dragokas / hijackthis

A free utility that finds malware, adware and other security threats
http://hjt.sf.net
GNU General Public License v2.0

I think my computer, tv, wifi is being hacked possibly by a neighbor #244

Closed lisaoben45 closed 6 months ago

lisaoben45 commented 7 months ago

CollectionLog-2024.02.18-21.50.zip

Welcome! Thank you for joining the VIRUSNET association support section.

BEFORE ASKING FOR HELP, READ THIS INSTRUCTION CAREFULLY:

Step 1: Show us the required logs (for PC cure only):

Step 2: Describe your problem in detail:

  1. What did you do before the problem occurred: tried to figure out if there was an issue by checking the activity log.
  2. What programs (browsers) are affected by the problem: there are auto logons and new user groups.
  3. Steps to reproduce: downloaded Windows 11.
  4. Expected behavior: to be able to clean things up.
  5. If applicable, add screenshots to help explain your problem.
lisaoben45 commented 7 months ago

I have suspected for quite some time that someone is hacking the wifi: it is slower, there is an unknown device on my network, and strange things happen on my computer. Someone has used my Amazon account for games. I think it's a neighbor, but I'm just not sure. Any assistance would be helpful.

Sandor-Helper commented 7 months ago

Hi and welcome,

Please uninstall the PUP Bonjour. It is useless on a Windows system even if you use Apple TV.

It would be a good idea to reset your router to its default settings. Don't forget to change the administrator password for the router settings to a complex one.

After that: Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

lisaoben45 commented 7 months ago

<log is deleted>

dragokas commented 7 months ago

@lisaoben45 your log is deleted. Please, attach it as a file (paperclip button) instead of pasting raw text.

lisaoben45 commented 7 months ago

FRST.txt Addition.txt

lisaoben45 commented 7 months ago

I attached the files. Thanks so much.


Sandor-Helper commented 7 months ago

Temporarily turn off any antivirus. Highlight the following code:

Start::
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
U3 aspnet_state; no ImagePath
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
AlternateDataStreams: C:\Users\lisao\Downloads\0FI38_0FI38_3676_20180101_W2Report_W2Report_001.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [231]
AlternateDataStreams: C:\Users\lisao\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe:MBAM.Zone.Identifier [176]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterNetworkInstaller_C-GPVEC-7NV2R-VBGDA-QJMBE-HM9MW_.exe:MBAM.Zone.Identifier [196]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterOnlineScanner.exe:MBAM.Zone.Identifier [140]
AlternateDataStreams: C:\Users\lisao\Downloads\Final_20181099_W-2G Specs_20181231.docx:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [153]
AlternateDataStreams: C:\Users\lisao\Downloads\Messenger.200.0.0.24.217.exe:MBAM.Zone.Identifier [366]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1 (1).zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1.zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\nmap-7.70-setup.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [121]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg-desktop-offline-23.13.0-64bit.exe:MBAM.Zone.Identifier [296]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFURM-N48KYE-8V8VZ3-X7P2KX-859058-GGAFRA-MJCEQ9-0DWPE8.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFXBQ-T2N8TG-CPK6BH-9CUW95-PTGGNH-Z8CDTX-0KEZRZ-9XJTC0.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\SetupPortForwardNetworkUtilities.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [201]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Collection_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [225]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Scanning_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [223]
AlternateDataStreams: C:\Users\lisao\Downloads\TaxReturn.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [544]
AlternateDataStreams: C:\Users\lisao\Downloads\webrtc_internals_dump.txt:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [50]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2 (1).exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [211]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [159]
FirewallRules: [{14048EF4-9EDB-4F61-B4A9-C4E20BDB2601}] => (Allow) LPort=9996
FirewallRules: [{A9C4FD75-F020-4CAE-BF8A-EE2A9BD12C42}] => (Allow) LPort=8061
FirewallRules: [{A2E75A07-575C-4F75-8C07-E2394F3A6D8C}] => (Allow) LPort=69
FirewallRules: [{5F44B11B-1A40-4C51-863B-34C55B5440C8}] => (Allow) LPort=22
FirewallRules: [{292BEAA6-6E01-4305-A7A6-FE7D1D2E5638}] => (Allow) LPort=514
FirewallRules: [{6CFA4510-7771-460C-A174-F88125793F5E}] => (Allow) LPort=519
FirewallRules: [{80A98C44-60FB-4C30-853D-2B82586018F4}] => (Allow) LPort=69
FirewallRules: [{B5FA926E-F21E-48B7-BFA0-9A6E300ACA85}] => (Allow) LPort=22
FirewallRules: [{6A27C336-0F34-4B03-BAD3-82E72282C1C6}] => (Allow) LPort=9090
FirewallRules: [{9B6743DB-3AEE-4DBA-BD94-299374D2AD54}] => (Allow) LPort=8443
EmptyTemp:
Reboot:
End::

Copy the highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press the Fix button once and wait. The program will create Fixlog.txt. Attach it to the next post.

The PC will reboot.

But the main thing, in my opinion, is to reset your router to factory defaults. After that you have to set it up again, and don't forget to change the default password for its settings.
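The fixlist above removes four kinds of findings: a Windows Update policy key, services with no ImagePath, alternate data streams on downloaded files, and inbound "Allow" firewall rules on a set of local ports. The PowerShell below is an added example, not from this thread or from FRST, that re-audits those same classes on the cleaned PC. The port list is taken from the fixlist; the Downloads folder path and the service Type values are assumptions; run it in an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the thread or from FRST): re-check the classes of
# findings the fixlist removed. Assumes Windows 10/11 with the built-in
# NetSecurity module; run as Administrator.

# Local ports from the removed "(Allow) LPort=" rules in the fixlist.
$SuspectPorts = @('22', '69', '514', '519', '8061', '8443', '9090', '9996')

function Get-SuspectInboundRule {
    # Enabled inbound Allow rules whose port filter matches a listed port.
    # LocalPort may be 'Any', one port, a range or an array, so compare as strings.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $hit = $ports | Where-Object { $SuspectPorts -contains "$_" }
        if ($hit) {
            [pscustomobject]@{ Name = $rule.Name; DisplayName = $rule.DisplayName; LocalPort = ($hit -join ',') }
        }
    }
}

function Get-UnexpectedStream {
    # Alternate data streams under Downloads (assumed path), excluding the primary
    # stream and the plain Zone.Identifier mark-of-the-web that Windows writes itself.
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    Get-ChildItem -LiteralPath $downloads -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

function Get-ServiceWithoutImagePath {
    # User-mode services (Type 16 = own process, 32 = shared process) registered
    # without an ImagePath, the condition FRST reported as "no ImagePath".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { ($_.GetValue('Type') -in 16, 32) -and (-not $_.GetValue('ImagePath')) } |
        Select-Object PSChildName, @{ n = 'Start'; e = { $_.GetValue('Start') } }
}

function Get-WindowsUpdatePolicy {
    # The policy key FRST flagged with "<==== ATTENTION"; absent on a default install.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (Test-Path $key) { Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* }
}

'== Inbound Allow rules on suspect ports =='; Get-SuspectInboundRule | Format-Table -AutoSize
'== Unexpected alternate data streams ==';    Get-UnexpectedStream | Format-Table -AutoSize
'== Services without ImagePath ==';          Get-ServiceWithoutImagePath | Format-Table -AutoSize
'== WindowsUpdate policy key ==';            Get-WindowsUpdatePolicy | Format-List
```

Empty output for all four sections is the expected state after the fix; anything that reappears after a router reset and reboot is worth a fresh FRST log rather than another manual removal.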

lisaoben45 commented 7 months ago

Fix result of Farbar Recovery Scan Tool (x64) Version: 23.02.2024
Ran by lisao (24-02-2024 21:07:29) Run:1
Running from C:\Users\lisao\Downloads
Loaded Profiles: lisao
Boot Mode: Normal

fixlist content:

Start::
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
U3 aspnet_state; no ImagePath
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
AlternateDataStreams: C:\Users\lisao\Downloads\0FI38_0FI38_3676_20180101_W2Report_W2Report_001.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [231]
AlternateDataStreams: C:\Users\lisao\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe:MBAM.Zone.Identifier [176]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterNetworkInstaller_C-GPVEC-7NV2R-VBGDA-QJMBE-HM9MW_.exe:MBAM.Zone.Identifier [196]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterOnlineScanner.exe:MBAM.Zone.Identifier [140]
AlternateDataStreams: C:\Users\lisao\Downloads\Final_20181099_W-2G Specs_20181231.docx:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [153]
AlternateDataStreams: C:\Users\lisao\Downloads\Messenger.200.0.0.24.217.exe:MBAM.Zone.Identifier [366]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1 (1).zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1.zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\nmap-7.70-setup.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [121]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg-desktop-offline-23.13.0-64bit.exe:MBAM.Zone.Identifier [296]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFURM-N48KYE-8V8VZ3-X7P2KX-859058-GGAFRA-MJCEQ9-0DWPE8.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFXBQ-T2N8TG-CPK6BH-9CUW95-PTGGNH-Z8CDTX-0KEZRZ-9XJTC0.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\SetupPortForwardNetworkUtilities.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [201]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Collection_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [225]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Scanning_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [223]
AlternateDataStreams: C:\Users\lisao\Downloads\TaxReturn.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [544]
AlternateDataStreams: C:\Users\lisao\Downloads\webrtc_internals_dump.txt:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [50]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2 (1).exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [211]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [159]
FirewallRules: [{14048EF4-9EDB-4F61-B4A9-C4E20BDB2601}] => (Allow) LPort=9996
FirewallRules: [{A9C4FD75-F020-4CAE-BF8A-EE2A9BD12C42}] => (Allow) LPort=8061
FirewallRules: [{A2E75A07-575C-4F75-8C07-E2394F3A6D8C}] => (Allow) LPort=69
FirewallRules: [{5F44B11B-1A40-4C51-863B-34C55B5440C8}] => (Allow) LPort=22
FirewallRules: [{292BEAA6-6E01-4305-A7A6-FE7D1D2E5638}] => (Allow) LPort=514
FirewallRules: [{6CFA4510-7771-460C-A174-F88125793F5E}] => (Allow) LPort=519
FirewallRules: [{80A98C44-60FB-4C30-853D-2B82586018F4}] => (Allow) LPort=69
FirewallRules: [{B5FA926E-F21E-48B7-BFA0-9A6E300ACA85}] => (Allow) LPort=22
FirewallRules: [{6A27C336-0F34-4B03-BAD3-82E72282C1C6}] => (Allow) LPort=9090
FirewallRules: [{9B6743DB-3AEE-4DBA-BD94-299374D2AD54}] => (Allow) LPort=8443
EmptyTemp:
Reboot:
End::

Restore point was successfully created.
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate => removed successfully
HKLM\System\CurrentControlSet\Services\aspnet_state => removed successfully
aspnet_state => service removed successfully
HKLM\System\CurrentControlSet\Services\WinSetupMon => removed successfully
WinSetupMon => service removed successfully
C:\Users\lisao\Downloads\0FI38_0FI38_3676_20180101_W2Report_W2Report_001.pdf => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\CharterNetworkInstaller_C-GPVEC-7NV2R-VBGDA-QJMBE-HM9MW_.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\CharterOnlineScanner.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\Final_20181099_W-2G Specs_20181231.docx => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\Messenger.200.0.0.24.217.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\NetworkMiner_2-8-1 (1).zip => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\NetworkMiner_2-8-1.zip => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\nmap-7.70-setup.exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\prtg-desktop-offline-23.13.0-64bit.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFURM-N48KYE-8V8VZ3-X7P2KX-859058-GGAFRA-MJCEQ9-0DWPE8.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFXBQ-T2N8TG-CPK6BH-9CUW95-PTGGNH-Z8CDTX-0KEZRZ-9XJTC0.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\SetupPortForwardNetworkUtilities.exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\SpiceworksAgentShell_Collection_Agent.msi => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\SpiceworksAgentShell_Scanning_Agent.msi => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\TaxReturn.pdf => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\webrtc_internals_dump.txt => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\wsabbs2 (1).exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\wsabbs2.exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{14048EF4-9EDB-4F61-B4A9-C4E20BDB2601}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A9C4FD75-F020-4CAE-BF8A-EE2A9BD12C42}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A2E75A07-575C-4F75-8C07-E2394F3A6D8C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{5F44B11B-1A40-4C51-863B-34C55B5440C8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{292BEAA6-6E01-4305-A7A6-FE7D1D2E5638}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{6CFA4510-7771-460C-A174-F88125793F5E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{80A98C44-60FB-4C30-853D-2B82586018F4}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B5FA926E-F21E-48B7-BFA0-9A6E300ACA85}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{6A27C336-0F34-4B03-BAD3-82E72282C1C6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9B6743DB-3AEE-4DBA-BD94-299374D2AD54}" => removed successfully

=========== EmptyTemp: ==========

FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 22393365 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
Windows/system/drivers => 28946241 B
Edge => 0 B
Firefox => 820961799 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 47196 B
NetworkService => 52242 B
lisao => 149035646 B

RecycleBin => 5265291168 B
EmptyTemp: => 5.9 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 21:13:51 ====

Sandor-Helper commented 7 months ago

Please attach the requested logs rather than pasting them into the message. Did you reset your router already?

lisaoben45 commented 7 months ago

Fixlog.txt

Sandor-Helper commented 7 months ago

Did you reset your router already?

Please answer the question.

lisaoben45 commented 7 months ago

Yes, I did.


Sandor-Helper commented 7 months ago

And how is it going now? Do you still have an issue?

lisaoben45 commented 7 months ago

Yes, it's good. What do you think was going on?


Sandor-Helper commented 7 months ago

I'm pretty sure that the problem was in the router settings that were changed by some intrusion.

Rename FRST.exe (FRST64.exe) to uninstall.exe and run it. The PC will reboot. All other curing tools can simply be deleted.