I have tried everything... need help... SOS

Here is my sad story, I am infected as we speak so I am sure whoever is doing this already knows I am posting here. 

This has been happening for about 4 months. I will list my attempts to stop it and what I have learned, although whatever/whoever this is... is very skilled.

The normal routine is: clean wipe, try to secure Windows (adjust any options, install AV, close holes), all disconnected from the internet with a clean USB. Then I will update. I try to do all drivers before getting on the internet so as to not download anything once connected.

I will adjust router settings, firewall before this, then I will usually install my software, which is basically just PC games (only two at this point since I am unable to use others), and that's when it starts. Eventually, stuttering then I hear the hard drive overworking, even if I am idle in Windows, task manager blows up, processes switch.

I don't know if it's possible, but once this happens, my gaming experience changes. Seems like in each game, I am being trolled, or followed on purpose... the same group trolls, basically making it unplayable. After that, my system goes haywire, nothing works as it does in the first hour of a fresh install, it becomes unusable.

Anyway, I am sure I am being targeted specifically at this point (due to the way I am trolled in the game and verbal attacks), so I am here. The last two days, I tried Norton, and both times I was sent something called a decompression bomb through the Norton update, which basically destroyed my system.

I saw a computer around that time on Avast, connected to my router, with no Wifi, running something called Unix, and undetected. I was also sent a similar bomb using Malwarebytes, through the update, I could see as well the files were changed in the logs, to mimic MB and norton. 

Here are my logs for today. I am infected at the moment and I can't log in to my router, so I thought I would send this before the 200th format of this year... Whoever is doing this is really good, or maybe I am just really noob. I really need advice... thanks.


scan.txt

FRST.txt

Addition.txt


  • Root Admin

Hello @bookofjob and :welcome:

The FRST logs were not run correctly. You need to run them using an Administrator account.

Ran by TJ (ATTENTION: The user is not administrator)

Please log onto the computer with an account that has Admin rights and run it again and post back the new logs.

Thank you

Ron



  • Root Admin

The current logs are not showing any real issues as far as malware. There are some errors in the Event Log section, but that's semi-normal for most computers.

We'll go ahead though and run some other scans to check further.

Have you done a full hardware factory reset of your router?

What game are you playing when this happens?


Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.


Once that is done then run the following.


Download PowerTool and save to your Desktop, ensure to get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh

PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right click on PowerTool, select "Run as Administrator"

Windows 8/8.1/10 users may see the following, if so select "More Info"


In the next Window select "Run Anyway"


Initially click on sq image to enlarge window to full screen (As shown in the image below)
Now click on Kernel tab (No. 1 on the image below)
Then click on Kernel Notify Routine (No. 2 on the image below)
Also click on Path so you sort the list by name (No. 3 on the image below)


Right click anywhere on listed items under path (No. 4 on the image above) and select Export.


Save exported file to your Desktop, zip up that file and attach to your reply....


Thank you,

Ron

I recently decided to try Malwarebytes with Windows Defender, and after maybe one day, while I kept it up to date and scanned a lot, the task manager would start acting up... I could see processes whose names were off. I manually updated MB and all of a sudden it said "10 updates" came through MB, the processes were different, and Malwarebytes was open but it would scan very fast, say nothing detected, and freeze when clicking it.

I tried Norton with MB, and after about one day, Norton was working okay and showing me login attempts over the router, and then the same thing.... all of a sudden files were sent through the update, like 20.... and Norton stopped working completely and again the OS was ruined. I saw the file in Norton's folder, it looked similar to the normal update folder but it was not.

I formatted and reinstalled, same thing Norton and MB, and again the update happened again, same exact method. So I installed Avast when it happened, and I saw through Wifi inspector, there was a computer connected to my router, even though I am hardlined and WIFI was disabled, his IP was like mine with the numbers different at the end, and it said he was running something called "Unix" as his OS. 

I ran a scan with avast and before the OS loaded it scanned and said it found something called a decompression bomb with norton, I took a picture and also Norton said something about GNU BASH as well, and something about blocking attempts to retrieve passwords.

I am forced to reset my router each day, as well as clean format my computer, this will happen between 2-8 hours once the computer is online, and the attacks have gotten worse since I have tried to stop them. Here are the logs, I can upload the pictures if you want as well:


notify.zip

TDSSKiller.3.1.0.17_29.06.2018_00.51.15_log.txt


This started to happen to me months ago, I just ignored it, but it has gotten to the point where I cant anymore since my system goes haywire. I have also upgraded my computer to see if that would make a difference but it did not. 

When I play a game like Players Unknown Battleground, which is very system heavy... I started to really notice it. The processes start to run, I see my FPS drop and stuttering, I will check task manager and see that it's going haywire with tasks that were not there before... it makes the game unplayable and then yeah, I can't use the web and I can't even restore Windows. If I create a backup, either it's an error or, if I use a flash drive, it will sometimes transfer to the new format. One attack yesterday was called "OS attack: GNU Bash CVE-2014-6271" and it destroyed my system and Norton in like a few seconds.

I ran this program again just in case. I had been using the local account, and I noticed that slows down the rate of it happening... since I have been on admin for a while, I will upload this again. Thanks.

FRST.txt

Addition.txt


So today I had some more issues, eventually forcing me to reformat. I was able to take pictures and run those logs before I did. My Avast would not load, Malwarebytes would not update and was not doing anything, I could not even access my router. Most of the processes were disabled, with similar ones running, and I had unknown ports open at once.

Nothing worked and I was able to bring the log to another computer, which could be infected, since it was a fresh format and as soon as I plugged the usb in, the event viewer went off.

I see that, it is using the ability to update from the AV's, to download whatever and disable things... and I see the system admin account, starts modifying stuff. I don't know what to do, I had to reset my router, could this be the cause?

How can I at least stop the intrusions or have some kind of defense? I am using a router+modem combo, given to me by my ISP, if this has something to do with it... should I purchase a different one? Any advice on anything I can do would really be helpful. Is it possible the usb can still be infected after a diskpart clean all?

Here are the logs before the format, and some pictures:


55186134314__15B05FDA-9919-4B0E-8DEC-CA8E8FD8975C.JPEG

55186135649__AF37894B-4EDD-4A91-8699-E93573C88D61.JPEG

Addition.txt

FRST.txt

IMG_0003.JPG

IMG_0007.jpg

IMG_0008.jpg

IMG_0009.jpg


  • Root Admin

A decompression bomb just means a highly compressed file that avast will not unpack and scan. It does not mean it's an infection or threat.

Aside from some minor junk I don't see any threat, or infection in the logs.

Let's do this since you've already installed a few times.

1. Install the boot media for Windows 10 installation.
2. Delete ALL partitions
3. Install Windows
4. DO NOT install Chrome
5. DO NOT install any Games
6. DO NOT install any antivirus, use the built in Windows Defender

Once you have that done then run a new FRST scan on the system and post back those logs.


Thanks again for the response, I took some time to try to gather what info I could. Here is some data, I don't know if any of it will help... but I am giving it a try since I have nothing to lose. Last night, I was playing World of Warships and the trolling was present, even some of the names were similar to my title of this post, (EX: sos_44, helpplz). That's the style of the trolling usually, like the signature or whatever...

Anyway... here is whatever I could put together, maybe you can understand it better than I can and at least give me advice on how to prevent an intrusion or remote access, if you don't see any infection.

Those are my logs right before I reinstalled just now per your instructions. I have included my Kaspersky event log; the python log is from World of Warships, as I can assure you I am being trolled no matter which match I join, and I am not sure how it's possible. I don't understand the technical stuff but maybe someone else does, or maybe it will show nothing.

The connection log is in relation to steam, I only have been playing Players Unknown battleground, but the trolling is harder due to the design of the game. I do try to read the logs and its harder for it to happen, but I have noticed similarities especially if I squad vs solo. 

Last night I checked my steam event logs, which I didn't know I could access, and I posted a photo, you can see access from somewhere else happens. The OS is listed as "-400" and sometimes will log from LA, or San Diego, and then log out or stay logged in. I have changed my pass and stuff and contacted Steam but I doubt this will matter. I added that anyway to see if it means anything, even though it may not. I will attach the new Addition and FRST to the bottom post.

Thanks for your time.


Addition.txt

FRST.txt

KasperskyLog.txt

python.log

connection_log.txt

image3.jpeg

image2.jpeg


The other pic was right before I uninstalled. I was looking at the default app and I noticed strange apps and some errors when trying to find a different default. I don't know if it's possible to copy a Microsoft Digital Signature, but I took a photo and noticed some of the programs seemed off, and Kaspersky showed me some were not used by many users, always 50% from other countries compared to the normal files.

FRST.txt

Addition.txt


  • Root Admin

ATTENTION: System Restore is disabled

Windows Defender is having issues updating too. Please check and see if you can get Windows Defender to update and do a full system scan with it.

Next, please run the following for me.

Provide System Specifications:

  • Please download Speccy from here and save the installer to your desktop or another location where you can easily find it.
  • Double-click the file to begin installation and follow the onscreen steps to complete the installation and make sure that the checkbox next to Run Speccy is checked before you click on Finish at the end.
  • Once the program starts it will analyze your system, please be patient as it may take a few moments to complete.
  • Once it finishes and none of the areas say Analyzing click on the File button at the top and select Save Snapshot...
  • Save the file to your desktop and click Ok to confirm
  • Go to your desktop and right click on the file you just created and hover over Send to and select Compressed (zipped) Folder
  • Please attach the zip file you just created to your next post


This one too, and don't install Chrome or any games or applications on this system until we're ready to do so together.


Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

Thanks

Ron


Okay, so here is an update, sorry but it's been a bit difficult. Once I received your instructions, I was already on a new format, but I was already infected. I followed your instructions; the scans below are of a fresh install, nothing downloaded except from Windows Update, no settings altered, nothing else touched. All run correctly, like you asked, but I have to show what has happened.

I am going to post the same scans from my last flash of the computer with issues, and I included some pictures. One picture was from a fake Microsoft support agent, who I tried to contact and who eventually emailed me as Microsoft support; as you can see in the pic, that was the e-mail address. I posted a pic of the USB driver installed on my flash drive. I was attempting to wipe it clean but I think files stayed on it no matter what I did.

I included a picture of my task manager running, while I was being trolled in World of Warships, and when I say trolled I don't mean they are just verbally causing problems. They are joining the game with ships, and throwing the matches... almost like once I search, we all join together. 

This game I think is developed by a Russian company. I don't know how anyone could do something like this, but in game I mute them. Right before the first match ended, I told them I had muted them, and in the next round, even with the mute on, they were able to speak and break the mute. I have a screenshot to prove it.

After this occurred, I was e-mailed by my ISP about security issues on my account... and before formatting and posting this, as I shut down windows I was told other users would lose data in one screen shot.

The picture and scans before a clean boot, I will post below.. I am doing this because the hard drive they are on is more than likely infected and so I waited to post this first.

I really need some help here, or advice as I don't know why I would be targeted like this. Steam has also informed me that my account is compromised, and the log-ins are still occurring no matter what I do. 


Scans.zip

IMG_0002.PNG

IMG_0004.jpg

IMG_0006.JPG

IMG_0008.JPG

IMG_0009.JPG


  • Root Admin

Okay, at this point then you have a couple options as I see it.

1. Take the computer to a reputable computer repair shop and have them fdisk, format, and install a new, clean, fresh installation of Windows for you.
2. You buy a new 8GB USB stick. Download the Windows 7 or Windows 10 installation media directly from Microsoft from another computer at work or a friend's house. Fdisk (remove all partitions of the drive; make sure all user data is backed up) and install Windows again from scratch. This will require a full license to activate Windows.

Either the USB stick you're using or the installation media appears to be suspect and not original.

Also, it would be a good idea to do a Factory Reset of your router. Then set a strong password on it.
https://lifehacker.com/how-to-create-a-strong-password-1797681069

Example of a Strong Password (do not use, it's only for an example):

ueSV>C{R?_47~VJE

With a reset router, and clean installation media it's pretty difficult to infect Windows 10 right away. Windows 7 is a little easier to infect, but still should not be easy unless you go out to various sketchy websites.


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
