Jump to content
CallSignChurch

Being Remotely Hacked

Recommended Posts

So I posted another topic a week ago about strange things going on with my computer but let it slide. Some of the things going on was that my computer was turning by itself in the night and my CD tray was opening on its own. Now I just had something today happen that makes me wish I had just listened to my gut and got it done right away. I had someone posting private info in a video game under my username. I think it's safe to say I'm being hacked. I linked my FRST scan. Hope to hear back from everyone soon.

FRST.txt

Addition.txt

Share this post


Link to post
Share on other sites
Hello CallSignChurch and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those logs in your next reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin..

Share this post


Link to post
Share on other sites
22 hours ago, kevinf80 said:

Thanks for update, post back whenever you`re ready......

So I did everything you said and scanned the whole computer to no avail. Only found an adware PUP. So I checked the build date and it said the program wasnt updated in a while. I've been using a USB to transfer the program between computers and have been keeping the infected comp in the dark. Turns out that you MUST update the program on the comp you're working with and not on another comp. So I'm redoing all scans again. Will return with then shortly

Share this post


Link to post
Share on other sites

ok...so. slight problem.- Sophos came up with nothing. The only thing that was detected was an adware PUP by adwcleaner. Files linked below. I think that there are vulnerable programs on my PC but i have absolute no clue on how to protect against this. I do not know if the hackers still have access to my compter or not.

malwarebytes scan.txt

Addition 2.txt

AdwCleaner log.txt

FRST 2.txt

Share this post


Link to post
Share on other sites

Thanks for those logs, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Post that log, also let me know if there are any remaining issues or concerns...

Thanks,

Kevin

 

fixlist.txt

Share this post


Link to post
Share on other sites

Hello CalSignChurch,

No obvious malware or infection was found in FRST logs, there was an unsual task setting as follows:

Quote

Task: {EE45E61A-69F6-4D52-86D6-96625F5922B4} - Access Denied.

FRST could not remove the task..

Quote

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE45E61A-69F6-4D52-86D6-96625F5922B4} => could not remove. ErrorCode1: 0xC000009A

The cause of the "0xc000009a" error can be a failure to correctly run a normal operation by a system or application component. 

Run the following and post the log please..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Thank you,

Kevin

 

fixlist.txt

Share this post


Link to post
Share on other sites

Run this please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

How is your PC behaving in general, any odd or erratic behavior, any issues or concerns..

Thanks,

Kevin..

fixlist.txt

Share this post


Link to post
Share on other sites

like i said before, i started to notice erratic behavior just recently when my computer had its CD tray open and closing on its own. Aswell as having the password for my user login for windows being pasted into a search engine as I was AFK. And more recently, having someone post information of mine, as me, in a video game server. So something is clearly backdoored in my computer.  I'll upload fix results in a bit

Share this post


Link to post
Share on other sites
Download BlitzBlank from here: http://www.bleepingcomputer.com/download/blitzblank/dl/108/ and save it to your desktop.

Right click on user posted image Blitzblank.exe select "Run as Administrator"


Click OK at the warning (and take note of it, this is a VERY powerful tool!).

user posted image

Click the Script tab and copy/paste the following text in bold there:

DeleteRegKey:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE45E61A-69F6-4D52-86D6-96625F5922B4}



user posted image

Click Execute Now. An alert will ask "You are about to delete files, are you sure to proceed" Select OK to proceed

user posted image

A system reboot warning will open, it will say "Please close all running applicatons to avoid data loss" Select OK to proceed

user posted image

Your computer will need to reboot in order to do the fixes...

When done, post me the report created by Blitzblank. you can find it at the root of the drive Normaly C:\

Next,

user posted imageScan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply


Thank you,

Kevin..

Share this post


Link to post
Share on other sites

Try with this syntax:

DeleteRegKey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE45E61A-69F6-4D52-86D6-96625F5922B4}

Share this post


Link to post
Share on other sites

The user entry does show in FRST logs...

Quote

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24.10.2018
Ran by Sean (administrator) on SEAN-PC (07-11-2018 02:39:40)
Running from C:\Users\Sean\Desktop

I want you to run the following to have another look at your system....

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Download Combofix from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/
 
  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the user posted image icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)


Post the log in next reply please...

Kevin

Share this post


Link to post
Share on other sites

The restart only happens when rootkits etc are found... Do you want to run your system for maybe 12 hours or so, see how it responds, see if any issues show up...

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.