
Help!: Probably the scariest rootkit/Virus you will ever hear of

Restore the backups. 

 

Change all passwords if not already. 

 

Reset the router password and set up a firewall.

 

Change your public IP.

 

Use a VPN if you can.

 

 


1 minute ago, nerdslayer1 said:

Sounds horrifying. What are you going to do?

I don't know what else I can try; that's why I'm asking for help.


Contact your ISP; they should be able to pull network logs.

 

You also need to contact the police.

 

They seem to have hijacked your identity along with all your devices.

Budget? Uses? Currency? Location? Operating System? Peripherals? Monitor? Use PCPartPicker wherever possible. 

Quote whom you're replying to, and set option to follow your topics. Or Else we can't see your reply.

 


7 minutes ago, XDriveRootkit said:

Hi everyone. First off I want to say that all I'm about to type is true and it is happening right now. Also I didn't know where should I post this since it's a software related issue as well so feel free to move it to the correct subforum.

Last month I installed a Linux VM to perform some tests related to a video game (yes, kinda stupid, I know). On top of that, one of the steps was to create a Google Cloud account to "connect with a database full of other players' research related to the game". Eventually I got stuck at some step for no apparent reason. Like, the user and password for this virtual machine I created just stopped working.

 

After trying to quickly figure out what the hell was going on, the mouse starts moving by itself and my PC restarts. Once I get back to the desktop I start opening My Documents and checking my other drives, and I notice a lot of my files are being copied and uploaded somewhere (probably the iCloud account I just created). I hear the alarm of my Android phone. 16 new updates were installed and I had auto-updates disabled. Same goes for my iPad and my sister's iPhone. Apps getting updated all at the same time.

 

At this point I'm panicking and the first thing I try to do is check the router settings. I have OpenWRT installed and I see some ports like 443, 80, telnet and netsec were open. This is not looking good. At all.

 

Immediately shut everything off. Next day I try to close these ports on OpenWRT and it worked, or at least that's what I thought. I check the modem (Motorola SBG6580) and I see a few plugins installed. I don't even know how they did this. Tried to do a factory reset but the plugins were still there opening the ports. A few days later I got a new modem, a Sagemcom 3284. It was even easier for them to open everything this time since this modem lacks a real bridge option. You can still log into the router and do whatever you want even in bridge mode and being online (which, AFAIK, shouldn't be a thing).

 

To summarize, and a list of things I tried during the last month:

- My security was compromised like never before.

- All the devices connected to the network at that time were affected.

- A partition called 'Boot (X:)' started showing up.

- I tried reinstalling Windows several times. Noticed that if I tried to create a bootable USB, the files were corrupted when I transferred them to the USB, making it impossible to make a fresh install.

- I also tried with an OEM Windows 10 DVD, but this doesn't help because of the Boot X partition I mentioned before. It's like this partition waits for an OS to be installed and then installs all the viruses and crap over and over and over again.

- Reinstalled Windows at least 20 times this month. Always fresh installs, a lot of times even after using KillDisk.

- I tried KillDisk, CentOS, Kali Linux, the Norton boot recovery tool (lol, I know), the Windows MBR recovery tool, and nothing, I repeat nothing, helped so far.

 

Some other creepy and really weird stuff I've noticed:

- They created three Facebook accounts using email accounts I own.

- They can see through my iPad webcam and they interact with me on Twitch chat. I know this sounds totally crazy but it is true. They make references to me failing at fixing this, they mock me, they make references to Boot X and UEFI, shell, etc., even when the stream is completely unrelated. My guess is that one of them is restreaming my screen/screens for a bunch of people.

- I made two Outlook accounts and used one to re-link my Payoneer account to this new one. The Outlook account got locked and I can no longer access it because Microsoft detected a lot of spam coming out of it, even though I only created it to link it to my Payoneer account. Same goes for another account that I made to link my PayPal account. The other two Outlook accounts I made were not locked out, but I didn't link them to anything anyway; maybe that's the reason.

 

So, what can I do? I'm from South America and I don't have too many options here, so here I am asking for help.

So far it seems only Google is kind of listening because Google Cloud was involved, but they are asking for a bunch of names and information about what happened and they are not helping me fix this issue with my PCs and network.

The only similar post I could find on the whole Internet is this one: http://www.tweaking.com/forums/index.php?topic=3112.0 .

But no fix so far.

 

Any input (please no "reinstall Windows" replies) will be appreciated.

 

Thanks.

 

PS: Tomorrow I could upload some pictures, let me know what you would like to see.

Why do you need to connect to a database?

 

It seems like they may have planted a RAT program on all your devices.


Not to be rude, but if you are still using your compromised devices to post this help question

 

you are exposing yourself to more danger.

 

 

 

 

 


1 minute ago, Electronics Wizardy said:

Restore the backups. 

 

Change all passwords if not already. 

 

Reset the router password and set up a firewall.

 

Change your public IP.

 

Use a VPN if you can.

 

 

- That doesn't help. A Windows backup/restore won't revert its MBR to its previous condition.

- Already did that. Doesn't do anything; they can still read everything in plain text because the ports on the modem are open and I don't know how to close them. They saved the firmware with those ports open as factory defaults, so if I do a factory reset I get the ports open.

- Windows is being controlled by them; my PC is part of a Workgroup. Windows Firewall does nothing at this point.

 

- If I can't get rid of this ghost partition, which I tried to remove with KillDisk (using the US military 3-pass option), everything I do is pointless.

Here I took some pictures of this ghost Boot (X:) partition: http://imgur.com/a/MudZ8 .


On 2/3/2017 at 4:12 AM, Bradl79 said:

Buy a new HDD and use that instead.

 

lol, I ain't clicking on any of your links; post it as a pic instead of a link.

 tr


You should do the same and contact the police and your local ISP.

 

Stop all devices from connecting; ask the ISP to block the network connection until you are off the grid.


As @dragoon20005 said, report it to the police.

 

And for sure contact your ISP for their help in stopping the connection and changing your public IP (although you can do it alone, judging by your situation better not).

 

For now just shut off all the devices, point that camera at a wall and disconnect the network cables.


8 minutes ago, dragoon20005 said:

you should do the same and contact the police and your local ISP

 

stop all devices from connection ask the ISP to block network connection until you are off the grid

How can I get this fixed without asking for help on the Internet?

I don't know anyone IRL able to fix this, and my ISP sucks; they told me they can't block ports on their side.

@keNNySOC all the PCs were formatted, everything is disconnected except this iPad, which was restored to factory, everything deleted, cameras covered with tape.


3 minutes ago, XDriveRootkit said:

So:

Can you delete one of these hidden partitions? Is there anything better than KillDisk?

The HDDs are all SSDs (including a 1 TB one) and those ain't cheap down here right now, but if there's absolutely no other way I will have to just replace them until a removal tool comes out (probably never).

 

Can you guys do me a favor? If you insert a Win10/8.1/7 installation pendrive/DVD into your computer and on the drive selection screen you click "Examine", does Boot:X show up as a drive like in the first screenshot I posted in my previous post? If so, could you expand it and compare what's inside there vs. the content I show in the other screenshots? Maybe Boot:X is the temporary files when you install Windows? Probably not, since I see stuff like Users, Program Files and Program Files (x86), but I just want to make sure.

About the first thing: if you don't want them to try to get the data, shut off the PC and just take the SSDs out.
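Two claims in this thread can be settled without guessing. On the question just quoted: Windows Setup runs from a WinPE image (boot.wim on the install media) that is loaded into RAM and assigned the drive letter X:, so it contains Windows, Users and Program Files directories and appears as Boot (X:) in the installer's file browser on any machine; it lives in memory, not on the PC's disks. On the original post's statement that files were corrupted on their way to the USB stick: that is checkable by hashing the ISO against the value its publisher lists for it and hashing every file on the stick against the source it was copied from. The script below is an added example written for this thread, not code from any poster or from Microsoft; the constructed sample tree only mimics Windows media file names, and the expected hash is whatever the publisher lists for the ISO.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies install media the way you would
# verify any artifact you do not trust: the ISO against a published hash, and the
# files on the USB stick against the source they were copied from.
# Needs only sh, find, sort, sed and sha256sum (GNU coreutils or busybox).

# "<sha256>  <relative path>" for every regular file under DIR, in stable order.
tree_hashes() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do sha256sum "$f"; done )
}

# Relative paths that differ between SRC and DST or exist on only one side.
# Prints nothing when the two trees are byte-identical.
compare_trees() {
    a=$(mktemp); b=$(mktemp)
    tree_hashes "$1" > "$a"; tree_hashes "$2" > "$b"
    # a "<hash>  <path>" line present on only one side is a changed or missing file;
    # a changed file yields two such lines (one per hash), hence the final sort -u
    sort "$a" "$b" | uniq -u | sed 's/^[0-9a-f]*  //' | sort -u
    rm -f "$a" "$b"
}

# OK (exit 0) when FILE hashes to EXPECTED, otherwise MISMATCH (exit 1).
# EXPECTED is the value published for the ISO, looked up on a machine you trust.
verify_iso() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then echo OK; return 0; fi
    echo "MISMATCH: got $actual"; return 1
}

# Constructed sample: a "source" tree and a "USB" copy in which one file was altered
# in transit and one never arrived. The names only mimic Windows install media.
make_sample() {
    mkdir -p "$1/src/boot" "$1/src/sources" "$1/usb/boot" "$1/usb/sources"
    printf 'bootmgr bytes\n'   > "$1/src/boot/bootmgr"
    printf 'boot.wim bytes\n'  > "$1/src/sources/boot.wim"
    printf 'setup.exe bytes\n' > "$1/src/setup.exe"
    cp "$1/src/boot/bootmgr" "$1/usb/boot/bootmgr"
    printf 'boot.wim bytes corrupted\n' > "$1/usb/sources/boot.wim"
    # setup.exe is deliberately absent from usb/
}
```

Run it from a live Linux system (the Kali or CentOS media already mentioned in the thread) with the ISO loop-mounted and the stick mounted, for example `compare_trees /mnt/iso /mnt/usb`; an empty result means the copy is byte-identical, and any listed path is a file to look at. A USB stick that keeps failing this check on one machine but passes on another points at that machine or that stick, which is more useful than another reinstall.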


2 minutes ago, XDriveRootkit said:

How can I get this fixed without asking for help on the Internet?

I don't know anyone IRL able to fix this, and my ISP sucks; they told me they can't block ports on their side.

@keNNySOC all the PCs were formatted, everything is disconnected except this iPad, which was restored to factory, everything deleted, cameras covered with tape.

I would change that ISP ASAP...

 

The only thing I can recommend is to just wipe all the data, and from there on use a VPN and not save sensitive files there, and just hope they're gone...


2 minutes ago, XDriveRootkit said:

How can I get this fixed without asking for help on the Internet?

I don't know anyone IRL able to fix this, and my ISP sucks; they told me they can't block ports on their side.

@keNNySOC all the PCs were formatted, everything is disconnected except this iPad, which was restored to factory, everything deleted, cameras covered with tape.

You need to use another PC which is not on your home network

 

if they can't check network logs.

 

I'd just unplug all your devices and forcefully reset every single device.

 

 


12 minutes ago, keNNySOC said:

About the first thing, if you don't want them to try to get the data shut off the PC and just take the SSD's out

I mean I formatted the SSDs and that's all I had connected to them before shutting them off.

@dragoon20005 Every ISP is garbage in this shitty country, so it's whatever.

 

Would a low-level format get rid of these partitions? Should I low-level format an SSD? Also, if someone could check if Boot X shows up when installing Windows, that would be cool.


10 minutes ago, dragoon20005 said:

you need to use another PC which is not in the same network your home network

 

if they cant check network logs.

 

i just unplug all your devices and forcefully reset every single devices.

 

 

IMO very unlikely; if they have full control of the PC they have control of the router... they can probably just configure it...

 

2 minutes ago, XDriveRootkit said:

I mean I formatted the SSDs and that's all I had connected to them before shutting them off.

@dragoon20005 Every ISP is garbage in this shitty country, so it's whatever.

 

Would a low-level format get rid of these partitions? Should I low-level format an SSD? Also, if someone could check if Boot X shows up when installing Windows, that would be cool.

After the format they're still in?


Just now, XDriveRootkit said:

I mean I formatted the SSDs and that's all I had connected to them before shutting them off.

@dragoon20005 Every ISP is garbage in this shitty country, so it's whatever.

 

Would a low-level format get rid of these partitions? Should I low-level format an SSD? Also, if someone could check if Boot X shows up when installing Windows, that would be cool.

Low-level format every single drive, and that includes the SSDs.


On 2/3/2017 at 4:51 AM, keNNySOC said:

IMO very unlikely; if they have full control of the PC they have control of the router... they can probably just configure it...

 

After the format they're still in?

I don't want to sound rude but did you read the OP? Yes, they are still in because they installed an X partition, which I think is a Linux one. That partition reinstalls everything even after a clean format.

 

On 2/3/2017 at 4:51 AM, dragoon20005 said:

Low-level format every single drive, and that includes the SSDs.

Doesn't a low-level format damage SSDs? What program do you recommend for this?


Just now, XDriveRootkit said:

I don't want to sound rude but did you read the OP? Yes, they are still in because they installed an X partition, which I think is a Linux one. That partition reinstalls everything even after a clean format.

 

Doesn't a low-level format damage SSDs? What program do you recommend for this?

 

Thanks.

It will not damage SSDs.

 

http://hddguru.com/software/HDD-LLF-Low-Level-Format-Tool/

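On the low-level-format question: the HDDGuru tool linked above is an overwrite utility. On an SSD it only reaches the blocks the controller currently maps to LBAs; spare and remapped flash is out of its reach, so it is not a low-level format in the controller's sense and it does not settle anything about a drive you distrust. What does is the drive's own ATA SECURITY ERASE UNIT command, issued with `hdparm`, which the controller applies to the whole flash array (for NVMe drives the equivalent is `nvme format --ses=1`). The check worth doing first is whether the drive reports security as supported and not frozen; most BIOSes freeze it at boot, and a suspend/resume cycle or hot-plugging the drive clears that. The script below is an added example written for this thread, not code from any poster or from the hdparm project: it parses saved `hdparm -I` output and prints the two erase commands only when the drive is in the right state. `/dev/sdX` and the sample dumps are constructed. Neither method touches anything outside the drive; system firmware, the modem and the router are a separate question.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight check for an ATA Secure Erase
# of an SSD, read from a saved `hdparm -I /dev/sdX > dump.txt`. Device names are
# placeholders; the sample dumps are constructed to match real hdparm layout.

# Security state: NOT-SUPPORTED, FROZEN, LOCKED, ENABLED (a password is set) or READY.
secure_erase_state() {
    awk '
        /^Security:/ { insec=1; next }
        insec && /^[^ \t]/ { insec=0 }      # next top-level heading closes the section
        insec {
            line=$0; gsub(/\t/, " ", line); gsub(/^ +| +$/, "", line)
            # hdparm prints "not\tfrozen" when clear and "\t\tfrozen" when set, so an
            # exact match on the trimmed line distinguishes the two
            if (line=="supported") sup=1
            if (line=="enabled")   en=1
            if (line=="locked")    lk=1
            if (line=="frozen")    fr=1
        }
        END {
            if (!sup)    print "NOT-SUPPORTED"
            else if (fr) print "FROZEN"
            else if (lk) print "LOCKED"
            else if (en) print "ENABLED"
            else         print "READY"
        }' "$1"
}

# Print the erase commands for DEV when its dump says READY; refuse otherwise.
# The temporary user password NULL is cleared by the erase itself.
erase_plan() {
    state=$(secure_erase_state "$2")
    case "$state" in
        READY)
            echo "hdparm --user-master u --security-set-pass NULL $1"
            echo "hdparm --user-master u --security-erase NULL $1" ;;
        FROZEN)
            echo "refuse: $1 is frozen (usually by the BIOS at boot); suspend/resume or hot-plug it, then re-check" >&2
            return 1 ;;
        *)
            echo "refuse: $1 reports $state" >&2
            return 1 ;;
    esac
}

# Constructed hdparm -I excerpts: same layout as real output, made-up values.
write_sample_dumps() {
    sec='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        FROZEN_LINE
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
    printf '%s\n' "$sec" | sed 's/FROZEN_LINE/not     frozen/' > "$1/ready.txt"
    printf '%s\n' "$sec" | sed 's/FROZEN_LINE/frozen/'         > "$1/frozen.txt"
    printf 'ATA device, with non-removable media\nChecksum: correct\n' > "$1/nosec.txt"
}
```

Usage on a real drive is `hdparm -I /dev/sdX > dump.txt; erase_plan /dev/sdX dump.txt`, then run the two printed lines as root with nothing mounted from that drive. The security-set-pass step is what `--security-erase` requires; after the erase the drive reports "not enabled" again.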

 


3 minutes ago, XDriveRootkit said:

I don't want to sound rude but did you read the OP? Yes, they are still in because they installed an X partition, which I think is a Linux one. That partition reinstalls everything even after a clean format.

 

Doesn't a low-level format damage SSDs? What program do you recommend for this?

 

Thanks.

Shout... hmmmm... I guess try a low-level format; if that does not work, idk...

 

I'd change out the drives then, and change your router and use a VPN, better safe than sorry.


6 minutes ago, keNNySOC said:

Shout... hmmmm... I guess try a low-level format; if that does not work, idk...

 

I'd change out the drives then, and change your router and use a VPN, better safe than sorry.

As for the router, I might be able to put it in fail-safe mode (remember I got OpenWRT), then through telnet I might go back to full factory defaults, secure the connections with keys so no one else except me can get an SSH connection to the router, then disable telnet and maybe the LuCI interface altogether just to be extra careful. All this being done on a Windows XP notebook with no Internet connection. I will save the keys there. If all this doesn't work then idk.
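The plan in the post above (factory defaults, key-only SSH, telnet and LuCI off) can be checked and applied from the router's UCI files rather than by eye. The script below is an added example written for this thread, not the poster's or OpenWrt's own code: it parses `/etc/config/dropbear` and `/etc/config/firewall`, reports password SSH, a `wan` zone whose input policy is ACCEPT (which is what the open 80/443/telnet on the Internet side described earlier in the thread looks like in config) and any ACCEPT rule from `wan` that names a port, and prints the `uci` commands that close them. The LAN address 192.168.1.1, the `@zone[1]` index and the constructed sample configs are assumptions; the audit functions run on any POSIX sh with awk, the `uci` lines only on the router.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an OpenWrt router's dropbear (SSH)
# and firewall UCI files for the exposures discussed above and print the uci
# commands that close them. LAN address, zone index and sample configs are assumptions.

# Value of option K in UCI file F (last occurrence wins), quotes stripped.
get_opt() {
    awk -v q="'" -v k="$2" '$1=="option" && $2==k { v=$3 }
        END { gsub(q,"",v); gsub(/"/,"",v); print v }' "$1"
}

# PASS, or "FAIL:" plus each weak setting. Unset means the OpenWrt default: password login on.
audit_dropbear() {
    pw=$(get_opt "$1" PasswordAuth); rpw=$(get_opt "$1" RootPasswordAuth)
    iface=$(get_opt "$1" Interface); fail=""
    [ "$pw" = "off" ]    || fail="$fail PasswordAuth=${pw:-unset}"
    [ "$rpw" = "off" ]   || fail="$fail RootPasswordAuth=${rpw:-unset}"
    [ "$iface" = "lan" ] || fail="$fail Interface=${iface:-any}"
    if [ -n "$fail" ]; then echo "FAIL:$fail"; else echo PASS; fi
}

# Input policy of the 'wan' zone. ACCEPT means every service on the router itself
# (LuCI on 80/443, telnet, SSH) answers from the Internet side.
wan_input_policy() {
    awk -v q="'" '
        function flush() { if (sec=="zone" && name=="wan") { p = (inp=="") ? "unset" : inp; print p } }
        $1=="option" { gsub(q,"",$3); gsub(/"/,"",$3) }
        $1=="config" { flush(); sec=$2; name=""; inp="" }
        $1=="option" && $2=="name"  { name=$3 }
        $1=="option" && $2=="input" { inp=$3 }
        END { flush() }' "$1"
}

# One line per ACCEPT rule from 'wan' that names a port: "<name> <proto> <port> <dest>".
wan_accept_rules() {
    awk -v q="'" '
        function flush() {
            if (sec=="rule" && src=="wan" && tgt=="ACCEPT" && port!="") {
                d = (dst=="") ? "router" : dst; print name, proto, port, d
            }
        }
        $1=="option" { gsub(q,"",$3); gsub(/"/,"",$3) }
        $1=="config" { flush(); sec=$2; name="?"; src=""; dst=""; tgt=""; proto="any"; port="" }
        $1=="option" && $2=="name"      { name=$3 }
        $1=="option" && $2=="src"       { src=$3 }
        $1=="option" && $2=="dest"      { dst=$3 }
        $1=="option" && $2=="target"    { tgt=$3 }
        $1=="option" && $2=="proto"     { proto=$3 }
        $1=="option" && $2=="dest_port" { port=$3 }
        END { flush() }' "$1"
}

# Commands for the router itself. Run `passwd` first (on releases of that era this is
# also what stops the telnet fallback) and put your public key in
# /etc/dropbear/authorized_keys before turning PasswordAuth off. 192.168.1.1 and
# @zone[1] are assumptions; confirm the wan zone index with: uci show firewall | grep name
harden_cmds() {
    cat <<'EOF'
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci set dropbear.@dropbear[0].Interface='lan'
uci commit dropbear
uci delete uhttpd.main.listen_http; uci add_list uhttpd.main.listen_http='192.168.1.1:80'
uci delete uhttpd.main.listen_https; uci add_list uhttpd.main.listen_https='192.168.1.1:443'
uci commit uhttpd
uci set firewall.@zone[1].input='REJECT'
uci commit firewall
/etc/init.d/dropbear restart; /etc/init.d/uhttpd restart; /etc/init.d/firewall restart
EOF
}

# Constructed sample configs reproducing the weak state described in the thread:
# password SSH on all interfaces, wan input ACCEPT, telnet and HTTP opened from wan.
write_sample_configs() {
    cat > "$1/dropbear" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
EOF
    cat > "$1/firewall" <<'EOF'
config zone
    option name 'wan'
    option input 'ACCEPT'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option target 'ACCEPT'
config rule
    option name 'telnet-from-wan'
    option src 'wan'
    option proto 'tcp'
    option dest_port '23'
    option target 'ACCEPT'
config rule
    option name 'http-from-wan'
    option src 'wan'
    option proto 'tcp'
    option dest_port '80'
    option target 'ACCEPT'
EOF
}
```

Copy the two files off the router (`scp root@192.168.1.1:/etc/config/dropbear .`) and run `audit_dropbear`, `wan_input_policy` and `wan_accept_rules` on them from the offline notebook, or run the whole script on the router after `passwd`. `Interface 'lan'` keeps dropbear off the WAN interface regardless of firewall state, and binding uhttpd to the LAN address does the same for LuCI; the `wan` input policy is then the only thing standing between the Internet and whatever else is listening, so it should read REJECT or DROP, and the rule list should be empty apart from the ICMP and DHCP-renew rules OpenWrt ships with.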

