Closed lisaoben45 closed 6 months ago
I have suspected for quite some time that someone is hacking the wifi: it is slower, there is an unknown device in my network, and strange things happen on my computer. Someone has used my Amazon account for games. I think it's a neighbor but I'm just not sure. Any assistance would be helpful.
Hi and welcome,
Please uninstall the PUP Bonjour. It is useless in a Windows system even if you use AppleTV.
It would be a good idea to reset your router to default settings. Don't forget to change the administrator password for the router settings to a complex one.
After that: Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
<log is deleted>
@lisaoben45 your log is deleted. Please, attach it as a file (paperclip button) instead of pasting raw text.
I attached the files. Thanks so much.
On Mon, Feb 19, 2024, 2:08 PM Alex Dragokas @.***> wrote:
@lisaoben45 https://github.com/lisaoben45 your log is deleted. Please, attach it as a file (paperclip button) instead of pasting raw text.
Temporarily turn off any antivirus. Highlight the following code:
Start::
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
U3 aspnet_state; no ImagePath
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
AlternateDataStreams: C:\Users\lisao\Downloads\0FI38_0FI38_3676_20180101_W2Report_W2Report_001.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [231]
AlternateDataStreams: C:\Users\lisao\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe:MBAM.Zone.Identifier [176]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterNetworkInstaller_C-GPVEC-7NV2R-VBGDA-QJMBE-HM9MW_.exe:MBAM.Zone.Identifier [196]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterOnlineScanner.exe:MBAM.Zone.Identifier [140]
AlternateDataStreams: C:\Users\lisao\Downloads\Final_20181099_W-2G Specs_20181231.docx:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [153]
AlternateDataStreams: C:\Users\lisao\Downloads\Messenger.200.0.0.24.217.exe:MBAM.Zone.Identifier [366]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1 (1).zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1.zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\nmap-7.70-setup.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [121]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg-desktop-offline-23.13.0-64bit.exe:MBAM.Zone.Identifier [296]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFURM-N48KYE-8V8VZ3-X7P2KX-859058-GGAFRA-MJCEQ9-0DWPE8.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFXBQ-T2N8TG-CPK6BH-9CUW95-PTGGNH-Z8CDTX-0KEZRZ-9XJTC0.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\SetupPortForwardNetworkUtilities.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [201]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Collection_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [225]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Scanning_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [223]
AlternateDataStreams: C:\Users\lisao\Downloads\TaxReturn.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [544]
AlternateDataStreams: C:\Users\lisao\Downloads\webrtc_internals_dump.txt:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [50]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2 (1).exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [211]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [159]
FirewallRules: [{14048EF4-9EDB-4F61-B4A9-C4E20BDB2601}] => (Allow) LPort=9996
FirewallRules: [{A9C4FD75-F020-4CAE-BF8A-EE2A9BD12C42}] => (Allow) LPort=8061
FirewallRules: [{A2E75A07-575C-4F75-8C07-E2394F3A6D8C}] => (Allow) LPort=69
FirewallRules: [{5F44B11B-1A40-4C51-863B-34C55B5440C8}] => (Allow) LPort=22
FirewallRules: [{292BEAA6-6E01-4305-A7A6-FE7D1D2E5638}] => (Allow) LPort=514
FirewallRules: [{6CFA4510-7771-460C-A174-F88125793F5E}] => (Allow) LPort=519
FirewallRules: [{80A98C44-60FB-4C30-853D-2B82586018F4}] => (Allow) LPort=69
FirewallRules: [{B5FA926E-F21E-48B7-BFA0-9A6E300ACA85}] => (Allow) LPort=22
FirewallRules: [{6A27C336-0F34-4B03-BAD3-82E72282C1C6}] => (Allow) LPort=9090
FirewallRules: [{9B6743DB-3AEE-4DBA-BD94-299374D2AD54}] => (Allow) LPort=8443
EmptyTemp:
Reboot:
End::
Copy the highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press the Fix button once and wait. The program will create Fixlog.txt. Attach it to the next post.
PC will reboot.
But the main thing, in my opinion, is to reset your router to factory defaults. After that you have to set it up again, and don't forget to change the default password for its settings.
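As an added example (not code from this thread, from FRST or from the HiJackThis project): a small Python triage of FRST-style report lines of the kinds the fixlist above targets (a flagged policy key, services without a binary, alternate data streams that are not mark-of-the-web, inbound Allow firewall rules), plus a builder that wraps the flagged lines in the same Start::/End:: frame. The sample report, its paths and GUIDs are constructed for the example.

```python
import re

# Constructed sample in the line format FRST prints in its report; the fixlist in the
# thread reuses such lines verbatim. Paths and GUIDs below are made up for the example.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
U3 aspnet_state; no ImagePath
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
S2 goodsvc; C:\Windows\system32\goodsvc.exe [12345 2023-01-01] (Example Vendor)
AlternateDataStreams: C:\Users\user\Downloads\nmap-7.70-setup.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [121]
AlternateDataStreams: C:\Users\user\Downloads\tool.exe:MBAM.Zone.Identifier [176]
AlternateDataStreams: C:\Users\user\Downloads\notes.txt:Zone.Identifier [26]
FirewallRules: [{5F44B11B-1A40-4C51-863B-34C55B5440C8}] => (Allow) LPort=22
FirewallRules: [{292BEAA6-6E01-4305-A7A6-FE7D1D2E5638}] => (Allow) LPort=514
FirewallRules: [{11111111-2222-3333-4444-555555555555}] => (Block) LPort=445
"""

SERVICE_RE = re.compile(r"^[SU]\d+ (?P<name>[^;]+); (?P<image>.*)$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+):(?P<stream>[^:\[]+) \[(?P<size>\d+)\]$")
FW_RE = re.compile(r"^FirewallRules: \[(?P<id>\{[0-9A-Fa-f-]+\})\] => \((?P<action>Allow|Block)\) LPort=(?P<port>\d+)$")
MOTW_STREAMS = {"Zone.Identifier", "MBAM.Zone.Identifier"}  # mark-of-the-web, expected on downloads
REVIEW_PORTS = {22: "SSH", 69: "TFTP", 514: "syslog", 8443: "HTTPS-alt", 9090: "alt HTTP"}

def triage(report: str) -> list[tuple[str, str, str]]:
    """Return (category, detail, original line) for each line worth a second look."""
    findings = []
    for line in (l.strip() for l in report.splitlines()):
        if not line:
            continue
        if "<==== ATTENTION" in line:  # FRST's own flag, here on a Windows Update policy key
            findings.append(("policy", line.split(" <====")[0], line))
            continue
        if m := SERVICE_RE.match(line):
            image = m.group("image")
            if image == "no ImagePath" or image.endswith("[X]"):  # registered, but no binary on disk
                findings.append(("orphan-service", m.group("name"), line))
            continue
        if (m := ADS_RE.match(line)) and m.group("stream") not in MOTW_STREAMS:
            findings.append(("unknown-ads", f"{m.group('path')}:{m.group('stream')}", line))
            continue
        if (m := FW_RE.match(line)) and m.group("action") == "Allow":
            port = int(m.group("port"))
            findings.append(("inbound-allow", f"{m.group('id')} port {port} ({REVIEW_PORTS.get(port, 'unlisted')})", line))
    return findings

def build_fixlist(findings: list[tuple[str, str, str]]) -> str:
    """Wrap the flagged lines in the Start::/End:: frame FRST expects in fixlist.txt."""
    body = [raw for _, _, raw in findings]
    return "\n".join(["Start::", "CreateRestorePoint:", *body, "EmptyTemp:", "Reboot:", "End::"])
```

Run `triage(SAMPLE_REPORT)` to see the six flagged entries and `build_fixlist(...)` to get a fixlist in the shape used above; the generated list is a review aid, not a replacement for a helper reading the full FRST logs.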
fixlist content:
Start::
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
U3 aspnet_state; no ImagePath
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
AlternateDataStreams: C:\Users\lisao\Downloads\0FI38_0FI38_3676_20180101_W2Report_W2Report_001.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [231]
AlternateDataStreams: C:\Users\lisao\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe:MBAM.Zone.Identifier [176]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterNetworkInstaller_C-GPVEC-7NV2R-VBGDA-QJMBE-HM9MW_.exe:MBAM.Zone.Identifier [196]
AlternateDataStreams: C:\Users\lisao\Downloads\CharterOnlineScanner.exe:MBAM.Zone.Identifier [140]
AlternateDataStreams: C:\Users\lisao\Downloads\Final_20181099_W-2G Specs_20181231.docx:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [153]
AlternateDataStreams: C:\Users\lisao\Downloads\Messenger.200.0.0.24.217.exe:MBAM.Zone.Identifier [366]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1 (1).zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\NetworkMiner_2-8-1.zip:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [140]
AlternateDataStreams: C:\Users\lisao\Downloads\nmap-7.70-setup.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [121]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg-desktop-offline-23.13.0-64bit.exe:MBAM.Zone.Identifier [296]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFURM-N48KYE-8V8VZ3-X7P2KX-859058-GGAFRA-MJCEQ9-0DWPE8.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFXBQ-T2N8TG-CPK6BH-9CUW95-PTGGNH-Z8CDTX-0KEZRZ-9XJTC0.exe:MBAM.Zone.Identifier [203]
AlternateDataStreams: C:\Users\lisao\Downloads\SetupPortForwardNetworkUtilities.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [201]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Collection_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [225]
AlternateDataStreams: C:\Users\lisao\Downloads\SpiceworksAgentShell_Scanning_Agent.msi:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [223]
AlternateDataStreams: C:\Users\lisao\Downloads\TaxReturn.pdf:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [544]
AlternateDataStreams: C:\Users\lisao\Downloads\webrtc_internals_dump.txt:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [50]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2 (1).exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [211]
AlternateDataStreams: C:\Users\lisao\Downloads\wsabbs2.exe:C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD [159]
FirewallRules: [{14048EF4-9EDB-4F61-B4A9-C4E20BDB2601}] => (Allow) LPort=9996
FirewallRules: [{A9C4FD75-F020-4CAE-BF8A-EE2A9BD12C42}] => (Allow) LPort=8061
FirewallRules: [{A2E75A07-575C-4F75-8C07-E2394F3A6D8C}] => (Allow) LPort=69
FirewallRules: [{5F44B11B-1A40-4C51-863B-34C55B5440C8}] => (Allow) LPort=22
FirewallRules: [{292BEAA6-6E01-4305-A7A6-FE7D1D2E5638}] => (Allow) LPort=514
FirewallRules: [{6CFA4510-7771-460C-A174-F88125793F5E}] => (Allow) LPort=519
FirewallRules: [{80A98C44-60FB-4C30-853D-2B82586018F4}] => (Allow) LPort=69
FirewallRules: [{B5FA926E-F21E-48B7-BFA0-9A6E300ACA85}] => (Allow) LPort=22
FirewallRules: [{6A27C336-0F34-4B03-BAD3-82E72282C1C6}] => (Allow) LPort=9090
FirewallRules: [{9B6743DB-3AEE-4DBA-BD94-299374D2AD54}] => (Allow) LPort=8443
EmptyTemp:
Reboot:
End::
Restore point was successfully created.
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate => removed successfully
HKLM\System\CurrentControlSet\Services\aspnet_state => removed successfully
aspnet_state => service removed successfully
HKLM\System\CurrentControlSet\Services\WinSetupMon => removed successfully
WinSetupMon => service removed successfully
C:\Users\lisao\Downloads\0FI38_0FI38_3676_20180101_W2Report_W2Report_001.pdf => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\CharterNetworkInstaller_C-GPVEC-7NV2R-VBGDA-QJMBE-HM9MW_.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\CharterOnlineScanner.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\Final_20181099_W-2G Specs_20181231.docx => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\Messenger.200.0.0.24.217.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\NetworkMiner_2-8-1 (1).zip => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\NetworkMiner_2-8-1.zip => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\nmap-7.70-setup.exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\prtg-desktop-offline-23.13.0-64bit.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFURM-N48KYE-8V8VZ3-X7P2KX-859058-GGAFRA-MJCEQ9-0DWPE8.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\prtg_installer_with_trial_key_000014-YTEKFM-8FFXBQ-T2N8TG-CPK6BH-9CUW95-PTGGNH-Z8CDTX-0KEZRZ-9XJTC0.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\lisao\Downloads\SetupPortForwardNetworkUtilities.exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\SpiceworksAgentShell_Collection_Agent.msi => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\SpiceworksAgentShell_Scanning_Agent.msi => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\TaxReturn.pdf => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\webrtc_internals_dump.txt => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\wsabbs2 (1).exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
C:\Users\lisao\Downloads\wsabbs2.exe => ":C7140AA6-7976-4D71-9C3A-F8BD5BCEF8DD" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{14048EF4-9EDB-4F61-B4A9-C4E20BDB2601}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A9C4FD75-F020-4CAE-BF8A-EE2A9BD12C42}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A2E75A07-575C-4F75-8C07-E2394F3A6D8C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{5F44B11B-1A40-4C51-863B-34C55B5440C8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{292BEAA6-6E01-4305-A7A6-FE7D1D2E5638}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{6CFA4510-7771-460C-A174-F88125793F5E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{80A98C44-60FB-4C30-853D-2B82586018F4}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B5FA926E-F21E-48B7-BFA0-9A6E300ACA85}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{6A27C336-0F34-4B03-BAD3-82E72282C1C6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9B6743DB-3AEE-4DBA-BD94-299374D2AD54}" => removed successfully
=========== EmptyTemp: ==========
FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 22393365 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
Windows/system/drivers => 28946241 B
Edge => 0 B
Firefox => 820961799 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 47196 B
NetworkService => 52242 B
lisao => 149035646 B
RecycleBin => 5265291168 B
EmptyTemp: => 5.9 GB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 21:13:51 ====
Please attach the requested logs rather than pasting them into the message. Did you reset your router already?
Did you reset your router already?
Please answer the question.
Yes, I did.
On Mon, Feb 26, 2024, 1:29 AM Sandor-Helper @.***> wrote:
Did you reset your router already?
Please answer the question.
And how is it going now? Do you still have an issue?
Yes, it's good. What do you think was going on?
On Tue, Feb 27, 2024, 12:45 AM Sandor-Helper @.***> wrote:
And how is it going now? Do you still have an issue?
I'm pretty sure that the problem was in the router settings that were changed by some intrusion.
Rename FRST.exe (FRST64.exe) to uninstall.exe and run it. The PC will reboot. All other curing tools can simply be deleted.
CollectionLog-2024.02.18-21.50.zip
Welcome! Thank you for joining the support section of the VIRUSNET association.
BEFORE ASKING FOR HELP, READ THESE INSTRUCTIONS CAREFULLY:
Step 1: Show us the required logs (for PC cure only):
Read carefully: "How to make a request for help in the PC cure section": https://github.com/dragokas/hijackthis/wiki/How-to-make-a-request-for-help-in-the-PC-cure-section%3F
Attach 'Collection-[Date].zip' log created by "AutoLogger" tool: https://www.safezone.cc/resources/autologger-regist-drongo.59/download
Step 2: Describe your problem in detail: