
Help! Fairly sure I've been hacked

No replies to this topic

#1 MarkCa


  • Members
  • 1 posts

Posted 04 December 2016 - 08:00 PM

As the title states, I'm pretty sure I've been hacked and not sure what to do or how to do it. Don't really use the PC much right now as we've been in and out doing Christmas shopping etc. My wife talks to her mother and grandmother in Bulgaria using Skype (we live in N. Ireland) and everything was fine today. We had a nice picture of our daughter as the desktop background, and tonight I noticed the machine was turned off; however, we had left it on earlier, so I found it odd. Turned it on to discover the background image had been changed to a guy standing over 'rocks' that looked like, well, poo, to be blunt but polite. I also noticed a few web searches had been done for 'dog poop', then an image search looked at / big poop / PayPal, and a porn site video had loaded. Neither of us had done any of those searches or watched any porn, so obviously I was angry about the prospect of someone hacking into the computer.

Now, a few days ago I noticed with my PayPal account that 16 euros had been spent on something, most likely a digital item, so I disputed it with PayPal and within a few hours they said they were satisfied no one else did it but me, so refused to take it further. I called them quite angry about it as I know for sure I hadn't done it (thankfully my card / bank had expired and it was the balance), and after a few seconds the nice guy on the phone decided to double-check why it was refused, and he quite specifically said he'd check IP logons to see what's going on. After another 20 seconds he came back telling me he's right now going to refund £15 to me. He wouldn't really say why, but my guess is he obviously saw something, and he just kept saying about human error. To me these 2 things MUST be connected somehow. I have changed my PayPal password since but haven't had time to change my others, but will do now on my wife's Kindle tablet.

Here are some log files I've done.

Can we not post .txt files here? Can't seem to find an option for it.


AdwCleaner scan log

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

Folder Found:  C:\Users\BuggerMe\AppData\Roaming\imminent
Folder Found:  C:\Users\BuggerMe\AppData\Local\Geckofx
Folder Found:  C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm

***** [ Files ] *****

File Found:  C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gngocbkfmikdgphklgmmehbjjlfgdemm_0.localstorage
File Found:  C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gngocbkfmikdgphklgmmehbjjlfgdemm_0.localstorage-journal

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

Key Found:  HKU\S-1-5-21-4016514153-3046578498-1121318311-1001\Software\APN PIP
Key Found:  HKU\S-1-5-21-4016514153-3046578498-1121318311-1001\Software\distromatic
Key Found:  HKU\S-1-5-21-4016514153-3046578498-1121318311-1001\Software\INSTALLPATH\STATUS
Key Found:  HKCU\Software\APN PIP
Key Found:  HKCU\Software\distromatic
Key Found:  [x64] HKCU\Software\APN PIP
Key Found:  [x64] HKCU\Software\distromatic
Key Found:  [x64] HKCU\Software\INSTALLPATH\STATUS

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\BuggerMe\AppData\Local\Chromium\User Data\Default\Web data] - uk.ask.com
Chrome pref Found:  [C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Web data] - uk.ask.com
Chrome pref Found:  [C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - gngocbkfmikdgphklgmmehbjjlfgdemm


C:\AdwCleaner\AdwCleaner[C1].txt - [3828 Bytes] - [02/05/2016 23:08:41]
C:\AdwCleaner\AdwCleaner[S1].txt - [4175 Bytes] - [02/05/2016 23:06:20]
C:\AdwCleaner\AdwCleaner[S2].txt - [2434 Bytes] - [05/12/2016 00:00:08]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [2507 Bytes] ##########


AdwCleaner clean log

[-] Folder deleted: C:\Users\BuggerMe\AppData\Roaming\imminent
[-] Folder deleted: C:\Users\BuggerMe\AppData\Local\Geckofx
[-] Folder deleted: C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm

***** [ Files ] *****

[-] File deleted: C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gngocbkfmikdgphklgmmehbjjlfgdemm_0.localstorage
[-] File deleted: C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gngocbkfmikdgphklgmmehbjjlfgdemm_0.localstorage-journal

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKU\S-1-5-21-4016514153-3046578498-1121318311-1001\Software\APN PIP
[-] Key deleted: HKU\S-1-5-21-4016514153-3046578498-1121318311-1001\Software\distromatic
[-] Key deleted: HKU\S-1-5-21-4016514153-3046578498-1121318311-1001\Software\INSTALLPATH\STATUS
[#] Key deleted on reboot: HKCU\Software\APN PIP
[#] Key deleted on reboot: HKCU\Software\distromatic
[#] Key deleted on reboot: HKCU\Software\INSTALLPATH\STATUS
[#] Key deleted on reboot: [x64] HKCU\Software\APN PIP
[#] Key deleted on reboot: [x64] HKCU\Software\distromatic
[#] Key deleted on reboot: [x64] HKCU\Software\INSTALLPATH\STATUS

***** [ Web browsers ] *****

[-] [C:\Users\BuggerMe\AppData\Local\Chromium\User Data\Default\Web data] [Search Provider] Deleted: uk.ask.com
[-] [C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: uk.ask.com
[-] [C:\Users\BuggerMe\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: gngocbkfmikdgphklgmmehbjjlfgdemm


:: "Tracing" keys deleted
:: Winsock settings cleared


C:\AdwCleaner\AdwCleaner[C1].txt - [3828 Bytes] - [02/05/2016 23:08:41]
C:\AdwCleaner\AdwCleaner[C2].txt - [2396 Bytes] - [05/12/2016 00:09:49]
C:\AdwCleaner\AdwCleaner[S1].txt - [4175 Bytes] - [02/05/2016 23:06:20]
C:\AdwCleaner\AdwCleaner[S2].txt - [2598 Bytes] - [05/12/2016 00:00:08]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2615 Bytes] ##########


What other scans should I run? I'm currently running TDSSKiller, then I'll run the ESET online scanner. I have also noticed my Comodo AV had been disabled (now turned back on). Sorry for the long post at the beginning, just trying to give as much info as possible. Any way I can start changing passwords without using a tablet (will take forever)? Can I use the sandbox mode in Comodo to do them? I just can't see how any malware would do searches for 'dog poop' and seemingly ONLY change my desktop background image, which was located in C:\Users\BuggerMe\AppData\Roaming\Mozilla\Firefox and named desktop background.bmp.
Also, any way I can look at log files to see if someone has accessed the machine? I don't really know what I'm looking at.


Thanks for any help, I badly need it.


EDIT: just noticed the Imminent folder keeps coming back with a log folder and 1 file. What is that, if anyone knows?

Edited by MarkCa, 04 December 2016 - 08:05 PM.
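As an added example (not part of MarkCa's post, and not a reply from the thread), here is a PowerShell triage script that addresses the two questions left open above: whether Windows recorded anyone logging on to the machine, and what on the box could be recreating the `imminent` folder after AdwCleaner deletes it. It reads the Security event log for logon events (4624 success, 4625 failure) and shows the logon type and source address for each, lists the Run keys, Startup folders and non-Microsoft scheduled tasks that would re-launch something at every logon, dumps the returning folder's contents with timestamps, and flags running processes whose executable lives under AppData or Temp. It has to be run from an elevated (Run as Administrator) PowerShell prompt, because the Security log is not readable by a standard user. The folder path, the seven-day window and the user-writable directory list are assumptions made for this example; the folder name is taken from the AdwCleaner log in the post.

```powershell
# Added triage script for this thread (not from the original post).
# Run from an elevated PowerShell prompt: the Security log needs Administrator.
# Assumptions: the folder name matches the AdwCleaner log above, and seven
# days is enough to cover the period the post describes.
$Days          = 7
$SuspectFolder = Join-Path $env:APPDATA 'imminent'
$since         = (Get-Date).AddDays(-$Days)

# --- 1. Who logged on, from where ----------------------------------------
# 4624 = successful logon, 4625 = failed logon.
# LogonType 2 = at the keyboard, 3 = network (shares), 10 = Remote Desktop.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        SourceIP  = $data['IpAddress']
        Station   = $data['WorkstationName']
    }
}
# Drop machine accounts (name ends in $), SYSTEM, and purely local logons;
# anything left with a real SourceIP or LogonType 10 deserves a close look.
$logons |
    Where-Object { $_.User -notmatch '\$$|^SYSTEM$' -and
                   $_.SourceIP -notin @('-', '127.0.0.1', '::1') } |
    Sort-Object Time | Format-Table -AutoSize

# --- 2. What restarts at every logon (why a deleted folder comes back) ----
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
# Scheduled tasks outside the \Microsoft\ tree, with the command each one runs.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath
                               Exec = $a.Execute;     Args = $a.Arguments }
        }
    } | Format-Table -AutoSize

# --- 3. The returning folder, and processes running from user-writable dirs
if (Test-Path $SuspectFolder) {
    Get-ChildItem -Path $SuspectFolder -Recurse -Force |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}
# Legitimate software mostly lives under Program Files or Windows; a process
# whose image is under AppData or Temp is worth identifying (heuristic, not proof).
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
Get-Process | Where-Object {
    $p = $_.Path
    $p -and ($userDirs | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
} | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
```

One caveat when reading the output: logon events only record logons that go through Windows authentication (at the keyboard, Remote Desktop, file shares). A remote-access tool that runs as the already logged-in user and connects outbound to whoever controls it produces no 4624 event at all, so an empty logon list is not evidence that nobody was driving the desktop; for that scenario the Run-key, task and process listings are the evidence that matters, and whichever entry points at the file that recreates the folder is the thing to identify before trusting the machine again. Changing passwords from a device that has not touched the PC (the tablet, as planned) is the right call regardless of what the script shows, since anything typed on a machine that may be compromised has to be assumed captured.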
