
someone remotely changing user access controls


9 replies to this topic

#1 raymj49

  • Members
  • 148 posts
  • Gender:Female

Posted 30 June 2017 - 08:09 PM

Viewing Windows event logs, and after trying to run JRT and being denied when it was fine yesterday, it is clear someone has RA. Guess they were mad I disabled the guest account? Plus there are a MILLION user names on this thing if you look the right way. Help me get rid of this please, thanks


Edited by hamluis, 13 July 2017 - 05:19 PM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 jwoods301

  • Members
  • 1,489 posts
  • Gender:Male

Posted 30 June 2017 - 09:04 PM

The first step would be to disable Remote Desktop...

https://www.lifewire.com/disable-windows-remote-desktop-153337

Second, make sure all Windows security updates are installed.

Third, do the following to check for malware...

Download and run AdwCleaner -
https://www.bleepingcomputer.com/download/adwcleaner/

Download and run Malwarebytes Anti-Malware -
https://www.malwarebytes.org/antimalware/

Download and run Junkware Removal Tool -
https://www.bleepingcomputer.com/download/junkware-removal-tool/

Create a System Restore point first.



#3 raymj49 (Topic Starter)

  • Members
  • 148 posts
  • Gender:Female

Posted 04 July 2017 - 09:36 PM

Hi, already disabled remote desktop previously, but will re-check. As is a habit of mine I recently ran AdwCleaner, ran a scan with MBAM Premium, tried JRT but was denied access today (vs. fine yesterday). Will try downloading JRT and running it and all the others again anyway. I think the problem is shown in the event logs: it says "SUPERUSER" control is changing things while I am NOT awake, things I have not done, or right after I make a change, and any changes I make are reverted. Like blocking user "guest" access and taking away access rights was undone; I had blocked it because it was suspicious to me but now it has free reign again. Another example: Networking may say other access points are disconnected, but there is data flowing out. Anyway I will do as advised but I'm afraid that there may be repercussions from this person if I try to do anything to take away their access.

#4 raymj49 (Topic Starter)

  • Members
  • 148 posts
  • Gender:Female

Posted 04 July 2017 - 09:37 PM

Really seems like it is coming from programs that were built into the computer, that are still there and should be, from 2009 all the way to 2013

#5 jwoods301

  • Members
  • 1,489 posts
  • Gender:Male

Posted 05 July 2017 - 01:39 AM

> Hi, already disabled remote desktop previously, but will re-check. As is a habit of mine I recently ran AdwCleaner, ran a scan with MBAM Premium, tried JRT but was denied access today (vs. fine yesterday). Will try downloading JRT and running it and all the others again anyway. I think the problem is shown in the event logs: it says "SUPERUSER" control is changing things while I am NOT awake, things I have not done, or right after I make a change, and any changes I make are reverted. Like blocking user "guest" access and taking away access rights was undone; I had blocked it because it was suspicious to me but now it has free reign again. Another example: Networking may say other access points are disconnected, but there is data flowing out. Anyway I will do as advised but I'm afraid that there may be repercussions from this person if I try to do anything to take away their access.

Post a couple of examples of SUPERUSER entries in your Event logs.

What security software do you have running on your system (firewall, antivirus, antimalware, anything else)?

Is the firewall enabled on your router?

Are you current on all Windows Updates (especially security updates)?

Do you log on with an Administrator account or a Standard user account?

How exactly are you "blocking access rights"?

Have you ever had a confirmed malware infection in the past?

Download and run Sysinternals' Process Explorer.
https://technet.microsoft.com/en-us/sysinternals/bb896653

Also, enable the VirusTotal check in Process Explorer by clicking on Options > VirusTotal.com > Check VirusTotal.com

Look for any process that is flagged as suspicious by VirusTotal.

Use the built-in Windows Snipping Tool to grab screen shots.
Post the images on a site such as Dropbox, Imgur, etc. and paste the links to the images in the thread.

Download and run Sysinternals' Autoruns.
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

As with Process Explorer, look for any entry that is flagged as suspicious by VirusTotal.

Use the built-in Windows Snipping Tool to grab screen shots.
Post the images on a site such as Dropbox, Imgur, etc. and paste the links to the images in the thread.


Edited by jwoods301, 05 July 2017 - 01:45 AM.


#6 raymj49 (Topic Starter)

  • Members
  • 148 posts
  • Gender:Female

Posted 15 July 2017 - 12:25 AM

Hi, so I'll do things one at a time.

Should have saved the $SUPERUSER logs so I'll have to find them manually.

I had just disabled the guest account, only to find a log of it being (given access) - right term? again in event logs.

I use MBAM Premium, Windows Firewall.

Wow... no wonder I'm having trouble finding some of those logs, a new account was created and can delete event logs...

Should I create a non-admin account to log into?
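One way to gather the evidence jwoods301 asks for in post #5 (examples of account-management entries in the event logs) and to check what raymj49 reports in post #6 (an account being created, and the Security log being cleared), as an added PowerShell example that is not from the thread or from any poster. It assumes Windows 7 or later with PowerShell 2.0 or newer, run from an elevated prompt because the Security log can only be read by administrators; the event IDs are the standard Windows Security auditing IDs, and the 30-day look-back window is an arbitrary choice.

```powershell
# Added example, not from the thread. Collects the evidence a helper would ask
# for when a machine shows unexplained account and permission changes.
# Run from an elevated PowerShell prompt (the Security log is admin-only).

# Standard Windows Security auditing event IDs:
#   4720  user account created            4722  user account enabled
#   4724  password reset by another user  4726  user account deleted
#   4732  member added to a local group   1102  audit log cleared
$eventIds = 4720, 4722, 4724, 4726, 4732, 1102
$since    = (Get-Date).AddDays(-30)   # arbitrary look-back window

function Test-IsElevated {
    # True when this PowerShell session actually holds administrator rights
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    Write-Warning "Not elevated: the Security log cannot be read from this session."
}

Write-Host "== Local accounts (check the Guest state and any name you do not recognise) =="
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, Lockout, SID |
    Format-Table -AutoSize

Write-Host "== Members of the local Administrators group =="
net localgroup Administrators

Write-Host "== Is account-management auditing on? (auditing off = no 47xx events at all) =="
auditpol /get /category:"Account Management"

Write-Host "== Account, group and log-clearing events since $since =="
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $eventIds; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No matching events in the window: auditing may be off or the log may have been cleared."
}
$events | Sort-Object TimeCreated | ForEach-Object {
    # The first line of the message names the action; the body names the
    # subject (who did it) and the target account.
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Summary = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table Time, EventId, Summary -AutoSize -Wrap
```

To post the result in a thread, append `| Out-File C:\evidence.txt` to each command, or run the whole script with `> C:\evidence.txt`. A 1102 entry is the direct answer to "who can delete event logs": its message records the account that cleared the log. A 4720 entry followed by a 4732 for the Administrators group is the pattern of a new account being created and then given admin rights, so those two are the ones to look at first.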



#7 jwoods301

  • Members
  • 1,489 posts
  • Gender:Male

Posted 16 July 2017 - 02:27 AM

What version of Windows are you using?

Also, when you are feeling up to it -

Please review post #5 and provide answers to those questions, and confirm that you have installed Autoruns and Process Explorer, and looked at the output as mentioned.

Thanks!



#8 raymj49 (Topic Starter)

  • Members
  • 148 posts
  • Gender:Female

Posted 24 July 2017 - 10:39 PM

Windows 7 Pro

The Superuser entry logs and other shady ones have mysteriously disappeared, and their existence seems to have been replaced with an unknown user with a very long string name whose only action is to be able to "delete" entries in event logs.

Router firewall on and Windows firewall engaged, modem reset.

Windows updates up to date.

I was always using an admin account, but I have only been using a standard account since then. Will Autoruns and Process Explorer only show what programs are running under this user, or the entire computer?

I was blocking access rights by going through whatever program, Properties > Security > user rights etc., or occasionally the local computer clip in, but usually I won't mess with that.

Looking at output... thanks!



#9 raymj49 (Topic Starter)

  • Members
  • 148 posts
  • Gender:Female

Posted 24 July 2017 - 10:43 PM

I did see a few that said local user registry handle leaked? Not sure what that means but I've been apprehensive to log into the admin account.



#10 raymj49 (Topic Starter)

  • Members
  • 148 posts
  • Gender:Female

Posted 24 July 2017 - 10:44 PM

Is it okay (while logged in as the new standard user) to have the feature enabled that allows me access to admin rights as long as I put in my password?





