
Keylogger issue


  • This topic is locked
35 replies to this topic

#1 finob

    Member

  • Full Member
  • 34 posts

Posted 21 September 2016 - 03:40 PM

Last month I got rid of my backdoor intrusion, thinking that was my only issue, only to find out that there is still an issue. After removing the backdoor issue and changing all my passwords, I came to learn that someone has my new password info. So, I strongly believe that there is a well hidden keylogger on my laptop, hence the cryptic message I received at work (e-mail) from the hacker stating so.

I'm exhausted trying to figure out how to remove it... while hacker clown enjoys their pathetic little game.

Edit: Please read the Instructions and post the requested logs (MBAM, FRST, Security Analysis). We need the information in order to help you.


Edited by Rocket Grannie, 21 September 2016 - 04:22 PM.


#2 finob

    Member

  • Full Member
  • 34 posts

Posted 22 September 2016 - 05:33 PM

1st log as requested... and Addition.txt log attached

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/22/2016
Scan Time: 6:29 PM
Logfile: malScan.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.09.22.16
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: OWNER
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 331049
Time Elapsed: 40 min, 54 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

2nd log as requested....

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-09-2016
Ran by OWNER (administrator) on HP-LAPTOP (22-09-2016 19:13:13)
Running from C:\Users\OWNER\Downloads
Loaded Profiles: OWNER (Available Profiles: OWNER)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\msdt.exe
(Microsoft Corporation) C:\Windows\SysWOW64\sdiagnhost.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\sdiagnhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\sdiagnhost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe.old
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Piriform Ltd) C:\Program Files\Speccy\Speccy64.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagenta.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgfwsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\OWNER\Downloads\FRST64 (1).exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3954352 2016-04-28] (Synaptics Incorporated)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [204560 2016-09-07] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [6718224 2016-08-26] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-1164115143-704000759-1337320220-1002\...\Run: [SpybotPostWindows10UpgradeReInstall] => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
HKU\S-1-5-21-1164115143-704000759-1337320220-1002\...\RunOnce: [Uninstall C:\Users\OWNER\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\OWNER\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64"
HKU\S-1-5-21-1164115143-704000759-1337320220-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{acf8a3b1-0ae7-457c-bf38-3022204fbd45}: [DhcpNameServer] 192.168.0.1
 
Internet Explorer:
==================
SearchScopes: HKLM-x32 -> DefaultScope {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKLM-x32 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1164115143-704000759-1337320220-1002 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} hxxp://files.pcpitstop.com/cab/pcmatic.cab
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-22] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-22] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default [2016-09-22]
CHR Extension: (Google Slides) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-08-20]
CHR Extension: (Google Docs) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-20]
CHR Extension: (Google Drive) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-20]
CHR Extension: (YouTube) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-20]
CHR Extension: (Google Sheets) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-08-20]
CHR Extension: (Google Docs Offline) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-20]
CHR Extension: (Gmail) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-20]
CHR Extension: (Chrome Media Router) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-20]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2015-08-21] (Advanced Micro Devices, Inc.) [File not signed]
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [674552 2016-08-26] (AVG Technologies CZ, s.r.o.)
R2 avgfws; C:\Program Files (x86)\AVG\Av\avgfwsa.exe [2048920 2016-08-26] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5285344 2016-08-26] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1097488 2016-09-07] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [760024 2016-08-26] (AVG Technologies CZ, s.r.o.)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
S3 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [303360 2015-06-24] (Realtek Semiconductor)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [511488 2015-10-30] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-07-01] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\System32\drivers\athw10x.sys [4320280 2015-11-16] (Qualcomm Atheros Communications, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [21632 2016-01-07] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [163072 2016-05-13] (AVG Technologies CZ, s.r.o.)
R1 Avgfwfd; C:\Windows\system32\DRIVERS\avgfwd6a.sys [73480 2016-06-06] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [310016 2016-08-23] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [272640 2016-07-27] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [260352 2016-06-01] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [262400 2016-08-02] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [52992 2016-06-01] (AVG Technologies CZ, s.r.o.)
R0 avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [77056 2016-06-20] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [313096 2016-08-04] (AVG Technologies CZ, s.r.o.)
R3 cpuz138; C:\Users\OWNER\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [27320 2016-09-18] (CPUID)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-01-13] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-09-22] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
S3 NdisImPlatformMp; C:\Windows\System32\drivers\NdisImPlatform.sys [126976 2015-10-30] (Microsoft Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [310528 2015-06-05] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-22 19:12 - 2016-09-22 19:12 - 00001041 _____ C:\malScan.txt
2016-09-22 18:30 - 2016-09-22 18:31 - 02402816 _____ (Farbar) C:\Users\OWNER\Downloads\FRST64 (1).exe
2016-09-22 18:19 - 2016-09-22 18:25 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-09-22 18:18 - 2016-09-22 18:18 - 00001171 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-22 18:18 - 2016-09-22 18:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-22 18:18 - 2016-09-22 18:18 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-22 18:18 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-09-22 18:18 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-09-22 18:18 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-09-22 18:16 - 2016-09-22 18:17 - 22851472 _____ (Malwarebytes ) C:\Users\OWNER\Downloads\mbam-setup-2.2.1.1043.exe
2016-09-17 14:39 - 2016-09-17 14:43 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-09-17 14:39 - 2016-09-17 14:39 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-09-17 14:36 - 2016-09-17 14:38 - 27392664 _____ (SUPERAntiSpyware) C:\Users\OWNER\Downloads\SUPERAntiSpyware.exe
2016-09-12 14:07 - 2016-09-12 14:08 - 00000000 ___HD C:\$WINDOWS.~BT
2016-08-27 20:37 - 2016-08-28 02:22 - 00002332 _____ C:\Users\OWNER\Desktop\Google Chrome.lnk
2016-08-27 20:33 - 2016-08-27 20:34 - 01065376 _____ (Google Inc.) C:\Users\OWNER\Downloads\ChromeSetup.exe
2016-08-23 16:31 - 2016-08-23 16:31 - 00310016 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgidsdrivera.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-22 19:13 - 2016-08-17 21:39 - 00011798 _____ C:\Users\OWNER\Downloads\FRST.txt
2016-09-22 18:48 - 2016-08-22 19:37 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-22 18:32 - 2016-08-17 21:39 - 00000000 ____D C:\FRST
2016-09-22 18:20 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-09-22 18:19 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-09-22 18:10 - 2016-05-17 22:12 - 00000000 ____D C:\ProgramData\MFAData
2016-09-22 18:10 - 2015-11-30 20:45 - 00004154 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{B58057C0-0FB6-48D4-BE8B-48778E319688}
2016-09-19 11:47 - 2016-05-17 22:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-09-18 12:51 - 2015-10-30 02:28 - 00032768 ___SH C:\WINDOWS\system32\config\ELAM
2016-09-17 19:55 - 2016-08-22 19:37 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-17 19:43 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-09-17 19:43 - 2015-10-30 03:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-09-17 19:41 - 2015-11-18 13:28 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-09-17 19:24 - 2015-11-18 13:28 - 144199024 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-09-17 15:05 - 2016-08-22 19:40 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-12 14:09 - 2015-12-25 17:00 - 00000000 ___DC C:\WINDOWS\Panther
2016-09-11 16:22 - 2016-02-05 19:07 - 00000000 ____D C:\Users\OWNER\AppData\LocalLow\Temp
2016-09-06 21:00 - 2015-10-30 03:26 - 00828408 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-09-06 21:00 - 2015-10-30 03:26 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-09-05 16:35 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-09-01 10:19 - 2016-07-19 19:06 - 00000000 ____D C:\ProgramData\setup
2016-08-31 19:02 - 2015-11-16 20:57 - 00834360 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-31 19:02 - 2015-10-30 03:21 - 00000000 ____D C:\WINDOWS\INF
2016-08-30 22:03 - 2016-01-05 23:15 - 00007606 _____ C:\Users\OWNER\AppData\Local\Resmon.ResmonCfg
2016-08-27 20:34 - 2016-01-02 23:10 - 00000000 ____D C:\Users\OWNER\AppData\Local\Google
2016-08-27 17:24 - 2016-08-08 17:34 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-08-27 17:24 - 2015-12-25 14:37 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-27 17:24 - 2015-12-25 14:14 - 00000000 ____D C:\Users\OWNER
 
==================== Files in the root of some directories =======
 
2015-11-28 10:54 - 2016-01-02 22:34 - 0000053 _____ () C:\Users\OWNER\AppData\Roaming\LogFile.txt
2016-01-05 23:15 - 2016-08-30 22:03 - 0007606 _____ () C:\Users\OWNER\AppData\Local\Resmon.ResmonCfg
2016-01-10 19:41 - 2016-01-10 19:41 - 0000057 _____ () C:\ProgramData\Ament.ini
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-09-18 16:37
 
==================== End of FRST.txt ============================
 
3rd log requested...
Result of Security Analysis by Rocket Grannie (x86) Updated: 11th September, 2016
Running from:C:\Users\OWNER\Downloads (19:36:47 - 09/22/2016)
***---------------------------------------------------------***
Microsoft Windows 10 Home X64
UAC is Enabled!
Internet Explorer 11
Default Browser: Microsoft Edge
***-----------------Anti-Virus - Firewall-------------------***
Windows Defender (Disabled - Up to Date)
AVG Internet Security (Enabled - Up to Date)
Windows Firewall is Enabled!
Searching for any other Firewall
AVG Internet Security
***----------------AntiSpyware - Miscellaneous---------------***
Adobe Flash Player Plugin is not installed
Java is not installed
Google Chrome (version 53)
Malwarebytes Anti-Malware (version 2.2.1.1043)
 
***----------------Analysis Complete-------------------------***


#3 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,533 posts

Posted 24 September 2016 - 04:59 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#4 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 24 September 2016 - 08:38 AM

Hello finob.
Welcome to SpywareInfo Forum.
I'm Android 8888 and I'll be helping you. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copying them to a Notepad file, and reading the entire post before proceeding. It will make following them easier.
Please follow the directions in the order listed.


NOTICE: The script below was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Open Notepad (Click the Start button on taskbar to display the menu, and then choose Notepad on it). Please copy the entire contents of the code box below.
To do this highlight the contents of the box and right click on it and select Copy.
Paste this into the open Notepad.

Start

CreateRestorePoint:
CloseProcesses:
EmptyTemp:

HKU\S-1-5-21-1164115143-704000759-1337320220-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
CHR Extension: (Chrome Web Store Payments) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-20]
R3 cpuz138; C:\Users\OWNER\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [27320 2016-09-18] (CPUID)
Task: {6B414FE1-34AC-4AB2-A7A1-93BC66C30078} - \avast! Windows 10 Start Menu helper -> No File <==== ATTENTION
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\OWNER\AppData\Local\Temp\cpuz138\cpuz138_x64.sys

End


Save the file as fixlist.txt into the same folder as FRST64.
Run FRST64 and click Fix only once and wait.
When finished, FRST64 will generate a log on the Desktop (fixlog.txt). Please post it in your reply.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.


Please download AdwCleaner by Xplode and save it to your Desktop.

  • Close all open programs and internet browsers.
  • Right click on the AdwCleaner icon and choose Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click I Agree on the disclaimer to accept the Terms of Use.
  • Click the Scan button to start the scan and wait for the process to complete.
  • Click the Logfile button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file in your next reply.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).


Please scan your computer with ESET Online Scanner.

  • Click on this link to open ESET Online Scanner in a new window.
  • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
  • Close all your programs and browsers.
  • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
  • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.


In your next reply please post the contents of fixlog.txt, the AdwCleaner log and the ESET log (if it produced one).

Let me know what issues you are having with your laptop.


Android 8888

Website: http://android8888.comlu.com

Tavira - Here's where I live!

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

Our help is free, but if you wish to help keep these forums running please consider a donation; please see This Topic for details.
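The fixlist above is the helper's hand-picked selection from the FRST.txt posted earlier in the thread: a driver loading from the user's Temp folder, a scheduled task whose target is "No File", a Chrome extension folder and an Explorer policy under the user's HKU hive. As an added example (not code from this thread, from FRST or from its author), the Python script below reads FRST-style log lines and flags the same kinds of entries automatically: empty publisher fields, "[File not signed]" services, anything loading from a Temp directory, Run entries with no size/date/publisher metadata, Policies entries, and tasks pointing at a missing file. It generalizes beyond the four entries the helper chose to every entry matching those rules. The regexes are this example's assumptions about the line formats FRST prints, and the sample log is constructed from entries that appear in the posted FRST.txt and fixlist.

```python
"""Triage helper for FRST-style log lines (added example, not FRST's own code).

Reads the line shapes FRST prints in its Processes, Registry, Services,
Drivers and Task sections and flags the entries a helper reviews first.
The regexes and rules below are this example's assumptions about the
format, not FRST's whitelist logic; hits are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass

# Section banner, e.g. "==================== Drivers (Whitelisted) =========="
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# Process line: "(Publisher) C:\path\to\binary.exe"
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\)\s+(?P<path>.+)$")
# Service/driver line: "R3 name; C:\path [size date] (Publisher) [flags]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>[\d-]+)\]\s+\((?P<publisher>[^)]*)\)(?P<flags>.*)$"
)
# Run/RunOnce entry: "HKLM\...\Run: [Name] => C:\path [size date] (Publisher)"
RUN_RE = re.compile(r"^(?P<hive>HK\S+)\\\.\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]+)\]\s+=>\s+(?P<rest>.+)$")
META_RE = re.compile(r"\[(?P<size>\d+)\s+(?P<date>[\d-]+)\]\s+\((?P<publisher>[^)]*)\)\s*$")
# Explorer policy entry: "HKU\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1"
POLICY_RE = re.compile(r"^(?P<hive>HK\S+)\\\.\.\.\\Policies\\(?P<subkey>\w+):\s+\[(?P<name>[^\]]+)\]\s+(?P<value>.+)$")
# Scheduled task: "Task: {GUID} - \Name -> target"
TASK_RE = re.compile(r"^Task:\s+(?P<guid>\{[^}]+\})\s+-\s+(?P<name>.+?)\s+->\s+(?P<target>.+)$")
# Any path component named Temp (covers AppData\Local\Temp and C:\Windows\Temp)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def _check_binary(section, entry, path, publisher, flags, out):
    """Rules shared by processes, services, drivers and Run entries."""
    if publisher.strip() == "":
        out.append(Finding(section, entry, "no publisher recorded (empty parentheses)"))
    if "[File not signed]" in flags:
        out.append(Finding(section, entry, "file is not digitally signed"))
    if TEMP_DIR_RE.search(path):
        out.append(Finding(section, entry, "loads from a Temp directory"))


def triage(log_text: str) -> list:
    """Return the entries in an FRST-style log that deserve a closer look."""
    findings = []
    section = "unknown"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(If "):  # blank line or FRST's own explanatory note
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"].replace("(Whitelisted)", "").strip()
            continue
        if section == "Processes":
            m = PROCESS_RE.match(line)
            if m:
                _check_binary(section, m["path"], m["path"], m["publisher"], "", findings)
            continue
        if m := SERVICE_RE.match(line):
            _check_binary(section, m["name"], m["path"], m["publisher"], m["flags"], findings)
        elif m := RUN_RE.match(line):
            meta = META_RE.search(m["rest"])
            if meta is None:
                # Assumption: FRST appends [size date] (publisher) when it can read
                # the file, so a bare path is worth checking by hand.
                findings.append(Finding(section, m["name"], "no size/date/publisher metadata; file may be missing"))
            else:
                _check_binary(section, m["name"], m["rest"], meta["publisher"], "", findings)
        elif m := POLICY_RE.match(line):
            findings.append(Finding(section, m["name"], f"{m['subkey']} policy set to {m['value']}; confirm it was intended"))
        elif m := TASK_RE.match(line):
            if m["target"].startswith("No File"):
                findings.append(Finding(section, m["name"], "scheduled task points to a missing file"))
    return findings


# Constructed sample: a handful of lines taken from the FRST.txt and fixlist posted in this thread
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3954352 2016-04-28] (Synaptics Incorporated)
HKU\S-1-5-21-1164115143-704000759-1337320220-1002\...\Run: [SpybotPostWindows10UpgradeReInstall] => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
HKU\S-1-5-21-1164115143-704000759-1337320220-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
==================== Services (Whitelisted) ========================
S3 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2015-08-21] (Advanced Micro Devices, Inc.) [File not signed]
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
===================== Drivers (Whitelisted) ==========================
R3 cpuz138; C:\Users\OWNER\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [27320 2016-09-18] (CPUID)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-01-13] ()
==================== Scheduled Tasks (Whitelisted) =============
Task: {6B414FE1-34AC-4AB2-A7A1-93BC66C30078} - \avast! Windows 10 Start Menu helper -> No File <==== ATTENTION
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}: {f.reason}")
```

Every hit is a prompt for a human, not a verdict: Store apps such as SkypeHost.exe routinely show an empty publisher in FRST output, and CPUID's cpuz driver is a legitimate tool that simply happened to be loaded from Temp. The value of the script is that it reproduces the first pass a helper makes over a several-hundred-line log, so the entries that were not flagged (signed vendor services in Program Files, Google's Chrome extensions with their dates) can be skipped quickly and attention spent on the handful that remain.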

#5 finob

    Member

  • Full Member
  • 34 posts

Posted 24 September 2016 - 04:36 PM

Hello Android 8888,



Well, I have the first two logs pending. While I had the ESET scan going, 3/4 of the way in it picked up 1 threat. My mom jumped on and next thing, the ESET scan froze. So I started over and the one threat it found is now gone. Also, I couldn't log into spyware, considering I had my login credentials remembered, and yet all of a sudden they are no longer remembered. I didn't do that. I had to reset my password because some butthole is playing games.

1st log requested...
Fix result of Farbar Recovery Scan Tool (x64) Version: 24-09-2016 02
Ran by OWNER (24-09-2016 12:40:42) Run:3
Running from C:\Users\OWNER\Downloads
Loaded Profiles: OWNER (Available Profiles: OWNER)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
CloseProcesses:
EmptyTemp:

HKU\S-1-5-21-1164115143-704000759-1337320220-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
CHR Extension: (Chrome Web Store Payments) - C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-20]
R3 cpuz138; C:\Users\OWNER\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [27320 2016-09-18] (CPUID)
Task: {6B414FE1-34AC-4AB2-A7A1-93BC66C30078} - \avast! Windows 10 Start Menu helper -> No File <==== ATTENTION
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\OWNER\AppData\Local\Temp\cpuz138\cpuz138_x64.sys
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1164115143-704000759-1337320220-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLowDiskSpaceChecks => value removed successfully
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
cpuz138 => Unable to stop service.
cpuz138 => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6B414FE1-34AC-4AB2-A7A1-93BC66C30078}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B414FE1-34AC-4AB2-A7A1-93BC66C30078}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avast! Windows 10 Start Menu helper" => key removed successfully
"C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
C:\Users\OWNER\AppData\Local\Temp\cpuz138\cpuz138_x64.sys => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 3065343 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9576348 B
Java, Flash, Steam htmlcache => 2369 B
Windows/system/drivers => 13825598 B
Edge => 51917289 B
Chrome => 789746866 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 6530 B
NetworkService => 0 B
OWNER => 38120266 B
PCPitstopSVC => 0 B

RecycleBin => 0 B
EmptyTemp: => 864.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 12:44:24 ====


2nd log requested...
# AdwCleaner v6.020 - Logfile created 24/09/2016 at 13:34:46
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-24.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : OWNER - HP-LAPTOP
# Running from : C:\Users\OWNER\Downloads\adwcleaner_6.020.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\search.aol.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\search.aol.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\search.aol.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\search.aol.com


***** [ Web browsers ] *****

[-] [C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1675 Bytes] - [18/08/2016 18:39:46]
C:\AdwCleaner\AdwCleaner[C2].txt - [1918 Bytes] - [24/09/2016 13:34:46]
C:\AdwCleaner\AdwCleaner[S0].txt - [1813 Bytes] - [18/08/2016 18:35:29]
C:\AdwCleaner\AdwCleaner[S1].txt - [2267 Bytes] - [24/09/2016 13:33:18]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2137 Bytes] ##########

3rd log requested...

ESET for some reason froze and when I ran it again, it came up empty yet the previous scan detected one threat.

anyway, SOMEBODY has unauthorized access to my laptop and is enjoying their little games!

#6 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 25 September 2016 - 02:31 PM

Hello finob.
 

ESET for some reason froze, and when I ran it again it came up empty, yet the previous scan detected one threat.

ESET removed the threat it found in the previous scan.
 

Please download RogueKiller 32/64 Bits Installer (setup.exe) by Tigzy and save it to your Desktop.

  • Right click on the file setup.exe and select Run as administrator to install the tool.
  • Click Yes to accept any security warnings that may appear.
  • Choose the installation language and click OK.
  • Checkmark "Install 32 and 64 bits versions" and click Next. Follow the steps to install the tool.
  • Now close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.

Please copy and paste the contents of RKlog.txt to your next reply.
 
Keep me posted on how your computer is running.


Android 8888
 
Website: http://android8888.comlu.com
 
Tavira - Here's where I live!
 
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#7 finob

    Member

  • Full Member
  • 34 posts

Posted 25 September 2016 - 07:47 PM

hi Android 8888,

 

Thank you for all your help...I think it's getting there...but there's still the issue of someone having access, and it runs slow. Here's the log...

 

RogueKiller V12.6.3.0 (x64) [Sep 19 2016] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : OWNER [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 09/25/2016 20:38:10 (Duration : 00:58:45)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {10A707CC-7809-4EF9-B0CE-AD8798AFAFF7} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D46409B6-BC62-4104-B4DB-B06C2B6698F4} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73678368-3B1E-4536-A6D6-77D6D5549DDF} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4B2A5441-DB43-44A0-8C6A-B72BE450878E} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {10A707CC-7809-4EF9-B0CE-AD8798AFAFF7} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D46409B6-BC62-4104-B4DB-B06C2B6698F4} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73678368-3B1E-4536-A6D6-77D6D5549DDF} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4B2A5441-DB43-44A0-8C6A-B72BE450878E} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BPVT-60JJ5T0 +++++
--- User ---
[MBR] fd9c45f893067b4140b808bdc8664c76
[BSP] f5d2fdebf049248a4e68d20ee572f3c3 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 279157 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 573331456 | Size: 895 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 575164416 | Size: 450 MB
6 - [SYSTEM] Basic data partition | Offset (sectors): 576086016 | Size: 23953 MB
User = LL1 ... OK
User = LL2 ... OK
 
The reason I know someone has access is threefold. One: my banking login time and date stamp shows someone has been in my acct AFTER I changed passwords...IN BETWEEN my last and current logins. Two: my e-mail; I notice the spam folder count goes down when I don't ever touch it. It's one thing if the number count goes up, but someone deletes old ones, adds new ones and opens them, because the number count was 143/154 and now it's 133/143. Again, I don't touch it, I just look at the content and notice the number count GOES down, which means someone is deleting them, which means someone has been IN THE ACCOUNT. AND Three: again, I was sent an email indicative (the email handle was the name of the person in the pic I was looking at) of what I did on my laptop (looked at certain pics of relatives, old friends), which means someone either has access to it or there's a key logger giving them the info so they can then throw it back in my face.
 
Also, this bored hacker fool KNOWS that I'm on this board trying to remove them while they continue their silly games.
 
Again, thank you for your continued help, I appreciate it!


#8 finob

    Member

  • Full Member
  • 34 posts

Posted 25 September 2016 - 08:05 PM

Android 8888,

 

Realizing they SAW the pic I was looking at too, because in the cryptic indicative email I RCVD, the email address itself had the name of the person IN THE PIC and what I was doing, which was looking at it, SO THEY CAN SEE what I SEE!!! And they are only too happily stupid to tell me so, the equivalent of what 13 yr. olds would do when they are bored...annoy people for the fun of it.

 

Anyway, I await your reply.

 

Finob



#9 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 26 September 2016 - 09:24 AM

Hello finob.

If you can, please print this topic, as it will make it easier for you to follow the instructions below and complete all of the necessary steps.
Please follow the directions in the order listed.

  • Close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Re-run RogueKiller. Right-click on the RogueKiller icon and select Run as administrator.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished select the following Registry entries:

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {10A707CC-7809-4EF9-B0CE-AD8798AFAFF7} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D46409B6-BC62-4104-B4DB-B06C2B6698F4} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73678368-3B1E-4536-A6D6-77D6D5549DDF} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4B2A5441-DB43-44A0-8C6A-B72BE450878E} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {10A707CC-7809-4EF9-B0CE-AD8798AFAFF7} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D46409B6-BC62-4104-B4DB-B06C2B6698F4} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zS5A16.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73678368-3B1E-4536-A6D6-77D6D5549DDF} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4B2A5441-DB43-44A0-8C6A-B72BE450878E} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\OWNER\AppData\Local\Temp\7zSDB81.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found

  • Click on Remove Selected button.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.

Please copy and paste the contents of RKlog.txt to your next reply.


Next,
Please download the Zoek tool from here

When the download appears, save it to the Desktop.
Next, temporarily disable your AVG Internet Security Antivirus program so it does not interfere with the scan.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

On the Desktop, right-click the Zoek.exe file and select Run as administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
 

createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b


Now close any open Browsers.
Click the Run script button, and wait. It may take some time to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
Note: If a reboot is needed, the log is opened after the reboot.

Please copy and paste the contents of the zoek-results.log to your next reply.
 

Note: Please re-enable your AVG Internet Security Antivirus program.


To summarize please post the contents of:
RKlog.txt
Zoek-results.log

Let me know what problems persist in your laptop.


Android 8888
 

#10 finob

    Member

  • Full Member
  • 34 posts

Posted 26 September 2016 - 09:11 PM

Hi Android,

 

Ran both logs as you requested...

RK did not have a log to export txt...so none to post

 

And...

 

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by OWNER on Mon 09/26/2016 at 20:50:00.10.
Microsoft Windows 10 Home 10.0.10586  x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\OWNER\Desktop\shortcuts\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
9/26/2016 8:54:22 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~3\setup deleted successfully
C:\Users\OWNER\AppData\Local\ActiveSync deleted successfully
C:\Users\OWNER\AppData\Local\FSDART deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\WINDOWS\wininit.ini deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
 
==== Chromium Look ======================
 
 
Chrome Media Router - OWNER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Chromium Fix ======================
 
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage deleted successfully
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.co...={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/...ox&FORM=IESR02"
 
==== Reset Google Chrome ======================
 
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\OWNER\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\OWNER\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\OWNER\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\OWNER\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=27 folders=25 22961219 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\OWNER\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Mon 09/26/2016 at 22:56:02.04 ======================
 
 
Android, 
Yesterday I changed my password on my laptop and today I couldn't get in, so again, I had to reset.
Somebody got in, deleted spam/added new spam while still dropping the Spam Count (indicative of someone BEING IN my acct call the new spam NEW) and changed my password on me for their pathetic enjoyment! Still taunting as they have nothing better to do with their time. THEY know that I know! so FUJO!!!!
 
With all the deletions of the scripts you and Nasdaq have given me, it seems there were two people w/unauthorized access to my laptop.
One seems to have been removed while the other, mildly annoying, is still here.
After this Zoek log...being the last log to run...I have to see tomorrow if any issues are still pending.
 
One thing though, Nasdaq mentioned changing the password on my router. Don't have a router, just a modem.
Is this something I should look into...because it makes me go "huh". I looked it up...and find it confusing. He helped me out but whatever is on my laptop is deeply hidden/disguised. I don't know how this hacker is getting my info, and watching what I watch, but THEY ARE! Tell me, w/all the instructions you have given me to run, does it look like it should be gone? I'm exhausted w/these necessary steps.

 

Again, thank you for all your continued help, I appreciate it!

 

What's next?



#11 finob

    Member

  • Full Member
  • 34 posts

Posted 26 September 2016 - 09:17 PM

and now look at this, I cannot change my password on this forum because somebody changed the current password on me!

I have to reset it from the outside instead of changing it from the inside...again, playing games...this is how BORED hacker is...



#12 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 27 September 2016 - 04:27 AM

Hello finob.
 

Tell me, w/all the instructions you have given me to run, does it look like it should be gone?

At this point I cannot tell you that for sure. I am still trying to find out. The logs of the previous scans show no signs of intrusion, just some leftovers of adware.
 

 

One thing though, Nasdaq mentioned changing the password on my router. Don't have a router, just a modem.
Is this something I should look into...because it makes me go "huh". I looked it up...and find it confusing.

and now look at this, I cannot change my password on this forum because somebody changed the current password on me!

Your Modem might be infected. I need you to tell me the Make and Model number of your Modem. Sometimes it is printed on a sticker on the back of the device.


Android 8888
 

#13 finob

    Member

  • Full Member
  • 34 posts

Posted 28 September 2016 - 04:20 PM

Hey Android 8888

 

Finally, I got in!

 

make & model is:

 

Hughes

HT1000



#14 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 29 September 2016 - 07:52 AM

Hello finob.

It seems you have Internet access via a satellite connection.

 

The next thing I advise you to do is reset your Modem.
Please read the following article and see if it can help you.
http://www.hughesnetinternet.net/internet-guide/reset-your-hughesnet-modem/

Then try to log in to the Modem. To do that you must type 192.168.0.1 in the Address bar of your browser and press Enter. Once you get in change the default password to a new strong password.
How to Create a Strong Password
If you don't know the default username and password to log in, please read this article and see if it can help you.

 

Now, change all other passwords that you may have typed to access your bank accounts, e-mail accounts and any others. Be sure to create strong passwords for all of them. I cannot stress enough how important this is.


Please let me know if that helped you and what issues still remain in your computer.


Android 8888
 

#15 finob

    Member

  • Full Member
  • 34 posts

Posted 29 September 2016 - 04:35 PM

hi Android, 

 

Well, once again, HN was USELESS; they tell me there's no password on the modem.

2nd time I went to them for help and I was roadblocked w/incompetence.

 

During my 1st chat session, hacker clown cut me off and I had to start a 2nd session, in which the rep took 4eva to tell me she cannot help me!!! lol I filled out a form stating my two things...and 20 minutes later she's telling me to contact support, meanwhile she WAS chat support! lol

 

So here I am again with the hacker still sticking their hypocritical Big Nose in my business.

 

Where do I go from this point?

 

Again, thank you for your support, I appreciate it!

 

Finob



#16 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 01 October 2016 - 05:42 PM

Hello finob.

 

Do you log in from other devices (for example from your place at work or from another location), or do you log in only from your connection at home?

 

Is the connection from your laptop to the modem made via wireless or with an Ethernet cable? If the connection is made via wireless, I suggest you use an Ethernet cable to physically connect the laptop to the modem and turn off the wireless connection on the modem.

 

Then try to log in and see how it goes. Does the hacker issue remain?


Android 8888
 

#17 finob

    Member

  • Full Member
  • 34 posts

Posted 01 October 2016 - 07:02 PM

No.

I don't do wireless at home, it's Ethernet w/cables.

I only log onto my laptop when I'm home for any personal accts.

 

At one point it seemed there were wifi connections, but I shut that off.

 

So, getting your previous reply about looking into routers...I will do that.

 

In the meantime, the hacker clown is still popping into my laptop and the ONLY WAY I could stop this clown was to check CMD/Task Mgr and see what Established #'s don't belong and END it! So far that seems to temporarily kick 'em out, but they always come back. It's really frustrating because at times the hacker clown lies dormant until I'm doing something important and actually getting somewhere and THAT'S when hacker clown X's me out of my window. Basically, hacker clown is enjoying this little game of theirs, as they are BORED and THIS gives them satisfaction.

 

I will get back to you on the router situation.

 

Again, thanks for your help Android 8888, I really do appreciate it!!!
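The check finob describes above (looking at the ESTABLISHED entries that CMD's netstat shows and deciding which ones do not belong) can be made repeatable so that the same triage record is produced each time. The following is an added example, not code from the forum post or from any of the tools discussed in it. It parses the text that a Windows `netstat -ano` command prints, keeps the ESTABLISHED TCP connections whose peer is outside the local machine, and labels each one with the owning process. The sample netstat text, the PID-to-process map and the function names are constructed for the example; on a live system the process map would be built from `tasklist /FO CSV`, which is not parsed here.

```python
import ipaddress
import re

# Constructed sample of what `netstat -ano` prints on Windows; not output from
# the laptop discussed in the thread. Peer addresses are from the TEST-NET ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:49712        127.0.0.1:49713        ESTABLISHED     1234
  TCP    192.168.0.5:49720      198.51.100.20:443      ESTABLISHED     5120
  TCP    192.168.0.5:49731      203.0.113.77:8080      ESTABLISHED     6060
  TCP    192.168.0.5:49740      198.51.100.9:443       TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2200
"""

# Constructed PID -> image-name map (hypothetical). On a live system this would
# be built from `tasklist /FO CSV`; that parsing is not part of this example.
SAMPLE_PROCESSES = {880: "svchost.exe", 1234: "chrome.exe", 5120: "chrome.exe",
                    6060: "updater.exe", 2200: "svchost.exe"}

# One netstat row: protocol, local endpoint, foreign endpoint, optional state
# (UDP rows have none), PID. Banner and header lines do not match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, or [IPv6]) into (host, port) strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per connection row; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": lhost, "lport": lport,
                     "foreign": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def is_local_peer(host):
    """True for loopback, unspecified and wildcard peers: traffic that never
    leaves the machine and so needs no triage here."""
    if host in ("*", ""):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def remote_established(rows, processes):
    """ESTABLISHED TCP connections whose peer is outside this machine, each as
    (pid, image name, 'peer:port'). A PID missing from the process map is
    reported as '<unknown>' rather than silently dropped."""
    out = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        if is_local_peer(r["foreign"]):
            continue
        out.append((r["pid"], processes.get(r["pid"], "<unknown>"),
                    f'{r["foreign"]}:{r["fport"]}'))
    return out


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, image, peer in remote_established(rows, SAMPLE_PROCESSES):
        print(f"PID {pid:<6} {image:<14} -> {peer}")
```

The script only reports; it ends nothing. The value of the output is the record it leaves (PID, image name and peer address for every outbound connection worth a closer look), which is what a helper reviewing the case needs to see, and what is lost if the process is simply ended from Task Manager.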



#18 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 03 October 2016 - 04:11 AM

Hello finob.


Please forget the router for now. I can help you with it later if we can not solve the problem otherwise.

Firstly, try to reset your HughesNet modem.
You’ll find the reset button either on the back or at the base of your modem, depending on which model you have. Because the button is extremely small, you might need to use something pointed to hold the button, such as a toothpick or a ballpoint pen.
Hold the button down until all the lights on the modem turn off and then back on. If your modem model does not have a reset button, simply unplug the modem. Plug it back in after at least one minute.

NOTE: Please DO NOT move on to the next step IF you were not successful resetting your modem with the instructions above.

 

If you were successful resetting your modem, then try the following:

Log into your account here
Usually the default username and password combination for HughesNet (unless you already have changed it) is:
Username: admin
Password: password (or 1234 for old devices).

After logging in please create a new and strong password. Passwords can be discovered through mathematical algorithms. These algorithms are computer programs created to run through the various combinations of a password until they find the right combination. The more different characters a password has, the more difficult it becomes to find the right combination. A strong password should be a minimum of 10 characters in length and should include Numbers (123...), Symbols (@&*...), Capital Letters (ABC...), and Lower-Case Letters (abc...).

In order to remember it, write down your new password somewhere (e.g. on paper), but NEVER on the computer.


Please let me know how successful you were.


Android 8888
 
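The password rule in the post above (at least 10 characters, drawing on numbers, symbols, capitals and lower-case letters) and the reason behind it (every extra character class and every extra character enlarges the space an exhaustive search must cover) can be put in code. This is an added example, not part of Android 8888's post; the function names and the sample passwords are the example's own, and the class sizes are those of the ASCII printable set.

```python
import math
import string

# Character classes from the rule above, with the alphabet size an exhaustive
# search must assume once a class is known to be in use.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}
MIN_LENGTH = 10


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_policy(password):
    """Unmet requirements of the rule above; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(password)
    for name in CLASSES:
        if name not in used:
            problems.append(f"no {name} character")
    return problems


def search_space_bits(password):
    """log2 of alphabet_size ** length: the number of strings a search over the
    classes this password uses, at this length, would have to try."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample passwords, from weak to one that meets the rule.
    for pw in ["password", "Password1", "P@ssw0rd!!x2"]:
        verdict = check_policy(pw) or ["ok"]
        print(f"{pw:<14} {search_space_bits(pw):5.1f} bits  {', '.join(verdict)}")
```

The bit count is an upper bound on what the search in the post has to cover; a password that reuses a dictionary word or a keyboard pattern is found far sooner than the alphabet size suggests, so the policy check and the bit count are a floor, not a guarantee.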

#19 finob

    Member

  • Full Member
  • 34 posts

Posted 04 October 2016 - 05:35 PM

The latest is I am trying to follow your instructions w/the modem reset, and come to find out just now that hacker clown changed my credentials on my account. THAT IS HOW BORED hacker clown is!



#20 finob

    Member

  • Full Member
  • 34 posts

Posted 04 October 2016 - 05:48 PM

this is the THIRD time that hacker fool has roadblocked me...making me think THAT THIS is the route they use to get in...



#21 finob

    Member

  • Full Member
  • 34 posts

Posted 04 October 2016 - 06:20 PM

ok done...now what?

 

Wait to see hacker clown play games?



#22 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 05 October 2016 - 09:08 AM

Hi finob.

 

Now, to improve the security of your Internet connection, I can help you in the installation and configuration of a router which can be connected with an Ethernet cable to your HughesNet modem.

 

Please let me know when you are ready to do it.

Let me also know if there have been any intrusions from the hacker since you reset the modem and created the new password.


 


Android 8888
 

#23 finob

    Member

  • Full Member
  • 34 posts

Posted 05 October 2016 - 06:41 PM

Ok... since yesterday, the hacker clown has been back in continuously playing games on this lap top and my desktop at work. I had to reset my password again for this site...so I don't know what to do to keep them OUT!!!

 

Apparently, they don't have much of a life as they live for this, so sad. They make time for me every day and spend a significant amount of energy on ME!, I feel so special. lol so much attention!

 

When Nasdaq helped me he noticed that there was an unauthorized Proxy on my lap top that I or family did not put there.

Seems this FUJO won't stop unless they get very sick or die, (hoping).



#24 finob

    Member

  • Full Member
  • 34 posts

Posted 05 October 2016 - 06:48 PM

and now I cannot get into my modem account, as the password has been messed w/again, and now the stinking site is telling me that I DO NOT EXIST. lol I was on the phone 2x's yesterday w/these idiots and now I do not exist UNTIL they need to get paid for services rendered, I'm sure.

 

So sick of this nonsense!



#25 finob

    Member

  • Full Member
  • 34 posts

Posted 05 October 2016 - 06:53 PM

on top of that, FUJO clown sent cryptic emails to my job email indicative of their nonsense.



#26 finob

    Member

  • Full Member
  • 34 posts

Posted 05 October 2016 - 06:57 PM

ok, my acct log in issue has been solved; they updated their log in page, which is what threw me off.

But the way I see it, anything that goes wrong w/the computer is because of the hackers, USUALLY.

 

as they are still here bothering me...poor souls!



#27 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,177 posts

Posted 06 October 2016 - 07:52 AM

Hello finob.
 

 

When Nasdaq helped me he noticed that there was an unauthorized Proxy on my lap top that I or family did not put there.

I do not see signs of any unauthorized Proxy in the logs that you previously posted on this topic.
 

 

Ok... since yesterday, the hacker clown has been back in continuously playing games on this lap top and my desktop at work. I had to reset my password again for this site...so I don't know what to do to keep them OUT!!!

Did you create a strong password with a minimum of 10 characters as I suggested?

 

The safety features of most modems do not appear to be sufficiently effective against intrusions. So it would be a good security measure if you opt for the installation of a router, as it will add an additional layer of protection to your Internet connection.

I can help you in the installation and configuration of a router which can be connected with an Ethernet cable to your HughesNet modem.

Please tell me if you wish to do so and let me know when you are ready to do it.


Android 8888
 
Website: http://android8888.comlu.com
 
Tavira - Here's where I live!
 
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#28 finob

finob

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 06 October 2016 - 04:58 PM

Yes, I created a very strong password more than 10 characters. UPPER, lower, symbols, numeric and still FUJO clown was IN my laptop!

 

Regarding the proxy, Nasdaq helped me remove it, I should've asked you, What would be the reason that someone put it on my laptop? I noticed a huge Media stream in my Social folder in my gmail account, and since Nasdaq helped me remove it, no more social media garbage in my Social folder. Hmm?

 

Yesterday, the hacker clown was playing around as in, again, If I'm reading at the bottom I get tossed to the top of the page and vice versa, or Xed out of the page all together.

 

Today I RCVD an e-mail at work from hacker clown to "blowmyURL." Do IT urself clown!!!

 

Ok, so I need to get a router, will do that and will let you know when ready to proceed w/the hookup, etc. - STAY TUNED.

 

Again, thank you so much for your follow through to see this issue resolved at some point. I appreciate it!

 

Finob



#29 Android 8888

Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,177 posts

Posted 07 October 2016 - 07:00 AM

Hi finob.
 

Regarding the proxy, Nasdaq helped me remove it, I should've asked you, What would be the reason that someone put it on my laptop?

Because it is a way to mask the true IP address of the intruder (which means the true intruder identity) and lets him access your laptop anonymously.

You said the hacker is continuously playing games in your desktop computer at work, which indicates that your work computer is also infected.

 

At this point I can no longer help you with your laptop because it is pointless to try to secure the laptop until your work computer has been cleaned and secured. So, I suggest you report the issue on your work computer to your company's technical section and ask them to fix it. After your work computer has been cleaned and secured, then I will be able to help you with the router installation and with your laptop.

Do you have any further questions?


Edited by Android 8888, 07 October 2016 - 09:36 AM.


#30 finob

finob

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 07 October 2016 - 04:31 PM

My only question is what does my work computer have to do w/my home laptop?

I don't do anything personal on the work computer, as I already stated.

 

Telling IT has been fruitless, they clean up whatever they have to clean...but the thing is, it seems to me the hacker gets wind of me contacting IT and has THE TIME to do what's necessary, I believe, to make it look like there's no intrusion.

 

In my opinion, they hack the desktop, so they can see all that I do on it as well as hear me at my desk through the computer. Also, since I made the mistake of googling the make and model of the business phone, it seems to me that hacker HAS BEEN hacking the business phone too. People say "no way, that's crazy". But it's TRUE.

 

I called the phone company and anyone else that can check things out...and nothing. So the hacker again, gets wind of me seeking out IT for both computer and phone and had the AHEAD time to clear themselves. That IS the WAY I SEE it, is the way that it SEEMS, is the way it FEELS. THEY KNOW that I know and they laugh. That IS the REASON they continuously get away with it, because they know that IT and the phone guy think it's a. ridiculous, b. crazy YET it IS happening.

 

Have you seen the movie The Net w/Sandra Bullock? Where the hacker is on her every move no matter what w/help so that she couldn't escape from being under his cyber thumb? He stalked her every move. He was on her like a shadow. She moved, he moved right w/her. I know it's a movie, but it IS possible to do to someone, and since I have been having these issues, I googled it and found out that I am NOT the only one w/these problems. Seems there are a lot of hackers out there messing w/people BECAUSE THEY CAN and THEY ENJOY it!

 

Again, what does my work desktop have to do with my home laptop?

Me getting a router and having you help w/configuring is no good at this point?

 

Seems like NOBODY can really help me. I'm supposed to just tolerate their childish nonsense.



#31 Android 8888

Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,177 posts

Posted 08 October 2016 - 10:04 AM

Hello finob.
 

My only question is what does my work computer have to do w/my home laptop?

I don't do anything personal on the work computer, as I already stated.

We do not know for sure how the hacker gained access to both your work and home computers. He may have had access to your work computer and from there he managed to steal your login details for the laptop. We do not know. The problem is that if he still has access to both, even if you just try to secure the laptop, there is no guarantee that the hacker would be gone, because your work Desktop computer remains infected and the hacker continues to have access to your data from there. That is why it is useless to try to secure your laptop while your work computer is still infected.

I would suggest that you go to an Internet cafe (if possible) and log on to the Internet from there and see if the hacker still has access to your laptop.

Now, before you install a Router I suggest you reset your HughesNet Modem again.
How to Reset your HughesNet Modem

To install and configure a Router please read carefully the instructions below and see if that can help you:

  • Connect an Ethernet cable between the HughesNet Modem and the Router WAN port (in most cases the WAN port of the Router has a different color from the other ports).
  • Connect an Ethernet cable between your laptop and one of the Router LAN ports.
  • Plug in the AC power to the HughesNet Modem and let it fully boot up (about 2 minutes is enough).
  • When the Modem is fully booted, plug in the AC power for the Router and let it fully boot up (about 2 minutes is enough).
  • Start your laptop and log in to your account.
  • Open your Internet browser, type 192.168.0.1 in the address bar and press Enter.
  • If all is well, you should be looking at the HughesNet Modem SCC (System Control Center).
  • Close your Internet browser.
  • Next, again open your browser, type 192.168.1.1 in the address bar and press Enter.
  • See if this ended up as the default address for the Router's login page. If you are in the Router's login page, then everything seems to be correctly installed and now you should be able to log on to your laptop and access the Internet.

 

You can find further information on how to connect a Router to your Modem in the following links:
How To connect a Router to HughesNet
http://www.dslreports.com/forum/r28850956-

When the hacker issue is resolved, you should change all passwords from all your accounts (bank accounts, laptop login account, HughesNet modem account, forums accounts, e-mails, etc.).


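The router steps in the post above end with two browser checks (192.168.0.1 for the modem SCC, 192.168.1.1 for the router). The script below is an added example, not part of the thread or of any product mentioned in it; it does the same verification from Windows 10 PowerShell and adds a read-out of the per-user proxy settings, since an unauthorized proxy was mentioned earlier in the topic. It ASSUMES the two addresses from the post (router LAN side 192.168.1.1, HughesNet modem 192.168.0.1); change the two variables at the top if a different router subnet is in use.

```powershell
# Added example (not from the forum thread): check that the laptop now sits
# behind the router instead of directly on the modem, and show the current
# WinINET proxy settings. Windows 10 / Windows PowerShell 5.1.
# ASSUMED addresses, taken from the installation steps in the post above:
$RouterAddress = '192.168.1.1'   # router login page address (assumed)
$ModemAddress  = '192.168.0.1'   # HughesNet modem SCC address (assumed)

function Get-DefaultGatewayIPv4 {
    # NextHop of the IPv4 default route. With the router cabled in between,
    # this should be the router, not the modem.
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Sort-Object RouteMetric |
        Select-Object -First 1 -ExpandProperty NextHop
}

function Test-RouterBetweenLaptopAndModem {
    param(
        [string]$Router = $RouterAddress,
        [string]$Modem  = $ModemAddress
    )

    $gateway = Get-DefaultGatewayIPv4

    # Hop list toward the modem. Correct wiring: hop 1 = router, hop 2 = modem.
    # If hop 1 is already the modem, the laptop is plugged straight into the
    # modem and the router is not in front of it.
    $trace = Test-NetConnection -ComputerName $Modem -TraceRoute -WarningAction SilentlyContinue
    $hops  = @($trace.TraceRoute)

    [pscustomobject]@{
        DefaultGateway  = $gateway
        GatewayIsRouter = ($gateway -eq $Router)
        RouterReachable = (Test-Connection -ComputerName $Router -Count 1 -Quiet)
        ModemReachable  = $trace.PingSucceeded
        HopsToModem     = ($hops -join ' -> ')
        RouterInPath    = ($hops.Count -ge 2 -and $hops[0] -eq $Router -and $hops[-1] -eq $Modem)
    }
}

function Get-UserProxySettings {
    # Per-user WinINET proxy values (the ones Internet Explorer/Edge and many
    # programs honour). A proxy that was removed earlier and is back again
    # shows up here as ProxyEnabled = True or a non-empty ProxyServer/AutoConfigUrl.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL
    }
}

Test-RouterBetweenLaptopAndModem | Format-List
Get-UserProxySettings            | Format-List
```

Run it from a normal (non-elevated) PowerShell window once the cabling is done. The result to look for is GatewayIsRouter and RouterInPath both True; a False RouterInPath with the modem as the first hop means the Ethernet cable from the laptop went into the modem rather than a router LAN port. ProxyEnabled should be False with empty ProxyServer and AutoConfigUrl unless a proxy was configured on purpose.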

#32 finob

finob

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 09 October 2016 - 02:24 PM

Well, did like you said, RESET the modem changed it to a very strong password. AND STILL the hacker managed to get into my gmail account (AFTER I gave that a strong new password) and deleted e-mails so the # count dropped AND locked me out of this site AGAIN to which I had to reset it.

 

HOW ARE they getting wind of my info????

 

 

Something has to be on my laptop that WAS MISSED because they keep getting in.

Either a backdoor, keylogger, what??? so tired of this!

 

RCVD e-mails telling me that "jacken w/the acct name that was JACKED!!! so THAT Is the hacker clown taunting like a child, "look what I'm doing, ha ha." like a child!

 

 

I even had the laptop WIPED CLEAN and two days AFTER the warranty ran out, the hacker was back in telling me who I went to to have it wiped.

 

SO, what NEEDS to be done to get rid of them for good?



#33 Android 8888

Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,177 posts

Posted 10 October 2016 - 03:13 AM

Hello finob.

In the logs that you previously posted in this topic I did not find signs of the type of infection (backdoor, keylogger) that you mentioned in your previous post. I have already provided you instructions and suggestions so that you can try to resolve the issue.

 

At this point I cannot help you any further with your laptop until the issue with your work computer is solved.


Edited by Android 8888, 10 October 2016 - 03:20 AM.


#34 finob

finob

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 10 October 2016 - 04:35 PM

Android,

 

What about my logs for my previous topic, as I only have two - Unauthorized Hacker/Admin Rights? Can you look at those and tell me if there's something THAT WAS there that Nasdaq helped me remove?

 

 

I don't understand what does my work computer have to do w/home computer, they are separate?

 

I keep RCVing cryptic e-mails telling me:

Asiaeurodate <jacken.hagar@yandex.ru> - jacken.hagar@yandex.ru - I get several of these and Hagar is part of the acct name

stark.arya.stark@yandex.ru

 

mailed by: 

 

 

gator76.hostgator.com

bounce.exacttarget.com

gator953.hostgator.com

 

So clearly, the hacker clown is sending these...and once again CHANGED my credentials on my service provider acct HENCE the jacken.hagar SPOOFED e-mail address, which is indicative of said activity while stupidly telling me so. Are they hacking the service provider site, No?

 

What is another way they CAN SEE my info? If not on this lap top??? Through the service provider? Could they be hacking my IP acct through their site????

 

Even if I got the router and did all you asked, are you telling me they will not be able to get in?

Not even to hack my IP's site?

 



#35 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 7,932 posts

Posted 11 October 2016 - 10:00 AM

Hello finob
 
As Android 8888 has explained to you we can no longer help you. Your computer appears to be clean. All your scans are clear. Your modem has been reset with a strong new password. If it is your opinion that your e-mail account has been compromised then I suggest you close that e-mail account and open a new account with a strong new password. Then you will have to change each of your links to the new address and use a new password for each link. Also, I suggest you contact your Service Provider and discuss the matter with them. Further, I suggest you take screen shots to show to IT.
 
 
Rocket Grannie


 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#36 Android 8888

Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,177 posts

Posted 19 October 2016 - 04:10 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.

