Jump to content

Recommended Posts

Now this happened about 3 months ago I have long before reset my PC to windows 10 by now but for some mysterious reason my ABV.bg email has been repeatedly getting hacked every time! even tho last time I changed my password to be unique combination of 30 symbols and letters including the secret question and answer. Its still getting mysteriously hacked and at this point its obvious the information is being leaked from my PC so the trojan/keylogger/hijacker or whatever has not been removed even tho I did repeated Malwarebytes scans and I even scanned with Bitdefender in boot environment still no such luck! Yesterday I saw about total of 74 SVHOST.exe processes in my task manager and I don't wanna say all of them are viruses but I doubt windows needs that many processes to run! So something is definitely up here! As for the virus I had in February that hijacked my browser immediately after I found my email hacked I checked my Temp folder and what do i find multitude of unknown files scattered on about I put them all in a 7zip archieve in case I need them to be give them to a professional for analyzing etc! The hacker had even hijacked my wifi (I even found some chinese characters within the wifi app pointing at some access point in some chinese province) I am pretty sure so at this point I am not even sure if its DNS hijack or browser hijack...or whatever hijack the trojan just keeps appearing and this time he seems to be not leaving any files on HDD so I am not sure if its using fake windows processes or services I need to get rid of the malicious files before trying another clean system install... The FRST.zip logs I have provided are from Safe mode scan today in Windows 10 I included some older ones too from previous months!

FRST.zip temp folder viruses package.7z FRST 09th-05 Logs.zip FRST 27th-04 Logs.zip

Link to post
Share on other sites

  • Root Admin

Hello @Eneitilyn

Let's just see what we can find currently on the system.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

Okay I got them I also did couple extra scans with other tools namely Kaspersky virus removal tool and Eset online scanner! And something called Security Check? After making this thread Kaspersky found nothing and Eset found 19 threats that were left over from my previous Windows 7 system before 2020...I had some Malwarebytes files left over before opening this thread that were impossible to delete for some reason because they were locked and "used" by my display drivers/audio drivers etc. I am not sure but I am suspicious it was a impostor program that looked like Malwarebytes! Same thing happened when I installed Bitdefender Total Security(Trial version) too! I installed the program and the next restart it was asking me to install the Bitdefender Free Antivirus version as a "update" then I checked my Task Manager and I found a program that was auto-starting that is literally called "program" sadly I could not discern where it is located in my hard drive because i could not disable it from auto-starting nor could I open its location from task manager so I could not include it in the "virus package" archieve in my previous post but it got removed after I reset/reinstall my PC OS from previous month! I think the only way I could have found it is through the registry but I am not knowledgeable enough to do that manually the problem right now is this time there is nothing else like that in my system (at least I hope so) and my ABV emails are still getting hacked! There is 2 weird things I am concerned about in task manager there is these two programs one is left over from uninstalling Bitdefender today called "Setuplauncher" I checked its location it no longer exists after I restarted from the AdwCleaner app and copy of "Discord" and that program I had manually deleted it after I found it in C:\ProgramData\SquirrelMachineInstalls\ a while ago!

tskmgr.png

FRST.txt Addition.txt AdwCleaner[C02].txt MB Log.txt SecurityCheck.txt

Link to post
Share on other sites

  • Root Admin

Not sure why you're trying to run this out of this folder

Controlled Folder Access blocked D:\DOWNLOADS\SumFolder\mbar\mbar.exe from making changes to memory.
Detection time: 2020-05-23T14:26:43.055Z

You also have some possible hardware issues

System errors:
=============
Error: (05/24/2020 02:11:39 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Push Notifications System Service service terminated with the following error:
The class is configured to run as a security id different from the caller

Error: (05/24/2020 02:11:10 PM) (Source: TPM) (EventID: 27) (User: NT AUTHORITY)
Description: The initializatio

 

This may or may not help correct any of those issues but let's try

fixlist.txt

Thanks

 

Link to post
Share on other sites

  • 2 weeks later...

Sorry for the late reply! I have tried the fixlist it created this log! Fixlog.txt  Meanwhile my email is rampaged by this hacker again =,= I think the .EML extension file he sent me is a exploit so I am not trusting that download! I have also hid anything personal saying on the email pictures...there is a totally suspicious connection from USA that logins with 2 different IP addresses which is probably fake...He has also sent numerous fishing emails from paypal etc I have no clue how to deal with the email problem as this ABV seems like a third rate website there is pretty much no security measures apart from my password protecting my email (no double authentication etc anything) The main problem is all my old accounts that are tied to those emails I have already changed both emails from ABV to have new set of passwords and secret question and answer the problem is is the spyware and possible browser hijack does it still exist in my system or is he straight up bruteforcing the passwords or does he have some kind of client in my PC still that yoinks my password every time because I notice in the Login history it shows Two logins at the same time and both are from my PC when I logged on today then again it shows the same thing for the USA login attempts and those are both from different IP's compared to mine which are all from the same IP...right now the only browser that has my ABV passwords is Firefox and I should have probably noted I was using Brave browser(Chromium variant) initially before getting hacked and all right now I only use Chrome (I have actually managed to recover my old hacked browser data the only problem is the passwords are long gone Chrome cannot recover the hashed passwords and deems them as corrupted but at least I could recover my bookmarks and browsing history! I have also scanned the Browser data with Bitdefender just in case there is anything malicious and have found some kind of "pop under javascript"? it seems to appear on my new browsers too I have scanned them and removed it from them too! I have discovered that the hacker is potentially a Java Developer because well one of my accounts which was accessed by him (namely mega) was accessed using unknown Java client! I have changed the password of the account once I Found out and enabled double authentication. I plan to make a Bitdefender Boot Enviroment scan tonight see if there is anything lurking still. As for the controlled folder access thing I have enabled that when I was using Mbar because i wanted the hacker to not have access to my security tools as I have put them all in that folder I have made sure to not run anything suspicious as administrator mode except from that folder! Since if he still has access to my system he may infiltrate one of those exe's and gain admin access while I try to get rid of malicious threats...

 

 

 

Edited by AdvancedSetup
removed images
Link to post
Share on other sites

  • Root Admin

I have removed the images. You should never post in public your email address as that can lead to increased spam and phishing attempts

I would highly suggest you get your bookmarks then stay away from Chrome and do not use any browser to save passwords. Use an external password manager for that.

We will not be able to fix, repair, etc. your email. Delete any message that look suspicious. Flag as spam any email you did not sign up for and is not from someone you know or if it's trying to get information from you report it as Phishing. Try to keep your email down to only people you know and trust and websites you've signed up for that you trust. The rest of them delete, unsubscribe from etc. I spent a couple of days cleaning my wife's email doing that. I forget how many but she had something like 20K emails unread because she got dozens of emails every day from shopping sites, and spammers, etc. By the time I was finished she maybe had 20 or so valid companies sending her emails plus her friends. All the others were flagged or deleted and marked as spam.

All we can do is check and clean up your computer if it's been attacked.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

Link to post
Share on other sites

  • Root Admin

Also, Discord has been known to be attacked by malware. Scanning with Malwarebytes and another antivirus should detect and remove. Ads though may always show up and should be ignored.

https://blog.malwarebytes.com/cybercrime/2020/04/discord-users-tempted-by-bots-offering-free-nitro-games/

 

Link to post
Share on other sites

  • 2 weeks later...
  • 4 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.