
Sorry for the melodrama but I've been in an endless chase for two months throwing everything I have at this. I think I have a RAT and the RAT has changed service drivers to initiate small hidden or encrypted partitions on my hard drive to run. I have formatted my SSDs and HD about 20 times only to end up getting the same issues: strange mislabeled tasks running, losing admin rights, having my email and account passwords changed. I've even installed Win 10 Pro to control my settings strictly, only to have them taken away after connecting my PC with a fresh install and formatted drives to the Internet and losing everything once again as the screen froze and crashed with new parameters of hitting Ctrl+Alt+Del to log in. I also think my router is ruined (it's a FiOS) and my cell phone is screwed: after getting a new one, in 2 days it's full of apps and stuff I didn't download, as I hadn't set up a single account yet.

I'm really on the verge of giving up. I shot heroin for 9 years and did three in prison, and that was nowhere near as frustrating as this. This is my hobby and it has helped to keep me clean for years, and now it's gone.


I'm sorry to reply so soon, but I'm about to go to work. I did a reinstall of 10 Pro, jumped online and got the anti-rootkit beta. I was able to run it real quick and it found HKEY/Windows NT, 5 instances of it.

Before I could get a text log my computer froze and did an update reboot. If this helps at all:


Done!
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe --> [Security.Hijack]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 

---------------------------------------

system-log.txt
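The six entries in the scan log above all live under Image File Execution Options (IFEO), once in the native registry view and once under WOW6432Node. A subkey there named after an executable can carry a `Debugger` value, and Windows then launches that "debugger" instead of the named program; pointed at MsMpEng.exe (the Defender engine), MRT.exe (the Malicious Software Removal Tool) and svchost.exe, it silently prevents the security tooling from ever starting, which is why the scanner labels them Security.Hijack. The script below is an added example written for this thread, not the poster's log or a Malwarebytes tool: it enumerates both IFEO roots and lists every subkey that carries a `Debugger` value so the entries can be reviewed before anything is removed.

```powershell
# Added example (not from the thread): audit Image File Execution Options
# for Debugger redirections, the mechanism flagged as [Security.Hijack] above.
# Run from an elevated PowerShell window so both registry views are readable.

# The two IFEO roots reported in the scan log (native and WOW6432Node views).
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    # Returns one object per IFEO subkey that has a Debugger value set.
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $null -ne $props.Debugger) {
                [pscustomobject]@{
                    # Strip the provider prefix so the key reads like the scan log.
                    Key      = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Image    = $_.PSChildName   # e.g. MsMpEng.exe, MRT.exe, svchost.exe
                    Debugger = $props.Debugger  # what Windows will launch instead
                }
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Host 'No IFEO Debugger redirections found.'
} else {
    Write-Host "Found $($entries.Count) IFEO Debugger redirection(s); review each before removing:"
    $entries | Format-Table -AutoSize
}
```

A hit is not automatically malicious: legitimate tools set a `Debugger` value too (Sysinternals Process Explorer's "Replace Task Manager" option does exactly this for taskmgr.exe), so the output is a review list. What makes the entries in the log above a clear hijack is the choice of targets, the system's own anti-malware binaries and svchost.exe, rather than the mechanism itself.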


> I have formatted my ssds and HD about 20 time

 

If that is the case, your router might be infected. Have you reset your router?

 

Let’s try to reset the router to its default configuration.

This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
You also need to reconfigure any security settings you had in place prior to the reset.
You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

Next:

You might need elevated privileges

Open the Start Menu, (Windows Globe) click on All Programs > Accessories >, right click on Command Prompt, and click on Run as administrator.

In the command prompt window that opens, copy / paste or type the following commands:
Note the space before each / switch; it needs to be there.

Click the Microsoft Start logo in the bottom left corner of the screen Type CMD and click Ok.
The MSDOS Window will be displayed. At the command prompt, copy / paste or type the following and press Enter after each line:

**IPCONFIG /release**

**IPCONFIG /flushdns**  

**IPCONFIG /renew**  

**IPCONFIG /registerdns**

**netsh winsock reset**

**netsh int ip reset**

**regsvr32 netshell.dll**

**regsvr32 netcfgx.dll**

**regsvr32 netman.dll**

Type in **Exit**

Restart the computer.
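The same sequence as a script, written for this thread as an added example and not part of the instructions above. It runs from an elevated PowerShell window, refuses to start without administrator rights (the usual reason `netsh int ip reset` and the `regsvr32` calls fail), runs each command in order and writes every command's output and exit code to a transcript file on the Desktop (an assumed location) so the result can be posted if something errors. The `/s` on `regsvr32` is added only to suppress its confirmation pop-ups.

```powershell
# Added example (not from the thread): the network-stack reset sequence
# above, run from an elevated PowerShell session with a transcript.

# Refuse to run without elevation; these commands need it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Open PowerShell with "Run as administrator" and run this again.'
    exit 1
}

# Assumed output location for the transcript.
$logPath = Join-Path -Path $env:USERPROFILE -ChildPath 'Desktop\netreset-log.txt'
Start-Transcript -Path $logPath -Append | Out-Null

# Same order as the instructions above; /s keeps regsvr32 from popping dialogs.
$steps = @(
    'ipconfig /release',
    'ipconfig /flushdns',
    'ipconfig /renew',
    'ipconfig /registerdns',
    'netsh winsock reset',
    'netsh int ip reset',
    'regsvr32 /s netshell.dll',
    'regsvr32 /s netcfgx.dll',
    'regsvr32 /s netman.dll'
)

foreach ($step in $steps) {
    Write-Host "==> $step"
    # Run through cmd.exe so the output looks exactly as it does in the prompt.
    cmd.exe /c $step
    Write-Host "    exit code: $LASTEXITCODE"
}

Stop-Transcript | Out-Null
Write-Host "Log written to $logPath. Restart the computer to complete the reset."
```

A non-zero exit code next to a step in the log identifies which command failed; the transcript keeps the command's own error text directly above it, which is more useful to post than "same error".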


I've done the router reset, changed all settings, looked for port forwarding and triggering. I saw that ports were opened and forwarded that I had not done about a month ago; settings would always revert back. I received a new router from Verizon, set up a password right away, set up WEP right away. Still have the same issues.

I did the commands you called for, and on the

**netsh int ip reset** I receive an error

so I did an ipconfig /all

then went to netsh.exe and ran as admin

same error

Here's a screenshot of ipconfig /all.

I ran Farbar Tool earlier yesterday, when I look through it I see a few errors the one that sticks out though is that users listed on the machine are GIVEUP & *a blank space*

Then further down in internet settings I see the same instances of **A blank space** initiating  commands

one is on port 139 I think

I'm a paying Malwarebytes customer

I use Anti-exploit and MWB as well as Bitdefender for security

I had an instance detected 2 months ago and it's been hell since, so

Any help is appreciated and if I'm seeing ghosts in the machine that aren't there please feel free to tell me I'm crazy

I also think I see an anomaly in the drives towards the end

Thank you

Paul W Letzelter

 

 

ipcon.PNG

FRST.txt


Also, here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 12:04:55 PM, on 8/30/2016
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.10240.17071)

Boot mode: Normal

Running processes:
C:\Users\GIVE UP\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
O4 - HKCU\..\RunOnce: [Uninstall C:\Users\GIVE UP\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\GIVE UP\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64"
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ngcsvc.dll,-100 (NgcSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\Windows\System32\SensorDataService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5447 bytes

It's not so much infections as a back door I'm worried about at this point

TCP log

[System Process] 0 TCP 192.168.1.166 53324 tacoda-atwola-prod-mtc-a.evip.aol.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53325 tacoda-atwola-prod-mtc-a.evip.aol.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53286 ocsp.comodoca.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53322 ocsp.comodoca.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53395 ocsp.comodoca.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53407 ocsp.comodoca.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53127 mpr1.ngd.vip.ne1.yahoo.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53627 mpr1.ngd.vip.ne1.yahoo.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53031 majorgeeks.com http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53409 majorgeeks.com http TIME_WAIT          
[System Process] 0 TCP DESKTOP-OP8E6OO 53654 localhost wsd TIME_WAIT          
[System Process] 0 TCP DESKTOP-OP8E6OO 53656 localhost wsd TIME_WAIT          
[System Process] 0 TCP DESKTOP-OP8E6OO 53657 localhost wsd TIME_WAIT          
svchost.exe 884 TCP DESKTOP-OP8E6OO epmap DESKTOP-OP8E6OO 0 LISTENING          
NvNetworkService.exe 2320 TCP DESKTOP-OP8E6OO 9990 DESKTOP-OP8E6OO 0 LISTENING          
mbamservice.exe 2304 TCP DESKTOP-OP8E6OO 43227 DESKTOP-OP8E6OO 0 LISTENING          
wininit.exe 592 TCP DESKTOP-OP8E6OO 49664 DESKTOP-OP8E6OO 0 LISTENING          
svchost.exe 1156 TCP DESKTOP-OP8E6OO 49665 DESKTOP-OP8E6OO 0 LISTENING          
services.exe 664 TCP DESKTOP-OP8E6OO 49667 DESKTOP-OP8E6OO 0 LISTENING          
lsass.exe 676 TCP DESKTOP-OP8E6OO 49707 DESKTOP-OP8E6OO 0 LISTENING          
svchost.exe 12 TCP DESKTOP-OP8E6OO 49708 DESKTOP-OP8E6OO 0 LISTENING          
System 4 TCP DESKTOP-OP8E6OO microsoft-ds DESKTOP-OP8E6OO 0 LISTENING          
System 4 TCP DESKTOP-OP8E6OO wsd DESKTOP-OP8E6OO 0 LISTENING          
System 4 TCPV6 desktop-op8e6oo microsoft-ds desktop-op8e6oo 0 LISTENING          
System 4 TCPV6 desktop-op8e6oo wsd desktop-op8e6oo 0 LISTENING          
wininit.exe 592 TCPV6 desktop-op8e6oo 49664 desktop-op8e6oo 0 LISTENING          
svchost.exe 1156 TCPV6 desktop-op8e6oo 49665 desktop-op8e6oo 0 LISTENING          
services.exe 664 TCPV6 desktop-op8e6oo 49667 desktop-op8e6oo 0 LISTENING          
lsass.exe 676 TCPV6 desktop-op8e6oo 49707 desktop-op8e6oo 0 LISTENING          
svchost.exe 12 TCPV6 desktop-op8e6oo 49708 desktop-op8e6oo 0 LISTENING          
jhi_service.exe 660 TCPV6 [0:0:0:0:0:0:0:1] 49808 desktop-op8e6oo 0 LISTENING          
spoolsv.exe 6736 TCP DESKTOP-OP8E6OO 52842 DESKTOP-OP8E6OO 0 LISTENING          
spoolsv.exe 6736 TCPV6 desktop-op8e6oo 52842 desktop-op8e6oo 0 LISTENING          
svchost.exe 884 TCPV6 desktop-op8e6oo epmap desktop-op8e6oo 0 LISTENING          
[System Process] 0 TCPV6 [0:0:0:0:0:0:0:1] 53653 [0:0:0:0:0:0:0:1] wsd TIME_WAIT          
[System Process] 0 TCPV6 [0:0:0:0:0:0:0:1] 53655 [0:0:0:0:0:0:0:1] wsd TIME_WAIT          
[System Process] 0 TCPV6 [0:0:0:0:0:0:0:1] 53658 [0:0:0:0:0:0:0:1] wsd TIME_WAIT          
[System Process] 0 TCPV6 [0:0:0:0:0:0:0:1] 53659 [0:0:0:0:0:0:0:1] wsd TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53341 217.147.88.127 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53351 202.214.2.11 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53130 192.82.242.21 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53131 192.82.242.21 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53291 192.82.242.21 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53292 192.82.242.21 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53293 192.82.242.21 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53639 192.82.242.21 http TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53587 192.243.250.36 https TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 icslap 192.168.1.1 39128 TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53328 192.168.1.1 1990 TIME_WAIT          
[System Process] 0 TCP 192.168.1.166 53377 192.168.1.1 1990 TIME_WAIT          
svchost.exe 1956 UDP DESKTOP-OP8E6OO ssdp * *    114 17,123      
svchost.exe 1956 UDP DESKTOP-OP8E6OO ws-discovery * *  36 43,900 227 208,398      
svchost.exe 1956 UDP DESKTOP-OP8E6OO ws-discovery * *           
svchost.exe 1356 UDP DESKTOP-OP8E6OO 5050 * *           
NvBackend.exe 5180 UDP DESKTOP-OP8E6OO 48300 * *           
svchost.exe 1956 UDP DESKTOP-OP8E6OO 60761 * *  90 96,724        
svchost.exe 1956 UDPV6 [0:0:0:0:0:0:0:1] 1900 * *           
svchost.exe 1956 UDPV6 desktop-op8e6oo 3702 * *           
svchost.exe 1956 UDPV6 desktop-op8e6oo 3702 * *           
svchost.exe 1956 UDPV6 desktop-op8e6oo 60762 * *  100 107,504        
nvtray.exe 7756 UDP DESKTOP-OP8E6OO 48301 * *           
svchost.exe 1956 UDP DESKTOP-OP8E6OO 62527 * *  3 407        
svchost.exe 1956 UDPV6 [0:0:0:0:0:0:0:1] 62526 * *  1 1 1 1      
 

I don't have anything installed yet really but it seems as if when I download MSI control center or Nvidia drivers there is a recall process

 

tcp.txt

tcp2.txt

tcp3.txt


https://totalhash.cymru.com/analysis/?14698d6ea04fc2c76fb63ed6db438b644f795fef

There is the other firewall rule; I can use Google too. With you being able to do that too, don't you think that if you can do it, someone using a RAT could as well?

See, the thing is I am getting all the telltale signs. I build computers, I'm very secure, I don't file share, I don't use Tor (anymore), so I can tell when there is something wrong with my baby, and she is sick.

Also, my Farbar scan is much different since I've run the computer a few days.

This topic is now closed to further replies.