Jump to content

hacked and being remotely watched


Recommended Posts

Hello so i have being hacked and i need some help with this..I have took some screenshots about this with tcpview.So first one see last svchost.exe with UDP protocol with no remote address or port.When i try to go to properties it shows this unable to query properties for svchost.exe..i attach all these screenshots if someone can check them and help me to get rid of hacker..

hacker.JPG

hacker1.JPG

hacker2.JPG

hacker3.JPG

hacker4.txt

Link to post
Share on other sites

  • Root Admin

Hello and :welcome:

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed, please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large, then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable, it is unlikely, but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous; please be patient. Often we are also in a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 01
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.
When RKill runs, it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process and does not delete any files, after running it, you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill, you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1 | Link 2

  • On Windows XP Double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear, this is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.

 

STEP 02
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Link to post
Share on other sites

hello advancedsetup. im very worried now because i couldnt log in to my account and i had to do password reset someohow someone got my password and its now changed but what if he gets this password again? i pasted logs

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/13/2016 06:48:08 PM in x64 mode.
Windows Version: Windows 10 Home 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity: 

 * agp440 [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * No issues found.

Program finished at: 10/13/2016 06:48:37 PM
Execution time: 0 hours(s), 0 minute(s), and 29 seconds(s)
 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 13.10.2016
Scan Time: 18.53
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.13.09
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: BBB

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 323783
Time Elapsed: 7 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

  • Root Admin

Looks like the box has some broken services or something causing it to look like they are. Let me have you go ahead and run the following scans though to make sure there are no real infections, then we'll look at fixing the computer issues not related to malware.

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 03
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 04
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista / Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done, you'll see: Pending: Please uncheck elements you don't want to be removed.
  • Now click on the Report button and a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look at the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up, click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want to be restored > now click on Restore.

STEP 05
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 06
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

  • Root Admin

Would have to be a complete coincidence with AdwCleaner and your audio service. AdwCleaner logs show it did not remove anything.

The logs indicate that your Search Service seems to be broken. Please see if you can reset the index on it.

Aside from that, the logs don't indicate any real infections. We'll move onto some other fixes.

Let me have you visit the following site and run the repair to check for and repair issues with your computer.

http://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image

Once that's completed and there are no issues found anymore let me know.

Thanks

 

Link to post
Share on other sites

  • Root Admin

Yes, I believe I was thinking you were running another Operating System. The entries for RKIll don't apply. Those items are not part of your system.

However, you do thave this Search issue I spoke of before. Were you able to reset that and get it fixed so that it no longer creates an error in the Event Logs.?

You also have this Event shown in the logs.

System errors:
=============
Error: (10/16/2016 06:01:46 PM) (Source: DCOM) (EventID: 10016) (User: NT-hallinta)
Description: Kohteen sovelluskohtainen käyttöoikeusasetukset eivät myönnä käyttäjälle NT-hallinta\SYSTEM, SID-tunnus (S-1-5-18) osoitteesta LocalHost (LRPC käytössä), käyttöoikeutta Paikallinen Aktivointi COM-palvelimen sovellukseen, jonka CLSID-tunnus on
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 ja APPID-tunnus on
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 ja joka suoritetaan sovellussäilössä Ei käytettävissä, SID-tunnus (Ei käytettävissä). Tätä suojauskäyttöoikeutta voi muokata komponenttipalveluiden hallintatyökalulla.

 

There are no other signs in general of an issue especially remotely for the computer. Look at the above and try to fix. Then we can run some other basic commands to look at some accounts and stuff but so far I see no signs of Remote Access to this system.

 

 

 

Link to post
Share on other sites

  • Root Admin
  • Root Admin

You have a few errors going on in the Event Logs that need fixing but do not appear to be malware related. Possibly damage from an infection or just junk build up over time.

It might be best to seek help on a Finish support forum as this appears to be a Finnish installation of Windows which using Google Translate may help but is difficult as I only read and write English.

 

Application errors:
==================
Error: (10/21/2016 5:48:36 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User:)
Description: Cryptographic Services could not handle OnIdentity () - call system kirjoitusobjektissa.

Details:
AddLegacyDriverFiles: Unable to back up Microsoft's image of the binary link layer discovery protocol.

System Error:
Access denied.
.

Error: (10/21/2016 5:12:31 PM) (Source: Windows Search Service) (EventID: 3104) (User:)
Description: User Sessions numbering for the formation of suodatinvarantojen failed.

For more information:
(HRESULT: 0x80040210) (0x80040210)

Error: (10/20/2016 3:30:26 PM) (Source: Windows Search Service) (EventID: 3104) (User:)
Description: User Sessions numbering for the formation of suodatinvarantojen failed.

For more information:
(HRESULT: 0x80040210) (0x80040210)

Error: (10/19/2016 11:27:39 PM) (Source: Windows Search Service) (EventID: 3104) (User:)
Description: User Sessions numbering for the formation of suodatinvarantojen failed.

For more information:
(HRESULT: 0x80040210) (0x80040210)

Error: (10/19/2016 8:27:36 PM) (Source: Windows Search Service) (EventID: 3104) (User:)
Description: User Sessions numbering for the formation of suodatinvarantojen failed.

For more information:
(HRESULT: 0x80040210) (0x80040210)

Error: (10/19/2016 8:07:38 PM) (Source: Microsoft-Windows-Shell-Immersive) (EventID: 5973) (User: DESKTOP-L3UPC30)
Description: Application Microsoft.WindowsMaps_8wekyb3d8bbwe App activation failed, error: -2144927148. Further information about the Microsoft-Windows-TWinUI / Activity Log.

Error: (10/19/2016 7:47:38 PM) (Source: Microsoft-Windows-Shell-Immersive) (EventID: 5973) (User: DESKTOP-L3UPC30)
Description: Application Microsoft.WindowsMaps_8wekyb3d8bbwe App activation failed, error: -2144927148. Further information about the Microsoft-Windows-TWinUI / Activity Log.

Error: (10/19/2016 7:32:37 PM) (Source: Microsoft-Windows-Shell-Immersive) (EventID: 5973) (User: DESKTOP-L3UPC30)
Description: Application Microsoft.WindowsMaps_8wekyb3d8bbwe App activation failed, error: -2144927148. Further information about the Microsoft-Windows-TWinUI / Activity Log.

Error: (10/19/2016 7:27:37 PM) (Source: Windows Search Service) (EventID: 3104) (User:)
Description: User Sessions numbering for the formation of suodatinvarantojen failed.

For more information:
(HRESULT: 0x80040210) (0x80040210)

Error: (10/19/2016 7:27:37 PM) (Source: Windows Search Service) (EventID: 3104) (User:)
Description: User Sessions numbering for the formation of suodatinvarantojen failed.

For more information:
(HRESULT: 0x80040210) (0x80040210)


System errors:
=============
Error: (10/22/2016 2:42:01 PM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/22/2016 2:39:11 PM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/22/2016 2:31:11 PM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/22/2016 12:28:11 AM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/21/2016 5:59:08 PM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/21/2016 5:11:29 PM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/21/2016 2:38:51 AM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/20/2016 3:28:51 PM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/20/2016 1:40:08 AM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

Error: (10/19/2016 9:11:40 PM) (Source: DCOM) (EventID: 10016) (User: NT-management)
Description: Overview of application-specific permission settings do not grant the user management NT \ SYSTEM SID (S-1.5.18) from localhost (LRPC use), access to Local Activation of a COM server application with CLSID is
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID symbol is
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 and run an application store is not available, the SID (Not available). This security access can edit the Component Services management tool.

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.