Persistent hack even after reformat and reinstallation of Windows 10


Hi, so I am at a loss as to what to do about this hacker that keeps gaining access to my Windows 10 computer. Yesterday, I reformatted my laptop hard drive (for the third time) and reinstalled Windows. I installed Malwarebytes, Kaspersky and Spybot immediately upon getting into Windows 10. After an hour or so of working on the fresh OS, the first indicator I got that the hacking continued was from Kaspersky Total Security. It stated that there was "an error while scanning the encrypted connection with cs.emxdgt.com." Since then, I have continued to get this message randomly.

Additionally, I logged into the computer tonight and found my main screen had been resized and the bit rate changed to 6-bit. The hacker quickly saw that I had returned and gave me back access to my monitor. The Windows Temp file folder and other new file folders on my C drive are how I have been tracking suspicious activity this evening. Also, there are all sorts of tell-tale signs of the hack, including: Office.ClickToRun.exe files, office.telemetry.dynamicconfig files disabling Windows Defender, Office telemetry, WinSxS, reinstallation of Internet Explorer, Microsoft Framework installation of: ... System.IdentityModel, System.Workflow.Activities, System.Runtime.Serialization, SysWOW64 files being updated, empty Notepad logs FFS, FFS_0, FFS_1, and empty file folders such as AppReadiness, CbsTemp, and more....

The latest file I just found is from a Windows Update log and I have pasted it below:

Windows Update logs are now generated using ETW (Event Tracing for Windows).

Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.
 
For more information, please visit https://go.microsoft.com/fwlink/?LinkId=518345

What is Event Tracing for Windows? It doesn't sound good. Nor does "Office.ClickToRun.RepomanLogger", and "officeclicktorun.exe_streamserver(2021030719504711D4)".

It appears that they have given themselves access to special permissions in Windows at the root level. The file folder {53139AC9-0495-4835-8A1B-3B9E5CBEED43} is of particular interest as I can't open it, change the permissions, or delete it.

See attached screenshots and the most recent logs from Windows Temp.

I have followed the steps for Google Chrome unsync as recommended by Malwarebytes, I have run the Malwarebytes AdwCleaner and downloaded and run "Farbar", among other remedies.

I am a novice when it comes to this level of hacking, so I am asking for guidance on how to resolve this permanently. What steps are recommended?

I'm worried that if I just get a new computer, the same thing will happen, as I work remotely from home.

To whomever can assist, thanks x 1 million!

Attachments:
  • Services 1.PNG
  • services 2.PNG
  • services 3.PNG
  • Services 4.PNG
  • Services 5.PNG
  • Services 6.PNG
  • Services 7.PNG
  • Windows temp file I cant access.PNG
  • DESKTOP-7H9QFH6-20210307-1950 (1).log
  • msedge_installer.log
  • DESKTOP-7H9QFH6-20210306-1629.log

Edited by AlexSmith
Removed background formatting
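The message the poster pasted is standard Windows text, not something an intruder wrote: since Windows 10, the update client records its activity as ETW traces (Event Tracing for Windows, the operating system's built-in tracing facility) instead of a plain-text WindowsUpdate.log, and the Get-WindowsUpdateLog cmdlet converts those traces into a readable file. The following PowerShell is an added example, not code from the poster or from Malwarebytes staff, showing how to do that conversion and then check, read-only, the things the poster was inferring from file names: whether Defender is actually disabled, who owns the GUID-named folder that could not be opened, and which services run from outside the Windows directory. The output path and the assumption that the GUID folder lives under C:\Windows\Temp are my own; the GUID and the flagged host name are the ones from the post.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the affected machine. Every step only reads; nothing is modified.

# 1. Convert the ETW Windows Update traces into a readable log, as the quoted
#    message instructs. The output location is an assumption.
$logPath = Join-Path $env:USERPROFILE 'Desktop\WindowsUpdate.log'
Get-WindowsUpdateLog -LogPath $logPath

# 2. Search the converted log for the host name Kaspersky flagged (taken from
#    the post) and for error lines, to see what the update client itself reports.
$pattern = 'emxdgt|error|failed'
Select-String -Path $logPath -Pattern $pattern | Select-Object -First 50

# 3. Check Defender's real state instead of inferring it from file names in Temp.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled

# 4. Show the owner and ACL of the GUID-named folder the poster could not open.
#    Folder location is an assumption; the GUID is the one from the post.
#    Servicing folders owned by SYSTEM or TrustedInstaller and closed to
#    Administrators are normal for Windows, so the owner is the first thing to read.
$folder = 'C:\Windows\Temp\{53139AC9-0495-4835-8A1B-3B9E5CBEED43}'
if (Test-Path -LiteralPath $folder) {
    $acl = Get-Acl -LiteralPath $folder
    "Owner: $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
else {
    "Folder not found at the assumed path: $folder"
}

# 5. List services whose executable is outside the Windows directory. Expect
#    legitimate third-party entries here (the installed security products, for
#    example); the point is a short list to review, not an automatic verdict.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

The converted log, the Defender status line and the service list are the kind of artefacts a malware-removal helper can act on, whereas the screenshots of the services console and folder names on their own are not.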
  • Staff

Greetings,

Please follow the instructions in this topic, skipping any steps you are unable to complete, then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats as well as offering advice on keeping your device free of threats going forward.

  • 4 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
