
Someone hijacked my private computer and turned it into a domain


19 replies to this topic

#1 tink03

Posted 09 October 2016 - 12:55 PM

Hi,
My daughter bought an HP 15 (Red Flyer) laptop from Walmart in August 2015. The computer got a virus and was taken to a computer repair shop. They upgraded it from Windows 8.1 to Windows 10. She made a system image of that, but she has had problems ever since. It was repaired again a month ago, but we noticed the problems happening again. Folder and file permissions seem to change overnight and her administrator permissions are very limited. I looked at it for her and noticed weird things happening. I could see the mouse moving when I wasn't touching it. The more I looked into things, the more I found wrong. This is what I've found: her private laptop has been turned into a domain-run machine; ipconfig /all showed a Microsoft virtual machine running; when I try to change any network settings, they take out my network (literally disconnect me from it... I have an AT&T router that has been reset too many times to count); subinacl fails due to "access is denied"; hidden partitions I can't unhide; startup is a mess (I have to start the machine twice before it actually boots); startup programs are hidden somewhere (not a clue where, since search gives me limited access and information); programs like msconfig do not work or show the right info; numerous svchosts running that I can't stop (even with Autoruns); and not one antivirus or malware program ever shows a problem. Microsoft commands like sfc /scannow and chkdsk always say there were no integrity problems, or nothing is wrong. I've spent more money on this machine repairing it than it cost, but the problems keep returning, which tells me either the problem is in the registry, the router, or both. This is not the first computer that's been affected by this in this house, so I have a feeling it has to do with AT&T's router/firewall settings. I've contacted them time and time again and they keep telling me the only way it can happen is if someone else is in the house and does this to the computer, which is ridiculous.
So here's the thing... I'm a single mom with 3 kids and I can't afford to buy another computer or continue throwing money away on repairs that don't work. My kids need a computer for school, so I'm hoping someone can help me. I'm writing this on my iPhone, since the computer is once again resetting (which is another issue... it doesn't actually reset back to factory settings. I know this because when I boot it back up, it still belongs to a domain). Can someone please, PLEASE help me? When I think about how long someone has been watching me and my kids (I now have the camera covered with tape), it makes me feel physically ill!


Edited by hamluis, 09 October 2016 - 01:13 PM.
Moved from W10 Support to Am I Infected - Hamluis.




#2 RolandJS

Posted 09 October 2016 - 01:03 PM

I'm going to risk coming across as a meanie -- however, my question, as kindly as I know how to ask, is:

How do you know that the computers, then and now, are not accidentally being guided by your kids [or by their friends], going to places that lead to the kind of problems you're posting about?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 tink03

Posted 09 October 2016 - 01:53 PM

You're not being mean. I know this because since it got the first virus, I haven't let any of them touch it or given them the new password I set on it.

#4 tink03

Posted 09 October 2016 - 01:56 PM

Also, just so you know, I have shut down everything I possibly could that has to do with remote connections. Unchecking "Allow Remote Access" does absolutely nothing. I've gone into Services and only allowed programs to run that absolutely had to. I'm at a loss...

Edited by tink03, 09 October 2016 - 01:57 PM.


#5 Viper_Security

Posted 09 October 2016 - 02:07 PM

You can run RKill to kill any unwanted services and check the hosts file.

You can try flushing your DNS and renewing your IP with:

ipconfig /flushdns (flushes the domain name server)

ipconfig /release (releases your current IP)

ipconfig /renew (renews your IP)

Also, if you're worried about the camera thing, you can disable the driver in Device Manager and it won't work until you enable it again.

And this sort of thing could happen by just browsing unsafely, e.g. clicking untrusted links, clicking an ad, a script could be out of date, etc. There are many possibilities.


Edited by Viper_Security, 09 October 2016 - 02:08 PM.

    IT Auditor & Security Professional



#6 tink03

Posted 09 October 2016 - 02:14 PM

I'll give both a shot.

#7 tink03

Posted 09 October 2016 - 02:20 PM

I started an administrator command prompt, ran the first command (ipconfig /flushdns) and it says "Could not flush the DNS Resolver Cache: Function failed during execution."

#8 Viper_Security

Posted 09 October 2016 - 02:21 PM

That is odd. In the command prompt window type in "netsh winsock reset" and then try it again.




#9 tink03

Posted 09 October 2016 - 02:59 PM

OK, did that and it worked this time. On to the second step, and I have some errors. How can I attach pictures to a post?

#10 tink03

Posted 09 October 2016 - 04:06 PM

Thanks for your time, but nothing is going to work. The monsters have found a way into safe mode and won't let me do anything. I see a command window flash when I go into safe mode, so no matter what I do, they'll just change it anyway. Not sure what I can possibly do here. One more question. How do I completely strip this copy of Windows out of this machine and put in another copy? And if I do that, will the registry change, or is the registry attached to the hard drive? Would I need another hard drive AND another copy of Windows?

#11 Viper_Security

Posted 09 October 2016 - 04:46 PM

You shouldn't need another HDD and Windows. Just perform a clean install on the machine and wipe all partitions (save data on an external drive first) before you click the "Install" button. Then you shouldn't see issues anymore. You will have to re-install the programs, and it's best to scan your backup before you put it on the machine again.




#12 GibFTW

Posted 09 October 2016 - 05:29 PM

You can probably fix this in your hosts file. Also make sure to run a lot of virus scans. Doing something like hosting somebody's personal files on a domain is just disgusting.



#13 tink03

Posted 09 October 2016 - 06:39 PM

@Viper_Security ~ Thank you. I have a question though. If I save my data on an external drive, when I put it back in, will it still be part of a domain? I can't stand that I can't control anything on this laptop. And scans? Not one antivirus or malware program has ever found a problem. The person who has control of this machine is incredibly smart with computers... a hell of a lot better than I am! They've obviously changed registry settings so that nothing gets through.

#14 tink03

Posted 09 October 2016 - 06:44 PM

@GibFTW ~ Thank you for your help. Unfortunately, I don't have a clue how to fix something in the hosts file. Where would I find it? My laptop was just a regular laptop bought at Walmart. It was never part of a domain until this happened. Now, because they turned it into a domain, I don't know how to change it back. How do I delete a domain off of something if I don't know their password, or even how they accomplished it? Ugh! Some people are just horrible human beings!

#15 Viper_Security

Posted 09 October 2016 - 06:58 PM

Quote (tink03): @Viper_Security ~ Thank you. I have a question though. If I save my data on an external drive, when I put it back in, will it still be part of a domain? I can't stand that I can't control anything on this laptop. And scans? Not one antivirus or malware program has ever found a problem. The person who has control of this machine are incredibly smart with computers...a hell of a lot better than I am! They've obviously changed registry settings so that nothing gets through.

That's why you scan it before you put it back onto the machine. If it did happen to be one of those files, Malwarebytes (or whichever you choose) should find it. :)

Also, if you do a clean install it will be like a new system (same hardware, of course), but the OS would be clean. During the part of the install where it asks to install Windows, delete all the partitions until it shows one disk at 999/999GB free (with 999 being an example of your HDD size).

Then it will do its thing. Let it install updates before you put your data back on there.

After you scan your backup, if nothing was found, you're good to go ahead and copy it back over.


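An added triage script, not from this thread or any of its posters, that checks the things the thread argues about: whether the machine is really domain-joined, what the "Microsoft virtual" adapter is, whether Remote Desktop and remote-management services are off, who holds local administrator rights, and whether the hosts file has custom entries. It assumes Windows 10 and an elevated PowerShell prompt; it only reads state and changes nothing, so the output can be posted for others to interpret.

```powershell
# Added example (not from this thread): read-only triage of the symptoms
# described above. Run in an elevated PowerShell prompt on Windows 10.

# 1. Domain membership: a home PC shows PartOfDomain=False, Domain=WORKGROUP.
#    DomainRole 0 = standalone workstation, 1 = member workstation.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$cs | Select-Object Name, PartOfDomain, Domain, Workgroup, DomainRole | Format-List

# 2. Adapters: a "Microsoft ... Virtual" adapter is usually Hyper-V, Wi-Fi
#    Direct or a VPN client, so read the description before assuming a VM.
Get-NetAdapter -IncludeHidden |
    Select-Object Name, InterfaceDescription, Status, MacAddress |
    Format-Table -AutoSize

# 3. Remote Desktop: fDenyTSConnections = 1 means incoming RDP is denied.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections | Select-Object fDenyTSConnections

# 4. Remote-management services: current Status and StartType.
Get-Service -Name WinRM, RemoteRegistry, TermService, RemoteAccess `
    -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 5. Who is a local administrator? An account you did not create matters
#    more than any single setting.
Get-LocalGroupMember -Group Administrators |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 6. hosts file: the stock file is all '#' comments, so any line printed
#    here is a custom mapping worth explaining.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# 7. Applied computer policy: a domain or local Group Policy that restricts
#    the account would show up here.
gpresult /r /scope:computer
```

If step 1 reports PartOfDomain=False and a WORKGROUP name, the machine is not domain-joined regardless of what a reset screen says, and the remaining output points at where the restrictions actually come from.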

