Jump to content

I suspect someone is remotely accessing my computer.


Recommended Posts

A few examples every time I boot up something called host sync languages hangs and then prevents restarts.  After typing in my windows password every time the screen flashes to black for 2 seconds.  I have found file called netcfg_2022-04-07_14-34-30.dat on my desktop that I have no idea how or why it is there.  I have noticed 3 ipv6 dns servers in screenshot.  My gpu will be hot and show 30% usage when I am idling on desktop.  Someone had for sure had access to my desktop about 1 year ago, and they told me so on a program discord that they got into my windows and showed me screenshots of my stuff to taunt me.  I suspect somehow these people still have a backdoor into my Windows even though I have done several fresh windows installs.  Every fresh windows install i do fails sfc scan and has corrupt files even though I am using the legitimate windows image directly from windows.  I dont know enough but my network some sort of many virtual switches or something as well.  Can we fully investigate if and how these people are accessing my pc?  Thanks in advance.
Edit: Another way is every time I boot up my, type in my windows password, get to my desktop, screen goes black for 1 second as if something is loading up. When I run adwcleaner basic repair, it causes this screen to flicker black as well. As if its resetting whatever it is and making it start over. Every Adwcleaner basic repair makes the screen go black for 1 second same as the startup. I have seen a dialog box on startup before when whatever the thing is errored and failed to start properly. When i clicked stuff on it it didnt do anything for. I added pictures of firewall rules.  


 

Edited by AdvancedSetup
Removed image per request
Link to post
Share on other sites

  • Root Admin

Please post back new logs

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

I gathered the logs.  The logs file it made would not show up on the attach files thing, so I had to unzip it and put it in a new zip file and now it works.  Every time I log into my Windows account the screen flashes to black like something is starting up or taking control.  I have attached the requested logs.  I have been working on trying to remove the screenshotted entires from the original post as well.  Thanks for helping. 

New folder (3).zip

Link to post
Share on other sites

  • Root Admin

Please exit out of Malwarebytes and run the following scan.

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 

Link to post
Share on other sites

It showed 4 infected files during the scan, but ended showing zero.  I assuming it rechecked them or something.   This one //hklm\software\microsoft\windows defender\\DisableAntiSpyware keeps recurring and I am not setting it. 

msert.log

Edited by GANI482
edit
Link to post
Share on other sites

I got the logs.  I also ran a program called HijackThis.  I have included the log from that program as well because I think it shows malicious entries.  Please look over the hijack this log as well.  There are many unknown user entries that use systemroot, and I think could be evidence of the previous windows malicious take over that I experienced.  Let me know if you think anything of the hijack this log.  Thanks.

mbar-log-2022-06-03 (05-55-22).txt system-log.txt hijackthis.log

Link to post
Share on other sites

  • Root Admin

Please run the following fix. Once it has been completed, attach the FIXLOG.TXT file to your next reply.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

  • Root Admin

The log looks good. It reset all of your network settings, cleaned temp folders, and verified that key operating system files are valid and not corrupted.

Let's go ahead and run an ESET antivirus scan to double-check

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Link to post
Share on other sites

  • Root Admin

Once the ESET scan has been completed, and if you own your own router you should consider resetting it.

 

 

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2  using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID).  Do not use your; Name, Postal address, or other personal information.  Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date?  Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

 

 

Link to post
Share on other sites

Here is log.  I did reset router.  This router is rental from isp.  It has no changeable settings for me as the user.  There is a thing called Hidden Network set up that comes from my router.  I have tried before to troubleshoot this.  I am positive the signal originates from my router.  I contacted my isp about this before and they said it is not normal and they have never seen any of their routers do this.  They however blew off my request to change it with a replacement.  I have never been able to remove the hidden network from happening.  Another thing is my information keeps showing up in data leaks.  20 times now nordvpn and haveibeenpwned website both site my email and information keep showing up.  Just this week now again nordvpn has found my information in another leak.  I just dont understand how this keeps happening. 

222.jpg.a31eed237117c33ee3716ac82351abaf.jpg1.thumb.PNG.c6fbebe82780ce3ee82fca1dc3fb563c.PNG

eset.txt

Link to post
Share on other sites

  • Root Admin

Being listed in a breach has nothing to do with your own personal system being attacked or breached. It is the site you have or had an account on that was attacked and your information compromised. There is nothing you can do to stop that. Just make sure you never use the same password on more than one site and use strong passwords via a password manager.

 

The ESET log looks good.

Without buying your own router you're stuck with what your ISP will or will not do for you.

The system is not currently showing signs of an infection.

 

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

  • Root Admin

Shut everything down. Unplug the power from the computer and monitor.

Then unplug your video cable and then plug it back in on both ends. The computer and Monitor

Then plug it all back in and start it. Then go into the BIOS/UEFI screen and see if it's stable there or not

 

Link to post
Share on other sites

it was stable in the bios screen after a fresh power up. although as soon as it goes to windows it flashes to black every 3 seconds, and carries over in restarts, so if I restart itll now flash at bios. something is triggering it. i had one restart where it waited a minute till istarted doing it. Edited by GANI482
Link to post
Share on other sites

  • Root Admin

Let me get some new logs, please.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

It looks like this is faulting

Error: (06/13/2022 09:02:37 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: PrecisionX_x64.exe, version: 1.3.3.0, time stamp: 0x626b745d
Faulting module name: KERNELBASE.dll, version: 10.0.19041.1706, time stamp: 0x458acb5b
Exception code: 0xe0434352
Fault offset: 0x0000000000034fd9
Faulting process id: 0xa20
Faulting application start time: 0x01d87f8a6ce836de
Faulting application path: C:\Program Files\EVGA\Precision X1\PrecisionX_x64.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: fdb6342d-4033-4ed3-a52f-8d77c458115e
Faulting package full name:
Faulting package-relative application ID:

 

Maybe see if doing an in place upgrade helps

https://www.tenforums.com/tutorials/16397-repair-install-windows-10-place-upgrade.html

 

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.