Heba Posted March 27, 2022

Hello everyone. Thank you so much for taking time to help me. My problem is that I think my laptop has been hacked for over a year and I just recently noticed. I always thought the problem was on my social media accounts, not on my own laptop, but I found out because my Facebook Ads Manager account, which is connected to my Visa, has been used to run multiple campaigns in Russia from my own laptop, which I never did, and I get tons of notifications of someone opening all my emails and accounts, and I change the password every time and that never helped. Anyway, I opened Task Manager and in Details I found lots and lots of svchost.exe, and deleting them doesn't help. I also noticed, when I run netstat -a in Command Prompt, that I found foreign IPs that I didn't open or know about. Please help me, what should I do? I kept searching for my problem, trying to solve it without any luck.
Maurice Naggar Posted March 27, 2022

Hello. Please understand about "svchost". I'd recommend you not judge having multiple SVCHOST in Task Manager as a "bad" thing, nor as "unusual", nor as possible "malware". SVCHOST is a middle-man Windows "service" for kicking off programs and also some Windows tasks.

Now, then, also put aside doing lookups with netstat. That is not a means to do a real check for potential malware.

Now then, are you saying that a Visa credit card or bank account was compromised / stolen off your computer? I am not understanding when you mentioned: "my visa has been used to do multiple campaigns in Russia".
Maurice Naggar Posted March 27, 2022

Hello. I will guide you. Help on this forum is one-to-one. I will guide you along on looking for potential malware. Let's keep these principles as we go along:

- Removing malware can be unpredictable.
- Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to.
- Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
- The removal of malware isn't instantaneous, please be patient.
- Please stick with me until I give you the "all clear".

Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.

Your topic will be closed if you haven't replied within 4 days! If I have not replied to your last post after 36 hours, please then send me a PM.

The first thing to do is this: Please download MiniToolBox, save it to your desktop and run it. Checkmark the following check-boxes:

- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices
- List Users, Partitions and Memory size
- List Minidump Files

Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run. Note: When using the Reset FF Proxy Settings option, Firefox should be closed.

NEXT: Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browser, are closed. It will not take much time.

First download & save it: https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers. Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner: https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log. To send (upload) attachments, please click the "Add Files" link. Then browse to where your file is located, select it and click the Open button.
Heba Posted March 27, 2022 (Author)

17 minutes ago, Maurice Naggar said:

Hello. Please understand about "svchost". I'd recommend you not judge having multiple SVCHOST in Task Manager as a "bad" thing, nor as "unusual", nor as possible "malware". SVCHOST is a middle-man Windows "service" for kicking off programs and also some Windows tasks. Now, then, also put aside doing lookups with netstat. That is not a means to do a real check for potential malware. Now then, are you saying that a Visa credit card or bank account was compromised / stolen off your computer? I am not understanding when you mentioned

My credit card is connected to my Facebook Ads Manager account and I found out that it has been used to run campaigns in Russia with my credit card. The thing is, my Facebook account is not the one that is stolen, because the campaigns are done from my laptop. Last year the same thing happened to me and I thought it was my account that was stolen, but I found out it is not, because everything is done from my laptop, but for campaigns in Russia, and I live in Egypt and only do campaigns in Egypt. I only noticed this 5 days ago when my Facebook Ads Manager account got restricted because I didn't pay for the campaigns that the hacker did, because of course my credit card doesn't have that amount of money. And for the last year there have always been weird activities in all my social media accounts, no matter how much I changed the passwords or enabled two-way authentication or whatever.

The Task Manager on my laptop has multiple instances of these files:

- dllhost.exe
- csrss.exe
- RuntimeBroker.exe
- svchost.exe

How can I tell if I am hacked, and what should I do? I also noticed that all the laptops in my house have the same files in Task Manager. And I also get weird IP addresses that don't belong to any website I accessed (example: 185.185.132.98) when I run the netstat command in Command Prompt.

Please, I need you to tell me how I can tell what is going on and how to solve it.
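An added example, not part of this thread and not written by either poster, showing how the raw `netstat` output mentioned above can be made interpretable. On its own a list of foreign IPs says nothing, which is why it is not a malware check: every connection has to be tied to the process (PID) that owns it, and a Windows box legitimately runs many `svchost.exe` instances, each hosting one or more services. The code below parses the output of `netstat -ano` (the `-o` switch adds the PID column) and `tasklist /svc` (which lists the services each process hosts), joins them on PID, and reports connections to external peers. Both inputs are constructed samples embedded in the code; 185.185.132.98 is the address quoted in the thread, every other address, PID and process name is made up. The "svchost.exe hosting no service" flag is a heuristic assumption for this example, not proof of anything: a real verification would also check the image path (a genuine svchost lives in `C:\Windows\System32`) and its Authenticode signature, for instance with Process Explorer or PowerShell's `Get-AuthenticodeSignature`, which `tasklist` does not show.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from the poster's
# machine). 185.185.132.98 is the address quoted in the thread; every other
# address and PID here is made up for the example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4120
  TCP    192.168.1.20:49812     185.185.132.98:443     ESTABLISHED     6644
  TCP    192.168.1.20:49830     1.1.1.1:443            ESTABLISHED     5212
  TCP    192.168.1.20:49851     10.0.0.5:8530          ESTABLISHED     1488
  TCP    192.168.1.20:49800     172.16.5.5:445         TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    3300
"""

# Constructed sample of `tasklist /svc` output for the same (made-up) PIDs.
TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    980 RpcEptMapper, RpcSs
svchost.exe                   1488 wuauserv
svchost.exe                   6644 N/A
chrome.exe                    5212 N/A
RuntimeBroker.exe             4120 N/A
"""


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); '[::1]:80' -> ('::1', '80'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(':')
    return host.strip('[]'), port


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from `netstat -ano` output.
    UDP rows have no State column, so they are one field shorter than TCP rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == 'TCP' and len(fields) == 5:
            proto, local, remote, state, pid = fields
        elif fields and fields[0] == 'UDP' and len(fields) == 4:
            proto, local, remote, pid = fields
            state = ''
        else:
            continue  # banner, column header or blank line
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, hosted services) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        # The header and the '====' separator have no numeric PID column, so they do not match.
        m = re.match(r'^(\S.*?)\s+(\d+)\s+(\S.*)$', line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return procs


def is_external(host):
    """True only for a routable public peer; loopback, RFC 1918, link-local,
    multicast, wildcard and reserved addresses all count as local."""
    if host in ('*', ''):
        return False
    ip = ipaddress.ip_address(host)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def review_connections(netstat_text, tasklist_text):
    """Join each ESTABLISHED TCP connection to its owning process and report those
    whose peer is external. A svchost.exe that hosts no service is also noted;
    that is a heuristic (an assumption of this example), not proof of malware."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if proto != 'TCP' or state != 'ESTABLISHED':
            continue  # listeners, TIME_WAIT leftovers and UDP sockets carry no peer worth reviewing here
        rhost, rport = split_endpoint(remote)
        if not is_external(rhost):
            continue
        image, services = procs.get(pid, ('<not in tasklist>', ''))
        reasons = ['external peer']
        if image.lower() == 'svchost.exe' and services == 'N/A':
            reasons.append('svchost.exe hosting no service')
        findings.append({'pid': pid, 'image': image, 'services': services,
                         'local': local, 'remote': f'{rhost}:{rport}',
                         'reasons': reasons})
    return sorted(findings, key=lambda f: f['pid'])


if __name__ == '__main__':
    for f in review_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']:>5} {f['image']:<18} -> {f['remote']:<22} "
              f"services={f['services']!r}  {', '.join(f['reasons'])}")
```

On a real machine the two inputs come from `netstat -ano > netstat.txt` and `tasklist /svc > tasklist.txt` taken at the same moment, since PIDs are only meaningful for that snapshot. The output is a starting point for questions (which process owns this connection, does it belong where it is), not a verdict; a clean-looking list does not mean the machine is clean, which is the point made in the reply above.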
Maurice Naggar Posted March 27, 2022

Please stop looking at Task Manager. Kindly do the report runs I asked for before. I need those to help & guide you.

As to your credit card, contact your bank & have them either put a hold on it, or else cancel the account & get your bank to give you a new one.

I need the reports I asked for. Stop shopping on this machine, stop going to social media or Facebook or Twitter for the duration while I am helping you. I will guide you to hunt for potential malware. We use known security tools to check for infections. Get me the reports like I listed: https://forums.malwarebytes.com/topic/285164-i-am-hacked-in-very-bad-way/?do=findComment&comment=1508783
Heba Posted March 27, 2022 (Author)

OK, thank you so much. I attached the three files: MTB.txt and the files in the clean log.

Attachments: MTB.txt, AdwCleaner[C00].txt, AdwCleaner[S00].txt
Maurice Naggar Posted March 27, 2022

Thank you. Please continue to follow my guidance. There is much more to do. Even more later, after all these.

[ 1 ] Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] Malwarebytes for Windows can detect and remove most malware with no further actions required, for free. If this PC does not have Malwarebytes for Windows, go and install Malwarebytes for Windows. See https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

[ 3 ] After the setup has completed, run a Threat Scan: launch Malwarebytes for Windows and click the blue Scan button.

[ 4 ] I would like a report set for review. This is a report only. Please download the Malwarebytes MBST Support Tool. Once you start it, click Advanced >>> then Gather Logs. Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply.

Stick with me. More to do after this.
Heba Posted March 27, 2022 (Author)

OK, thank you so much. I downloaded Malwarebytes for Windows and clicked Scan and it finished. Should I click the blue Quarantine button? And I attached the mbst-grab-results.zip.

Attachment: mbst-grab-results.zip
Maurice Naggar Posted March 27, 2022

YES. Make very, very sure that ALL tagged lines are ticked & quarantined!! Confirm that when done.
Heba Posted March 27, 2022 (Author)

I clicked the Quarantine button and it finished.
Maurice Naggar Posted March 27, 2022

There were at least 2 trojans + a malicious "KMSPico / autokms" + some adware. We need a new run just to be sure those are no longer around. This is what was reported before:

- Trojan.BitCoinMiner.Generic
- Trojan.CrthRazy
- HackTool.KMSpico
- PUM.Optional.DisableChromeUpdates
- PUP.Optional.NewTab
- HackTool.AutoKMS
- PUP.Optional.PushNotifications.Generic

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center. Click the Security tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the left. Thanks. } This will not affect any real-time protection of Malwarebytes for Windows 😃.

Now click on the GENERAL tab. Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide: https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows When it shows a new version available, accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions.

Next, the Malwarebytes scan. Click the blue button marked Scan. When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark. Then click on the Quarantine button.

Then, locate the scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

There will be more to do. Stick with me, please. There is more yet to do.
Maurice Naggar Posted March 27, 2022

Questions: Are you aware that Chrome has all these sites able to PUSH notifications & potentially push unwanted notifications / interruptions?

CHR Notifications: Default -> hxxps://captcha-sourcecenter.com; hxxps://drive.google.com; hxxps://learning.edx.org; hxxps://mac.filehorse.com; hxxps://r2qpj.social-network.club; hxxps://social-network.club; hxxps://usersdrive.com; hxxps://web.telegram.org; hxxps://wuzzuf.net; hxxps://www.easeus.com; hxxps://www.facebook.com; hxxps://www.instagram.com

See this article on our Malwarebytes Blog: https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera. Scroll down to the tips section "How do I disable them".
Heba Posted March 27, 2022 (Author)

Thank you so much. I attached the scan run report.

Attachment: report.txt
Heba Posted March 27, 2022 (Author)

OK, thank you. I disabled PUSH notifications from Chrome, Edge and Firefox.
Maurice Naggar Posted March 27, 2022

Be very sure to save any work-files you have open at this point. Close & save any open edits, if any.

Next, a custom script to do checks & some cleanups. We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Heba only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will rebuild the Winsock. It will reset the Windows firewall rules.

NOTE-2: It will ensure that the last of "kmspico / kms" is gone.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed. The following directories are emptied:

- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, Opera & Brave caches, HTML5 storage, cookies and history
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / USB flash-thumb or USB storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder <<< - - - - -

Then start Windows Explorer and go to the Downloads folder. RIGHT-click on FRSTENGLISH.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Heba Posted March 27, 2022 (Author)

Sorry for asking, but I can't find FRSTENGLISH.exe. Where can I download it?
Maurice Naggar Posted March 27, 2022

In the folder C:\Users\hebat\Downloads look closely for FRSTENGLISH. That is the one.
Heba Posted March 27, 2022 (Author)

OK, I found it, thank you so much, and I clicked Fix. I will wait until it finishes and send you the file.
Heba Posted March 27, 2022 (Author)

Thank you. It finished and I attached the Fixlog file.

Attachment: Fixlog.txt
Maurice Naggar Posted March 27, 2022

Thank you. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it has started, then leave it be. Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is in the log report file. This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log; the log will be at Windows\debug\msert.log. Please attach that log with your reply. We will do more later.
Heba Posted March 27, 2022 (Author)

Thank you so much. It finished and I attached the MSERT.log file.

Attachment: msert.log
Maurice Naggar Posted March 27, 2022

Alright. This here below is round 2: a small cleanup of some leftovers of KMSAuto, one scan run with Microsoft Defender Antivirus, & removal of one exclusion path in the settings for Defender. This is much like the earlier run, except this should be quicker.

Delete the old file named Fixlist.txt in the Downloads folder, C:\Users\hebat\Downloads.

Be very sure to save any work-files you have open at this point. Close & save any open edits, if any.

Next, a custom script to do checks & some cleanups. We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Heba only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall.

Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / USB flash-thumb or USB storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder <<< - - - - -

Then start Windows Explorer and go to the Downloads folder. RIGHT-click on FRSTENGLISH.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Heba Posted March 28, 2022 (Author)

Thank you. I attached the Fixlog.txt.

Attachment: Fixlog.txt
Maurice Naggar Posted March 28, 2022

Hello. We need to re-run with a new script file.

Delete the old file named Fixlist.txt in the Downloads folder, C:\Users\hebat\Downloads.

Be very sure to save any work-files you have open at this point. Close & save any open edits, if any.

Next, a custom script to do checks & some cleanups. We will use FRSTENGLISH in the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Heba only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall.

Please be sure to close any open work files, documents, any apps you started yourself before starting this.

Please save the (attached file named) FIXLIST.txt to the Downloads folder <<< - - - - -

Then start Windows Explorer and go to the Downloads folder. RIGHT-click on FRSTENGLISH and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Heba Posted March 28, 2022 (Author)

Okay, thank you. I attached the file.

Attachment: Fixlog.txt