
BIG PROBLEM--Hacker/spyware/malware problem. Please help



#1 Tyler071
Posted 03 February 2016 - 06:34 AM

For the last couple weeks, I've noticed a lot of things happening on my computer and have seen a crazy amount of different IP addresses connected on command prompt. My knowledge is minimal-decent when it comes to the configuration and processes of the PC so I'm limited on what I can do. It's been a constant battle to stay online over the past couple weeks. Programs keep randomly shutting down, media files constantly being sent out, etc. Please help. I'll give my #, e-mail, whatever out in order to make this happen quicker. I'd like to be able to actually be online without worrying about which basic program or service is about to shut down that I'll have to boot back up in a few minutes. More than anything, I'm sure a lotttttt of personal information has been compromised. I've got Zone Alarm running now, but I constantly have to keep changing the settings back because they will be changed or certain IP's will be allowed, etc.


Edited by hamluis, 03 February 2016 - 08:28 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 dc3
Posted 03 February 2016 - 09:46 AM

Please download and run RKill
 
RKill is an easy to use tool that kills known processes and removes Windows Registry entries that stop a user from using their normal security applications.  These settings will remain until the computer is rebooted, for this reason you must run your security applications before the computer is rebooted.  
 
Please download RKill and install it.
 
When RKill is run it will display a console screen similar to the one below:
 
[screenshot: RKill console window]
 
When RKill has finished running a log will be displayed showing all of the processes that were terminated by RKill.
 
Attention:  At this time you need to run your security applications listed below.
 
While RKill is running you may see a message from the malware stating that the program could not be run because it is a virus or is infected.  This is the malware trying to protect itself.  Two methods that you can try to get past this and allow RKill to run are:
 
1)  Rename Rkill so that it has a .com extension.
 
2)  Download a version that is already renamed as files that are commonly white-listed by malware. The main Rkill download page contains individual links to renamed versions.  
 
After the application has run successfully you should reboot the computer to restore the processes and Windows Registry entries. 
 
================
 
Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.
 
The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
[screenshot: TDSSKiller main window, Change parameters]
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
[screenshot: TDSSKiller additional options]
 
3.  Click Start Scan and allow the scan process to run.
 
[screenshot: TDSSKiller scan in progress]
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
 
***Do NOT select Delete!
 
Click on Continue.
 
[screenshot: TDSSKiller scan results]
 
5.  Click on Reboot computer.
 
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.
 
Note:  The log may be very long.  You may need to break it into parts to post the whole log.
 
Do not post the log at a host website where it will have to be downloaded.  I will not download anything to my computer unless I know exactly what it contains.
 
================
 
Please run Malwarebytes AntiMalware
 
Please download Malwarebytes Anti-Malware
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, and follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  If this is the first time you have run this version of Malwarebytes you will see an image like the one below.
 
[screenshot: Malwarebytes first run, Update Now]
 
Click on Update Now; after Malwarebytes is updated click on Scan.
 
If this isn't the first time you have run this version, then you will see an image like the one below.  Click on Scan.
 
[screenshot: Malwarebytes dashboard, Scan]
 
You will be prompted to update Malwarebytes; to do so click on Update Now.
 
[screenshot: Malwarebytes update prompt]
 
3)  The scan will automatically run now.
 
[screenshot: Malwarebytes scan in progress]
 
4)  When the scan is complete the results will be displayed.  Click on Delete All.
 
[screenshot: Malwarebytes scan results, Delete All]
 
5)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log, double-click on mbam-check.exe on your desktop.  Copy and paste the log in your topic.
 
=================

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note: This option is only available if malicious objects were detected during the scan. If this is the case select Delete selected.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.


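The RKill description above says the tool kills known processes and removes registry entries that stop a user from running their normal security applications, and that those changes only last until the next reboot. As an added illustration (this is not RKill's code and not from anyone in this thread), here is a read-only PowerShell check for the kind of registry settings that have that effect. The specific values it inspects (the DisableTaskMgr/DisableRegistryTools/DisableCMD policies, Image File Execution Options "Debugger" hijacks, and the exefile open command) are common examples chosen for illustration, not a list taken from RKill; the function name and output format are assumptions. It changes nothing, so it can be run before RKill to see what is in place and again after a reboot to see whether anything came back.

```powershell
# Added example: report registry settings that commonly block a user from
# running security tools on Windows. Read-only; run from an elevated prompt.
# The keys checked are illustrative, not RKill's own list (assumption).

function Get-SecurityToolBlockers {
    $findings = @()

    # 1. Policies that disable Task Manager, Registry Editor and the command prompt.
    $policyChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -ne 0) {
            $findings += "Policy $($c.Name)=$($v.($c.Name)) set under $($c.Path)"
        }
    }

    # 2. Image File Execution Options: a 'Debugger' value under IFEO\<program>.exe
    #    makes Windows start that 'debugger' instead of the program itself, which
    #    is a classic way to stop a security tool from launching.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger set for $($_.PSChildName): $dbg" }
    }

    # 3. The .exe file association. The stock value is "%1" %* ; anything else
    #    means every program launch is routed through something else first.
    $exeCmd = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' `
                                    -Name '(default)' -ErrorAction SilentlyContinue
    if ($exeCmd -and $exeCmd -ne '"%1" %*') {
        $findings += "exefile open command changed to: $exeCmd"
    }

    return $findings
}

$result = Get-SecurityToolBlockers
if ($result.Count -eq 0) {
    'No known blocking settings found.'
} else {
    $result
}
```

Each line the script prints is a setting worth noting in your next reply alongside the RKill log; the point of the second run after reboot is that the page explains RKill's fixes do not persist, so anything that reappears is being re-applied by something still running.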

#3 TazzyOpz

Posted 04 February 2016 - 01:23 AM

Were you able to get this resolved? Running what "Arachibutyrophobia" commented above should put most of your worries aside as far as being infected goes.



#4 tyler0712

Posted 05 February 2016 - 11:54 PM

Hey y'all, I'm back. Somehow my password changed... lol. Anyway, I've been on this nonstop and I think I not only figured out what's going on, but also who could be doing it. Many times, I come across folders full of good stuff, aka it seems like stuff I catch someone trying to collect and steal... Mainly logs of what I'm doing on my laptop and cell phone. Also it's always something to do with better/faster devices or programs for transferring files. I think I already mentioned that it seems like he's making an extra of every program and changing it barely. Like there's always duplicates being made. I came across a log on my PC of my new phone. It was a log set up to monitor my Zone Alarm on my phone. But it was saved to my Google Drive that I've NEVER touched. In that log, right before it got deleted, I saw Nemo36 giving a command. I documented it with all my other data I've been collecting. Later on I started revising all this data and Googled nemo36. I came across a programmer/networking guy in a message board talking about a "keepalive" program he's working on. Google keepalive. That's exactly what's going on... You can check out the specs if you Google "cpu and display keepalive and scheduling library." He changed his name in a previous post and gave that link. I think it's ba_________. Bunch of numbers. Thoughts?

#5 tyler0712

Posted 06 February 2016 - 12:12 AM

No dude. Something is happening. Where are all the fake IPs, duplicate programs, signatures, logs, new drivers, and devices specifically for mass virtual file sharing with top security settings? And these new internet protocol versions, 4 and 6, that "add a degree of reliability to multicast applications." There were some layering or later devices attached to the network adapters too but I got rid of them. I also got a glimpse of something named "applewebkit" that was typed in a log but it deleted right after. After Googling it, I found a site with who's connected to them for today and the recent past. Coincidentally, Atlanta, Jersey and were the top 3. Atlanta and Jersey were most all of the IPs that I was documenting and screenshotting since the beginning. I have that saved too. Hell of a lot of coincidences if I'm wrong.

#6 tyler0712

Posted 06 February 2016 - 12:13 AM

I meant to say where are they coming from. Sorry, new phone, tiny buttons, and big fingers don't work in my favor.

#7 tyler0712

Posted 06 February 2016 - 12:17 AM

Oh, and I ran all of the above programs. Nothing but like 2 or 3 little issues and they got fixed. I really have been using Malwarebytes and Zone Alarm Extreme nonstop. I'm getting alerts from Gmail and others to verify my identity because I'm logging in from different states. Google tells me I'm in Navarre, FL. I live in Alabama... There's a long list of stuff.

#8 TazzyOpz

Posted 06 February 2016 - 12:32 AM

tyler0712 wrote:
Oh, and I ran all of the above programs. Nothing but like 2 or 3 little issues and they got fixed. I really have been using Malwarebytes and Zone Alarm Extreme nonstop. I'm getting alerts from Gmail and others to verify my identity because I'm logging in from different states. Google tells me I'm in Navarre, FL. I live in Alabama... There's a long list of stuff.

 

Okay, if you have run what Arachibutyrophobia has provided above, let's try some other things targeted more towards anti-spyware.
It is very important to run these scans and, after the removal process, to change your passwords.

Do you log in to your accounts from any other computer that could be infected?

 
 
[-Running NoBot-]
Download NoBot from here or here and save it to your Desktop.
 
• Double-click NoBot.exe
• Go to File -> Settings and make sure the following are checked:
• Detect Suspicious File Paths
• Scan Registry
• Detect Dropped Files
• Then click the Scan button. 
• Once the scan is finished you can view the scan log by going to File -> Scan Logs. Then copy and paste the scan log here.
It is recommended to post the scan log here before removing any files detected unless you know for sure the file found is infected.
 
[-Running RogueKiller-]
Download RogueKiller from here or here and save it to your Desktop.
 
• Double-click RogueKiller.exe
• Click the Scan button.
• Once the scan is finished you can view the scan log by clicking the Report button. Then copy and paste the scan log here.
It is recommended to post the scan log here before removing any files detected unless you know for sure the file found is infected.
 
[-Running SuperAntiSpyware-]
Download SAS from here or here and save it to your Desktop.
 
• Double-click SUPERAntiSpyware.exe
• Proceed through the install.
• Click the Scan This Computer button.
• Then click the Complete Scan button. (This will do a full scan of your computer.)
• Once the scan is finished, remove what it finds.



#9 dc3

Posted 06 February 2016 - 09:34 AM

Please post the logs for the scans you ran.  Do this in the order the scan was requested.


#10 dc3

Posted 06 February 2016 - 09:51 AM

TazzyOpz wrote:
[-Running RogueKiller-]

Download RogueKiller from here or here and save it to your Desktop.
 
• Double-click RogueKiller.exe
• Click the Scan button.
• Once the scan is finished you can view the scan log by clicking the Report button. Then copy and paste the scan log here.
It is recommended to post the scan log here before removing any files detected unless you know for sure the file found is infected.

RogueKiller cannot be run in the Am I Infected forum.

 

AII forum posting rules listed below can be found here.

 

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in ALL other areas of the BC forums. This list contains tools and procedures that are forbidden, the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.
 
ComboFix instructions.
HiJackThis, DDS, OTL, ZOEK, RSIT, RogueKiller instructions.
FRST (Farbar Recovery Scan Tool).
Manual rootkit removal using non-automated and advanced ARK tools (MBRCheck, MBR.exe and Esage Bootkit Remover).
Automated registry cleaners.
Advanced Registry instruction. Simple registry fixes are permitted but they must be accompanied with a warning to back up the registry first.
The BC staff will monitor (review) registry fixes and if we determine they are dangerous or incorrect, the instructions will be removed.
Custom scripts, batch files.
Other specialized fix tools the BC Staff deems untrained members should not recommend for use.
 
Note: This list is not limited and we may add to it as necessary. These restrictions are in place to ensure that only safe and effective methods are given to members seeking help with a malware problem.
 
WHY are these tools restricted? Most of these tools require guidance and supervision by trained experts. Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


#11 tyler0712

Posted 08 February 2016 - 09:29 AM

Lol, I've really done everything and he keeps coming back. He's got ahold of my phone and put crap in it too. I found a few different apps recording my calls and texts, as well as GPS and a bunch of URLs that are sketchy as can be. So it seems to be a situation that won't be resolved until he's found. So I'm hiring a hacker to do the same and I'll be showing up at his house and likely committing multiple felonies. That is all :)
