Computer hijacked via NetSupport??


  • This topic is locked
9 replies to this topic

#1 rileyj223

rileyj223

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 07 June 2015 - 02:13 PM

Yesterday I accidentally downloaded and ran a .exe file that installed the desired program (ESL Wire) among other things. The download was part of a Steam Trading scam that I was unaware of that involved me downloading an "anticheat" to join this guy's ESEA game so I could play as a ringer. I have run several antivirus scans in Malwarebytes which deleted some registry entries, but none of the files I am suspicious of were deleted. This is because the files I'm suspicious of are from a legitimate company, NetSupport Ltd. I found this out by tracing a suspicious process named "clock.exe" that led me to a nearly empty folder called "Schema". The only file there was a .txt file that was a log of my keystrokes, mainly my Steam password. Because the folder was hidden, I went into the folder settings and had it unhidden, which revealed the "clock.exe" app among several .dll and .ini files, all of which belonged to NetSupport. I'm not entirely sure how he got into my computer using only NetSupport but I think that NetSupport was downloaded in the background during the installation of ESL Wire, as the timestamps of some files match up to the ESL Wire installation timestamps. I don't know what I'm missing and I don't really care right now about what happens to my Steam items, I just want to make sure that this can't happen again on my computer.

 

Also, I'm running Windows 7 Home Premium SP1 64-bit and I forgot to include that I found a few loose files in my AppData folder that were suspicious as well. There was a text file with just my IP and a "clocker.exe" whose description is "Into darkness" and a copyright of "Forever alone insider". There is also an "insider.exe" and a text document with my Google Chrome's remembered passwords. In any file's security/permissions tab, there is an "unknown user" listed, which makes me believe that he somehow used only NetSupport to hijack my computer. Is that even possible?


Edited by rileyj223, 07 June 2015 - 02:25 PM.
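
Added example (not part of the original post or of any tool mentioned in this thread): a read-only PowerShell inventory for the situation described above, where binaries carrying NetSupport version information sit in a hidden folder under an unrelated file name. The function name `Find-VendorBinary`, the search roots and the `NetSupport` match string are assumptions; the script only lists files.

```powershell
# Added example, read-only: lists matching files, never deletes or edits anything.
# Assumptions: the search roots and the vendor string below; adjust to the machine.
function Find-VendorBinary {
    param(
        [string[]]$Roots  = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData),
        [string]  $Vendor = 'NetSupport'
    )
    $hidden  = [int][IO.FileAttributes]::Hidden
    $pattern = [regex]::Escape($Vendor)

    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

        # -Force is what makes hidden and system items visible to the search.
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and ('.exe', '.dll' -contains $_.Extension)
            } |
            ForEach-Object {
                # Match on the embedded version resource, not on the file name.
                $vi   = $_.VersionInfo
                $text = '{0}|{1}|{2}' -f $vi.CompanyName, $vi.ProductName, $vi.FileDescription
                if ($text -notmatch $pattern) { return }

                # A name that differs from the embedded OriginalFilename hints at a rename.
                $renamed  = [bool]$vi.OriginalFilename -and
                            ($vi.OriginalFilename -ne $_.Name)
                # Hidden flag on the file itself or on the folder that holds it.
                $isHidden = (([int]$_.Attributes -band $hidden) -ne 0) -or
                            (([int]$_.Directory.Attributes -band $hidden) -ne 0)

                New-Object PSObject -Property @{
                    Path     = $_.FullName
                    Company  = $vi.CompanyName
                    Original = $vi.OriginalFilename
                    Renamed  = $renamed
                    Hidden   = $isHidden
                    Created  = $_.CreationTime
                }
            }
    }
}

# Oldest first, so creation times can be compared with a known install time.
Find-VendorBinary |
    Sort-Object Created |
    Select-Object Created, Hidden, Renamed, Company, Original, Path |
    Format-Table -AutoSize
```

A hit that is both hidden and renamed is worth recording in the log posted to a malware removal helper; the script itself makes no changes to the system.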



#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:07 AM

Posted 07 June 2015 - 02:21 PM

Do you have an antivirus program? You should definitely check your system.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:

 


#3 rileyj223

rileyj223
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 07 June 2015 - 02:24 PM

Do you have an antivirus program? You should definitely check your system.

Yes, I stated in my problem that I ran scans with Malwarebytes.



#4 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:07 AM

Posted 07 June 2015 - 02:43 PM

Sorry, I missed that. I think that your computer needs a detailed inspection.

Maybe you should post here (read the forum rules for that part of the forum first):

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/



 


#5 rileyj223

rileyj223
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 07 June 2015 - 02:57 PM

Honestly I think that only NetSupport was used to hijack my computer and his only objective was to steal my Steam items. He didn't even reset any passwords even though he had my Steam password (he didn't try to reset it). My email was already open and he had to use that to transfer the items so he didn't have to steal my email's password. If someone could just tell me how to uninstall a discreetly installed NetSupport client completely then I'm sure that would solve my problem.



#6 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:07 AM

Posted 07 June 2015 - 03:00 PM

I am not allowed to speak on behalf of anyone from the anti-malware team, so I hope that one of them will answer. ;)



 


#7 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:04:07 AM

Posted 08 June 2015 - 10:39 AM

Sorry, I missed that. I think that your computer needs a detailed inspection.

Maybe you should post here (read the forum rules for that part of the forum first):
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

 
rileyj223, It is your choice whether to continue receiving help here in Am I Infected or post in Malware Removal Logs. If you choose to do it in this topic and your helper thinks more advanced tools are needed you will be directed to Malware Removal Logs forum.
I have contacted someone who does help in AII and asked if he can help you with this.
 

I am not allowed to speak on behalf of anyone from the anti-malware team, so I hope that one of them will answer. ;)


severac, Am I Infected? forum is open for anyone to help in. It is not restricted to the Malware Removal Team. If you look through Am I Infected? you will see that those who help here are either Bleeping Computer staff or regular members.
More information on this can be found here http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/

Edited by Queen-Evie, 08 June 2015 - 10:48 AM.


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,203 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:04:07 AM

Posted 08 June 2015 - 11:03 AM

Hi rileyj223 :)

Due to the nature of the infection, it would be better for you to receive assistance in the malware removal area for it, as it will involve the usage of tools that aren't allowed to be used here (in AII). There you'll be assisted by a trained malware removal helper that will help you get rid of every infection on your system as well as the current one. In order to do that, you have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section. You have to follow the instructions in the preparation guide prior to posting your thread, since it contains the steps to follow when posting it.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:04:07 AM

Posted 08 June 2015 - 11:50 AM

And there you have it by one of our frequent Am I Infected? helpers.

Please post in Malware Removal Logs in order to receive the help you need.

After posting there, come back to THIS topic and link to your MRL topic so this one can be closed.

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,720 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:07 AM

Posted 08 June 2015 - 01:13 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/578823/removing-remnants-of-netsupport-hijacking/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:


Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



