
Laptop hacked remotely, but spread from my iPhone, need help please!


  • This topic is locked
9 replies to this topic

#1 Bearyjuice

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:39 PM

Posted 07 July 2018 - 08:14 PM

Hi, I'm at the end of my tether with electronic devices atm.


I noticed my iPhone 7 acting strangely about 2 months ago. On my 3rd or 4th contact with Apple, the customer service agent told me that part of the buyer's agreement when buying an iOS device is having access to iTunes in case of restoring or updating the iOS!!!! Very much annoyed and frustrated by this time, my husband went out and bought me a used Galaxy A3. I put my SIM card in to find that it was locked to EE UK, so we went out the same day and bought a used Dell Latitude E5400, just to have the functionality of iTunes.


Just one day of hotspotting the iPhone to the laptop to get iTunes has rendered it useless too, as well as the Galaxy.


It's now been about a month that we have had the laptop. We have reinstalled Windows, different versions, and I have done a new install today of Windows 7. I believe that all systems are being hacked through the network. As soon as I put a fresh OS on today it asked me to give my user a name, and the PC too, so it could be identified on the network. So my standalone laptop already thinks it's part of a network before I even go into the desktop.


I got a copy of FRST from the Galaxy and was going to install it from the SD card, but this install the PC isn't even seeing the card when inserted. The malware or whatever it's called seems to learn with your use. I am barely able to install any software; it either refuses to start, says it's incompatible or refuses to run! Or, in the case of all antivirus, Malwarebytes etc., they do not pick up any problems.


It's definitely coming from the root. I have been into the registry before and basically destroyed it, but it crashed with only a couple of bad items left, and after reinstalling Windows it has popped up again.


As far as my phone goes, I have boiled it down to the network too. It's exploiting the capability that Apple has to send you updates when on Wi-Fi and on charge, through the Lightning cable. I'm still trying to get Apple to admit they can be hacked and have been told that the only thing left to do is for them to send my phone off for further investigation. One problem being that when I'm away from home, the problem is noticeably less significant. I think that the hack originally came from physical tampering with mine or my husband's iPhones. But the hack has spread from iOS, to Android, to Windows, to PS4!!


I managed to get online after reinstalling tonight and eventually got a copy of FRST, so I attach the 2 reports that came from the program and hope that someone can help me get rid of this nasty virus. It has caused no end of grief, upset, arguments, illness, even a missed flight because of the hack. Please, please help me.


Thanks guys

Unable to attach both files, so here's the first one.

Wouldn't allow me to copy either! Hope I'm able to submit this!!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20.06.2018
Ran by Juzzy (administrator) on HOPE-PC (08-07-2018 01:15:32)
Running from C:\Users\Juzzy\Desktop
Loaded Profiles: Juzzy (Available Profiles: Juzzy)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{8AEE63A8-6DBE-445A-89E9-5B021E42AF56}: [DhcpNameServer] 172.20.10.1

Internet Explorer:
==================
HKU\S-1-5-21-3310456977-1852635466-3921949137-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-08 05:34 - 2018-07-07 20:53 - 000000000 ____D C:\Windows\Panther
2018-07-08 05:33 - 2011-02-16 07:04 - 000000028 ___RH C:\Windows\version
2018-07-08 05:33 - 2011-02-16 07:04 - 000000013 ____R C:\Windows\csup.txt
2018-07-08 01:15 - 2018-07-08 01:15 - 000002975 _____ C:\Users\Juzzy\Desktop\FRST.txt
2018-07-08 01:13 - 2018-07-08 01:15 - 000000000 ____D C:\FRST
2018-07-08 01:12 - 2018-07-08 01:12 - 002412544 _____ (Farbar) C:\Users\Juzzy\Desktop\FRST64.exe
2018-07-08 00:54 - 2018-07-08 00:54 - 000001078 _____ C:\Users\Juzzy\Desktop\Documents - Shortcut.lnk
2018-07-07 22:46 - 2018-07-07 22:46 - 000057560 _____ C:\Users\Juzzy\AppData\Local\GDIPFONTCACHEV1.DAT
2018-07-07 21:00 - 2018-07-07 21:00 - 000013139 _____ C:\Users\Juzzy\Documents\going out.txt
2018-07-07 20:57 - 2018-07-07 20:57 - 000010594 _____ C:\Users\Juzzy\Documents\starttupo.txt
2018-07-07 20:54 - 2018-07-07 20:54 - 000001447 _____ C:\Users\Juzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-07-07 20:54 - 2018-07-07 20:54 - 000001413 _____ C:\Users\Juzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2018-07-07 20:54 - 2018-07-07 20:54 - 000000000 ____D C:\Users\Juzzy\AppData\Local\VirtualStore
2018-07-07 20:53 - 2018-07-08 00:07 - 000000000 ____D C:\Users\Juzzy
2018-07-07 20:53 - 2018-07-07 20:53 - 000000020 ___SH C:\Users\Juzzy\ntuser.ini
2018-07-07 20:53 - 2010-11-21 08:16 - 000000000 ____D C:\Users\Juzzy\AppData\Roaming\Media Center Programs
2018-07-07 07:56 - 2018-07-07 07:56 - 000000000 ____D C:\RegBackup
2018-07-07 07:06 - 2018-07-07 07:50 - 000462120 _____ C:\TDSSKiller.3.1.0.17_07.07.2018_07.06.50_log.txt
2018-07-07 07:00 - 2018-07-07 07:05 - 000173134 _____ C:\TDSSKiller.3.1.0.17_07.07.2018_07.00.37_log.txt
2018-07-07 06:18 - 2018-07-07 06:19 - 000000000 ___SD C:\ComboFix
2018-07-07 06:18 - 2018-07-07 06:19 - 000000000 ____D C:\Qoobox
2018-06-29 12:22 - 2018-06-29 12:22 - 000000000 ____D C:\Intel
2018-06-29 01:35 - 2018-06-29 01:37 - 000000000 ____D C:\Dell
2018-06-28 23:53 - 2018-07-08 05:33 - 000008192 __RSH C:\BOOTSECT.BAK
2018-06-28 23:53 - 2010-11-21 04:23 - 000383786 __RSH C:\bootmgr
2018-06-28 23:52 - 2018-06-28 23:52 - 000000000 ____D C:\Hotfix

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-08 05:33 - 2009-07-14 06:32 - 000028672 _____ C:\Windows\system32\config\BCD-Template
2018-07-08 05:33 - 2009-07-14 05:45 - 000000000 ____D C:\Windows\Setup
2018-07-08 05:33 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\system32\oobe
2018-07-08 01:03 - 2009-07-14 06:13 - 000713888 _____ C:\Windows\system32\PerfStringBackup.INI
2018-07-08 01:03 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\inf
2018-07-08 00:59 - 2009-07-14 05:45 - 000020640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-07-08 00:59 - 2009-07-14 05:45 - 000020640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-07-08 00:58 - 2009-07-14 06:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-07-08 00:57 - 2009-07-14 06:32 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2018-07-08 00:57 - 2009-07-14 06:32 - 000000000 ____D C:\Program Files\DVD Maker
2018-07-08 00:57 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\PolicyDefinitions
2018-07-07 20:53 - 2009-07-14 04:20 - 000000000 __RHD C:\Users\Public\Libraries
2018-07-07 20:52 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\rescache
2018-07-07 20:44 - 2009-07-14 05:45 - 000274320 _____ C:\Windows\system32\FNTCACHE.DAT
2018-07-07 20:38 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\system32\sysprep

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-07-07 20:35

==================== End of FRST.txt ================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by Juzzy (08-07-2018 01:16:08)
Running from C:\Users\Juzzy\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2018-07-07 19:53:46)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3310456977-1852635466-3921949137-500 - Administrator - Disabled)
Guest (S-1-5-21-3310456977-1852635466-3921949137-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3310456977-1852635466-3921949137-1002 - Limited - Enabled)
Juzzy (S-1-5-21-3310456977-1852635466-3921949137-1001 - Administrator - Enabled) => C:\Users\Juzzy

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2009-06-10 22:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3310456977-1852635466-3921949137-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Juzzy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 172.20.10.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

07-07-2018 21:07:58 Windows Modules Installer

==================== Faulty Device Manager Devices =============

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (07/08/2018 01:08:22 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: comctl32.dll, version: 6.10.7601.17514, time stamp: 0x4ce7b71c
Exception code: 0xc0000005
Fault offset: 0x000ac0d6
Faulting process id: 0x948
Faulting application start time: 0x01d4164f4ec95299
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
Report Id: 063fe85b-8243-11e8-af74-bd7ba48da31d

Error: (07/08/2018 01:00:09 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

System errors:
=============
Error: (07/08/2018 12:55:28 AM) (Source: DCOM) (EventID: 10016) (User: Hope-PC)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{48DA6741-1BF0-4A44-8325-293086C79077}
 and APPID
{48DA6741-1BF0-4A44-8325-293086C79077}
 to the user Hope-PC\Juzzy SID (S-1-5-21-3310456977-1852635466-3921949137-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (07/08/2018 12:55:28 AM) (Source: DCOM) (EventID: 10016) (User: Hope-PC)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{48DA6741-1BF0-4A44-8325-293086C79077}
 and APPID
{48DA6741-1BF0-4A44-8325-293086C79077}
 to the user Hope-PC\Juzzy SID (S-1-5-21-3310456977-1852635466-3921949137-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (07/08/2018 12:55:28 AM) (Source: DCOM) (EventID: 10016) (User: Hope-PC)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{48DA6741-1BF0-4A44-8325-293086C79077}
 and APPID
{48DA6741-1BF0-4A44-8325-293086C79077}
 to the user Hope-PC\Juzzy SID (S-1-5-21-3310456977-1852635466-3921949137-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (07/08/2018 12:55:28 AM) (Source: DCOM) (EventID: 10016) (User: Hope-PC)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{48DA6741-1BF0-4A44-8325-293086C79077}
 and APPID
{48DA6741-1BF0-4A44-8325-293086C79077}
 to the user Hope-PC\Juzzy SID (S-1-5-21-3310456977-1852635466-3921949137-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (07/08/2018 12:55:28 AM) (Source: DCOM) (EventID: 10016) (User: Hope-PC)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{48DA6741-1BF0-4A44-8325-293086C79077}
 and APPID
{48DA6741-1BF0-4A44-8325-293086C79077}
 to the user Hope-PC\Juzzy SID (S-1-5-21-3310456977-1852635466-3921949137-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU P8700 @ 2.53GHz
Percentage of memory in use: 22%
Total physical RAM: 4051.17 MB
Available physical RAM: 3150.06 MB
Total Virtual: 8100.54 MB
Available Virtual: 7134.31 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:298.09 GB) (Free:282.42 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 298.1 GB) (Disk ID: 83BB94B3)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

#2 Bearyjuice

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:39 PM

Posted 10 July 2018 - 01:01 PM

I'd just like to add that my husband and I have been trying to sort out the laptop, which is a Dell Latitude E5400. It was bought used from a shop and had Windows 10 on it, but it was only a partial version. After issues occurring like not installing programs like iTunes, which was what we needed it for, to restore phones! He tried to put Windows 7 on it but it wouldn't load, so he thought the disk was corrupt; the only other OS he could find was Vista, so he installed that.
Problems we were having included not being able to get rid of being in a network: instead of the internet icon showing bars it always had a 2 PCs icon, and the way all the choices on the left hand side seemed incorrect. The main heading was Desktop, then underneath is a Libraries, Homegroup, Juzzy, Computer, Network, Control Panel, and Recycle Bin. So why is Computer in Desktop? I've never seen it like that!


Just switched it on and it said updating registry settings, though I have made no alterations, and on the user it says 'metadata for some notes has been corrupted, Sticky Notes has restored them to defaults', and now it's installing device driver software! In the info it says device driver was not successfully installed, and in the list: Microsoft System Management BIOS driver, Microsoft Virtual Drive Enumerator driver, both searching preconfigured driver folders. Microsoft ACPI compliant system, PCI bus, Intel® Core™ Duo CPU P8700, ACPI power button, ACPI Lid, Intel Core Duo CPU P8700 @ 2.53GHz, Intel ICH9 family PCI express root port 5 - 2948, ACPI Sleep button, Intel ICH9 family USB universal host controller 2937, Intel 82801 PCI bridge 2448, ACPI thermal zone, Mobile Intel 4 series chipset processor to DRAM controller 2A40, Intel family USB universal host controller 2938, Intel ICH9M interface controller 2919, Mobile Intel 45 express chipset family (Microsoft Corporation WDDM 1.1), Intel ICH9M family USB universal host controller 2939, standard dual channel PCI IDE controller, Mobile Intel 45 chipset family (Microsoft Corp WDDM 1.1), Intel ICH9 family USB2 enhanced host controller 293A, standard dual channel PCI IDE controller, Intel ICH9 family USB2 enhanced host controller 293C, Intel ICH9 family SMBus controller 2930, High Definition audio controller, Intel ICH9 family USB universal host controller 2934, Intel ICH9 family PCI express root port 1 - 2940, Intel ICH9 family USB universal host controller 2935, Intel ICH9 family PCI express root port 2 - 2942, Intel ICH9 family USB universal host controller 2936, USB Root Hub x 4, system CMOS real time clock, USB Root Hub, 4 again, Ricoh R/RL/5C476(II) or compatible CardBus controller, ATA Channel 0, Microsoft ACPI compliant embedded controller, SDA standard compliant SD host controller, ATA Channel 1, ATA Channel 0, Ricoh 1394 OHCI compliant host controller, PS/2 compatible mouse, ATA Channel 1, High Definition audio device, standard PS/2 keyboard, Dell Wireless 1510 Wireless-N WLAN Mini-Card, High Definition audio device, HL-DT-ST DVD+-RW GT10N ATA device, Samsung HM321HI ATA device, all ready to use. This has been done automatically on start up just now without me omitting a single thing!!!
These drivers seem to be for use for a system connected to my PC. I have ticked 'No, let me choose what to do. Never install driver software from Windows Update.' The laptop isn't connected to the internet at the moment either! And it has been switched off since I posted my first post to you.

We have never put any virtual disks, volumes etc. on here, and never joined any groups, networks, even home groups, but when we connect to the internet by hotspot from my husband's phone it always asks us what type of network it is, home or public. When I did this install I noticed it saying that we were already in a network before it even finished installing!
I have found things which seem to say that info is being collected.
We cannot install any antivirus programs, and a lot of other programs we try to install to help us resolve this don't install either. We have a TrustedInstaller that appears to have heightened privileges over us, appears as a default user and has ownership of all Windows files, making it near impossible to change or delete the user, or get ownership of files. This TrustedInstaller shows up in Task Manager under Services; right now it shows nothing under the PID heading, description says Windows Modules Installer, status stopped, group N/A. We also have 6 instances of svchost.exe running in Processes, and all I've done is switch the laptop on and start Task Manager!

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,703 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:39 AM

Posted 12 July 2018 - 08:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/680263 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


Edited by hamluis, 14 July 2018 - 01:25 PM.


#4 Bearyjuice

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:39 PM

Posted 13 July 2018 - 08:37 PM

Thank you very much for your assistance.

Since I first posted my problem, I have updated the OS and added other programs which I thought may help us in fixing things, or point to the path where the problem begins.

My iPhone 7 and my husband's iPhone SE were compromised about 8 weeks ago. I noticed strange behaviours, especially within Safari, where connections were failing due to too many redirects, so I took note of all sites I wanted to visit. Around the same time, emails arrived asking to verify info or saying that passwords were changed and accounts logged into, and if it wasn't us, to secure our accounts, seeming to be sent from Gmail, Yahoo, Apple, Facebook, and other websites that we use regularly. My phone even asked me to input the passcode to unlock the phone. When this was showing I went into the Apple store here in Liverpool and they said that it was genuine, and tried to say that most of the emails from them were correct; basically they brushed me off. I have erased manually through iTunes, updated whilst talking to a Genius on the phone, had diagnostics run remotely with Apple, as well as flashing the phones in store. I have not logged in to any email accounts, had no Apple ID signed in for a couple of weeks, whilst every single app possible to delete had been deleted, so running a bare-bones phone. All apps were switched off except the ones I was using, i.e. only Aloha whilst browsing, or the App Store, Settings, and Safari when I downloaded Network Tools.

Still I have redirects, double instances show in history with slight differences in the URL.

So, if you can help with the phones too I'd be very appreciative.


Anyway, my husband was sick of me messing with the phone to get rid of the intrusion and bought me a Samsung Galaxy A3 2017. It wouldn't accept my Giffgaff SIM, so I got an EE one the following day. But it got used as a hotspot to this Dell Latitude E5400 that we bought on the same day. The VIRUS is network based, and spread that quick to these devices. We have found that the Android has voided the guarantee, so I'm just about to try and flash it with Odin and get it back to an original OS. At the moment, it connects to anything possible as soon as it's switched on!!! Never attempted to jailbreak, but that seems like the only option we have with the phone.


This laptop, as soon as I reinstalled as new, asked me to name it so it could be found on the network before it had finished the install or got to the desktop!!! It's currently running Windows 7, version 6.1.7601, Home Premium. I have the disk for it. We have never joined a network, we are a standalone home laptop, and haven't put any virtual drives, files, volumes on and wouldn't know how to!!!

Programs like Microsoft Autoruns show that a lot of start-ups are from a Windows NT OS.

I am including a screenshot of the Autoruns program showing both my user logon info and NT Network Service logon info. There are 4 options of users showing.


No antivirus will install, I have tried many! I have reinstalled operating systems regularly after altering different things, one time I basically destroyed the registry! My husband has had Windows 10, Vista 32 and 64 bit, and Windows 7 different options from Pro to Basic, etc.

We are constantly on a network, which I have checked using cmd.exe to run netsh, show mode /offline.

I have been in diskpart to find the virtual drives with no luck, and deleted many drivers which are network based, PnP, and emulated. Many, many things have been tried from following guides on the internet. IE is redirecting or just not connecting to websites.

Our emails are compromised.

Whilst trying to get an account with you, I made a new email with iCloud. Apple said every username was taken and the email was taken. After inputting a username like b1e2r3y4j5u6i7c8e9@icloud.com, which gave the same error, I tried to log on using my current new email profile and successfully logged in. I made a profile with you and the email took hours to arrive to verify my email. All the emails from Apple came from ********@email.apple.com. I went on the Apple support and they confirmed that after the @ sign it should be apple, so as soon as I made an Apple ID it was compromised, intercepted and altered to have malware links, etc. included. I only followed the link to verify my email with Apple, and your site. I check all websites and try to input the exact URL I need, but it's difficult to get to the real sites to download the correct files.

 

I'm just in a total mess with all these devices that are collecting 'images' and violating our privacy in every way! I'm concerned that they have the base info, MAC addresses etc., that cannot be altered, and once I eventually get out of networks they will still have access. The Lightning cable is the exploit with Apple, and the way that the phones receive updates is the hackers' entrance point.

 

I apologise for waffling on, but this has been a constant daily battle with these devices. I have tried so many things, followed many guides, and researched lots of bits of data from within logs found. I could go on for a long, long time with things I have tried, my husband too. His PS4 was hacked; I think it still is, but he's ignoring the issue, saying it's clean after he sorted it out a month ago. We were supposed to be going abroad to work, but missed flights down to being hacked and the pressure it's put on our 20 year relationship! So we have no internet service coming into our home; we are using hotspots to connect the laptop and the PS4. The laptop may have internet switched off for 5 days, but when using it offline there is still evidence that we are online with a network connection only.

 

I really hope you can help me. I'm gonna leave the background at that, and I'm willing to answer any queries you have that I haven't covered.

Look forward to hearing from you and following your advice.

 

Attached Files



#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:39 AM

Posted 13 July 2018 - 10:53 PM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

 

Mod Edit:  Topic reopened, PM sent OP requesting OP to follow the procedures stated per https://www.bleepingcomputer.com/forums/t/680263/laptop-hacked-remotely-but-spread-from-my-iphone-need-help-please/?p=4531042 - Hamluis.


Edited by hamluis, 18 July 2018 - 07:11 AM.


#6 Bearyjuice

Bearyjuice
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:39 PM

Posted 15 July 2018 - 07:39 AM

Thank you for reopening my post.

I have been checking in daily for a response, as I have no where else to turn, for help with my issues.

I look forward to hearing from you with help to my problem.

Thank you.



#7 Tenis

Tenis

    Bleepin' FX


  • Malware Study Hall Senior
  • 1,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:09 PM

Posted 24 July 2018 - 11:17 PM

Hi Bearyjuice,

 

I will do my best to help you solve this issue.

 

While I'm looking at your log, please go through a few notes.

  • I am currently in training and analyzing logs takes time. My replies need to be approved by an instructor, so my responses might be delayed. I will generally reply within 48 hours - if this is not possible, I will let you know.

  • Please do not seek assistance elsewhere without letting me know.

  • Please do not run any malware removal tools unless directed.

  • Make sure to read my instructions fully before attempting a step.

  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed.

  • Please understand that I am a volunteer, so I may get busy in real life, and that can further delay my responses.

 

Tenis



#8 Tenis

Tenis

    Bleepin' FX


  • Malware Study Hall Senior
  • 1,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:09 PM

Posted 25 July 2018 - 05:02 AM

Bearyjuice, please post a fresh FRST log (FRST.txt and Addition.txt).



#9 Tenis

Tenis

    Bleepin' FX


  • Malware Study Hall Senior
  • 1,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:09 PM

Posted 29 July 2018 - 11:40 PM

Hi,

 

It has been 5 days. Do you still need help?

We will close this thread if we do not get any response in the next 24 hours.

 

 

Tenis



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:04:39 AM

Posted 31 July 2018 - 07:38 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



