gdwar

Laptop heavily infected plus hacked remote control?


Hi guys, I'll keep my story short. I think my PC is being remotely controlled and infected with Trojans, malware, ransomware, etc. What makes me feel like that? Well, my certificates, credentials, passwords, user rights and much more are being changed/blocked/deleted. I had to exchange my Comcast router; I had a technician come to my house to do a checkup, and he found my outside Xfinity box open and the cables had been played with. He installed a MoCA point-of-entry adapter just in case I'm a victim of a man-in-the-middle or evil twin attack. I installed ExpressVPN and the brand new Bitdefender 2019 top security software, and changed the security settings within my router to basically max security. Blocked MAC addresses... I recovered my own laptop for the 10th time, but somehow someone or something keeps getting access to my laptop. I have extremely high data consumption at night while I sleep, even though my PC is shut down before I go to sleep.

Current status: I disabled my wifi adapter within the BIOS and am plugged into Ethernet. My antivirus and VPN are broken because they don't work anymore; I can't uninstall certain software anymore, like Malwarebytes for example. I have weird background tasks running. There are unknown rootkit certificates installed by Root Agency and lots and lots of other stuff happening... I am attaching some pictures for you that looked suspicious to me. I am writing this from my Galaxy, which also has a VPN on it because my phone started to act strange.

 

Please, I need an expert like you folks to look into this and tell me what's going on. Much appreciated.

20181003_234119.jpg

20181003_234101.jpg

20181003_234057.jpg

20181003_234029.jpg

20181003_233933.jpg

20181003_233921.jpg

20181003_233133.jpg

20181003_233125.jpg

20181003_223812.jpg

20181003_223801.jpg


Hello @gdwar and welcome!

Let's start out by having you run some scans and post back some logs, please.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3, then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet, please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed, click on the Export Summary button and save the file as a Text file to your desktop or another location you can find, and attach that log to your next reply.
  • If Malwarebytes won't run, then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Hi Ron,

 

First of all, thank you for helping me.

 

I have to tell you that in the meantime I had someone come over and install HitmanPro Alert and HitmanPro, and he ran some scans and was able to remove a ransomware file found on my laptop. I am going to attach that specific HitmanPro Alert log file for you as well.

 

Also we updated and installed the new Win 10 update 1809 and ran more scans that came out.

 

My HitmanPro Alert software and Windows Defender alerted me that FRST64x had unauthorized files and they had been blocked. However, I was still able to run the software after that (with the blocked file/s).

 

So far my laptop looks clean. Not sure about the remote control, though, even though it "feels" like everything is ok so far...

 

I still went ahead and followed your steps. Here are the results.

 

Looking forward to hearing back from you.

 

summary mb.txt

AdwCleaner[C00].txt

FRST.txt

Addition.txt

HitmanPro_20181004_0446.log


Hitman Pro and Windows Defender are unable to decode the file FRST64.exe, and it does have the ability to do severe damage to your computer, so they treat it as a threat. That is a false positive: the file is written in the AutoIt scripting language and is then converted to an executable by other software that obfuscates the code so that it cannot be unpacked and read by the antivirus. Hitman and Defender should have exclusions added so that they trust FRST64.exe.

Most antivirus doesn't detect cookies as threats like Hitman Pro does. Not dangerous, but was removed so all is good there.
As for the potential ransomware, I highly doubt that it is or was one, really. More than likely another false positive. We'd need to get that file restored and then zipped up and sent to me so that we could analyze it. But no harm in removing it either. _isres.dll appears to be a module belonging to InstallShield (R) from Macrovision Corporation. It normally is part of an installer. Most current ransomware does not blatantly leave files lying around like that. They generally try to either clean up or hide quite a bit more. It is possible, though, that it is or was part of a threat that was orphaned. Orphaned files often are due to partial cleanups. You can read more about that below.

Description  . . . : FLEXnet (R) InstallShield (R) Dialog Resources (normally part of licensed software that uses a dongle to control access or operation of some software applications.)

The complexity of finding, preventing, and cleanup from malware

Let's go ahead and run another scan with Kaspersky antivirus to help double-check we've not missed anything. Please make sure to temporarily disable other security software when running the scan.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

Cheers, Ron

 


Hi Ron,

I have run Kaspersky and it came out clean!

 

HOWEVER, 

I have found weird scheduled tasks, registry entries, files, etc. that look suspicious to me and that none of the anti-malware software finds. However, when I look up these files online they are being mentioned by random people as potential malware, Trojans, remote control files, etc...

 

For example, CCleaner showed me, in my scheduled startup tasks, weird powershell.exe tasks with strange codes for my files and drives that I couldn't remove at first because my access had been denied, so I've been digging through the web trying to understand what these files do, and official forums like the Microsoft forum and BleepingComputer show people with step-by-step guides to remove these hidden and suspicious, unnatural files that could potentially harm the computer. (Supposedly a powershell.exe virus.)

When I recovered my laptop I also recovered my wife's laptop at the same time. I bought a brand new USB flash drive and downloaded Win 10 with the Windows Media Creation Tool and wiped each laptop's hard drives completely. But as soon as I start these 2 laptops, they have the EXACT SAME corrupted and strange files in the exact same locations. Like that powershell.exe virus mentioned above.

Like I said, I downloaded the Windows Media Creation Tool and downloaded Windows 10 straight onto a fresh, newly bought USB flash drive.

I wiped both laptops, deleted and formatted all partitions and installed windows 10. 

I am leaving both laptops off the internet on purpose for now because I got the feeling that as soon as I connect to the internet I trigger one of these strange files and they do their harm...

The moment I installed a brand new windows 10 I ran sfc /scannow with admin rights and it found corrupted files right away. I had to run it 3 times in order for it to come out clean. How is this possible when I just wiped and installed a fresh windows 10 home?

I also ran Dism /online /clean-image /restorehealth ... twice 

Also, I have the wireless network app Fing on my phone, and my wife's laptop showed up as a NetBIOS file server with ports 135, 139, 445 open... how can this be? I blocked all ports that could give access to these files for potential remote hackers and took both laptops off the internet for now.

How can it be that a brand new Windows 10 installation on wiped and partitioned hard drives will show corrupted files and have strange hidden startup tasks, and tasks scheduled within the Task Scheduler, on both laptops, like it's being duplicated?

There were 83 tasks scheduled in the Windows Task Scheduler that I found randomly, but I was able to bring it down to 10.

Is there any way you can analyze my system, or is there something you can do to check on it and see? All I can do is show you pictures that I took that looked suspicious to me. I'll attach them for you.

Thanks, G

Screenshot_20181005-104104_Fing.jpg

Screenshot_20181006-154113_Gallery.jpg

Screenshot_20181006-154156_Gallery.jpg

Screenshot_20181006-154209_Gallery.jpg

Screenshot_20181006-154223_Gallery.jpg

Screenshot_20181006-154146_Gallery.jpg

Screenshot_20181006-154231_Gallery.jpg

Screenshot_20181006-154254_Gallery.jpg

Screenshot_20181006-154302_Gallery.jpg

Screenshot_20181006-154310_Gallery.jpg

20181006_042248.jpg

Screenshot_20181006-154330_Gallery.jpg

Screenshot_20181006-154358_Gallery.jpg

Screenshot_20181006-154410_Gallery.jpg

Screenshot_20181006-154546_Gallery.jpg

Screenshot_20181006-154656_Gallery.jpg

Screenshot_20181006-154742_Gallery.jpg

Screenshot_20181006-154802_Gallery.jpg

Screenshot_20181006-154604_Gallery.jpg


Ok, so here is another update...

I went to Settings > Update & Security and hit the reset button on both of our laptops, mine and my wife's.

 

Both laptops reset fine, both are unplugged from the internet. Everything looked ok and I checked both laptops for the same issues that I had found previously on my own laptop.

I saw the exact same powershell.exe commands and lots of other suspicious and identical commands on both laptops. IDENTICAL!

And something else happened as well... I had to make a phone call to Comcast xFi because an unknown device connected to my own wifi network. I am the only one who has the wifi key written down on paper. I never gave it away to another person, etc. Comcast blocked that user's IP and MAC address and escalated it to Comcast CSA.

 

Anyway, let's go back to my issues with the laptops.

Since I saw that both of these laptops have the exact identical issues, corrupt files, corrupted registries, etc., I decided to plug my wife's laptop into the internet.

When I plugged the Ethernet cable into her laptop, oh boy, her laptop went completely HAMMOCK. What I mean by that is CPU usage 100%, memory almost maxed out, firewall disabled and completely inaccessible with error 1608 and error code 0x80070437. It's completely off and there is no way for me to make it work... Windows updates don't work. I have strange devices in my Device Manager that I never saw there before. I mean, it's a complete disaster.

I tried to fix corrupted files with SFC and DISM, but these don't work at all anymore.

SFC /SCANNOW UNAVAILABLE

("Windows resource protection could not start repair service")

 

DISM /ONLINE /CLEAN-UP /SCANHEALTH error 0x80004002

"DISM failed. No operation was performed."

/CHECKHEALTH

"The component store cannot be repaired"

 

/RESTOREHEALTH

"Error 0x80004002 DISM failed. No operation was performed."

 

After reading a lot online I have a feeling that my system is infected on a deeper level. Could the master boot record or even the BIOS be infected? How can I check on that?

I went into my wife's BIOS to flash it and I saw 4 ACPI devices with different partition numbers. I only have an SSD and my hard drive on the laptop and couldn't figure out what the others were. It didn't recognize my USB flash drive and I was not able to flash the BIOS.

 

I got these weird root devices all over my Device Manager and I have no clue what they are for. For example, I have 5 INTEL 100 SERIES 230 PCI EXPRESS ROOT PORT entries: #1 - a100, #9 - a118, #15 - a11e, #5 - a114, #14 - a11d.

2 display adapters: my NVIDIA GTX 1060 and a random Intel 530 graphics which was never there before.

Etc., etc.

 

Please tell me what to do. I really need your help... thank you.

 


Ok, I will do that. These drives shouldn't be failing, though. My laptop is an Asus Strix GL502VS DB71 gaming laptop with an SSD and a 1TB hard drive bought at Best Buy, and my wife's is an MSI GS63VR. We don't game; even though these are gaming laptops we have barely used them, and the chance of both laptops failing at the exact same time is strange. Yes, we do have VPNs installed from ExpressVPN.

 

However, I am still going to check with the software you mentioned and see what's up. Thanks for that.

 

@Ron have you had a chance to analyze and make a game plan? 

 

Thanks to both of you 


If I replace the PCIe SSD drive on my laptop, which has the OS installed, with a new PCIe NVMe SSD, will this cure the issue?


Sorry @gdwar but you appear to be a bit paranoid. Please do not follow the advice of random posters here in this area of the forum. 

Almost everything you've said or shown is very normal for Windows. Of the millions of posts on the Internet about malware, Trojans, etc., and people saying what is or is not and how to clean it, probably less than 1% are giving good advice. The vast majority of people are just hoping, praying, and throwing out wild ideas of what is wrong or how to fix it.

At this point since the computer has been "reset" you've pretty much undone 100% of the work we've done to this point and nothing is valid any longer.

STEP 1
Stop being paranoid

STEP 2
Stop listening to people that don't have a clue how computers work period.

STEP 3
Get me a new set of FRST logs, please.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

STEP 4
Please let me know specifically what you're concerned about and we'll review and check on it.

Thank you

Ron
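For readers who, like the original poster, are unsettled by powershell.exe entries in Task Scheduler: the following is an added example, not code from Ron, Malwarebytes or anyone in this thread. It lists every scheduled task whose action launches powershell.exe together with the task path, author and the Authenticode signer of the executable, so the built-in Microsoft tasks can be told apart from an unfamiliar one before anything is deleted. The function name Get-PowerShellTaskInventory is my own; it uses only the standard ScheduledTasks and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example: inventory of scheduled tasks that run powershell.exe.
# Run from an elevated PowerShell prompt; read-only, nothing is changed.
function Get-PowerShellTaskInventory {
    [CmdletBinding()]
    param()
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only ExecAction objects carry an Execute path; skip COM handler actions.
            if (-not $action.Execute) { continue }
            if ($action.Execute -notmatch '(?i)powershell(\.exe)?"?$') { continue }

            # The path may use environment variables or be given without a directory.
            $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $cmd  = Get-Command $exe -ErrorAction SilentlyContinue
            $path = if ($cmd) { $cmd.Source } else { $exe }
            $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

            [pscustomobject]@{
                TaskPath        = $task.TaskPath
                TaskName        = $task.TaskName
                State           = $task.State
                Author          = $task.Author
                Executable      = $path
                Arguments       = $action.Arguments
                SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Tasks under \Microsoft\Windows\ whose executable is signed by Microsoft are the
# expected built-in ones. What deserves a closer look is a task outside that tree,
# a script in a user-writable folder, or -EncodedCommand in Arguments: note it and
# post the task details in the thread rather than deleting it on a hunch.
Get-PowerShellTaskInventory |
    Sort-Object TaskPath, TaskName |
    Format-Table TaskPath, TaskName, State, SignatureStatus, Arguments -AutoSize -Wrap
```

Remember that the powershell.exe binary itself is Microsoft-signed on every Windows 10 install, so a valid signature says nothing about the script it is asked to run; the Arguments column is where the actual behaviour of a task is visible.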

 


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
