GW hacked, modules modified in memory... (according to Intezer)

Hi team,

My laptop has been hacked (my devices have been hacked since 2018; very long story),
and GW is one of the victims. I want to use GW to monitor strange traffic, but it seemed (according to the Intezer memory scan tool) that some GW modules in memory have been replaced,
meaning monitoring results from GW have been compromised…

I attached screenshots of scan results…

I also cross-posted this result to Malwarebytes and AnyDesk.
If anyone can help…???

Sorry to reply 6 times… I need to upload 6 screenshots…

Thanks in advance…

Martin…

I don’t see anything that jumps out at me as damning evidence that your GlassWire has been manipulated. All the detections have a really low confidence value, and the GlassWire executables are packed, which will always increase detections; the memory replacement indicator is in all likelihood a false detection. I can’t be bothered to sign up to Intezer right now, but I wouldn’t be surprised if the exact same thing shows up when scanning a clean VM with just GlassWire installed.

There isn’t much use in messing with GlassWire itself: GlassWire is only as good as Windows’ network filtering abilities. Guest VMs like WSL and Hyper-V completely bypass it and would be more likely paths to exfiltrate data, rather than building this hyper-specific tool to hide traffic only in GlassWire, which would need to be kept up to date for every GlassWire update.

If you think that your PC is compromised, just wipe your disk and reinstall your operating system. There is malware that can survive in firmware, but it’s very rare and highly targeted. If you’re such a high-value target, you should probably get proper IT security consultants.
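The reply above argues that the "memory replaced" flag on packed GlassWire binaries is most likely a scanner false positive. A concrete way to check that on your own machine, instead of trusting a heuristic score, is to enumerate the modules loaded into the GlassWire process and record each one's on-disk Authenticode status and SHA-256 hash, then run the same script on the clean VM the reply suggests and diff the two result files. This is an example added here, not GlassWire's or Intezer's code; the process name 'GlassWire' and the output path are assumptions you may need to adjust.

```powershell
# Added example: list the modules a running process has loaded and record
# their Authenticode status and SHA-256 hashes so two machines can be diffed.
# Assumption: the GlassWire UI process is named 'GlassWire'; change -ProcessName
# if your install differs. Run from an elevated PowerShell so all modules are visible.
param(
    [string]$ProcessName = 'GlassWire',
    [string]$OutFile = "$env:USERPROFILE\Desktop\modules-$env:COMPUTERNAME.csv"
)

$procs = Get-Process -Name $ProcessName -ErrorAction Stop

$rows = foreach ($p in $procs) {
    foreach ($m in $p.Modules) {
        $path = $m.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Process   = $p.ProcessName
            Pid       = $p.Id
            Module    = $m.ModuleName
            Path      = $path
            SigStatus = $sig.Status      # Valid / NotSigned / HashMismatch / ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

# Modules whose on-disk file is unsigned or fails signature verification
# are the ones worth comparing against the clean install first.
$rows | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Module, SigStatus, Signer, Path -AutoSize

$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($rows.Count) module records to $OutFile"
```

Run it on the suspect laptop and on a freshly installed VM with only GlassWire, then compare the two CSVs by Module and Sha256 (for instance with Compare-Object after Import-Csv). Two caveats: Microsoft's own DLLs are often signed through catalog files rather than an embedded signature, so a NotSigned status on a Windows system DLL is not by itself suspicious; and this checks the files on disk, not the image in memory, so matching hashes rule out an on-disk replacement but do not by themselves rule out a runtime patch. For the in-memory question, the comparison the reply proposes (same scanner, clean VM, same result) remains the useful control.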

Thank you for your reply, mister.

You are right regarding installing GW in a VM; I tried that already, and Intezer still detected memory replaced.

BUT, in the middle of VM setup there was a strange “Windows Update-like” event when I rebooted my PC.
After getting to the desktop, I couldn’t see any Windows Update history for what had just happened.
As if the malware/hacker was installing something as well… so that it can access the VM as well.

Much appreciated.
All of this happened because of a comment that I made on YouTube, back in 2018.
I am not a high-value target of any kind; these people just over-reacted to my comment.

At first, they were doing intimidation and attempted extortion, but lately they want to poison me.
It is crazy…

Anyways…

in the middle of VM setup there was a strange “Windows Update-like” event when I rebooted my PC.
After getting to the desktop

That sounds pretty normal; I’ve seen this every time I install Windows.

There might not be any Windows Update history, but surely you saw “Installing Updates” in the installer. Between this and getting into the OOTB setup, the PC will reboot once or twice and show stuff like “Setting up devices”. During this process the spinner might be a bit glitchy; that’s normal.

Look, this is probably not what you want to hear, but I doubt any of this is actually happening. I also saw your thread on the Malwarebytes forums, and I have yet to see any evidence of your device being compromised.

What you are suspecting is happening would cost a massive amount of money and resources. While I don’t doubt that some organizations have the capabilities to pull this off, it just doesn’t make sense to blow all these resources on someone like you, even if you said something controversial back in 2018.

What I suspect is that back in 2018 you said something that made some people unhappy, and then you may have caught some run-of-the-mill malware and spiraled into paranoia.

Why would someone with such capabilities need to compromise your USB devices in a way that shows up in logs, and why would they need to manipulate GlassWire? As I said before, why would someone with these capabilities build a custom solution to suppress their traffic in GlassWire when they could just bypass it entirely, something which is absolutely possible and which I do every time I work with WSL2? There are multiple threads about it here.

For every one person who truly deals with something like this, there are a million who think this is happening to them, but it really isn’t. And of the people to whom this is really happening, the vast majority will be known high-value targets.

I personally think you’re interpreting the common computer jankiness as something it’s not.

With respect, mister,

I have written things (logs) and photos & videos of what they have done and tried to do to me in the past 4 years (physically, I was poisoned 8-10 times; 3 of those times I almost died).
I don’t want to elaborate on it here.

I posted this just to ask for help with my situation if anyone could help (at least with the device hacks), not that I am expecting it though, because I already posted a similar problem on the ASUS and SNBForums in the past.

Secondly, I am out of ideas on how to get out of my current situation… maybe blast this thing to the public, hoping someone could help. Dunno if this is a good idea or not.

I am not in paranoia of any kind.
The Prime95 findings that I mentioned on Malwarebytes are a clear indication (not direct proof) that malware is in my laptop memory; it reserved 7GB until I disconnected.
It actually grayed out most of the menus in P95 while it was doing it… yes, it has sort of a remote desktop capability, from what I see on my desktop…

Thanks…

What do you expect? Some magic console command that removes this supposed highly advanced malware that automatically infects everything it touches?

Please run P95 and post a screenshot of the greyed-out menus; I’ll check how it looks on my end.

None of any kind? I sure as hell would be at least a little paranoid if I was experiencing what you are describing.

If what you’re saying is real, anything you ever touch will be compromised and monitored; it’s high time to ditch your identity and move to some far-away country, into the jungle or something.

But you should understand why I, and pretty much everyone else, think you’re paranoid if you are talking about such an almost “magical” piece of software. You are talking about top-tier capabilities and possible links to your ISP, all while doing unnecessary things like taking up 7GB of RAM (must be pretty bad code; a lot of PCs still have only 8GB or less total), going through the effort of building a VM-entering GlassWire exploit instead of just bypassing Windows networking entirely, and for some reason manipulating Prime95 of all things.

Our brains can be pretty weird and make us believe things that aren’t actually real; a big one is seeing signs of danger where there aren’t any. I highly suggest consulting a mental health professional. If you’re right and you want to “blast this thing to the public”, proof of good mental health would be worth gold in proving your credibility.

Edit: Revised wording a little
Edit 2: Revised a little more to touch on some more things.

I don’t want to divert my purpose in posting here just because of this one unknown guy…

Anyone from GlassWire or a kind soul have something to say?
Can anyone kindly test the Intezer memory scan on their machine with GW installed and compare to mine?
I am very curious… please post your results…

My devices over here are all compromised, presumably.

Thank you guys in advance…

Ok, fine, I’ll bite:


Either I caught the super-malware as well or… it’s just a normal false detection.