, method - APICodeHijack.JmpTo[6F5B2F26]
    Function ntdll.dll:ZwCreateSemaphore (1516) intercepted, method - APICodeHijack.JmpTo[6F5B31B6]
    Function ntdll.dll:ZwCreateUserProcess (1524) intercepted, method - APICodeHijack.JmpTo[6F5B3446]
    Function ntdll.dll:ZwMapViewOfSection (1599) intercepted, method - APICodeHijack.JmpTo[6F5B29E6]
Function ntdll.dll:ZwOpenEvent (1608) intercepted, method - APICodeHijack.JmpTo[6F5B2DE6]
Function ntdll.dll:ZwOpenMutant (1618) intercepted, method - APICodeHijack.JmpTo[6F5B3076]
    Function ntdll.dll:ZwOpenSemaphore (1626) intercepted, method - APICodeHijack.JmpTo[6F5B3306]
    Function ntdll.dll:ZwQueryInformationProcess (1665) intercepted, method - APICodeHijack.JmpTo[6F5B3666]
    Function ntdll.dll:ZwResumeThread (1735) intercepted, method - APICodeHijack.JmpTo[6F5B2B86]
    Function ntdll.dll:ZwWriteVirtualMemory (1849) intercepted, method - APICodeHijack.JmpTo[6F5B2876]
    https://s14.postimg.org/blbq5661d/mutant.png
     
    Last edited: Jan 31, 2018
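The AVZ lines above each say that an exported function's entry has been patched with a jump (`APICodeHijack.JmpTo[...]`) to a given address, and this is exactly the pattern a user-mode security product leaves when it hooks ntdll to inspect process creation, memory writes and section mapping. A quick way to judge the listing from a defender's seat is to parse it and look at the jump targets rather than the function names: ntdll exports each `Nt*` and `Zw*` name for the same stub, so one hook shows up as two lines, and trampolines that all sit a few kilobytes apart point to a single hooking module rather than a scattered set of injections. The script below is an added example written for this post, not output or code from AVZ or from the poster; the log it parses is the listing quoted above (the three ordinals the forum rendered as a smiley are written as 758, 1608 and 1618 on the assumption that `:cool:` was the board's rendering of `8)`), and the 64 KiB "one module" threshold is a constructed heuristic, not a value AVZ uses.

```python
import re
from collections import defaultdict

# Constructed sample: the AVZ listing quoted in the post above. Ordinals
# 758, 1608 and 1618 are an assumption (the forum turned "8)" into a smiley).
AVZ_LOG = """\
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateEvent (244) intercepted, method - APICodeHijack.JmpTo[6F5B2C96]
Function ntdll.dll:NtCreateMutant (254) intercepted, method - APICodeHijack.JmpTo[6F5B2F26]
Function ntdll.dll:NtCreateSemaphore (265) intercepted, method - APICodeHijack.JmpTo[6F5B31B6]
Function ntdll.dll:NtCreateUserProcess (273) intercepted, method - APICodeHijack.JmpTo[6F5B3446]
Function ntdll.dll:NtMapViewOfSection (350) intercepted, method - APICodeHijack.JmpTo[6F5B29E6]
Function ntdll.dll:NtOpenEvent (359) intercepted, method - APICodeHijack.JmpTo[6F5B2DE6]
Function ntdll.dll:NtOpenMutant (369) intercepted, method - APICodeHijack.JmpTo[6F5B3076]
Function ntdll.dll:NtOpenSemaphore (377) intercepted, method - APICodeHijack.JmpTo[6F5B3306]
Function ntdll.dll:NtQueryInformationProcess (416) intercepted, method - APICodeHijack.JmpTo[6F5B3666]
Function ntdll.dll:NtResumeThread (486) intercepted, method - APICodeHijack.JmpTo[6F5B2B86]
Function ntdll.dll:NtWriteVirtualMemory (600) intercepted, method - APICodeHijack.JmpTo[6F5B2876]
Function ntdll.dll:RtlDecompressBuffer (758) intercepted, method - APICodeHijack.JmpTo[6F5B34F6]
Function ntdll.dll:RtlQueryEnvironmentVariable (1105) intercepted, method - APICodeHijack.JmpTo[6F5B35D6]
Function ntdll.dll:ZwCreateEvent (1495) intercepted, method - APICodeHijack.JmpTo[6F5B2C96]
Function ntdll.dll:ZwCreateMutant (1505) intercepted, method - APICodeHijack.JmpTo[6F5B2F26]
Function ntdll.dll:ZwCreateSemaphore (1516) intercepted, method - APICodeHijack.JmpTo[6F5B31B6]
Function ntdll.dll:ZwCreateUserProcess (1524) intercepted, method - APICodeHijack.JmpTo[6F5B3446]
Function ntdll.dll:ZwMapViewOfSection (1599) intercepted, method - APICodeHijack.JmpTo[6F5B29E6]
Function ntdll.dll:ZwOpenEvent (1608) intercepted, method - APICodeHijack.JmpTo[6F5B2DE6]
Function ntdll.dll:ZwOpenMutant (1618) intercepted, method - APICodeHijack.JmpTo[6F5B3076]
Function ntdll.dll:ZwOpenSemaphore (1626) intercepted, method - APICodeHijack.JmpTo[6F5B3306]
Function ntdll.dll:ZwQueryInformationProcess (1665) intercepted, method - APICodeHijack.JmpTo[6F5B3666]
Function ntdll.dll:ZwResumeThread (1735) intercepted, method - APICodeHijack.JmpTo[6F5B2B86]
Function ntdll.dll:ZwWriteVirtualMemory (1849) intercepted, method - APICodeHijack.JmpTo[6F5B2876]
"""

# One AVZ hook line: module:function (ordinal) ... method[hex target]
LINE_RE = re.compile(
    r"Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    r"method - (?P<method>[\w.]+)\[(?P<target>[0-9A-Fa-f]+)\]"
)

# Constructed heuristic: trampolines within 64 KiB of each other are
# treated as living in one module's code/trampoline area.
ONE_MODULE_SPAN = 0x10000


def parse_hooks(log_text):
    """Return one dict per hooked export; non-matching lines are ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            h = m.groupdict()
            h["ordinal"] = int(h["ordinal"])
            h["target"] = int(h["target"], 16)
            hooks.append(h)
    return hooks


def group_by_target(hooks):
    """Map each jump target to the exports redirected to it."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["target"]].append(h["func"])
    return dict(groups)


def summarize(log_text):
    """Collapse Nt/Zw aliases and describe where the trampolines live."""
    hooks = parse_hooks(log_text)
    groups = group_by_target(hooks)
    targets = sorted(groups)
    span = targets[-1] - targets[0] if targets else 0
    # A target reached from both an Nt* and a Zw* name is one hook seen twice,
    # because ntdll exports both names for the same system-call stub.
    nt_zw_pairs = sum(
        1 for funcs in groups.values()
        if any(f.startswith("Nt") for f in funcs)
        and any(f.startswith("Zw") for f in funcs)
    )
    return {
        "hooked_exports": len(hooks),        # lines AVZ printed
        "unique_targets": len(groups),       # actual distinct hooks
        "nt_zw_pairs": nt_zw_pairs,
        "lowest_target": targets[0] if targets else None,
        "highest_target": targets[-1] if targets else None,
        "span_bytes": span,
        "single_hooking_module": bool(targets) and span < ONE_MODULE_SPAN,
    }


if __name__ == "__main__":
    s = summarize(AVZ_LOG)
    print(f"{s['hooked_exports']} listed exports, {s['unique_targets']} distinct hooks "
          f"({s['nt_zw_pairs']} Nt/Zw alias pairs)")
    print(f"targets span 0x{s['lowest_target']:08X}-0x{s['highest_target']:08X} "
          f"({s['span_bytes']} bytes); one module: {s['single_hooking_module']}")
```

On this listing the 24 red lines collapse to 13 distinct hooks (11 Nt/Zw alias pairs plus the two Rtl exports), and every jump target falls inside a 3.5 KB window, which is what a single hooking DLL looks like. That is consistent with the poster's own conclusion that a security product is responsible, but the address range alone does not prove it: the confirming step is to match the target address against the loaded-module list of the same process (a task AVZ and Process Explorer both support) and check that the module it lands in is the signed component of the installed antivirus.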
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Based on @roger_m it seems that you have no problem. But hey, I've forgotten most of what I ever knew about Windows :(
     
  7. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
Then the only problem would be random spawns of testtestesttesttesttesttesttesttesttes from time to time; whenever there is a place to write stuff, this thing spawns very fast. Looks like a macro.
     
  8. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
AVZ always spawns testtestesttesttesttesttesttesttesttest by default at the end of the analysis.
     