
Google account hacked


Solved by Maurice Naggar

Need assistance in removing temp files in driver/store that have my curiosity piqued (see details below). I found these files when I ran a scan with Revo for junk files. These files showed up dated Sept. 8 in the early morning hours. Recently, I discovered a hack of my Google account. When I investigated, I discovered three phone accounts with names I didn't recognize, nor did I own or have I ever owned them, so I removed them from my Google account, used a "send erase" request and changed my password. Hopefully now they won't return.

Two of those sign-in dates for the intruders correspond nicely with the date of those errant temp driver store files. The other one signed in back in June, followed several months later by the others. I've scanned of course with MBAM and, as usual, nothing found.

Now, I can't say with certainty that these files resulted from anything nefarious, but I've not run across any temp driver files before that I couldn't remove. I suspect these files are left over from some uninstalled game driver, probably related to BlueStacks, although I haven't been able to nail that down. The only other coincidence is the Google hack.

My laptop is a Dell Inspiron 15 running Windows 11. I've only had it for these past several months.

Anyone with suggestions is appreciated.
Thanks!

vet

Details:
Driver/Store temp files:
C:\Windows\System32\DriverStore\Temp\DEL66F7.tmp
C:\Windows\System32\DriverStore\Temp\DEL6727.tmp
C:\Windows\System32\DriverStore\Temp\DEL6738.tmp
C:\Windows\System32\DriverStore\Temp\DEL6748.tmp

Intruders:
Galaxy S21 Ultra 5G
Crystal City, MO, USA
Last activity: Yesterday, 5:10 AM
Signed out
First sign-in: Sep 7

Galaxy S22
Crystal City, MO, USA
Last activity: September 7, 6:27 AM
Signed out
First sign-in: Sep 6
This session was used only briefly, and not recently. It’s already ended and has no access to your account.

OnePlus5
Crystal City, MO, USA
Last activity: September 5, 5:03 AM
Signed out
First sign-in: Jun 12

...by the way, Crystal City is a neighboring town. I live just about three miles from there.


Howdy. I hope you are doing well. Let me first start by remarking that those 4 .TMP files in the TEMP section of the driver store are fair game for deletion. You have most likely used Cleanmgr before. I suggest you start with running that.

Open an elevated Command Prompt window, i.e. run Command Prompt as an administrator.

On the Taskbar Search box, type in

cmd.exe


click the line for "run as administrator"

On that Command Prompt, copy & paste this command

cleanmgr.exe

press the Enter key on the keyboard and watch & write down the result


on the tab "Disk Cleanup"
then on the scrollable window marked "Files to Delete"
be sure to UN-tick the box on the line "Downloaded Program files"

DO tick the check boxes on these lines:
Windows Update Cleanup
Windows upgrade log files
Temporary Internet Files
Recycle Bin
Temporary files

Any other lines you can un-tick.

then click OK to proceed

You will get an "Are you sure" prompt.
Click on the "Delete Files" button.

One other procedure as to the hardware router. Secure your router by resetting it and then setting a strong password to sign into the router, and a strong wireless key to sign into your network. You can find your router manual by googling the exact model (on bottom) to follow the reset instructions, set the password and wireless key, optimize Security and Performance per these articles:
https://www.lifewire.com/resetting-a-home-network-router-818061
https://www.techradar.com/broadband/how-to-change-your-router-password

It will show a progress window. When it finishes, it will auto-close its window.


Try what follows in normal mode (if no joy, repeat while in Safe mode). Needs to be done in an elevated PowerShell.

We need to enter a pair of lines:

$Folder = "C:\Windows\System32\DriverStore\Temp\"

Get-ChildItem $Folder | Remove-Item -Recurse -Force


Again, no joy, I'm baffled. I have several entries similar to these:

    + FullyQualifiedErrorId : RemoveFileSystemItemArgumentError,Microsoft.PowerShell.Commands.RemoveItemCommand
Remove-Item : Cannot remove item C:\Windows\System32\DriverStore\Temp\DEL66F7.tmp: Access to the path is denied.
At line:3 char:25

...and now I found I have another one. These files obviously are being generated by some active process but I am hard pressed to find out what it is.

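Before forcing another deletion, a diagnostic pass (added here as an example; this is not code from either poster) that records each DEL*.tmp file's owner, permissions, creation time and whether a process currently holds it open, then pulls the SetupAPI device-install log sections from the same day, since each section header is followed by the command that staged the driver package. It assumes the folder path quoted in the thread and the default location of setupapi.dev.log; the log's line format is assumed to match current Windows releases.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
# Explains an "Access denied" instead of forcing it: ACL/ownership vs. an open handle.
$Folder = 'C:\Windows\System32\DriverStore\Temp'   # path named in the thread

function Get-FileLockState {
    param([string]$Path)
    # Opening with FileShare.None fails with IOException when another process
    # holds the file; a rights problem (ACL, TrustedInstaller ownership) raises
    # UnauthorizedAccessException instead, which is not a subclass of IOException.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return 'free'
    } catch [System.UnauthorizedAccessException] {
        return 'no-access'
    } catch [System.IO.IOException] {
        return 'locked'
    }
}

function Get-SetupApiSections {
    # Section headers look like ">>>  Section start yyyy/MM/dd HH:mm:ss.fff";
    # the line before names the operation, the line after ("cmd:") the process.
    param([datetime]$Day, [string]$LogPath = "$env:SystemRoot\INF\setupapi.dev.log")
    $stamp = $Day.ToString('yyyy/MM/dd')
    Select-String -LiteralPath $LogPath -Pattern "Section start $stamp" -Context 1,1 |
        ForEach-Object { $_.Context.PreContext + $_.Line + $_.Context.PostContext + '' }
}

$files = Get-ChildItem -LiteralPath $Folder -Filter 'DEL*.tmp' -Force

# 1. Per-file inventory: who owns it, who may touch it, is it held open right now.
$files | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    [pscustomobject]@{
        Name      = $_.Name
        SizeBytes = $_.Length
        Created   = $_.CreationTime
        Owner     = $acl.Owner
        Access    = ($acl.Access | ForEach-Object {
                        "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        State     = Get-FileLockState -Path $_.FullName
    }
} | Format-List

# 2. Correlate: which driver-install sections ran on the days the files were created.
$files | ForEach-Object { $_.CreationTime.Date } | Sort-Object -Unique |
    ForEach-Object { Get-SetupApiSections -Day $_ }
```

A file reported as 'locked' points to a live process (the SetupAPI "cmd:" lines usually name it), while 'no-access' with an owner of NT SERVICE\TrustedInstaller is an ACL matter rather than malware activity.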

"Access denied". Hmm. Let's see about getting a couple of diagnostic reports.

I would recommend getting a readout report as to the update status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below.

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

download & save a new copy of the tool FRST64.exe from this link

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

We will use that. Go to the Downloads folder. RIGHT-click on FRST64 and select

Run as Administrator

and tap ENTER. And reply YES to allow it to proceed.

  • When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt
  • Press the Scan button.


  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt + Addition.txt with your next reply. You may enclose the 2 into a ZIP file & attach same.

  • Solution

Thank you. I need for you to do these 2 important steps.

Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/


Next is the first round. We will do a 2nd round later to take care of MS Defender (which needs help for update failures). This round we hope to get details on ownership of those TMP files in the subject folder. The procedure will also do an SFC scannow & a DISM scanhealth to check the system. It also will give another attempt to delete the .tmp files.

Please Close all open work before you actually do begin this run.

Please download the attached fixlist.txt file and save it to Desktop

Fixlist.txt (attached)

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop folder (Fixlog.txt). Please attach or post it to your next reply.

This is a round for helping the updating of MS Defender, as per my earlier note. It needs a touch of help. This is a new script.

Please Close all open work before you actually do begin this run.

Please download the attached fixlist.txt file and save it to Desktop

Fixlist.txt (attached)

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop folder (Fixlog.txt). Please attach or post it to your next reply.

Hi. Thanks. One adjustment so that we have Microsoft Defender run alongside Malwarebytes.
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.

( 2 )

Download Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run. Please attach that file.

( 3 )

Want to visually look at MS Defender status & summary. (Sorry for the over-wordy direction.)

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use. I surmise that MS Defender is the resident antivirus.

One other separate thing. Check that MS Edge is the latest release: Microsoft Edge v.116.0.1938.81 (advisory: Download Update).

Edited by Maurice Naggar

Thanks Maurice for taking the time. The files are still present for whatever reason, but not causing any harm. Enough of your time has been spent chasing this ghost, but I do appreciate the time and attention.

Good to know you're still working. As you might be able to tell from my profile, I haven't been active on these forums for about nine years now. My last big hurrah was the final five years I spent on the help sites as Microsoft MVP along with you and all the others.

It was good, those years ago, but time has been more precious and less available for me. Thanks again, and many good wishes for your future endeavors!

vet

This topic is now closed to further replies.