
Was I Hacked/Hijacked ...???


  • This topic is locked
14 replies to this topic

#1 CCfine81

CCfine81

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 28 December 2011 - 07:26 PM

Hi, I think my system was hacked into and/or hijacked. Numerous symptoms ... fake updates, Notepad switching automatically to OneNote and preventing me from printing, page redirects, slow startups and shutdowns, fake Yahoo pages, fake alerts for security updates, transparent pages. Recently, a person I was e-mailing through Yahoo (they were using Gmail) suggested that they had hacked into my computer. I clicked on numerous You.Tube links they were sending me (spelled YouTu.be), and responded to about 20 of their e-mails. This person appears to have accessed my AOL account and Gmail account, and had detailed information that was stored on my computer.

My system was/is vulnerable/unprotected (as I've recently learned). I have a home network with three computers (2 desktops and a wireless laptop). The router (Xfinity) was never configured (default settings never changed). I recently reset it, changed SSID, etc. (not entirely sure it was done correctly ...) but all computers, including the wireless laptop, are able to connect to the internet. I did not have a password-protected standard account and never created a second administrator user account. I have Norton 360 installed. Malwarebytes scan results report 2 infections (the infections are related to OneNote). I attempt to remove them, Malwarebytes confirms that they are removed, yet the same ones are re-detected/reappear with each new scan. The same infections appear on my desktop computers as well as on the wireless. I have all of this information available ... will await your response/instructions.
I appreciate your help!


#2 HelpBot

HelpBot

  Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:34 AM

Posted 03 January 2012 - 12:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435036 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 CCfine81

CCfine81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 03 January 2012 - 09:32 PM

Hi, I really need help. I'm pretty sure my account has been hacked/hijacked ... maybe a rootkit. DDS not working: I tried running DDS -- when trying to run, it just displays a Notepad page filled with random characters. Gmer is identified as a Trojan by Norton 360 and blocked/contained from running (Norton identifies it as gmer.exe Trojan.Gen.2).

Unusual comp behavior for about 2 months. Sought some help but problem was never resolved.

Malwarebytes detected two infected Registry Data Items -- both related to notepad:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken

I've tried repeatedly to remove with Malwarebytes but they return/are re-detected with each new scan. These infections are also detected on the wireless laptop and return with each new scan. I reset the home router (Xfinity) which still had default settings -- SSID, etc.

It seems that the tools I try to use to remove/analyze this suspected rootkit/malware are blocked from working.
(for example, the DDS and Gmer as mentioned above)
Notepad mostly fails to open -- immediately opens to OneNote when I've tried to save a logfile online (i.e. hijackthis logs, etc.). I have three computers in the house -- 2 desktops and a wireless laptop.

Fake popup update warnings, fake-looking You.Tube, Yahoo pages. Page redirects, previously noticed unusual temp internet files (including strange GIF temp files with titles like Start_Virus_Over). Computer very slow startups, shutdowns, seems to be working very hard/noisy. Mainly I've tried to stay off of it with the exception of running virus/rootkit scans (I have used numerous recommended online/on demand scanners -- Kaspersky AV scanner, TDDS, Sophos, prevx, etc.). No rootkits detected but maybe they have been prevented from operating properly ... I don't know.

I was corresponding/e-mailing someone I did not know very well via my Yahoo account (the person was using Gmail). At one point, they suggested that they had hacked into my system/hijacked it (they had information about files on my computer). I clicked on a number of You.Tube links this person had sent via e-mail. This is when I started observing some computer issues. Mainly, the fact that they seemed to have information related to my computer that only I would know is why I am very concerned.

It's possible that they got my AOL password as my AOL account had a number of "sent" emails that I had never sent, deleted e-mails I had never read/opened, etc. Same issues with my Gmail account. My security password retrieval questions were weak and could have been easily guessed by this person (passwords very weak as well). I did not have password protected standard or administrator's accounts set up (have recently setup -- but these passwords may have been cracked too).

I just want to know what's going on ... was I hacked/hijacked ... what to do now? Help ... this problem is really worrying me.
THANKS!
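A read-only check a defender can re-run after each scan or reboot to see whether the two open-command defaults Malwarebytes flagged above are still hijacked. This is an added illustration, not anything posted in the thread or part of Malwarebytes; the "expected" values are the ones Malwarebytes reported as Good, and the script assumes Windows PowerShell with rights to read HKEY_CLASSES_ROOT.

```powershell
# Added example: re-check the two "Broken.OpenCommand" entries reported
# in the post above. The known-good defaults are the "Good:" values from
# that Malwarebytes report. The function only reads the registry, so it
# can be re-run after every scan/reboot to see whether the change returns.
function Test-OpenCommandHijack {
    [CmdletBinding()]
    param(
        # Constructed baseline: file class -> expected (default) command
        [hashtable]$Expected = @{
            'scrfile' = '"%1" /S'
            'regfile' = 'regedit.exe "%1"'
        }
    )

    foreach ($class in $Expected.Keys) {
        $path = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue

        if ($null -eq $key) {
            $actual = $null
            $status = 'MISSING'
        } else {
            # GetValue('') reads the (default) value of the key
            $actual = [string]$key.GetValue('')
            if ($actual.Trim() -eq $Expected[$class]) {
                $status = 'OK'
            } elseif ($actual -match '(?i)notepad\.exe') {
                # Same pattern Malwarebytes reported as Bad: NOTEPAD.EXE %1
                $status = 'HIJACKED (matches reported Bad value)'
            } else {
                $status = 'UNEXPECTED'
            }
        }

        [pscustomobject]@{
            Class    = $class
            Path     = $path
            Expected = $Expected[$class]
            Actual   = $actual
            Status   = $status
        }
    }
}

# Run the check; anything other than 'OK' deserves a closer look.
Test-OpenCommandHijack | Format-Table -AutoSize
```

If an entry shows as HIJACKED again after Malwarebytes has reset it, something still active on the machine is rewriting it, which is the re-detection behaviour described above.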

#4 CCfine81

CCfine81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 05 January 2012 - 12:34 PM

Hi, I'm wondering if someone is going to help me with my computer problems -- just want to make sure I haven't fallen through the cracks here (please see previous postings describing my issues).

A bit more information: I did not add that I am using Windows Vista, 32-bit, Home Basic edition. I do not have the original CD. I have what appears to be a very solid anti-virus/spyware/firewall program installed (a router, Norton 360 V. 5, regular scans with Malwarebytes, Superantispyware, Kaspersky, etc.). Tests (GRC site/Shields Up) confirm I am "invisible" on the internet. It's very likely the person who gained access to my system got my AOL password first (I had my regular e-mail address, cell number, etc. posted online). I received some online support for a few weeks regarding my computer issues (the problems seemed to start roughly around the time I started e-mailing this person through Yahoo), and the notifications from the tech/help site were being delivered directly to my AOL account, which the "hacker" had access to and, in turn, was also able to read all of my help postings, which of course included detailed information about my computer and the repair process which was taking place. I recently disabled remote viewing features on my computer and disabled DEP (both disabled about 4 days ago). Reset router (because it was previously configured with default settings). Spybot Search & Destroy also found and removed this: {SBI $56D821C1} type library HKEY_CLASSES_ROOT\typelib{602E2CE053F711D2A7F400A0C91110C3}. Loaris Trojan Remover detected and removed about 6-7 Trojans from my desktop and the wireless laptop (although I have found that Loaris often produces false positives).
- Thanks.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:34 AM

Posted 05 January 2012 - 04:15 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please post the logs requested by the HelpBot for my review. It's the only way I can help you.

#6 CCfine81

CCfine81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 06 January 2012 - 05:54 PM

I indicated that my computer is blocking me from running DDS and Gmer ... DDS goes to a page filled with random characters and Gmer will not open because Norton 360 identifies it as a Trojan. Seems this malware is trying to block me from running malware removal tools. Thanks -- what should I do?

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:34 AM

Posted 07 January 2012 - 10:22 AM

Run these tools and post the logs if you can.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.


#8 CCfine81

CCfine81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 07 January 2012 - 03:42 PM

Hi. This is what showed up on the aswMBR scan in red: c:/windows/system32/mbamswissarmy.sys *hidden* (I wrote this down as I was unable to save the log and no MBR.dat file appeared on the desktop). I searched my computer for aswMBR via advanced search and about 60 documents/desktop items were found for it. Nothing appeared on the TDSSKiller scan.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:34 AM

Posted 08 January 2012 - 09:33 AM

I need to find out if your partition table has been modified.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB) and Windows Vista 32-Bit (x86) Recovery Environment

Create a bootable CD, 1 for Gparted and 1 for the Windows Vista Recovery Environment, from the ISO images. You can use ImgBurn to do this.

This will help you burn the iso image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite
==

Now boot off of the newly created Gparted CD.

You should be here...
Press ENTER

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen.


I need to see a print screen of this last image.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

#10 CCfine81

CCfine81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 13 January 2012 - 06:52 PM

Hi, I'm sorry for the delay ... I am working on what you've asked me to do and almost done. A few more strange issues which might help you figure out what to do: I noticed that I have TWO "COMPUTERS" on my system (viewed from start/control panel/system): one is the regular computer/logo you would always see there; the other "computer" is identified as the co (same default MS Windows computer logo, etc.) but it's labeled ComboFix (which I have used in the past while seeking help). When I click on this second computer's icon (again, labeled ComboFix) it displays everything that the regular computer displays (lists the same properties, etc.). This is really weird. Also, within the past day or two, the number lock key is activated every time a computer in the house restarts.

I set new standard and admin account passwords on a wireless desktop (three computers in the house) and a few hours after saving them, I tried to log in to both the standard and admin accounts using these newly created passwords but they did not work. I tried at least three or four times to gain access but nothing (I had written the passwords down clearly and they were accepted by entering the password twice), so I was definitely entering the correct passwords. The next morning, both passwords were gone/deleted and I created new passwords since I was able to log back onto the administrator's account.

Also, I tried accessing Event Viewer -- the Event Viewer screen appeared but a message immediately popped up stating that "Access is Denied (ERROR 5)." I used the admin account etc. The same message kept appearing. This malware or whatever it is still seems to be trying to keep me away from certain help sites and anti-virus/malware tools (i.e. difficulties downloading or setting some of these programs up). I did finally manage to get a log of aswMBR (I couldn't generate a log the first time I ran it, but did inform you that one item was detected (swissarmy *hidden* ...)). I was finally somehow able to run a Gmer scan which I'm pretty sure generated a log which I can send to you (as well as the aswMBR log) if you still need them. I still had no success getting DDS to run.


I did a performance scan on my computer and Windows identified remains of the paid version of AVG (which I fully uninstalled 3 years ago). Windows reported AVG as a startup item which was causing slow performance. I have not seen AVG anywhere on my comp since uninstalling it. This AVG stuff also had the same logo as Secunia. I searched for AVG in an effort to remove it and at least 75 separate entries appeared and could not be deleted. I tried Revo Uninstaller and that did not work either (surprisingly). I eventually tried the AVG uninstaller and I think it got rid of most of it.

ANY SUGGESTIONS? PLEASE GIVE ME AN IDEA OF WHAT YOU THINK IS GOING ON WITH MY COMPUTER.

Thanks -- I appreciate your help.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:34 AM

Posted 14 January 2012 - 09:18 AM

I appreciate what you did but if the infection is in a Hidden partition it will be reactivated each time you boot.

Can you post the partition table as requested in my previous post?

#12 CCfine81

CCfine81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 14 January 2012 - 02:41 PM

Hi, I will be finishing that today. I may have to download the gparted live and Windows Vista Recovery Environment on my infected computer as I currently do not have access to one that I know for sure is clean. The other comps in my home may also be infected since all three users share the same wireless Router (my desktop computer is the only one that is not wireless).

On second thought, I guess I will do the downloading/burning disks on another computer in the house -- I just hope this other computer is not infected (if it is infected, it's probably not as bad as mine is). Will get back to you soon. Thanks again for your time -- I truly appreciate it. Have a great day.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:34 AM

Posted 14 January 2012 - 04:27 PM

The other comps in my home may also be infected since all three users share the same wireless Router (my desktop computer is the only one that is not wireless).



If these computers are not experiencing difficulties I would download from one of them.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:34 AM

Posted 20 January 2012 - 04:08 PM

Are you still with me?

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:34 AM

Posted 26 January 2012 - 09:52 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users