
Remote Control Over My entire network


This topic is locked
36 replies to this topic

#1 dfred2300

Posted 18 August 2017 - 10:27 PM

wf




#2 nasdaq (Malware Response Team)

Posted 19 August 2017 - 10:02 AM

Hi,

If you need help follow these instructions.

https://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/

#3 dfred2300 (Topic Starter)

Posted 19 August 2017 - 01:27 PM

Mod Edit:  Merged with existing topic in MRL - Hamluis.

 

I am copying and pasting this ending part which I put in the introductory stage. I live 20 feet from my parents, perfectly in range for their router, so that's why I know that happened, and I know that because a cable guy told me, along with the fact that I can not take it out of bridge mode: even when I get a message stating it is in bridge mode, if I click router mode the router will not reset. But we all have Windows 10, and 1 MacBook Pro running Sierra, along with iPhone and Android phones. This has been going on for over 6-8 months at least. And there has been fraudulent activity with credit cards and other things. But I have done some due diligence; for instance, let's say I have 3 devices on my own network, not counting my parents'; sometimes it will show 6 or 7. Even if it was counting my parents', if they're not home and only my devices are plugged in it'll show 5 or more sometimes. I have traced IPs to other states connected to my computer, and there is a host proxy 169.254 address that bypasses everything that we never set up. I have network tools that state there is a man-in-the-middle attack, and ARP spoofing/attack. I know MAC addresses are spoofed because they will show as ff:ff:ff:ff:ff, or as 01:0f:oo:01:ff, things like that. I have zero admin rights over anything of mine connected to the internet; as stated, if I give my own MacBook ownership to myself, the next time I log in it freezes and forces me to format. I have read-only on my MacBook Pro and I am actually categorized under "everyone", because if I were to take everyone's privileges before I add myself I could not add myself to the permissions list. On my Windows computers, like I said, I would have to race the remote shutdown once I turned on BitLocker; Nvidia drivers or any drivers would install themselves; all of my SSDs besides my main one running Windows were added as removable drives and not fixed data drives.
When I took my computer to a friend of mine who is an IT guy for a huge company, it actually installed drivers for things like the mouse and other things on its own. The Razer keyboard drivers, which record key clicks almost like a key logger, are constantly asking to install; if I format, in the middle of Windows updating that program pops up and asks to install. My AV, Trend Micro, once I switched, found it as a virus and removed it, and Trend Micro also always blocks Windows PowerShell, which I have never used nor even know how to use, from running. In Windows 10 Settings, in Update and Security where it has developer mode, Windows Store apps mode, or sideload mode, about 10 options get added, and one is allow to run as a different user, allow Remote Desktop connections, allow Windows PowerShell scripts, do not allow computer to sleep, and about 5 more, which have to do with files, Remote Desktop, or PowerShell. And they have boxes next to them with blue checks, and I can't do anything about it. Now these are added settings in Settings on the right side. But this bridge mode thing boggles my mind too. Any time you change any router setting it resets the router, but I can not get the router to do anything when I click router mode; there are 4 options: bridge, router, AP, and 1 other. I don't even know what the other two are, but I want router mode in my house and in my parents', not to have the two connected together.

 

 

Fing is showing something called Magic Control Technology right now with an IP of 192.168.1.8 and a MAC address of 00:05:1B:60:15:C4. These are what most of the addresses look like, lots of 0's and f's.

 

This next portion I already put inside of the intro section, but it doesn't hurt to add it here.

 

Hi guys, my name is Dan, I am from MA, and I need some help to fix an issue with my computer / network. It's way over my head, but that is what I came here for, and I can explain a little bit in this forum section.

 

Hi, as stated previously, I have had an absurd amount of networking issues; I have had to format my computer 5000 times, purchased VPNs, encrypted everything with BitLocker, FileVault, you name it. I live next door to my parents and our routers are stuck in bridge mode, thus creating an even larger network, and it never goes away. I have zero admin rights or permissions on my Mac, PC, or any phones or computers for anyone in our network. I've gone through at least 30-40 emails because constantly they get changed or the dual-authentication phone number is changed, and I can't access it. I bought a brand new ASUS computer and I was told access denied to the C drive; I logged into the hidden admin account, still denied, and then somehow the admin account I was using was no longer an admin account, it got every single privilege taken away. I am CLUELESS. I have network monitors and they say I have an ARP and man-in-the-middle attack, thus why I have 10 devices showing when I only have 3, lol. Anyways, any help from an expert, trust me, cuz everyone else I bring this to, either Geek Squad or Staples, laughs and says "I took networking, that is impossible." Really? Well, you race whoever is remotely shutting off my PC while I type my BitLocker password in, until after the 10th remote shutdown I type it in quick enough, and tell me that isn't a hacker.

Attached Files


Edited by hamluis, 19 August 2017 - 02:12 PM.


#4 dfred2300 (Topic Starter)

Posted 19 August 2017 - 01:29 PM

Oh, and actually, I have a screenshot on an HD of mine that has my router as a device, connected to a server, and then 3 devices are on there; they all had 192.168.1.5 and it was labeled Skype, another 192.168.1.6 also labeled Skype, and then 192.168.1.7 was labeled Teredo.



#5 dfred2300 (Topic Starter)

Posted 19 August 2017 - 02:34 PM

Here are some SSs of random IPs which are host proxy IPs and their spoofed MAC addresses connected on my network.

Attached Files



#6 nasdaq (Malware Response Team)

Posted 20 August 2017 - 08:16 AM

Step 1: Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Step 2: Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Step 3: Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[screenshot: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Wait for further instructions.
==============================

#7 dfred2300 (Topic Starter)

Posted 24 August 2017 - 09:39 PM

I was just messing with my router settings, and in this scan it is set to normal, but previously my DHCP table was 192.168.x.x and I wasn't even connected to my own town ISP; my IP address said Selco, the local cable company, but the numbers were way off, and a 169.254 host proxy address always appeared. I manually added the DNS server to use, and that's why I got the results back from this scan, but before, my IP, default gateway, and DNS server were all 192.168.1.1. Anyways, here are the results.

 

 

Attached Files



#8 dfred2300 (Topic Starter)

Posted 24 August 2017 - 09:44 PM

To clarify, part of my network issues were that every single thing besides the subnet mask, which was 255.255.255.0, was the same: my router was set to DHCP server with an IP of 192.168.1.1, the default gateway the same, and my IP. All 3, IP, gateway, and DHCP, were 192.168.1.1-192.168.1.154. I wasn't even connected to my own ISP company's DNS server. Once I switched the DNS server manually I got an IP, but it's the host proxy IP I have been seeing, a 169.254/16 address. I have the exact address if it will help. But this is a fresh install too, reformatted and I haven't used ANYTHING. Also, the DCOM server is set up always; I manually shut it off, and take any access to it away too, privileges remote or local. I don't get it.
 
 
 
Here is the Malwarebytes scan, attached.

Attached Files
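A triage script for the kind of ipconfig and ARP-table observations described in posts #3, #7 and #8 (a 169.254 address next to a 192.168.1.1 gateway, everything showing 192.168.1.1, MACs of all f's or all 0's, more devices listed than exist). This is an added example written for this page; it is not code from the thread or from any tool named in it. The `ipconfig /all` and `arp -a` text it parses is constructed sample input in the shape Windows prints, with made-up addresses and MACs, and the function and sample names are the example's own. It reports what each observation means by itself: a 169.254.0.0/16 address is the APIPA/link-local address Windows self-assigns when no DHCP lease is obtained, `ff:ff:ff:ff:ff:ff` in the ARP table is the Ethernet broadcast entry and `01:00:5e:..` entries are multicast, and one MAC answering for several IP addresses with the gateway among them is the pattern worth comparing against the MAC printed on the router itself.

```python
"""Triage of Windows `ipconfig /all` and `arp -a` text.

Added example; the sample input below is constructed, not captured from any
real machine, and the function names are this example's own.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `ipconfig /all`: DHCP is on, but the adapter
# fell back to a self-assigned 169.254.x.x address while a 192.168.1.1 gateway is
# still configured, the combination described in this thread.
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.37.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample in the shape of `arp -a`, with made-up MACs.
SAMPLE_ARP = """
Interface: 192.168.1.23 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.8           11-22-33-44-55-66     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_ipconfig(text):
    """Map 'Label . . . : value' lines to {label: value}; the first adapter wins."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        label, value = line.split(" : ", 1)
        fields.setdefault(label.strip(" ."), value.strip())
    return fields


def classify_address(value):
    """Say what an IPv4 address from ipconfig means (strips a '(Preferred)' suffix)."""
    addr = ipaddress.ip_address(value.split("(")[0].strip())
    if addr.is_link_local:   # 169.254.0.0/16: self-assigned because no DHCP lease arrived
        return "APIPA/link-local: no DHCP lease was obtained, Windows assigned it itself"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:      # RFC 1918, what a home router's DHCP normally hands out
        return "RFC 1918 private address, normally leased by the router's DHCP"
    return "public address"


def triage_ipconfig(text):
    """Return human-readable findings for one adapter's ipconfig /all block."""
    f = parse_ipconfig(text)
    findings = []
    raw = f.get("IPv4 Address") or f.get("Autoconfiguration IPv4 Address")
    if not raw:
        return ["no IPv4 address configured"]
    host = ipaddress.ip_address(raw.split("(")[0].strip())
    findings.append(f"host address {host}: {classify_address(raw)}")
    if "Autoconfiguration IPv4 Address" in f and f.get("DHCP Enabled") == "Yes":
        findings.append("DHCP is enabled but no lease arrived: check cabling, a router left "
                        "in bridge mode (no DHCP service), or a second DHCP server on the LAN")
    gw = f.get("Default Gateway")
    if gw:
        gateway = ipaddress.ip_address(gw)
        net = ipaddress.ip_interface(f"{host}/{f.get('Subnet Mask', '255.255.255.0')}").network
        if gateway == host:
            findings.append("host address equals the gateway address: duplicate-IP conflict")
        elif gateway not in net:
            findings.append(f"gateway {gateway} is not on subnet {net}: nothing can leave the LAN")
    return findings


def parse_arp(text):
    """Yield (ip, mac, type) triples from arp -a rows; MACs normalised to aa:bb:cc form."""
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            yield (ipaddress.ip_address(m.group(1)),
                   m.group(2).lower().replace("-", ":"), m.group(3).lower())


def triage_arp(text, gateway=None):
    """Separate normal broadcast/multicast rows from MACs shared by several IPs."""
    findings, by_mac = [], defaultdict(list)
    for ip, mac, _ in parse_arp(text):
        if mac == "ff:ff:ff:ff:ff:ff":
            findings.append(f"{ip} -> broadcast MAC: normal subnet-broadcast entry")
        elif ip.is_multicast or mac.startswith("01:00:5e:"):
            findings.append(f"{ip} -> multicast MAC: normal (mDNS/SSDP/IGMP)")
        else:
            by_mac[mac].append(ip)
    gw = ipaddress.ip_address(gateway) if gateway else None
    for mac, ips in by_mac.items():
        if len(ips) < 2:
            continue
        note = f"MAC {mac} answers for {', '.join(map(str, ips))}"
        if gw in ips:
            note += (": the gateway's IP shares a MAC with another host, the classic "
                     "ARP-spoofing pattern; compare with the MAC printed on the router")
        else:
            note += ": either one device with several addresses or a spoofed entry; verify physically"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for line in triage_ipconfig(SAMPLE_IPCONFIG) + triage_arp(SAMPLE_ARP, gateway="192.168.1.1"):
        print("-", line)
```

On a real machine the two samples would be replaced by the output of `ipconfig /all` and `arp -a` saved to text files; the script deliberately never touches the network, so it can be run on a copy of the output taken from the affected PC and read on another one.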



#9 dfred2300 (Topic Starter)

Posted 24 August 2017 - 10:02 PM

ROP Detection; from what I read it's pretty bad due to code writing, etc.

Attached Files



#10 nasdaq (Malware Response Team)

Posted 25 August 2017 - 07:31 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
RemoveProxy:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
===

#11 dfred2300 (Topic Starter)

Posted 03 September 2017 - 12:12 PM

How do I leave an Active Directory? I am pretty sure it's Azure AD, but my Windows and Mac computers / entire subnet are part of a local group or domain, I know for a fact, due to the 169.254 in network settings that says bypass any proxy or host domain settings, due to that IP, which I have in its entirety, being my host and admin. That is why I do not have admin or permissions on anything I use. I think it is an Azure AD due to the a248.akamaia.com or something like that replacing everything. For instance, I'll try to download my Trend Micro and it says files.trendmicro.com was replaced by a248.akamaia.com. I have had SQL Server files and I know the DCOM server is always on, but I am not sure exactly. What is an SQL and DCOM server's purpose? And how do I leave this / how will it be easier on my Mac or Windows computer? Simply formatting and reinstalling doesn't work, as I have had to do this on each computer, even bought new ones, at least 200-300 times all together. It has been going on for months. Thanks, and I appreciate a quick response!!



#12 nasdaq (Malware Response Team)

Posted 03 September 2017 - 01:18 PM

Did you execute the fix in post no. 10?

download my trend micro and it says files.trendmicro.com was replaced by a248.akamaia.com


This can be caused by a bad certificate at their end, or by the time and date on your computer.

Give me the link and I will check it.

#13 dfred2300 (Topic Starter)

Posted 03 September 2017 - 02:44 PM

"This server could not prove that it is download.msi.com; its security certificate is from a248.e.akamai.net. This may be caused by a misconfiguration or an attacker intercepting your connection."

 

I just went to msi.com because I have seen this message for my MSI desktop for a long time too; it's every single site that I go to. My SSL certificates are removed too; my Event Viewer says that. Trust me, it's not just one time or random. If I try going to a secure website and I am getting redirected to a non-secure website, I have a plugin that gives me that message, but like I said I see this daily. It doesn't matter the website, and every time I go to the DCOM settings and shut it off and shut off remote activation, my entire PC crashes and I get access denied to every single thing on my PC and can not open one file or folder and have to restart. Even if I go to the net user administrator account I have zero privileges, hence why I have been forced to format so many times. Similar on my Mac: if I give myself privileges and admin rights / ownership, my Mac crashes and it won't allow me to log in once I log out, restart, or anything I have to do that has to do with logging back in. The Apple line just stops 3/4 of the way and sits there, so I am forced to format, and it says administrators group, and there is admin where I put my name and take the admin one out. Somehow every single device in my network has the exact same static IP address too, and I can't even connect to my ISP; my router settings can not be changed; if I want to fix or change any settings, even ones that have to do with what I just said, it doesn't do anything, I still have the same DNS, IP address, gateway, and DNS server address. How can, let's say, a phone and multiple computers have the same IP address?? Also, what exactly is a DCOM server, and what is an SQL server??


Edited by dfred2300, 03 September 2017 - 02:48 PM.


#14 dfred2300 (Topic Starter)

Posted 03 September 2017 - 02:56 PM

This is from Trend's site right now, and I just formatted; this is right out of a fresh format, and that's probably the third site I went to. I did a diagnostic report with Sophos and it has a ton of stuff that I don't really know what it is / how to read, but I know that there shouldn't be that many errors and issues, and some of the files I can tell are bad, or idk if it's files or settings. But I don't know how a compatibility issue could occur on a brand new laptop that isn't even a month old. What is there to compat with??? Adware Cleaner always removes that too, the one you told me to go to.

Attached Files


Edited by dfred2300, 03 September 2017 - 02:57 PM.


#15 dfred2300 (Topic Starter)

Posted 03 September 2017 - 02:59 PM

THAT POST JUST GOT CHANGED, I HAD THE PICTURE OF THE QUOTE I JUST SENT YOU! FROM TREND MICRO





