I've Been Hacked & It's Driving Me Crazy

[BigHenny]

Please, please, please someone help me. For the past 6 months I've been trying to get rid of this hacker but I can't! From fresh OS installs to calling windows and nvidia support and being on hold for hours and hours before talking to a "technician" who knows barely anything about the OS, to trying using hyper V to try and spot them... my girlfriend thinks I'm losing my mind and I probably am at this point. I just found this forum and I'm praying to god someone can help.

The first post I clicked on suggested as step 1 to update malwarebytes (which i already have) and reply with the scan. I tried that and the update quit about half way through and said it couldn't be completed... and so now I know maybe I'm not going crazy and feel comfortable enough asking for someone to donate their time in helping me.

Many, many thanks in advance for your help! 

[kevinf80]

Hello BigHenny and welcome to malwarebytes.... Continue with the following: If you do not have Malwarebytes installed do the following: Download Malwarebytes from the following link: https://www.malwarebytes.com/mwb-download/thankyou/ or, https://downloads.malwarebytes.com/file/mb4_offline Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions.... When the install completes or Malwarebytes is already installed do the following: Open Malwarebytes, select > "settings" > "security tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following:   Single click on the target sight above scanner window. In the new window select Report Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Please use "Export to Txt" then attach the log to your reply... Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans"   Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin....

[BigHenny]

Kevin -

A lot of fishy things happened while doing this. The least of which is the return of a new administrator account on my PC that I did not create. 

Attached are the logs. I will be quicker to respond moving forward. Nothing has worked on this, and since the time of this posting I have ran tron script twice to no avail. Also my windows event logs are a mess, along with a crazy amount of scheduled tasks and autoruns .dlls.

I hope you can help, but I fear a fresh OS install is in order... but at this point I'm afraid they are into my firmware.

 

 

MWB.txt AdwCleaner.txt Addition.txt

[kevinf80]

Hello BigHenny,

Can you also post the primary log from FRST "frst.txt" Logs are saved to this folder C:\FRST\Logs

Thank you,

Kevin..

[BigHenny]

Kevin -

Another really weird thing is happening I uncovered last night. I created a fresh administrator account to see what all weird stuff would populate in the file system. A ton of malware looking things popped up in the windows folder and I was able to quickly move them to a usb. In signing on today to check the forum they are all no longer visible, but my system32 folder in windows quickly blinks a bunch of the "toast" related images/apps before going back to looking normal. Also I found a bunch of weird things in the powershell folder along with some vba scripts I had nothing to do with.

There were two items in the logs folder. I have attached both. 

 

Addition_28-08-2020 19.05.15.txt FRST_28-08-2020 19.05.15.txt

[kevinf80]

Hiya BigHenny,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from. NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied:   Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...   Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Let me see those logs in your reply.... Thank you, Kevin..

fixlist.txt

[BigHenny]

Kevin -

Attached are the logs. When downloading Sophos to my desktop, a bunch of other items were placed on my desktop. 

For instance, a file named ps_rootca.rl that under general properties opens with a dll named crypto shell extensionst that was created in 2011. This OS was intalled back in May of this year. There are several other fishy things now on my desktop after installing Sophos to the desktop. 

Sophos didn't catch anything. It's like anything I download is re-directed to scan a "clean" system. It also completed rather quick.

 

 

 

 

Fixlog.txt

[kevinf80]

Hello BigHenny,

As you still seem to have concerns lets try another indepth scan...

Download ESET Online Scanner and save it to your desktop. Right-click on esetonlinescanner_enu.exe and select Run as Administrator. When the tool opens, click Get Started. Read and accept the license agreement. At the Welcome to ESET Online Scanner window, click Get Started. Select whether you would like to send anonymous data to ESET. Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan. Click on the Full Scan option. Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan. ESET will now begin scanning your computer. This may take some time. When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue. ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue. On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback. Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply. Thank you, Kevin...

[BigHenny]

Kevin -

To be frank, your lack of concern on how this specific malware is bypassing your products and many others scan is concerning. How can you explain the fact that I have a new administrator account that I haven't created nor have a password to is on my pc? How the fact when I click on the windows system 32 folder a whole other set of apps and images show up briefly before being replaced by normal looking folders? How there are PowerShell scripts relating to the word "Toast" a known malware... and also panther unattend files so that everytime I try to install a fresh OS this malware carries over. 

Honestly I expected more from malwarebytes on helping me with this issue. I guess I will just be spending the hundereds of dollars it will take to bring my PC into a local shop in order for a professional to help.  

[BigHenny]

Attached are images further illustrating that something is not correct. I am in windows safe mode and look at the amount of processes running... when all I have open is edge so that I can reply to this thread. Also, an msconfig image showing two instances of seperate OS's If you need the video of my system 32 folder for more proof I can send that in as well. 

 

 

[kevinf80]

Hiya BigHenny,

I do not see anything unusual in the images you`ve posted. I also fail to understand why you think that I show a lack of concern, I always give 100% when helping anyone here at Malwarebytes forum. In my last reply I have asked that you run ESET AV scan, this is a very indepth scan that can take serveral hour to complete depending on the size of your system.

If you look at the information in my signature you will note that I do not work directly for Malwarebytes, I am just one of several volunteers who gives up their valuable time to offer assistance to anyone seeking help at this section of Malwarebytes forum.

If you have purchased version of Malwarebytes you can raise a ticket with consumer support for professional help...

https://my.malwarebytes.com/en/support

I`m am not saying your system is not infected, I just do not see any major threats in the recent scans. ESET scan will give us more information. If that scan does not indicate anything malicious there are other tools we can use, Obviously working indirectly through a forum does take time and can cause frustration when a quick fix is not happening.

Thank you,

Kevin..

 

[BigHenny]

Thanks Kevin, my apologies. I do sincerely appreciate your help and didn't realize you are helping as a volunteer. I will run the eset scan and post my results. 

[kevinf80]

Hello BigHenny,

No need to apologize, I understand your frustrations. Post ESET log when you are ready, if the ESET log is clean continue with the following:

Scan with Autoruns Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop. Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:   Right-click on Autoruns.exe and select Properties Click on the Compatibility tab Under Privilege Level check the box next to Run this program as an administrator Click on Apply then click OK   Double-click Autoruns.exe to run it. Once it starts, please press the Esc key on your keyboard. Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them: Hide empty locations Hide Windows entries   Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options: Verify code signatures Check VirusTotal.com   Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish. When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns. Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder Attach the ZIP folder you just created to your next reply Regards, Kevin..

[kevinf80]

Any progress...?

[kevinf80]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks