
Problem not solved


Waldek


Hello.

I am new to this forum so I will introduce myself quickly. My name is Waldek. I am 24 years old and I live in the UK. I have been playing the same MMORPG, Tibia, for about 12 years.

Okay, so basically I have got a problem with my laptop and a few other devices at home, but let's forget them for now and concentrate on my laptop only.

The problem is that one day someone, somehow, got my IP address. I was never pinged or anything like that. So, one day after I pressed the shutdown button my Win7 started doing some updates. After I turned it back on it continued to install them (about 42,000 files/items). When Windows loaded I could see a new icon on my desktop: Remote Desktop App (mstsc.exe, located in system32). That is when I realised something was not okay. I unticked the ticked box under Remote settings, so it is not allowed any more. This thing appeared on the other device connected through the same WiFi router as well. Basically I realised someone had done something to my PC and, despite all the protection I had at that moment, it was done because this setting was ON.

So I will try to come to a conclusion, or rather I will try to explain what my problem is now (I mean I will try, because I don't know what the problem is, or I am just not that "computer literate". Basically I can provide all the information or screenshots upon request).

Okay, so the things that drew my attention the most after this happened were:

- I could not reinstall Win10 on the other device (HP laptop). When I tried this setting from boot menu > fully reinstalling Windows (deleting all the files as well), the reinstall always stopped at 43% and a message in a blue window appeared saying "Trusted Modules Installer requested (something)". I could allow it or reject it. I was told to reject it, so I did. Then the system went off and back on, but this time in more of a Windows installing interface, not BIOS. So when I finished the installation in Windows/Cortana my Windows was carrying out a bunch of processes (most of them under the process tiworker.exe); it also updates and then the system automatically restarts, without even asking me if I agree.

- I have lots of Application Extensions for both my browsers, Internet Explorer and Google Chrome. I cannot delete these files from my folders because I am not allowed to do so.

- I realised I have a bunch of devices and/or drivers in my Device Manager that I never had before, and the same goes for Inbound and Outbound rules in Windows Firewall. Most of them, if not all, relate to each other (I mean a driver from Device Manager relates to an Inbound/Outbound rule in the Firewall). I am really not sure if that is the way it should be, therefore I can provide a screenshot if requested, or I can export both Inbound and Outbound rules into Notepad and copy/paste them here for you guys.

- My C: drive changed its format to the NTFS file system (on this laptop, which is a Win7 Compaq).

Seriously, there are so many things I could list here that I don't even know where to start and where to finish, therefore I think it would be easier if someone asked me a question and I tried to provide an answer or a screenshot. However, the thing that drew my attention the most is when I open Resource Monitor from my Task Manager. For example, today I booted my laptop in Safe Mode; it loaded a bunch of drivers, and then it said Safe Mode only loads essential drivers. When I had my WiFi button off and the icon was off as well, I could see one thing under Network Processes in Resource Monitor that had an IP address and port and was sending and receiving B (around 100/sec).

So I leave it with you guys, and I only write it here because I did a full (recommended) scan with Malwarebytes in Safe Mode with WiFi (even the router) off and it did not find anything. I guess my laptop is not mine any more. If you think I should run my scan one more time but with custom settings, please let me know. Thank you!

PS. I had Malwarebytes ON when that thing happened; it was the PREMIUM TRIAL version. Today my trial expires and I am not sure if I want to pay for it or not.

PS2. On one computer forum I was simply told that I was DOOMED and I can burn my devices and router and buy new ones.

 

 

 

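The three things the opening post worries about (Remote Desktop left enabled, unexplained inbound firewall rules, and a process holding a network socket) can each be checked directly rather than by eye. The PowerShell below is an added example, not something posted in this thread or by Malwarebytes staff. It uses only tools built into Windows 7 and later (the registry, netsh and netstat), so it runs on both machines mentioned; the registry values and the netsh/netstat output layout are standard Windows, while the dump file name on the Desktop is an arbitrary choice. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the forum thread): triage of RDP state, inbound
# firewall rules for RDP, and socket-to-process mapping on Windows 7+.
# Run as Administrator. Output is printed to the console.

# 1. Remote Desktop. fDenyTSConnections = 1 means "Don't allow connections",
#    which is what unticking the box under Remote settings writes.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { 'Remote Desktop: disabled' } else { 'Remote Desktop: ENABLED' }

#    Network Level Authentication only matters while RDP is enabled; 1 means
#    a client must authenticate before it gets a logon screen.
$nla = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
"NLA required before logon: $($nla -eq 1)"

# 2. Firewall. Dump every inbound rule to a text file (the same export the
#    post offers to paste), then pull out the rules that open TCP 3389.
#    In netsh output "LocalPort:" sits 9 lines below "Rule Name:" and 3 lines
#    above "Action:", so a 9/3 context window prints one complete rule.
$dump = Join-Path $env:USERPROFILE 'Desktop\firewall-inbound.txt'   # arbitrary file name
netsh advfirewall firewall show rule name=all dir=in | Out-File -FilePath $dump -Encoding ascii
Select-String -Path $dump -Pattern '^LocalPort:\s+3389\s*$' -Context 9,3 |
    ForEach-Object { $_.Context.PreContext + $_.Line + $_.Context.PostContext + '' }

# 3. Sockets. Every listening or established TCP socket with the owning
#    process and its binary path. A socket bound to 0.0.0.0 or [::] is
#    reachable from the network as soon as a firewall rule allows it; a peer
#    of 127.0.0.1 is loopback traffic that never leaves the machine, which
#    is one way a Resource Monitor entry can show bytes with the WiFi off.
netstat -ano -p tcp | Select-String -Pattern 'LISTENING|ESTABLISHED' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'          # Proto, Local, Foreign, State, PID
    $p = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
    $name = '?'; $path = ''
    if ($p) { $name = $p.ProcessName; $path = $p.Path }
    New-Object PSObject -Property @{
        Local   = $f[1]
        Remote  = $f[2]
        State   = $f[3]
        PID     = $f[4]
        Process = $name
        Path    = $path
    }
} | Sort-Object State, Local | Format-Table Local, Remote, State, PID, Process, Path -AutoSize
```

The socket listing is the part worth reading most carefully: the question is not whether a process has a socket, but which binary owns it, where that binary lives, and whether the local address is a loopback or a wildcard bind. Paths under C:\Windows\System32 for svchost.exe, lsass.exe and System are expected; an unfamiliar path under a user profile or a temp folder is what to report back with the logs.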

Okay, so I thought it might be useful and helpful for you guys, therefore I did an FRST scan.

ps. I did it on my Win7 Compaq laptop, which was bought second hand, so I am not even sure if the Windows itself is original or not.

Anyway, I have attached the logs below.

Addition_20-09-2017 22.29.12.txt

FRST_20-09-2017 22.29.12.txt

Thanks


8 hours ago, Waldek said: (quotes the opening post above in full)
*I did check - my Windows 7 is activated and it is genuine. 


  • Root Admin

Hello @Waldek and welcome.

The logs are not showing anything obvious as far as an infection. A couple of minor things that are common problems with computers. We can run some other scans though to make sure.

Please temporarily disable your antivirus and run the following. It's quite late here for me so I'm heading out, but will check back on you again sometime tomorrow.

 

Please visit this web page and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

 

Thanks

Ron

 


I did have a quick look on the report, and I can see Windows Defender Enabled/Updated.

However, I tried my best to turn off all protection at the time and, to be honest, I could not see any Windows Defender icon or process, and I still cannot.

I am also pretty sure my Computer and Internet Properties (especially user accounts and settings/permissions) are messed up (part of it could be my fault; when I was desperately trying to avoid the issue, I may have changed some settings in the wrong way).

I am also willing and able to provide screenshots/or settings(how they are being set/whats ON/OFF) if specified which ones you want Sir.


  • Root Admin

So far nothing malware related is being found. Let's go ahead though and run another standalone rootkit scanner and see if it finds anything or not.

Please read the directions from this topic and run the scanner. However, keep all check marks enabled. Do Not uncheck any items. Then run the scanner.

Thanks

Ron

 


Good Morning Sir.

I have done the scan that you requested. I attach the log file below and I am about to run a full Malwarebytes scan now. Thanks

(ps. I tried the drag and drop attach option but my cursor turns into a kind of STOP sign, so I have to attach them through "Drag files here to attach".) Never mind.

 

 

mbar-log-2017-09-21 (18-27-20).txt

system-log.txt


  • Root Admin

Again, nothing found. Let's try one more antivirus scan from Kaspersky. At this time whatever issue you're having does not appear to be due to malware.

 

Please download and run the following tool to remove any found threats

Kaspersky Virus Removal Tool

 

Let me know if it finds anything

 


OK boss. As requested, a full scan by KVRT.exe was run. It said everything is fine, although when I opened the results this appeared: see attachment 1 (kaspersky1.png).

I also attach the logs below.

> OK. Tell me what to do now. See attached file 2 (kas77.png).

If you don't need them, let's just proceed then, I guess.

 

 


  • Root Admin

No, that is nothing.

Okay, let's do a browser reset. Just to make sure nothing odd there.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed, you may want to consider uninstalling it, as older versions of some software can increase the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the Run dialog box.
  • Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  4. [Screenshot: all files and folders in the profile selected, except Bookmarks]

 

Restart your computer now and make sure there are no longer any redirects or other browser issues. 
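The Chrome part of the reset above is a manual file deletion in the profile folder, which is easy to get wrong (missing the Ctrl-click, or deleting the bookmarks after all). The following PowerShell script is an added example, not part of the instructions above, that does the same thing: it keeps Bookmarks and Bookmarks.bak, removes everything else in the Default profile, and takes a full copy of the profile first so the step can be undone. It assumes the standard per-user Chrome path and a single profile named "Default"; the backup folder name on the Desktop is my choice.

```powershell
# Added example (not from the forum post): scripted Chrome "Default" profile
# reset that preserves the bookmark files and backs the profile up first.
$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$keep = @('Bookmarks', 'Bookmarks.bak')      # the two files the manual steps unselect

# Chrome must not be running: it holds locks on profile files and rewrites
# them on exit, which would undo or break a partial deletion.
if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    throw 'Close all Chrome windows before running this reset.'
}
if (-not (Test-Path -Path $chromeProfile)) {
    throw "Chrome profile folder not found: $chromeProfile"
}

# Safety net: copy the whole profile to the Desktop before touching it.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:USERPROFILE "Desktop\Chrome-Default-backup-$stamp"   # arbitrary name
Copy-Item -Path $chromeProfile -Destination $backup -Recurse -Force

# Delete every file and folder in the profile except the bookmark files.
# -Force on Get-ChildItem includes hidden items so nothing is left behind.
Get-ChildItem -Path $chromeProfile -Force |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-Item -Recurse -Force

"Profile reset. Kept: $($keep -join ', '). Backup: $backup"
```

Sign-in to Google Sync and the "reset sync" step still have to be done in the browser first, exactly as listed above; otherwise the next sign-in simply pulls the old extensions and settings back down from the server.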

 


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
