Mod Edit: Split from http://www.bleepingcomputer.com/forums/t/456776/pc-hijacked/ - Hamluis.
I know this is an old post but I am having a similar problem in that I know absolutely that someone has remote access to my computer. There is no reason for there to be any remote access because this is my home computer. I am on a home network but am not sharing files at this time simply so as not to confuse things. I have had the computer looked at by 3 tech repair companies. They pooh-pooh my descriptions of the strange things that are happening. They literally ignore what I'm saying. They just say they'll run some scans, etc. I've already run so many scans I lost count. I've deleted security programs so as not to interfere with my current scan. They all tell me nothing was wrong, just a few settings needed to be "fixed". It's all good. And it was, for a while. Please someone take the time to read my very looonnnngg post. Please!
I'm not sure where to start but hopefully I can make this sound sane. Let's start with the first time I noticed something weird. Now I am not very tech savvy but I do know a little bit about how this thing works. So at first I noticed settings changing like my desktop, screensaver, font and icon size, the usual. Then services were being added and enabled/disabled without my input. I'm talking about the virtual networking and remote access types, ones that I had set to "stop", many just because they weren't necessary or they are started/stopped by default. I was pretty familiar with the services information so I knew when changes were being made. I stopped everything virtual and remote access related. I researched tunneling and PNRP, COM and DCOM, SSDP, etc. (When I asked one of the tech guys what PNRP was he looked confused and said "You mean PnP? That's just plug and play.") A few that I wasn't sure of I left alone. Anything security related I turned back on. Next time I get on my computer everything is changed back, and more things have changed, only now I am getting error codes if I try to fix them. The generic ones like "this service cannot be stopped", which should not be true at all. So I run my Norton 360 and I find the usual tracking cookies. Then files started to disappear. I'm trying to think of a good example; this was nearly 2 years ago. Anyway, I would find them in weird places like under the user file instead of the Windows file, or they would be in the "Public" desktop section, but not in Windows. They disappeared from my start menu (I was on Windows 7 at that time). I couldn't find them anywhere. I did a lot of Windows searches to find them. When entire programs stopped working correctly (like, maybe I could open but not run) I found I no longer had security permissions. My user was still an administrator but I could not get into anything. I just got errors like "access denied". Soon there were very few files I could get into.
Not only was access denied but I needed permission from the Trusted Installer. Now all this time my internet got slower and slower until it was unusable. My Norton 360 kept uninstalling. Every day. I lost my wifi connection every new page I tried to load. I thought maybe it was the distance I was from the router. It didn't help to get closer. At this time NO ONE else was having problems, sometimes 4 computers in the house. I got a wifi extender which helped the dropped connections a little but not the speed. I called the server company and they said it was because we were in a rural area. The rest of my family was in a rural area too. Most times I was the only computer on in the house so I was not sharing bandwidth. Not with my TV or my neighbors either. Unless someone else was always winning the race for bandwidth. I figured since my computer was useless I could try some trial and error. Some of it worked, some made it much worse I'm sure. Over a couple of months I changed a lot of properties settings. That security tab fascinates me. So I started changing permissions. When I was allowed to change fewer and fewer permissions I started changing owners and adding principals, advanced permissions. Along the way I was finding those files where the settings would deny access and needed approval from Trusted Installer. In a few weeks every file I went to asked for administrator permission, which did not work for me even though I was an administrator. Or I needed Trusted Installer permission. I was completely helpless.
What bothered me though was that there were unknown networks running. Unknown wifi adapters, and my wifi adapter would uninstall or become disabled. The taskbar would show I had internet access even though Chrome said I was disconnected. Or the taskbar showed disconnected, but no matter which of my networks I tried they all connected and it showed connected in Settings and Network and Sharing. Sometimes the networks suddenly became public in Network and Sharing even though all sharing was turned off and all the settings were set up for private. Sometimes it changed back after playing around with settings, properties and services. Around that time I lost access to the Device Manager settings. Now I was at the mercy of my virtual and tunneling adapters and services. For a while I had an ethernet connection yet I had no ethernet cable and I had disabled ethernet connections long ago. In the Network and Sharing Center it still showed disabled. Yeah, weird. Many of these things can be explained, but it seems there was so much going on those excuses no longer applied. In my opinion anyway. I called the Norton help center. They wouldn't even listen. "Call Microsoft," they said. All they would have told me would be to reset the whole thing.
So I wiped the whole thing clean, reinstalled Windows, got Windows 8, ran Norton Internet Security and found 27, yes 27 trojans! Why didn't the scans catch them before??? Now, running fine. So I turned on some file sharing mostly so I could use my wifi printer. (Also used to explain away some of the earlier symptoms.) Then it all started again, slowly at first and not nearly as aggressive I thought. Then our other Microsoft computers started having problems. (Not the Apple.) No one would let me touch their computers because I was already deemed a certified wacko. My husband took his desktop in to be fixed; they said he had some malware and a virus or 2 and he was fine. The next time he took it in because of the same problems they found 32 trojans! Yikes! Now sometimes when I was connected directly to the router (not the extender) everything was great, so I thought maybe the extender had become compromised so I ditched it. In the trash it went. The replacement: a much newer, fancy one. I've had it about a year. I haven't had too much trouble connecting to it, just sometimes my connections disappeared (I had 3 but have only been able to find 2. The other computers all have 3). Why did I have 3 in the beginning? It's just what it gave me on setup. I know one of them says 2 GHz and one says 5 GHz; one is just my regular router connection. Every so often I will get a "Netgear" connection (that's the extender brand). It comes and goes. As of today I have reset the computer and refreshed it twice. I recently wiped it clean again about two to three weeks ago but have started having problems again. I found a good article that addresses this situation pretty well. It gave the name of a great removal tool called "Eset". It's a new one on me, but I can't tell you if it's good because I simply can't get the start scan page to load. The connection seems fine; I switched to the recommended browser (IE) but it gets stuck on loading that one page.
In Chrome it asks me if I have configured my proxy. What? Everything proxy-ish is disabled, so I enabled the proxy figuring the thing should configure it itself since it hadn't given me any configuration specs. So that brings me up to date pretty much on that stuff. Now the other half.
After the first time I reset/reinstalled I had 3 new users I had not had before. I guess I was supposed to but didn't always. I've always only had 2. Previously I had 2 main users, we'll call them 'mrhacker' and 'email@example.com'. I had created them both.
Mrhacker is my administrator; firstname.lastname@example.org is standard and a Microsoft account. After the reset I had in addition a mrhacker_2, Default, and Guest. I will not be suspicious of Default and Guest for now, although I have heard numerous times about hackers taking control of the Guest account. I deleted the Guest but couldn't do anything with Default. Is it normal to have a user with a '_2' after resetting? I didn't have a 'mrhacker_3' after the next time I reset. This user was set up with all of the files a normal user would have and need to function and is in the folder C://Users/. Mrhacker is there too with all of the same files, my personal and all the system folders and other programs. So basically they are both listed as individual users. I could not find a Guest or Default user in the C:// folder (Default turned up later but it's empty). So now I have Windows 8.1. No big deal. Just thought I'd mention it. Now if I am logged into mrhacker the users listed in C://Users... are: Administrator, Default, Default.migrated, mrhacker, mrhacker_2, Public.
So far kind of ok. Then I notice that when I am logged into mrhacker, go to Task Manager, under Users it says mrhacker_2. Only mrhacker_2. Where is mrhacker? Mrhacker is the user I am logged into. Those are the files I'm using, but there he is, mrhacker_2. I was so upset I made a folder in mrhacker titled 'mrhacker_2 files' and took every folder and file I could out of the one and put it in the folder in the other. This should render the user mrhacker_2 useless, shouldn't it? So this was all after the first reset. Over time, after more problems and two refreshes, there are files once again in mrhacker_2. Documents mostly but also some Downloads and empty Pictures and Music folders. There were files in the Temp folders and under AppData/Local and /Roaming. I had emptied out almost everything from there.
If I go to 'This PC/Pictures', I find my pictures in folder ...mrhacker/mrhacker_2/pictures. Some files don't have the mrhacker_2 in the path. These could be .exe and .dll files but I never noticed. If I go to Pictures through C://users/mrhacker/pictures the path is of course normal. I will also send some interesting (I think) screenshots. When I find a list of users or user profiles I have seen a user listed 'Unknown User', or Default, and I'll come back to the same spot an hour later and they're not there. There's always different users listed. Sometimes neither one of the mrhackers. Sometimes email@example.com is listed (when logged in as mrhacker). I know this is REALLY a confusing mess! I'll try to very briefly summarize in another post along with my screenshots. :-d
Oh and please understand I NEVER open strange emails (or any), type in trusted links and only download what I trust. I have Norton to help.
Edited by hamluis, 14 June 2015 - 07:00 PM.
Split, PM sent, moved from Internal Hardware to Gen Security - Hamluis.
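The duplicate profile question in the post above (mrhacker versus mrhacker_2, Task Manager showing one while the other is logged in, and "Unknown User" entries that come and go) is the kind of thing a responder would want hard data on before guessing. The script below is an added example, not code from the original poster or from anyone in this thread. It maps every profile registered on the machine to its SID, the account that SID resolves to (or flags it as unresolvable, which is how an orphaned profile shows up as "Unknown User"), whether that profile is currently loaded, and which profile the current session is actually running under; it then lists folders under C:\Users that no registered profile points to, and the local accounts that exist. It assumes Windows 8.1 or later with PowerShell 3 or newer and an elevated prompt; the helper name Resolve-ProfileSid is mine, everything else is the standard registry location and CIM classes.

```powershell
# Added example: inventory Windows user profiles and map them to accounts.
# Not from the original post. Assumes PowerShell 3+ on Windows 8.1 or later,
# run from an elevated prompt so HKLM and Win32_UserProfile are fully readable.

# 1. Who is this session actually running as (name, SID, profile folder)?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Current session: {0}  SID={1}  USERPROFILE={2}" -f $me.Name, $me.User.Value, $env:USERPROFILE)

# 2. Helper (hypothetical name): resolve a SID string to DOMAIN\name, or flag it as orphaned.
function Resolve-ProfileSid {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # A profile whose SID no longer resolves belongs to a deleted or foreign
        # account; the GUI shows these as "Unknown User" or "Account Unknown".
        return '<unresolvable SID>'
    }
}

# 3. The authoritative list: ProfileList in the registry. Each subkey name is a
#    SID and ProfileImagePath is the folder Windows loads for that SID.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$regProfiles = Get-ChildItem $regPath | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [PSCustomObject]@{
        SID     = $_.PSChildName
        Account = Resolve-ProfileSid $_.PSChildName
        Path    = $p.ProfileImagePath
    }
}

# 4. Runtime view from CIM: loaded state, last use, and the Status bitmask
#    (non-zero is worth a look; see the Win32_UserProfile Status definitions).
$cimProfiles = Get-CimInstance Win32_UserProfile |
    Select-Object SID, LocalPath, Loaded, LastUseTime, Special, Status

# 5. Join the two views by SID and print one row per registered profile.
$report = foreach ($r in $regProfiles) {
    $w = $cimProfiles | Where-Object { $_.SID -eq $r.SID }
    $loaded  = if ($w) { $w.Loaded }      else { 'n/a' }
    $lastUse = if ($w) { $w.LastUseTime } else { 'n/a' }
    $status  = if ($w) { $w.Status }      else { 'n/a' }
    [PSCustomObject]@{
        Account = $r.Account
        Path    = $r.Path
        Loaded  = $loaded
        LastUse = $lastUse
        Status  = $status
        SID     = $r.SID
    }
}
$report | Sort-Object Path | Format-Table -AutoSize

# 6. Folders under C:\Users that no ProfileList entry points to. These are
#    leftovers from earlier installs or renamed profiles; they are not
#    accounts and nothing can log in to them, but they can still hold data.
$usersRoot = Split-Path $env:PUBLIC -Parent
$known = $regProfiles.Path | ForEach-Object { $_.ToLowerInvariant().TrimEnd('\') }
Get-ChildItem $usersRoot -Directory | Where-Object {
    $known -notcontains $_.FullName.ToLowerInvariant()
} | ForEach-Object { Write-Host "Folder with no ProfileList entry: $($_.FullName)" }

# 7. Local accounts that actually exist, to compare against the folders above.
Get-CimInstance Win32_UserAccount -Filter "LocalAccount = True" |
    Select-Object Name, SID, Disabled, Status | Format-Table -AutoSize
```

Read the output by comparing step 1 with step 5: the profile whose Path equals the session's USERPROFILE is the one in use, regardless of which folder name appears in Task Manager. A folder listed in step 6 has no SID behind it and cannot be signed in to, so files reappearing there come from something running in a session that can write to it, not from a separate logged-in user; and any row with an unresolvable SID is a profile whose owning account no longer exists on the machine.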