Computer Hacked, Then Hijacked [Closed]


This topic is locked

#61 traveler818 (Member, Topic Starter, 140 posts)
I cannot get it to copy. I will try again.
#62 traveler818 (Member, Topic Starter, 140 posts)
pppt5gk9.exe
http://www2.gmer.net/download.php?

mr14fgpu.exe
http://www2.gmer.net/download.php?

1eih987b.exe
http://www2.gmer.net/download.php?

That is all I could get to copy--saw no option to download to anywhere. Will try again.

#63 traveler818 (Member, Topic Starter, 140 posts)
GMER http://www.gmer.net
all your rootkits are belong to us

GMER is an application that detects and removes rootkits.

It scans for:

hidden processes
hidden threads
hidden modules
hidden services
hidden files
hidden disk sectors (MBR)
hidden Alternate Data Streams
hidden registry keys
drivers hooking SSDT
drivers hooking IDT
drivers hooking IRP calls
inline hooks

At a loss--I tried to copy and save the scan but now that it has run, those buttons do nothing. I tried a screenshot but it didn't take. I cannot find the filename area, but have what little I posted previously on the desktop.

GMER says it found system changes due to rootkit activity--with that message over the scan results, I can do almost nothing--keys do not respond. I cannot delete the message or rerun the scan.

When the hacker sees these files, she will go ballistic and take it out on my computer--I know her personally.

I am keeping logmein open minimized for now, but it is risky because it gives her time. She bought me some speakers in an effort to keep the computer on all day (I did not fall for it--by changing this to 32 bits, most music wouldn't play--she will go to any lengths). I suspect she is installing malware too.

Edited by traveler818, 15 January 2013 - 01:27 PM.

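The GMER scan list posted above starts with "hidden processes". The detection idea behind that item is a cross-view comparison: enumerate processes through the normal OS API and again through a lower-level path, then treat anything present only in the low-level view as a candidate hidden process. The Python below is an added illustration of that idea, not GMER's code and not anything posted in this thread; the process listings are constructed samples, and all function and variable names are assumptions made for the example.

```python
"""Cross-view hidden-process check (added illustration, not GMER's code).

A user-mode API view is compared against one or more low-level views.
Entries that exist only in the low-level view are hidden-process
candidates. Because processes start and exit between snapshots, a
single comparison produces false positives; requiring a candidate to
appear in every low-level snapshot filters out transient processes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def hidden_entries(high_level, low_level):
    """Entries visible in the low-level view but absent from the API view."""
    visible_pids = {p.pid for p in high_level}
    return sorted((p for p in low_level if p.pid not in visible_pids),
                  key=lambda p: p.pid)


def stable_hidden(high_level, low_snapshots):
    """Keep only candidates that are hidden in every low-level snapshot.

    A process that exited between two snapshots shows up in one
    comparison but not the other, so it is dropped here.
    """
    candidates = None
    for snap in low_snapshots:
        found = set(hidden_entries(high_level, snap))
        candidates = found if candidates is None else candidates & found
    return sorted(candidates or (), key=lambda p: p.pid)


# Constructed sample views (PIDs and names are made up for this example).
API_VIEW = [Proc(4, "System"), Proc(612, "csrss.exe"),
            Proc(1288, "explorer.exe"), Proc(2044, "chrome.exe")]
# First low-level snapshot: two extra entries the API view does not report.
LOW_VIEW_1 = API_VIEW + [Proc(3316, "svchost.exe"), Proc(3900, "setup_tmp.exe")]
# Second snapshot taken a moment later: 3900 has exited, 3316 is still there.
LOW_VIEW_2 = API_VIEW + [Proc(3316, "svchost.exe")]


if __name__ == "__main__":
    for p in hidden_entries(API_VIEW, LOW_VIEW_1):
        print(f"single-snapshot candidate: pid={p.pid} name={p.name}")
    for p in stable_hidden(API_VIEW, [LOW_VIEW_1, LOW_VIEW_2]):
        print(f"stable hidden process:     pid={p.pid} name={p.name}")
```

A real scanner's low-level view comes from kernel structures rather than a list literal, but the comparison and the two-snapshot filter are the same.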

#64 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
The GMER text file should be where you saved the programme, could you attach that?

#65 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Just re-ran it on my system... When you press the save button it will ask for a location and a name; call the file GMER and save to the desktop.
Then attach to your post.

#66 traveler818 (Member, Topic Starter, 140 posts)
It won't let me save. I believe if I could get rid of the warning box it would but I can't.

If "run it from your system" means from the above link, that is how I generated the report, but everything on that page except perhaps the menu upper left is frozen. I can't even close the window. Save, copy, exit--no response. After trying to close the file, I can no longer turn it blue, though that was no help as ctrl-C and ctrl-V do not work. Copy is unresponsive. I have downloaded this file from every download link I could find--nowhere do I get the option to choose a location, or to create a txt file.

I have tried dragging it here. Won't budge.

I do not know what else to do. I considered deleting and starting over but I can't do that either. Help. I see no more options. Getting frustrated.

When I click on the 2 icons that made it to the desktop, I am asked if I want it to make changes. I click No. They both have different names--random numbers and letters.

Edited by traveler818, 15 January 2013 - 02:46 PM.


#67 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK next trick, first I will run combofix to see if it locates anything hidden (it uses a version of GMER)

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

#68 traveler818 (Member, Topic Starter, 140 posts)
No luck. I was finally able to disable my protection, but she has blocked all access to my security center and my users page. I am no longer the admin as far as I can tell. She did all she could to disable Norton. I did not see the do not rerun note, and since it didn't run, I tried the second link, then the first once again. I am not doing this to the text. It is either her or malware.

#69 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Were you able to download combofix ?

#70 traveler818 (Member, Topic Starter, 140 posts)
This post is already outdated.

I clicked a combofix link but despite having disabled Norton, the scan stopped saying it detected antivirus and firewall. The hacker has been busy. Norton will no longer take my password--I used it successfully once, and will not disable anything until I can figure out a way in. I find no password reset anywhere. I am beginning to wonder if it is time to wipe the system clean again (for the 3rd time).

Or the logmein file is still open--I need to give name & password--the usual--it appears to be Toshiba's version of Logmeinrescue.

I cannot enlarge the type--my guess is she followed me in here--if I leave, I do not know if I can get back.

Edited by traveler818, 16 January 2013 - 11:52 AM.

#71 traveler818 (Member, Topic Starter, 140 posts)
No. I have 3 files with numbers and letters in my control panel. I couldn't save it to the desktop. When the system finds a file it doesn't recognize, it removes the save option, so I selected run. The results are posted below.

This woman is smart and fully educated and fully equipped to do damage and willing. She stole food I saved for homeless dogs and a small gift for an elderly lady--thus is her character.

The Toshiba logmein file serves a different purpose. LogmeinRescue IS on this computer but hidden. Should I try rerunning combofix? First I need to see if a system restore took me back to before I created a Norton password. I cannot get to the Norton website as it is now only set to scan but doesn't. I can't access most desktop files from the desktop.

I just learned of a website called AMMY Admin, which appears to be like LogmeinRescue.

Edited by traveler818, 16 January 2013 - 12:33 AM.


#72 traveler818 (Member, Topic Starter, 140 posts)
It has been 5 hours and if I shut this down, it may be the end again. We put in a lot of time today. Thank you--a lot. I truly appreciate what you do (those logs are intimidating to me), the time you give, your clear simple instructions, and your stubborn "we will succeed" attitude. That makes me feel that we will. :happy:. Things don't always work, especially when programmed not to, but you seem to have a lot of aces up your sleeve.

I am also working the human angle trying to get those who know her to help.

We were both overdue for a break, but if we are interacting, I do not want to miss a word: Would you let me know when you are done with a session? I didn't know how long to wait. We put in a lot of hours, so it was time, but I waited some time to be sure.

The hacker has a full-blown acct as far as I can tell, which makes her undetectable as malware. I found many files in the computer. Each one contained the permissions, but not the full page. She has "Users"--me, "SYSTEM"--the computer's owner, and "Authenticated Users." When I try to remove Authenticated Users, it says someone else may be in there who would also lose due to inherited permissions. A right-click is supposed to open it to show who the users are, but it is not working. If I could get in there, I think I might regain my administrator status and remove her. It would be a start but you know a lot, me not much.

I.e., COMBOFIX: Before I read the warning not to rerun it, I hopefully didn't because 2 of the 3 times, there was no scan, only the one, that failed to complete. The first ones said it could not scan because it detected antivirus and a firewall. I had disabled both in Norton. It gave me the red AT RISK window, but Combofix detected them and sent me to remove them twice. Then my password to Norton stopped working. I uninstalled the remains of Norton, and downloaded the trial version of Norton 360, which found 2 threats the old Norton missed. Should I also have malwarebytes or antispyware? Anyway with Norton gone, the COMBOFIX scan ran until the window appeared over the scan saying it had detected modifications to the system. I got the impression I had to take action on the spot to unlock anything, but you said not to so I did not explore the site that thoroughly.

Toshiba sends people's computer info (without their knowledge) who refuse their expensive help to a local tech--when an error occurs, he gets a signal, and I get a nasty phone call because I will not allow remote access--though that is how I learned about AMMY Admin. It is similar to LogMeInRescue, which was on this computer but is a logical first one to hide. I don't trust the source for AMMY, but the site could be good.

Edited by traveler818, 16 January 2013 - 06:13 AM.


#73 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's try something different

I would like you to uninstall Norton
Install Avast Free
And if you are happy I will link to your system via Avast

Let me know how you feel before we progress... As an aside Avast can be password protected

To start Remote Assistance, the person wanting help just opens the avast! user interface and clicks on the “Allow Remote Control” button. This generates a unique code which is sent to the avast! “helper-friend”, enabling the recipient to have remote access to the other computer. The session is routed through the AVAST servers, bypasses potentially blocking firewalls, and can be ended at any time by the initiating person. The only requirement is for both computers to be turned on and have active internet connections.

“People want to be able to get or give help, but they want to make sure they are not creating a security risk at the same time,” said Mr. Steckler. “This is why Remote Assistance can only be triggered by the person wanting help and each code is limited to a single session.”


#74 traveler818 (Member, Topic Starter, 140 posts)
How I feel is hopeful. Yes I want to do that. Avast is downloaded, Norton gone, but Avast needs one more step. BRB

PS Avast free does not seem to have a firewall. Should I check/turn on Windows Defender?

Here is the code Avast said to give you: KJYK-7MKC

Edited by traveler818, 16 January 2013 - 12:26 PM.


#75 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
No, as the Windows one is good enough for now

Be right back as I need to get on a system that is not running a beta version