Hacker Has Taken Over My Computer!


This topic is locked
2 replies to this topic

#1 WantMyLifeBack

WantMyLifeBack

  • Members
  • 1 posts

Posted 06 February 2011 - 07:17 AM

Hi,

I had a hacker in my computer over the summer & worked for 2 months with Bleeping Computer to regain control of my computer, but the hacker won & both our laptop and PC were so corrupted, that we had to junk them (thankfully, we were needing to upgrade our PC!). We bought a new laptop, installed BitDefender antivirus, malwarebytes, and Comodo Firewall. We were extremely careful when surfing the net, had all of the protection programs set at the highest level of security, updated all programs obsessively, and still, the hacker came back! I had my identity stolen, purchases made with my ATM card #, my checking account#, my Amazon.com hacked into & laptops shipped across the country (at my expense) and our email account hacked into and eventually taken over. It's been a nightmare! On Jan. 18th I had a computer technician come & try to clean my computer, but after 5 hours, although it killed him to admit it, he wasn't able to, and so he reformatted our hard drive & re-installed Windows. We have Verizon FIOS for internet & it's WEP protected, so he changed that password & we thought that we were good to go.

However, this past week I've noticed changes in the computer. I've been fighting this since June, so I'm way better at noticing small changes in our computer than I was 8 months ago! When I look at the Program & Windows files, there has been a lot of activity (files added or modified) since January 20th (only 2 days after our computer was wiped clean!). I was able to pull numerous Notepad documents that detailed changes to programs--Windows Updater, BitDefender, Malwarebytes, Comodo--files moved & renamed, and even a 100+ page Notepad document that detailed someone using our computer to download porn! I should also mention that the Computer Tech that reformatted our computer found a program for streaming videos/movies (Turion?) on our router. I've also noticed that my antivirus & antispyware programs were suddenly showing no issues with corrupt files, viruses, etc.

I also need to mention that this hacker was also able to get into my 10-year-old's netbook that she just got for Christmas! So, today I contacted Verizon & they disconnected our wireless, so we just have our PC plugged in. But, the changes to my computer & the flood of activity continues! With each hour I'm locked out of more & more files (and where before I could change the permission on the file & either access it or delete it, I now can't).

Can you please, please help me? This has consumed my life for the past 8 months & it's wreaked havoc in every area!
I'm posting my DDS results & attaching the GMER scan. However, I need to note that when I extracted the GMER files & when the screen appeared, many of the options (system, sections, IAT/EAT, devices, modules, processes, threads, libraries, & show all) were not highlighted/checked. So I ran the scan with only the few that were checked!

Thanks in advance for your help!!



DDS (Ver_10-12-12.02) - NTFS_AMD64 NETWORK
Run by HomePC at 2:33:22.52 on Sun 02/06/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.5015 [GMT -8:00]

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Comodo\SecureEmail x64\ComodoSE.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\HomePC\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.msn.com
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360111g106p0305v145r4881s217
uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360111g106p0305v145r4881s217
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Global Registration] "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [BestSpywareScanner.exe] C:\Program Files (x86)\Best Spyware Scanner\BestSpywareScanner.exe
mRun: [BSSHelper.exe] C:\Program Files (x86)\Best Spyware Scanner\BSSHelper.exe -0
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

================= FIREFOX ===================

FF - ProfilePath - C:\Users\HomePC\AppData\Roaming\Mozilla\Firefox\Profiles\uw3yrcgn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Users\HomePC\AppData\Roaming\Mozilla\Firefox\Profiles\uw3yrcgn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: C:\Users\HomePC\AppData\Roaming\Mozilla\Firefox\Profiles\uw3yrcgn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

============= SERVICES / DRIVERS ===============

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe --> C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [?]
S2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-8-15 240160]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-1-20 1255736]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]

=============== Created Last 30 ================

2011-02-06 07:31:30 -------- d-----w- C:\PROGRA~3\Alwil Software
2011-02-06 07:15:19 -------- d-----w- C:\Users\HomePC\AppData\Local\Apps
2011-02-06 05:15:07 -------- d-----w- C:\Users\HomePC\AppData\Roaming\SUPERAntiSpyware.com
2011-02-06 05:15:07 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2011-02-06 05:15:01 -------- d-----w- C:\PROGRA~3\!SASCORE
2011-02-06 05:14:59 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-02-05 22:42:33 -------- d-----w- C:\Users\HomePC\AppData\Roaming\Uniblue
2011-02-05 22:42:26 -------- dc-h--w- C:\PROGRA~3\~0
2011-02-05 22:42:13 -------- d-----w- C:\Users\HomePC\AppData\Local\PackageAware
2011-02-05 22:16:03 -------- d-----w- C:\Program Files (x86)\Spyware Cease 2011
2011-02-05 21:56:35 -------- d-----w- C:\PROGRA~3\SecTaskMan
2011-02-05 21:56:31 -------- d-----w- C:\Program Files (x86)\Security Task Manager
2011-02-05 20:58:21 -------- d-----w- C:\Users\HomePC\AppData\Local\Citrix
2011-01-25 06:36:05 -------- d-----w- C:\Program Files (x86)\Orbis Software
2011-01-25 06:35:58 306688 ----a-w- C:\Windows\IsUninst.exe
2011-01-22 21:45:29 1141416 ----a-w- C:\Windows\System32\CEmLSP.dll
2011-01-22 21:45:29 -------- d-----w- C:\Program Files\Comodo
2011-01-22 20:59:36 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys
2011-01-21 09:27:50 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2011-01-21 07:05:08 -------- d-----w- C:\Windows\SysWow64\Wat
2011-01-21 07:05:08 -------- d-----w- C:\Windows\System32\Wat
2011-01-21 06:51:41 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2011-01-21 06:51:41 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2011-01-21 06:51:41 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2011-01-21 06:51:41 444752 ----a-w- C:\Windows\System32\mscoree.dll
2011-01-21 06:51:41 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2011-01-21 06:51:41 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-01-21 06:51:41 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2011-01-21 06:51:41 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-01-21 06:51:41 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-01-21 06:51:41 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2011-01-21 06:49:04 -------- d-----w- C:\Users\HomePC\AppData\Local\Microsoft Help
2011-01-21 06:48:35 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2011-01-21 06:48:35 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2011-01-21 06:42:36 -------- d-----w- C:\Users\HomePC\AppData\Local\Adobe
2011-01-21 06:35:59 861184 ----a-w- C:\Windows\System32\oleaut32.dll
2011-01-21 06:29:50 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-01-21 05:52:31 -------- d-----w- C:\Users\HomePC\AppData\Local\Diagnostics
2011-01-21 05:27:22 -------- d-----w- C:\PROGRA~3\WEBREG
2011-01-21 05:14:38 248320 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpfpp70v.dll
2011-01-20 14:58:00 -------- d-----w- C:\Program Files (x86)\Common Files\HP
2011-01-20 14:57:36 -------- d-----w- C:\Program Files (x86)\Common Files\Hewlett-Packard
2011-01-20 14:52:56 880640 ----a-w- C:\Windows\System32\hposwia_p02c.dll
2011-01-20 14:52:56 515072 ----a-w- C:\Windows\System32\hposc_p02a.dll
2011-01-20 14:52:56 1403904 ----a-w- C:\Windows\System32\hpost_p02c.dll
2011-01-20 14:52:43 551424 ----a-w- C:\Windows\System32\hppldcoi.dll
2011-01-20 14:52:35 642360 ----a-w- C:\Windows\System32\hpzids40.dll
2011-01-20 14:52:26 136704 ----a-w- C:\Windows\System32\hpf3l70v.dll
2011-01-20 14:50:11 -------- d-----w- C:\Program Files (x86)\HP
2011-01-18 23:34:37 -------- d-----w- C:\Users\HomePC\AppData\Roaming\Malwarebytes
2011-01-18 23:34:30 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-18 23:34:30 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-18 23:00:41 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{F830D1BD-FF68-4FCB-8F92-3D51A39F0459}\mpengine.dll
2011-01-18 23:00:40 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-18 23:00:18 -------- d-----w- C:\Users\HomePC\AppData\Roaming\QuickScan
2011-01-18 22:59:31 -------- d-----w- C:\Program Files\Common Files\BitDefender
2011-01-18 22:59:04 643872 ----a-w- C:\PROGRA~3\bdinstall.bin
2011-01-18 22:48:48 -------- d-----w- C:\Users\HomePC\AppData\Local\Google
2011-01-18 22:28:12 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-01-18 22:28:12 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-01-18 22:26:56 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d0b09f601cbb75e\DSETUP.dll
2011-01-18 22:26:56 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d0b09f601cbb75e\DXSETUP.exe
2011-01-18 22:26:56 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d0b09f601cbb75e\dsetup32.dll
2011-01-18 22:23:43 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-01-18 22:22:23 -------- d---a-w- C:\book
2011-01-18 22:22:02 -------- d-----w- C:\Users\HomePC\AppData\Local\VirtualStore
2011-01-18 22:20:08 220672 ----a-w- C:\Windows\System32\wintrust.dll
2011-01-18 22:20:08 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2011-01-18 22:20:07 139264 ----a-w- C:\Windows\System32\cabview.dll
2011-01-18 22:20:07 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-01-18 22:18:54 -------- d-sh--w- C:\Recovery

==================== Find3M ====================

2011-01-18 22:14:53 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd

============= FINISH: 2:33:41.85 ===============
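Added example (editor's addition, not part of the original post or of DDS itself): a small Python parser for the "Created Last 30" section of a DDS log like the one above. It turns each line into a timestamp, size, attribute string and path, so you can ask the questions the poster is asking by eye: what was created after the reinstall date, which entries carry the hidden or system attribute, what landed under System32\drivers, and how many entries per day. The sample input is six lines copied from the log above; reading 'd' as directory, 'h' as hidden and 's' as system in the attribute string is an assumption about DDS's format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: six lines copied from the "Created Last 30"
# section of the DDS log posted above (not the whole section).
SAMPLE_DDS = r"""
2011-02-05 22:42:26 -------- dc-h--w- C:\PROGRA~3\~0
2011-01-22 21:45:29 1141416 ----a-w- C:\Windows\System32\CEmLSP.dll
2011-01-21 09:27:50 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2011-01-21 06:48:35 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2011-01-18 23:34:30 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-18 22:18:54 -------- d-sh--w- C:\Recovery
"""

# One DDS file-list line: timestamp, size (or dashes for a directory),
# an 8-character attribute string, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$"
)


def parse_dds_created(text):
    """Parse DDS 'Created Last 30' lines into dicts; non-matching lines are skipped.
    Assumption: in the attribute string 'd' marks a directory, 'h' hidden and
    's' system, as in the 'd-sh--w-' entry for C:\\Recovery in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": int(size) if size.isdigit() else None,
            "attrs": attrs,
            "path": path,
            "is_dir": "d" in attrs,
            "hidden": "h" in attrs,
            "system": "s" in attrs,
        })
    return entries


def created_after(entries, cutoff):
    """Entries created strictly after `cutoff` (a datetime or 'YYYY-MM-DD'),
    e.g. the date the machine was reinstalled."""
    if isinstance(cutoff, str):
        cutoff = datetime.strptime(cutoff, "%Y-%m-%d")
    return [e for e in entries if e["ts"] > cutoff]


def hidden_or_system(entries):
    """Entries carrying the hidden or system attribute; ordinary installers
    rarely create these outside Windows' own folders, so they deserve a look."""
    return [e for e in entries if e["hidden"] or e["system"]]


def under_path(entries, prefix):
    """Entries whose path starts with `prefix` (case-insensitive, Windows-style)."""
    p = prefix.lower()
    return [e for e in entries if e["path"].lower().startswith(p)]


def per_day(entries):
    """How many entries were created on each calendar day."""
    return Counter(e["ts"].strftime("%Y-%m-%d") for e in entries)


if __name__ == "__main__":
    entries = parse_dds_created(SAMPLE_DDS)
    for e in created_after(entries, "2011-01-20"):
        print(e["ts"], e["attrs"], e["path"])
    print(sorted(per_day(entries).items()))
```

Paste the whole "Created Last 30" block into SAMPLE_DDS (or read it from a file) and the same functions work on the full log; a file being listed here says only that it was created in the window, so each hit still needs checking against what was actually installed that day.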


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 06 February 2011 - 03:33 PM

Good evening. :) (or not, given your situation!)

There are two issues here that need dealing with.

1) Your computers. With any situation such as this where an individual has any form of remote access, there is only one solution that I would entertain if this was my machine - a reformat and reinstall.
There are too many possibilities, what with infected/patched or replaced system files, to guarantee a clean system with anything other than a fresh start.

2) Your wireless connection. I won't bore you with the whys and wherefores, but WEP encryption is almost as bad as no encryption at all. With the right information and tools, and both are freely available online if you know where to look, it is possible to hack into a WEP connection in less time than your machine takes to boot to a state where you can use it - it really is simple for even a relatively unskilled individual to access your internet connection.

No protection less than WPA, and preferably WPA2 if that is available, is worth having if you want to secure a wireless connection. If you don't have that option, either upgrade your kit or go with wired for the peace of mind.

On Jan. 18th I had a computer technician come & try to clean my computer, but after 5 hours, although it killed him to admit it, he wasn't able to, and so he reformatted our hard drive & re-installed Windows. We have Verizon FIOS for internet & it's WEP protected, so he changed that password & we thought that we were good to go.

However, this past week I've noticed changes in the computer. I've been fighting this since June, so I'm way better at noticing small changes in our computer than I was 8 months ago! When I look at the Program & Windows files, there has been a lot of activity (files added or modified) since January 20th (only 2 days after our computer was wiped clean!).

Given that you have lousy encryption, it would make sense that somebody who had hacked your machine once could do so again so quickly if s/he was using your "unprotected" wireless connection as the initial means of entry.
On the plus side, if this is how it is being done, you can narrow it down to somebody within the range of your wireless router, which may be of help to the police - assuming they have been involved.
On the minus side, your "technician" needs a lesson in wireless security if s/he left you with WEP encryption given the nature of the problem you had.

If you have any questions, please feel free to ask.

So long, and thanks for all the fish.
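Added example (editor's addition, not from the thread or from either poster) illustrating the point above about WEP. WEP encrypts each frame with RC4 seeded by a 24-bit IV prepended to the shared key. Two facts follow and the code below shows both: with only 2^24 IVs, the birthday bound says a busy network repeats an IV after a few thousand frames, and any two frames sharing an IV (under the same key) share a keystream, so XORing their ciphertexts cancels the key and a guessable plaintext in one frame reveals the other. The RC4 routine is textbook RC4; the key, IV and frame contents are constructed for the demonstration, and the CRC-32 integrity value WEP appends is omitted.

```python
import math

IV_BITS = 24                 # WEP's per-frame IV is 24 bits
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs


def iv_collision_probability(frames, space=IV_SPACE):
    """Birthday-bound estimate of P(some IV repeats) after `frames` frames
    whose IVs are drawn uniformly from `space` values."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_collision_probability(p, space=IV_SPACE):
    """Frame count at which that estimate reaches probability `p`."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))


def rc4_keystream(seed, length):
    """Textbook RC4: key-scheduling, then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP frame-body encryption: RC4 seeded with IV || key, XORed over the
    plaintext. The CRC-32 integrity value WEP appends is left out here."""
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_with_reused_iv(c1, c2, known_p1):
    """If c1 and c2 were sent under the same key and the same IV they share a
    keystream, so c1 XOR c2 == p1 XOR p2, and a known p1 exposes p2."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))


def demo_iv_reuse():
    """Two frames under one 24-bit IV: the second is recovered from the first's
    guessable plaintext without touching the key. Key and frames are constructed."""
    key = bytes.fromhex("0123456789")            # a 40-bit WEP key (constructed)
    iv = bytes.fromhex("00aa55")                 # one 24-bit IV, used twice
    known = b"GET /index.html "                  # 16 bytes an attacker can guess
    secret = b"Passw0rd!:login "                 # 16 bytes the attacker wants
    c1 = wep_encrypt(key, iv, known)
    c2 = wep_encrypt(key, iv, secret)
    return recover_with_reused_iv(c1, c2, known) == secret


if __name__ == "__main__":
    print("P(IV repeat) after 5000 frames:", round(iv_collision_probability(5000), 3))
    print("frames for 50% chance of a repeat:", frames_for_collision_probability(0.5))
    print("second frame recovered via IV reuse:", demo_iv_reuse())
```

The numbers are the whole story of why WPA2 is the minimum to recommend: a few thousand frames is seconds of traffic on a home network, and real WEP attacks go further than this keystream-reuse toy (they recover the key itself from weak IVs), so rotating the WEP passphrase, as the technician did, buys nothing.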

 

 


#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 February 2011 - 04:07 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.

 

 




