Unknown Infection - involves remote access, recorded tv, spybot and porn


  • This topic is locked
44 replies to this topic

#31 bleedle
  • Topic Starter
  • Members
Posted 08 April 2016 - 11:11 AM

Supposing this was a targeted attack specifically on my machine to access my material, will these tutorials still have what I need to keep it from being hacked again? I will of course read them all regardless...I've lost so much time wandering around aimlessly trying to get my machine to a point where I can work securely on it again I'll take every tip I can get to make me more aware here. Think my next topic will be internet privacy and security...

 

Thanks for trying oneof4 - I'll let you know when I'm in the clear and that I've made it safely. Looking forward to it. Be well.




#32 oneof4
  • Malware Response Team

Posted 09 April 2016 - 07:23 AM

:thumbup2: 


Best Regards,
oneof4.


#33 oneof4
  • Malware Response Team

Posted 13 April 2016 - 04:21 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Best Regards,
oneof4.


#34 oneof4
  • Malware Response Team

Posted 29 April 2016 - 08:35 AM

**Topic reopened per user's request**

==========

Hey Bleedle, :)

Please follow these instructions so we can get a look at your MBR:

 

===================================================

MBR Dump Using Farbar's Recovery Scan Tool in the Recovery Environment

--------------------

For this step you will need a USB flash drive.

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flash drive as fixlist.txt

SaveMbr: Drive=0

  • Please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Plug the flash drive into the infected PC and follow the 2 step process below: enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool

----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:

Option #2

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Option #3

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next

----------

Running Farbar's Recovery Scan Tool in System Recovery

  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • It will make a log (mbrdump.txt) on the flash drive. Please attach it to your reply. If you open the file you will not be able to read it.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:

  • Attached mbrdump.txt file

Best Regards,
oneof4.
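The mbrdump.txt that the SaveMbr fix writes is sector 0 of the disk copied byte for byte, which is why it looks like gibberish in Notepad. As an added example (not part of oneof4's post and not FRST's own code), here is a small Python script that decodes such a dump: it checks the 0x55AA boot signature, reads the disk signature and the four partition entries, and flags the structural faults that a Startup Repair verdict of "MBR is corrupt" usually boils down to (missing signature, zeroed boot code, overlapping entries, more than one active partition). It assumes the dump is the raw 512-byte sector with no header added by the tool; the file name and path in the usage comment are assumptions, and the built-in sample sector is constructed for the example, not a dump from this thread.

```python
# Parse and sanity-check a raw 512-byte MBR sector (e.g. a raw mbrdump.txt).
# The checks below are this example's own, not FRST's.
import struct
import sys

MBR_SIZE = 512
DISK_SIGNATURE_OFFSET = 440   # 4-byte Windows disk signature, then 2 reserved bytes
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE_OFFSET = 510   # bytes 0x55 0xAA
BOOT_SIGNATURE = 0xAA55       # the same two bytes read as a little-endian uint16

# Common partition type IDs, for readable output only (not exhaustive).
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x27: "Windows recovery",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry; the CHS fields are ignored."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "status": status,
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(data: bytes) -> dict:
    """Split sector 0 into boot code, disk signature, partition table and signature."""
    if len(data) < MBR_SIZE:
        raise ValueError(f"need {MBR_SIZE} bytes, got {len(data)}")
    sector = data[:MBR_SIZE]
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)
    (boot_sig,) = struct.unpack_from("<H", sector, BOOT_SIGNATURE_OFFSET)
    entries = [parse_partition_entry(sector[PARTITION_TABLE_OFFSET + 16 * i:
                                            PARTITION_TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    return {
        "boot_signature_ok": boot_sig == BOOT_SIGNATURE,
        "disk_signature": disk_sig,
        "boot_code_all_zero": not any(sector[:DISK_SIGNATURE_OFFSET]),
        "partitions": [e for e in entries if e["type"] != 0x00],  # skip empty slots
    }


def check_mbr(parsed: dict) -> list:
    """Return a list of structural problems; an empty list means the table looks sane."""
    problems = []
    if not parsed["boot_signature_ok"]:
        problems.append("boot signature 0x55AA missing: not a valid MBR")
    if parsed["boot_code_all_zero"]:
        problems.append("boot code area is all zeros: nothing to execute at boot")
    active = [p for p in parsed["partitions"] if p["bootable"]]
    if len(active) > 1:
        problems.append(f"{len(active)} active partitions; standard boot code expects at most one")
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry at LBA {p['lba_start']} has invalid status byte 0x{p['status']:02X}")
    ordered = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            problems.append(f"partitions at LBA {a['lba_start']} and {b['lba_start']} overlap")
    return problems


def build_sample_mbr(partitions=None) -> bytes:
    """Construct a sample sector (fabricated for this example, not a dump from the thread)."""
    # partitions: list of (status, type, lba_start, sectors). The default mimics a
    # typical Windows 7 layout: an active 100 MiB System Reserved partition, then C:.
    if partitions is None:
        partitions = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
    # Placeholder boot code: a few plausible opcodes padded with NOPs to 440 bytes.
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(DISK_SIGNATURE_OFFSET, b"\x90")
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in partitions).ljust(64, b"\x00")
    return (boot_code + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
            + table + struct.pack("<H", BOOT_SIGNATURE))


def report(data: bytes) -> str:
    """Human-readable summary: one line per partition, then any problems found."""
    parsed = parse_mbr(data)
    lines = [f"disk signature: 0x{parsed['disk_signature']:08X}",
             f"boot signature ok: {parsed['boot_signature_ok']}"]
    for p in parsed["partitions"]:
        flag = "*" if p["bootable"] else " "
        lines.append(f"{flag} type 0x{p['type']:02X} {p['type_name']:<16} "
                     f"start LBA {p['lba_start']:>10}  sectors {p['sectors']:>10}")
    lines += ["problem: " + m for m in check_mbr(parsed)] or ["no structural problems found"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage (assumed path): python mbrcheck.py E:\mbrdump.txt ; no argument = built-in sample
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(report(raw))
```

A disk that is really GPT shows a single 0xEE "GPT protective" entry with no active flag, so the script deliberately does not complain about zero active partitions. If the signature check fails on a real dump, confirm first that the tool did not prepend a text header to the file, since that alone shifts every offset.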


#35 bleedle
  • Topic Starter
  • Members

Posted 30 April 2016 - 08:41 AM

Hello again Oneof4, you've been so nice for sticking with me through all this - I certainly appreciate it.

Short story and quick question before we fire it up here again... 

 

Before receiving your instructions above, I once again ran killdisk and installed Windows from a trusted disk. I chose do not install updates, skipped selecting a network for now, and let it load. The typical suspicious programs started running in task mgr and resource mon. yet again before I tried any internet connections, so I opened event viewer while I still had some authority and watched as group policy loaded, firewall configured, an acct named "WIN"-something with system privileges change my password, log on as me, and change my newly bathed notebook into a workstation. Performance counters for WmiApRpl were removed and new ones were loaded, double event logs were suppressed to just show one, the time on my clock was manually changed, shortcuts were created for my files compliments of whatever this is and the windows media sharing frenzy wasted no time passing info through a temp folder in "recorded tv" as the network yet again begins its day without me. I go to search for an image on google and nothing remotely relevant shows up, reminding me my searches have been redirected to the nearest dumpster. So, just more of the same 'ol.

 

This time though I was surprised windows was loading at all, as I had lost my bonkers the night before and tried manually deleting everything off boot drive X:. I wiped out a good lot of it all only to discover that X: is apparently also a legit boot drive and I seriously twonked my hard drive. It's of little concern as it lost usefulness to me almost 3 months ago when it began deleting research files, so I killdisk it, windows it, and watch as the entire computer's history from the past few months restores itself through Winmail, which arrived from out of nowhere and left just the same. 

 

So when I saw you sent the above message was excited to get some direction and that I had a working machine to use it on, but I wanted to make sure I did all I could  do to make this one count before starting. Remembering our media server had been showing up lately in the network with my wifi connection, I ran downstairs to the old man's workshop and told him to disable the media server from the PC - he connects straight to the modem with ethernet - which he stepped aside to let me do.

 

We noticed updates to our router we had a hard time getting to take when we tried installing them a month or two ago. I disabled the media server and the DHCP and ran the available updates - 3 this time instead of just the one. I ran them all and wouldn't you know...the settings took. The router's dashboard lock stopped acting backwards and all the settings I applied stayed put.  

 

The updates had loaded some new programs that were running without us knowing they were there. I disabled media sharers "Twonky" and "Intellistream" (which had always been there but I always made sure they were "off"...really no need to share anything from machine to machine here. Like I said I'm looking for lockdown on my notebook).  Also discovered two new belkin server-type app things for media sharing and printer/file sharing.   

 

When I returned to my upstairs office I noticed the Windows logo at beginning boot up actually came together to form a Window this time. My files weren't shortcuts anymore, settings I set behaved themselves and stayed in one place, I could choose to set whatever I want, and I had more menu choices than I'd ever dreamed of. I still hadn't chosen to connect to the internet, and I looked around for the usual shady connections that connect me to networks like "not connected", which were no longer there. I got to experience full admin privileges for the first time ever I think.

 

I had discovered I fixed my bleeping computer!!!

:woot:

 

Just one issue was keeping me from cyber diving face first back into business... I couldn't find the wi-fi on my network to connect to. I reasoned it could be because I hid the 5ghz media server and returned to the ethernet pc to let it shine. My old man told me the router updates we did earlier had prompted him to enable Intellistream to fix an issue with his glitchy pandora and he had. Says it works great! So I pet him on the head and tell him nice job baby knowing full well he just threw my machine back into the pit.  Sure enough, every bit of this intrusion came flooding back. (well, except a .net framework that wasn't the right "volume" or "flavor"... harsh.)

 

So the source of my insanity, at least with my laptop, is the media server on my router. Good to know. 

 

Now for questions:

1. should I kill disk and reinstall windows again before proceeding?

2. do you still want me to follow the above instructions? I did do a system repair earlier that said I had a corrupt mbr one time before switching its error to missing system volume info and sticking with that for a while.

 

...so close man, so close. 


Edited by bleedle, 30 April 2016 - 08:49 AM.


#36 oneof4
  • Malware Response Team

Posted 30 April 2016 - 09:54 PM

No, the mbr dump probably isn't necessary.  Sounds like the concentration needs to be on cleaning up your router first, then maybe reinstalling Windows may not be necessary.


Best Regards,
oneof4.


#37 bleedle
  • Topic Starter
  • Members

Posted 02 May 2016 - 03:34 PM

We've cleaned up the router the best we can from our end - changed passwords, renamed networks, and disabled media sharing programs that are a part of its automatic services. Even though we have both the 2 and 5ghz signals set to broadcast, neither appears in my networks to connect to now. Setting it up manually also yields no connection.  There are two listings under my computer's hardware settings called "unknown device" for which drivers cannot be located or reinstalled... one I believe used to be a "base controller" or something... the third in that group is a "pci simple communication" something or other that also cannot locate drivers. I don't know, this is way out of my league.

 

Any instructions here on BC about router hacks? I closed my online shops today until I can get this under control - devastated and heartbroken.  If nothing else, we will be purchasing a new router in the next week or so as we're switching ISPs and need to - advice on good routers to avoid this issue in the future would be appreciated.

 

Thanks.



#38 bleedle
  • Topic Starter
  • Members

Posted 02 May 2016 - 04:08 PM

After assuring the router was secure (as much as I can make it) to see if I could get the networks to come up in my list of options, I ran killdisk and went to reinstall Windows again. I ran "repair your computer" from the Windows menu and chose "Startup Repair". This is what I got:

root cause found: MBR is corrupt
repair action: disk metadata repair
result: failed
error code: 0x490
time taken: 652490ms

 

should I do the mbr dump anyway? 



#39 oneof4
  • Malware Response Team

Posted 02 May 2016 - 09:26 PM

Yes, give it a go.


Best Regards,
oneof4.


#40 bleedle
  • Topic Starter
  • Members

Posted 03 May 2016 - 03:50 PM

I will and report back. In the meantime, my old man cleaned up his system today from our ethernet tethered PC (which I've connected to via homegroup), found Win32.2UrFace.bho. Undetectable until he ran HijackThis, some autorun program to see what was launching at startup BEFORE killdisk would launch (red flag - killdisk should be first), then a system scan with Spybot. This thing was a malware class 5 in the registry key, hidden in HKCR\CLSID.... and I think he's had it since like 2009. Looks like Windows Updates has addressed this issue, but having it hijacks the updates so you never get the cure.

 

Whatever mine is seems to be using my machine as a server... we both had media sharing and other similar symptoms, another one being we were both continuously logged into a workgroup. My machine actually became the workgroup? My virus seems more aggressive but then again I have the bigger badder machine. I'll let you know what turns up.



#41 oneof4
  • Malware Response Team

Posted 04 May 2016 - 06:30 PM

I will await your MBR dump.


Best Regards,
oneof4.


#42 oneof4
  • Malware Response Team

Posted 09 May 2016 - 01:12 PM

Are you still with us?  Do you still need help?


Best Regards,
oneof4.


#43 bleedle
  • Topic Starter
  • Members

Posted 10 May 2016 - 09:12 AM

Hello, yes, thanks for waiting - writing you this morning from a borrowed tablet. Since tracing the issue to the newly secured router, we decided to cut out the middle man and hardline the desktop into the modem. This resulted in a DSL connection that wasn't ours appearing on our network calling itself proline rather than Verizon in the header of my modem dashboard, using ISP and DNS numbers that, though they've become quite familiar to me over the past few months, I now realize aren't ours, and no fix to our current hackjob. I have been offline for about a week switching out hard drives, tricking my system into loading the BIOS menu, restoring defaults, reconfiguring boot orders, banging my head off the desk at the pathetic results I get trying to search for more info... things getting lazy, it just tells me now those sites don't exist or lets me stare at a page it won't load.

Seems my machine won't boot unless it can connect to a PXE NIC network. Same goes for our hardlined PC. Old man got a tip to pull the BIOS battery, told me he seemed to be making progress and to pull it on my laptop too. I watched a video that showed me how to do this with my particular notebook. When I popped the keyboard off as instructed, it wasn't there. No CMOS battery, no ribbon for it. Nice battery sized square in the plastic wrapping where it used to be, though.

Edited by bleedle, 10 May 2016 - 09:26 AM.


#44 oneof4
  • Malware Response Team

Posted 15 May 2016 - 08:03 PM

Hey bleedle,

 

Well, I think we're at a stage where we can call our work complete.  Since this is a forum dedicated to malware removal, and you are now free of malware on the machine that we worked on, the time has come to close this particular thread.

 

The issues that you have been describing of late are either Windows problems or network issues.  There are forums dedicated to each of those and the helpers in those forums are specialists in those areas.  I have provided links to each of the forums below:

 

Windows 7 forum

 

Networking forum


Best Regards,
oneof4.


#45 oneof4
  • Malware Response Team

Posted 18 May 2016 - 11:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Best Regards,
oneof4.




