
I recently upgraded from Win10 to Win 11. My PC/network were hacked into about 14 months ago. Since then every new install has had issues. I immediately ran DISM on the fresh install and it failed and needed to repair. Today I noticed something has been changing my Firefox profile. So I created a new folder titled Firefox on my E drive to put the new Firefox profile in. Shortly later I noticed that the entire folder titled Firefox is gone from my E drive, and the profile has changed names and moved to my C drive with 2 titles, root and local. It's startling because something deleted my folder from my drive, and somehow moved the Firefox profile files entirely to somewhere else and changed the name. I want to stress this is not a Firefox bug. I have never seen entire folders deleted. I really feel something is hijacking my browser or my files. I have also experienced times on this new Win11 install where notification connection sounds happen only during times I have the screen turned off, but when I check it shows no notifications. In the screenshot below of Firefox profiles, it began on the E drive and was titled something else. Shortly later I checked the E drive, the entire folder is gone, so I checked where my profile is and it's been moved and changed. I have never seen FF say root and local before. I want my system and files and everything to be all local and not shared or synced or copied anywhere else to another PC. That was originally how I was hacked 14 months ago: they were able to duplicate my system on theirs by hijacking the Windows account, I believe. I think they left something tied to my Windows serial #.

 

[Screenshot: Firefox profiles]

 

Thanks in advance.  This is upsetting.


Hello @GANI482 and welcome back:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Thank you.


Attachments: FRST.txt, Addition.txt, mwb.txt

 

Edit.  I have often wondered what is

(C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20070.625.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\105.0.1343.27\msedgewebview2.exe <6>

HKU\S-1-5-21-1797612658-979842438-1703979276-1000\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION

Is it something someone could use to interact with my browsers? Can/should it be removed? I did not set it and I do not use Edge.

2022-08-17 18:10 - 2022-08-17 18:10 - 000043960 _____ (SteelSeries ApS) C:\Windows\system32\Drivers\sshid.sys

This file is also older than my installation is. 

2021-06-05 08:08 - 2021-06-05 08:08 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

The date on this hosts is the date my system was hacked 14 months ago.

[Screenshot]

I think someone has added my pc to a workgroup or something and is accessing my pc and logging on.  There are 30,000 security events in a week.

Thanks again.  I will go back to waiting without further edits. 

Edited by GANI482
Added a question.

No.  I was able to install Windows onto another drive, updated the SSD firmware using that program, then I secure wiped the SSD with that program, and then I reinstalled Windows back to the SSD.  I didn't really understand why I was being told to replace the entire drive.  I was not positively sure the SSD is the source of any problem, but I knew I wanted to try to secure wipe it.   SMART is active on all drives.  This Win11 install is a week old but shows files going back to the date I was hacked in 2021.

Edited by GANI482
Added info.

  • Root Admin

Did you install using the Microsoft Account or a Local Account?

It is highly unlikely to be the cause, but using a Microsoft Cloud account to install Windows can allow syncing of old data.

 

How to install Windows 11 Home without a Microsoft account
https://pureinfotech.com/install-windows-11-home-without-microsoft-account/

 

How to Install Windows 11 Without a Microsoft Account
https://www.tomshardware.com/how-to/install-windows-11-without-microsoft-account

 

Perhaps try another new, fresh install of Windows based on a LOCAL account?

 

 

 


I set up this Windows 11 with a local account using the rufus method in the article you linked there.  It was installed via a USB stick. 

I have never logged in to any Microsoft Account since being hacked, and have used exclusively local accounts since.

[Screenshot: Firefox profiles]

 

I must have done at least 5 fresh Windows installs with local accounts since being hacked in 2021: 4 times of Windows 10, and 1 time of Windows 11 now. Every time it is the same. I even slow formatted the HDD drives to attempt to wipe anything hiding on them as well. Seeing as I am already using an install based on a Local Account, what else should I do or try?


  • Root Admin

Okay, we'll do some scans, but I have not seen or heard of any type of attack like this on Firefox before.

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 


That addendum to the run command is very important. When the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click directly onto that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...


When complete, if entries are found there will be options. If "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".


When complete, or if nothing was found, select "Close".


Attach the report information as previously instructed...
 
Thank you
 
 

 

 


I must say I was completely wrong about Firefox. I solved what had happened. I just have a few more questions.

Tcpip\..\Interfaces\{9272e2bf-6bd5-1513-a95c-605fd4c46776}: [NameServer] 103.86.99.99,103.86.96.96  why 2
Tcpip\..\Interfaces\{d8bda015-f855-442d-a79c-2e9286256421}: [DhcpNameServer] 192.168.40.1

What is this? Why is it broadcasting 2 things? My system broadcasts something called "guest network" that I never set up. Sometimes when I visit sites with live counters it counts me as 2 people, myself and a guest.

 

I want to remove these accounts.

Administrator (S-1-5-21-1797612658-979842438-1703979276-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1797612658-979842438-1703979276-503 - Limited - Disabled)
Guest (S-1-5-21-1797612658-979842438-1703979276-501 - Limited - Disabled)

https://github.com/undergroundwires/privacy.sexy/issues/30

https://www.windowschimp.com/defaultuser0-account/

https://superuser.com/questions/1152792/what-is-defaultuser0-and-is-it-safe-to-delete

 

What is this?  Many have no user listed trying to do something.

Error: (09/08/2022 09:29:27 AM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-IAR96BN)
Description: The server {8CFC164F-4BE5-4FDD-94E9-E2AF73ED4A19} did not register with DCOM within the required timeout.

Error: (09/08/2022 08:24:02 AM) (Source: Server) (EventID: 2505) (User: )    < NO user listed
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{9272E2BF-6BD5-1513-A95C-605FD4C46776} because another computer on the network has the same name.  The server could not start.

I have no server.  I should just have basic ethernet internet and nothing more.  

What is all this about?

Error: (09/08/2022 09:26:05 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.

Error: (09/08/2022 09:26:05 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.]

Error: (09/08/2022 07:58:08 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.]

Error: (09/08/2022 07:54:45 AM) (Source: DSAService) (EventID: 1003) (User: )
Description: DSAService.exe:OnStart Exception: System.ArgumentException: invalid directory handle||Parameter name: value||   at DSAServiceCore.Controllers.Computer.SettingsController.SetDsaDirectory(String value)||   at Intel.DSA.Service.Service.OnStartTask()

 

<Report>
    <Metadata Version="1" PCID="{3BB65C40-CD66-506C-28D7-BA86289F176B}" LastModification="2022.09.09 20:58:41.820" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="292161" Found="0" Neutralized="0">
            <Event0 Action="Scan" Time="133072439778702983" Object="" Info="Started" />
            <Event1 Action="Scan" Time="133072451217986077" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report>

I have included the scan logs. I am not so much concerned about viruses. I am concerned about changes that could have been made to backdoor into my system, or stealing my screen and streaming it. Things that may have legitimate purposes so they do not show up on malware scanners. Is everything else in my FRST and Addition logs completely normal? My Event Viewer shows over 30,000 security events; unknown people logging in, impersonation, and people accessing my credentials manager are all ones I have seen listed. Thank you.

Edited by GANI482
edit
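The KVRT report pasted above is plain XML once saved with -dontencrypt, and its Time attributes are Windows FILETIME tick counts (100 ns since 1601-01-01, UTC), not local time like the Metadata LastModification. The following is an added example, not part of this thread or of any Kaspersky tool: it parses a report in the shape shown above (the sample is that report, embedded verbatim), decodes the timestamps, and lists any object a block recorded as detected, so a reader can confirm Found="0" means a clean scan rather than an unfinished one.

```python
"""Summarise a KVRT .klr report that was saved unencrypted (-dontencrypt)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample: the report the user pasted in the thread, copied verbatim.
SAMPLE_REPORT = """<Report>
    <Metadata Version="1" PCID="{3BB65C40-CD66-506C-28D7-BA86289F176B}" LastModification="2022.09.09 20:58:41.820" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="292161" Found="0" Neutralized="0">
            <Event0 Action="Scan" Time="133072439778702983" Object="" Info="Started" />
            <Event1 Action="Scan" Time="133072451217986077" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report>"""

# Windows FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count (the report's Time attribute) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def summarise_report(xml_text):
    """Return one dict per event block: counters, start time, duration and detected objects."""
    root = ET.fromstring(xml_text)
    blocks = []
    for block in root.find("EventBlocks"):
        events = list(block)
        times = [filetime_to_datetime(ev.get("Time")) for ev in events if ev.get("Time")]
        blocks.append({
            "type": block.get("Type"),
            "processed": int(block.get("Processed", 0)),
            "found": int(block.get("Found", 0)),
            "neutralized": int(block.get("Neutralized", 0)),
            "started": min(times) if times else None,
            "duration": (max(times) - min(times)) if times else None,
            # Start/Finish events carry an empty Object; a non-empty one names a detection.
            "objects": [ev.get("Object") for ev in events if ev.get("Object")],
        })
    return blocks


if __name__ == "__main__":
    for b in summarise_report(SAMPLE_REPORT):
        print(f'{b["type"]}: processed={b["processed"]} found={b["found"]} '
              f'neutralized={b["neutralized"]} started={b["started"]:%Y-%m-%d %H:%M:%S %Z} '
              f'duration={b["duration"]} objects={b["objects"]}')
```

For the pasted report this gives a scan that started 2022-09-10 00:39:37 UTC and ran about 19 minutes over 292161 objects, which matches the LastModification of 20:58:41 local time (UTC-4) and confirms the scan ran to completion with nothing found.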

  • Root Admin

Do not, I repeat, DO NOT try to delete those accounts. Stay away from websites that espouse that kind of work. Microsoft has been building Windows for 30 years and has spent billions on extremely smart engineers building a rather fantastic operating system. Someone who has spent a few years supporting Windows and thinks that you can just remove things without potential issues is not someone I want to trust.

Your Firewall has multiple profiles.

Network building and automation is set up through various means: hardware detection, PNP (Plug and Play), specific drivers, etc.

My suggestion is don't mess with what Microsoft has set up in most cases. If someone is abusing the system and adding stuff or removing stuff then yes fix it, but don't just tweak Windows to tweak it. Sooner or later you'll have a non-secure piece of junk on your desk.

 

Run the Kaspersky scan to verify nothing is found. Then review the following for ways to help protect your data and privacy.

 

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.
    • Malwarebytes Browser Guard
    • uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


I will not mess with the Windows profile things.

 

"Your Firewall has multiple profiles. "

How do I remedy this?  This is a week old Win11 install.  I have not set up any profiles, let alone multiple profiles.  Is this something the hackers could have set up during their time on my system?


A final thought I just had: when my passwords were all hacked 14 months ago, they fully took my Microsoft account and Google account. I no longer am able to, or know how to, access the Microsoft account that was once linked to this computer and Windows key. As I am using Home edition Win11, which doesn't have remote desktop capabilities, there should be no way for them to do anything to me anymore because I am not logged in to any form of online syncing? Right?

Edited by GANI482

  • Root Admin

That is correct. There is no direct link to your system.

Follow the advice above as best you can and that should help you to better protect your system and if something does happen to it, allow you to recover a lot faster.

Take care and stay safe out there.

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 
