
Hacked I think.


36 replies to this topic

#16 jrtitus2017

jrtitus2017
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 09 November 2017 - 08:50 AM

Checking .NET Framework version...
.NET Framework 4.0 Client found, no need to install.
Proceeding with remainder of installation.
Output folder: C:\Program Files (x86)\FileHippo.com
Extract: FileHippo.AppManager.exe
Extract: updater.exe
Created uninstaller: C:\Program Files (x86)\FileHippo.com\Uninstall.exe
Create shortcut: C:\Users\James\Desktop\FileHippo App Manager.lnk
Create shortcut: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FileHippo App Manager.lnk
Completed


#17 jrtitus2017


Posted 09 November 2017 - 10:22 AM

http://www.msn.com/?pc=EUPP_ and http://www.msn.com/?ocid=iehp&pc=EUPP are the pages that come up in IE11. Windows 8.1 64 Bit, Dell XPS8700.

#18 jrtitus2017


Posted 09 November 2017 - 11:06 AM

Now MSN changed to this: http://www.msn.com/?pc=EUPP_UE09&ocid=UE09DHP, not sure why it keeps changing, weird.



#19 jrtitus2017


Posted 09 November 2017 - 07:44 PM

Do you know any code? Programming code, I have something I want to share.

#20 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,278 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:26 AM

Posted 09 November 2017 - 08:59 PM

Saying things like "none of it looks right" or "all looks wrong" doesn't give me anything to work with.

Your link to the MSN page looks completely normal.
You say you're not a programmer but you try to look at page source. Why, since you're not a programmer?

You would have to give me some concrete examples of something being wrong with your computer.

Saying "I think I've been hacked" doesn't do anything.




 


#21 jrtitus2017


Posted 10 November 2017 - 09:07 AM

https://answers.microsoft.com/en-us/ie/forum/ie8-windows_vista/how-to-fix-msncom-redirected-to-aserusmsncom/f2c36da8-951f-4e2d-9a8b-ff4e4f73951a?auth=1

Found this forum. I have been reading about issues with registry redirects; I found this, read it, looked at the registry, and found some things that take me to the pages I am getting. It looks like something or someone changed it. Not sure what the OEM was set at.

#22 jrtitus2017


Posted 10 November 2017 - 09:45 AM

https://answers.microsoft.com/en-us/ie/forum/ie8-windows_vista/how-to-fix-msncom-redirected-to-aserusmsncom/f2c36da8-951f-4e2d-9a8b-ff4e4f73951a?auth=1

Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141

Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

Start Page Redirect Cache AcceptLangs = en-US

So if you read the link above on checking registry redirects: I'm not sure what the OEM was set at, but it seems off to me. I know it's an older forum, but these are the things that seem to open, and I didn't change any of them.
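
Added example (not part of the original post, and not output from any tool used in this thread): a short Python check that parses the values listed above and classifies each URL by the host it really points to. The expected-domain list and the second, constructed set of values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Values exactly as listed in the post above.
REPORTED = """\
Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
Start Page Redirect Cache AcceptLangs = en-US
"""

# Constructed sample values (not from the thread) that look similar at a
# glance but do not point at the expected domains.
CONSTRUCTED = """\
Start Page = http://www.msn.com.portal.example/?ocid=iehp
Search Page = http://go.microsoft.com@portal.example/fwlink/
Start Page Redirect Cache = http://203.0.113.7/home
"""

# Assumption: registrable domains an untouched IE11 install is expected to use.
EXPECTED_DOMAINS = ("microsoft.com", "msn.com")


def parse_values(text):
    """Turn 'Name = value' lines into a dict, splitting on the first ' = '."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:
            values[name.strip()] = value.strip()
    return values


def host_is_expected(host):
    """True only for an expected domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def classify(value):
    """Return 'not-a-url', 'expected' or 'review' for one value."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not-a-url"
    # user@host syntax hides the real host behind a familiar-looking prefix.
    if parts.username is not None or not host_is_expected(parts.hostname):
        return "review"
    return "expected"


def audit(text):
    """Classify every value in a block of 'Name = value' lines."""
    return {name: classify(value) for name, value in parse_values(text).items()}


if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("constructed", CONSTRUCTED)):
        for name, verdict in audit(text).items():
            print(f"{label:12} {name:40} {verdict}")
```

A "review" verdict only means the host falls outside the assumed list; it is a prompt to look closer, not proof of tampering.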

#23 jrtitus2017


Posted 10 November 2017 - 10:50 AM

https://social.technet.microsoft.com/Forums/windows/en-US/0e629797-854e-47cb-97ec-76bcc55a6fff/how-to-disable-this-link-httpgomicrosoftlinkid299201?forum=w7itproinstall

Redirect http://go.microsoft.com/fwlink/p/?LinkId=255141

https://www.bleepingcomputer.com/forums/t/662123/hacked-i-think/page-2#entry4377276

Also found this; there seems to be a lot of this. So what do you think? Sorry, it seems hopeless.

Edited by jrtitus2017, 10 November 2017 - 10:50 AM.


#24 Unworn_Kilt

Unworn_Kilt

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:10:26 PM

Posted 13 November 2017 - 02:08 AM

Hello,

Please excuse me putting in my two cents worth here.

I have a question for you "Jrtitus2017":

Have you ever, in the past, had a popup come up on your computer saying that you're infected with some type of virus and asking you to contact Microsoft on a freecall telephone number?

If yes will you please advise me of what you did?

I'm asking this as I had a similar problem at one point. It was my computer but another person using it. They allowed someone to log into my computer and I had very similar problems to those you describe until I eventually destroyed the computer. I was advised by the police that I had acquired a serious network infector that nobody could seem to locate or identify.

The police advised destroying the computer and changing all email addresses and other details including my telephone numbers, both landline and cell.

During the time I was infected all anti-virus and anti-malware software appeared to be running just fine but in reality all that were running were "facades" of the programs.

I'd be interested to hear please.

Good luck and if I find anything out I'll let you know.

Thanks for your time.


Edited by Unworn_Kilt, 13 November 2017 - 02:09 AM.

** Walk Softly and Carry a Big Stick **


#25 jrtitus2017


Posted 13 November 2017 - 07:57 AM

Yeah, I did let people use my computers and tablets and cell phones all the time until 8/10/17, but I have now learned never to let anyone use them with me still logged in and with my logins. And yes, I had a few of those pop-ups with a warning and "call this number". I closed the window the first time, X in the right corner of the warning, like a dummy, then read that you are supposed to shut down the system with either the power button or as if shutting down with Ctrl/Alt/Delete. Hard to tell if and what the other users of my computer did if it came up, so it very well could be something like that. Seems all my web pages, and same as you said, seems the same issues I have been having too with the virus scanners. So I'm not the only one out there that has had this issue. This is like the worst I've ever seen; I've had a lot of viruses and been hacked over the years where they had to replace the hard drive or the computer was too old to fix. So what do you suggest? I am very confused. What to do here? This has been a nightmare. They got into my Google too; it's like a Trojan, or as if someone has control of my computer besides me. I have had that problem on and off, but changing my passwords used to resolve it, it seemed, but now that doesn't work. Seems they hack right back in. I think the Registry has been changed too. Can they just put a new hard drive in, I hope, or what? Guess it could be a serious network infector. ????????

Thanks.

Edited by jrtitus2017, 13 November 2017 - 08:01 AM.


#26 Unworn_Kilt


Posted 13 November 2017 - 08:29 AM

Thanks for getting back to me.

I'm not in any position to be giving advice at that level unfortunately. I'm not a Trained Malware Removal Expert.

I'm here at the moment to try to get a similar situation resolved.. I hope.

I'd follow the advice of BRONI. He knows his stuff. If I was as well trained as him I doubt I'd be here now!

I'm starting to wonder if there's a new infector in the wild. I've seen a lot of systems go down with similar symptoms recently. Time will tell.

I've also seen some signs that suggest an older infector/hack MAY have been re-worked and re-released.

I was running quite serious security gear when I noticed the infection. My WMI went crazy and Kaspersky Total 2017 was completely overwhelmed. I was getting warnings faster than I could react. The system I'm using at present isn't my own. It belongs to a friend. Her system is showing similar symptoms to those mine did in the early stages of the Malware.

Regarding my own system, I can't even install Anti-Virus software as the infector seems to recognise it and it is immediately corrupted or refuses to install. I've had to take it off the network for the time being. I have it booked in on the 23rd to have the hardware reworked. I used to build systems and do a tiny amount of programming many years ago.

If the guys here can't help you, you might need to think about doing the same thing as me. I can't even flatten my system and do a fresh install of Windows from a DVD as the infector has created its own Windows Image and hooks that rather than mine on the DVD. That implies a problem at boot level. If I wasn't running a laptop I'd drop out the battery from the BIOS and disconnect all the power (after turning off the PC) then try again. I'm too cranky to pull apart laptops. I'm NOT suggesting you try that, as you really do need to know what you're doing or you can BRICK your system.

One thing I did work out is that the Malware that dropped my machine can infect pretty much anything from Win95 up. Also, I was connected to a Windows 2000 remote server by an unknown remote Operator or BotNet.

Good luck with things and thank you for the information. I'm doing a sort of a survey to see how widespread this stuff is among general users.

Cheers, and I hope things work out for you too!!




#27 jrtitus2017


Posted 13 November 2017 - 08:36 AM

This is what comes up in my Firefox when I right-click on the start page and, on the drop-down menu that pops open, click View Page Source. It doesn't look right, plus I can't log into any of my stuff. Yeah, I tried all Broni said to try; same issues, seems nothing resolved it. I think he gave up too.


<?xml version="1.0" encoding="UTF-8"?>

<!-- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

<!DOCTYPE html [
<!ENTITY % htmlDTD
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"DTD/xhtml1-strict.dtd">
%htmlDTD;
<!ENTITY % globalDTD SYSTEM "chrome://global/locale/global.dtd">
%globalDTD;
<!ENTITY % aboutHomeDTD SYSTEM "chrome://browser/locale/aboutHome.dtd">
%aboutHomeDTD;
<!ENTITY % browserDTD SYSTEM "chrome://browser/locale/browser.dtd" >
%browserDTD;
]>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>&abouthome.pageTitle;</title>

<link rel="icon" type="image/png" id="favicon"
href="chrome://branding/content/icon32.png"/>
<link rel="stylesheet" type="text/css" media="all"
href="chrome://browser/content/contentSearchUI.css"/>
<link rel="stylesheet" type="text/css" media="all" defer="defer"
href="chrome://browser/content/abouthome/aboutHome.css"/>

<script type="text/javascript"
src="chrome://browser/content/abouthome/aboutHome.js"/>
<script type="text/javascript"
src="chrome://browser/content/contentSearchUI.js"/>
</head>

<body dir="&locale.dir;">
<div class="spacer"/>
<div id="topSection">
<div id="brandLogo"></div>

<div id="searchIconAndTextContainer">
<div id="searchIcon"/>
<input type="text" name="q" value="" id="searchText" maxlength="256"
placeholder="&searchInput.placeholder;"
aria-label="&contentSearchInput.label;" autofocus="autofocus"/>
<input id="searchSubmit" type="button" onclick="onSearchSubmit(event)"
title="&contentSearchSubmit.tooltip;"/>
</div>

<div id="snippetContainer">
<div id="defaultSnippets" hidden="true">
<span id="defaultSnippet1">&abouthome.defaultSnippet1.v1;</span>
<span id="defaultSnippet2">&abouthome.defaultSnippet2.v1;</span>
</div>
<span id="rightsSnippet" hidden="true">&abouthome.rightsSnippet;</span>
<div id="snippets"/>
</div>
</div>
<div class="spacer"/>

<div id="launcher">
<button class="launchButton" id="downloads">&abouthome.downloadsButton.label;</button>
<button class="launchButton" id="bookmarks">&abouthome.bookmarksButton.label;</button>
<button class="launchButton" id="history">&abouthome.historyButton.label;</button>
<button class="launchButton" id="addons">&abouthome.addonsButton.label;</button>
<button class="launchButton" id="sync">&abouthome.syncButton.label;</button>
<button class="launchButton" id="settings">&abouthome.preferencesButtonWin.label;</button>
<div id="restorePreviousSessionSeparator"/>
<button class="launchButton" id="restorePreviousSession">&historyRestoreLastSession.label;</button>
</div>

<a id="aboutMozilla" href="https://www.mozilla.org/about/?utm_source=about-home&amp;utm_medium=Referral"
aria-label="&abouthome.aboutMozilla.label;"/>
</body>
</html>

#28 Unworn_Kilt


Posted 13 November 2017 - 09:00 AM

That is weird.

I believe BRONI already had you reset your start page in Firefox. I'd suggest you do it if he didn't. I don't have time to re-read the thread at the moment. You could also reset your Internet Settings to default in Control Panel. I'd say that's probably been done already too.

That code looks like it's from a very old web page. It refers to HTML1. We're up to at least version 5 these days I believe.

Have you tried turning off your router/modem/gateway for a few minutes and powering it back up?

Some Routers and the like have a tiny reset hole on them. I can't recommend you do it, but with mine I stick a paperclip into it, it only just fits; that resets my Gateway to factory settings. It's a nuisance to have to set-up the passwords and ISP settings again though. It still didn't sort out my problem.

That mention of "Global" and "DTD" is a tiny bit concerning. I've heard some people mention what they call an "E-Tag" containing those on some of their devices. Don't take that as gospel as it's only hearsay and I can't confirm that. It's not what I'd expect to see. I just had a quick look at the first few lines of code for this site and it looks nothing like what you pasted in.

I'll do a couple of quick searches for you on that code you pasted in. I reckon global.dtd is part of Google Chrome. I'll let you know if I find anything. I'll be about 20 minutes or so.

Maybe BRONI will send you over to have some further logs examined. He's been very thorough already though.

Back shortly.....




#29 Unworn_Kilt


Posted 13 November 2017 - 09:10 AM

Have a read of this link. It might make you worry a little less.

https://www.bleepingcomputer.com/forums/t/615861/should-my-firefox-browser-contain-references-to-chrome/

I'll re-read the thread.




#30 jrtitus2017


Posted 13 November 2017 - 09:18 AM

This is part of the MSN page on IE11; I can't post the whole page source. Lines 1 - 13




Edited by jrtitus2017, 13 November 2017 - 09:22 AM.




