
I am hacked in very bad way


Solved by Maurice Naggar


Hello everyone.

Thank you so much for taking the time to help me.

My problem is that I think my laptop has been hacked for over a year and I just recently noticed. I always thought the problem was in my social media accounts, not in my own laptop, but I found out because my Facebook Ad Manager account, which is connected to my Visa, has been used to run multiple campaigns in Russia from my own laptop, which I never did. I get tons of notifications of someone opening all my emails and accounts, and I change the password every time, and that never helped. Anyway, I opened Task Manager and in Details I found lots and lots of svchost.exe, and deleting them doesn't help. I also noticed, when I run netstat -a in Command Prompt, that there are foreign IPs that I didn't open or know about. Please help me, what should I do? I kept searching for my problem, trying to solve it without any luck.


Link to post
Share on other sites

Hello. :welcome:

Please understand about "svchost".

I'd recommend you not judge having multiple SVCHOST in Task Manager as a "bad" thing nor as "unusual" nor as a possible "malware".

SVCHOST is a middle-man Windows "service" for kicking off programs and also some Windows tasks.

Now, then, also put aside doing lookups with netstat. That is not a means to do a real check for potential malware.

Now then, are you saying that a Visa credit card or bank account was compromised / stolen off your computer? I am not understanding when you mentioned

Quote

my visa has been used to do multiple campaigns in Russia

 

Link to post
Share on other sites
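As an added illustration of the point above (this is not from the forum post or a Malwarebytes tool): a PowerShell snippet that attributes each svchost.exe instance to the services it hosts and each established TCP connection to its owning process, so that a long svchost list or an unfamiliar address in netstat can be explained before anyone calls it malware. It assumes Windows 10 or later with the built-in NetTCPIP module and an elevated PowerShell session.

```powershell
# Added example (not from the forum thread). Run as Administrator so that
# process paths and service-to-process mappings are available for all users.

$svchostPath = Join-Path (Join-Path $env:SystemRoot 'System32') 'svchost.exe'

# 1. Group running services by the process that hosts them. Windows 10 splits
#    services across many svchost.exe processes, so a long list is expected.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

$svchostReport = foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $hosted = $servicesByPid["$($p.Id)"]
    $path   = $p.Path
    # A legitimate svchost.exe lives in System32 and carries a valid signature.
    $sig = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        PID        = $p.Id
        Path       = $path
        InSystem32 = [bool]($path -and $path -eq $svchostPath)
        Signature  = $sig
        Services   = if ($hosted) { ($hosted.Name | Sort-Object) -join ', ' } else { '(none mapped)' }
    }
}
$svchostReport | Format-Table -AutoSize -Wrap

# 2. Attribute each established TCP connection to its owning process, which is
#    what a plain `netstat -a` does not show. Connections owned by svchost.exe
#    services (Windows Update, telemetry, push notifications) are normal.
$procNames = @{}
Get-Process | ForEach-Object { $procNames[$_.Id] = $_.ProcessName }

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process';  e = { $procNames[[int]$_.OwningProcess] } },
        @{ n = 'Services'; e = {
            $svc = $servicesByPid["$($_.OwningProcess)"]
            if ($svc) { ($svc.Name | Sort-Object) -join ', ' } else { '' } } } |
    Sort-Object RemoteAddress | Format-Table -AutoSize -Wrap

# 3. Leads worth a closer look: an svchost.exe outside System32, one without a
#    valid signature, or one hosting no service at all. These are reasons to
#    run a proper scanner, not proof of infection by themselves.
$svchostReport | Where-Object {
    -not $_.InSystem32 -or $_.Signature -ne 'Valid' -or $_.Services -eq '(none mapped)'
}
```

The same service attribution is available from the classic `tasklist /svc` and `netstat -ano` commands; the script only joins those two views so the owner of each connection is visible in one table.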

Hello. I will guide you. Help on this forum is one-to-one.

I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a PM.

 

The first thing to do is this:

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

Note: When using the Reset FF Proxy Settings option, Firefox should be closed.

2 NEXT

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner.

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

To send (upload) attachments, please click the "ADD Files" link. Then browse to where your file is located, select it and click the Open button.

 

[screenshot: _mb_attach.jpg]

 

Edited by Maurice Naggar
Link to post
Share on other sites

17 minutes ago, Maurice Naggar said:

Hello. :welcome:

Please understand about "svchost".

I'd recommend you not judge having multiple SVCHOST in Task Manager as a "bad" thing nor as "unusual" nor as a possible "malware".

SVCHOST is a middle-man Windows "service" for kicking off programs and also some Windows tasks.

Now, then, also put aside doing lookups with netstat. That is not a means to do a real check for potential malware.

Now then, are you saying that a Visa credit card or bank account was compromised / stolen off your computer? I am not understanding when you mentioned

 

My credit card is connected to my Facebook Ad Manager account, and I found out that it has been used to run campaigns in Russia with my credit card. The thing is, my Facebook account is not the one that is stolen, because the campaigns were done from my laptop. Last year the same thing happened to me and I thought it was my account that was stolen, but I found out it is not, because everything is done from my laptop, but for campaigns in Russia, and I live in Egypt and only run campaigns in Egypt. I only noticed this 5 days ago, when my Facebook Ad Manager account got restricted because I didn't pay for the campaigns that the hacker did, because of course my credit card doesn't have that amount of money. And for the last year there have always been weird activities in all my social media accounts, no matter how much I changed the passwords or enabled two-way authentication or whatever.

The Task Manager on my laptop has multiple copies of these files:

dllhost.exe

csrss.exe

RuntimeBroker.exe

svchost.exe

How can I tell if I am hacked, and what should I do? I also noticed that all the laptops in my house have the same files in Task Manager. And I also get weird IP addresses that don't belong to any website I accessed (example: 185.185.132.98) when I run the netstat command in Command Prompt.

Please, I need you to tell me how I can tell what is going on and how to solve it.

Link to post
Share on other sites

Please stop looking at Task Manager. Kindly do the report runs I asked for before. I need that to help & guide you.

As to your credit card, contact your bank & have them either put a hold on it, or else cancel the account & get your bank to give you a new one.

I need the reports I asked for.

Stop shopping on this machine, stop going to social media or Facebook or Twitter for the duration while I am helping you.

I will guide you to hunt for potential malware. We use known security tools to check for infections.  Get me the reports like I listed https://forums.malwarebytes.com/topic/285164-i-am-hacked-in-very-bad-way/?do=findComment&comment=1508783

 

Edited by Maurice Naggar
Link to post
Share on other sites

Thank you. Please continue to follow my guidance. There is much more to do. Even more later after all these.

[ 1 ] 

Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] 

Malwarebytes for Windows can detect and remove most malware with no further actions required, for free.
If this PC does not have Malwarebytes for Windows, go and install Malwarebytes for Windows.
See https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

[ 3 ]

After the setup has completed, run a Threat Scan: launch Malwarebytes for Windows and click the blue Scan button.

[ 4 ]

I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs.

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply.
  • Stick with me. More to do after this.
Edited by Maurice Naggar
Link to post
Share on other sites

There were at least 2 trojans + a malicious "KMSPico / autokms" + some adware. We need a new run just to be sure those are no longer around. This is what was reported before:

  • Trojan.BitCoinMiner.Generic
  • Trojan.CrthRazy
  • HackTool.KMSpico
  • PUM.Optional.DisableChromeUpdates
  • PUP.Optional.NewTab
  • HackTool.AutoKMS
  • PUP.Optional.PushNotifications.Generic

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

  • Click the Security tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the left. Thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

  • Now click on the GENERAL tab

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

  • Next, the Malwarebytes scan.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢

[screenshot: MB4_scan_tick_ALL.jpg]

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

Then click on the Quarantine button.

[screenshot: MB4_scan_all_Quarantine2.jpg]

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

There will be more to do. Stick with me, please. There is more yet to do.

Link to post
Share on other sites

Question: Are you aware that Chrome has all these sites able to PUSH notifications & potentially push unwanted notifications / interruptions?

CHR Notifications: Default -> hxxps://captcha-sourcecenter.com; hxxps://drive.google.com; hxxps://learning.edx.org; hxxps://mac.filehorse.com; hxxps://r2qpj.social-network.club; hxxps://social-network.club; hxxps://usersdrive.com; hxxps://web.telegram.org; hxxps://wuzzuf.net; hxxps://www.easeus.com; hxxps://www.facebook.com; hxxps://www.instagram.com

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

Link to post
Share on other sites

Be very sure to save any work files you have open at this point. Close & save any open edits, if any. Next, a custom script to do checks & some cleanups.

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Heba only / for this machine only.

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will rebuild the Winsock. It will reset the Windows firewall rules.

NOTE-2: It will ensure that the last of "kmspico / kms" is gone.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • Please be sure to close any open work files, documents, and any apps you started yourself before starting this.
  • If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Then start Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
  • On the FRST window: click the Fix button just once, and wait.

[screenshot: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Edited by Maurice Naggar
Link to post
Share on other sites

Thank you. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and will be at

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

Link to post
Share on other sites

Alright. This here below is round 2: a small cleanup of some leftovers of kmsauto & one scan run with Microsoft Defender antivirus & removal of one exclusion path in the settings for Defender. This is much like the earlier run, except this should be quicker.

Delete the old file named Fixlist.txt in the Downloads folder .. the folder C:\Users\hebat\Downloads

Be very sure to save any work files you have open at this point. Close & save any open edits, if any. Next, a custom script to do checks & some cleanups.

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  Heba  only / for this machine only.

 

This custom script has some specific things, plus some general aspects to help the system overall.

  • Please be sure to close any open work files, documents, and any apps you started yourself before starting this.
  • If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Then start Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
  • On the FRST window: click the Fix button just once, and wait.

[screenshot: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Edited by Maurice Naggar
Link to post
Share on other sites

Hello. We need to re-run with a new script file.

Delete the old file named Fixlist.txt in the Downloads folder .. the folder C:\Users\hebat\Downloads

Be very sure to save any work files you have open at this point. Close & save any open edits, if any. Next, a custom script to do checks & some cleanups.

We will use FRSTENGLISH in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Heba only / for this machine only.

 

This custom script has some specific things, plus some general aspects to help the system overall.

  • Please be sure to close any open work files, documents, and any apps you started yourself before starting this.
  • Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Then start Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
  • On the FRST window: click the Fix button just once, and wait.

[screenshot: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Edited by Maurice Naggar
Link to post
Share on other sites

This topic is now closed to further replies.