Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Someone's hacked into my PC, please help me remove?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 9th, 2018, 11:04 pm

Please help me, as I think someone who wanted some information off my computer has hacked into my laptop remotely!! I need help identifying if this has happened and how to remove them off of my computer please. Thank you in advance for any help you can provide me! This is my first time on your site & I appreciate any help you can provide. jlp007
You do not have the required permissions to view the files attached to this post.
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm
Advertisement
Register to Remove

Re: Someone's hacked into my PC, please help me remove?

Unread postby pgmigg » January 10th, 2018, 12:47 pm

Hello jlp007,

Welcome to the forum! :)

I am pgmigg and I'll be helping you with any malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights, permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process until we are done as well as
    DO NOT Remove, or Scan with anything on your system unless I ask. This adds more items to be researched.
    Extra Additions and Removals of files make the analysis more difficult.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  8. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!" :cheers:
    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
lf you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start


Failure to post replies within 72 hours will result in this thread being closed
User avatar
pgmigg
Admin/Teacher
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 10th, 2018, 12:55 pm

Hi pgmigg,

Thank you for your response & I have already gone in and backed up my files and folders on my computer after sending in this request for help. I appreciate any help you can provide me on this... I hope you are having a great day & I will look forward to your response back to me.

Cheers!
Jlp007
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby pgmigg » January 10th, 2018, 1:02 pm

Hello jlp007,

Step 1.
Please tell me in detail why you decided that your computer has hacked by someone.
On what basis did your suspicions appear?
What kind of symptoms and reasons did you observe?

Step 2.
Run CKScanner
  1. Please download CKScanner from Here
  2. Important: - Save it to your Desktop.
  3. Double-click CKScanner.exe and click Search For Files.
  4. After a very short time, when the cursor hourglass disappears, click Save List To File.
  5. A message box will verify the file saved.
  6. Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Step 3.
TSG - SysInfo utility
  1. Please download SysInfo utility and save it to your Desktop.
  2. Right click on SysInfo.exe, select "Run As Administrator..." to run it... if UAC prompts, please allow it.
  3. Right click, select copy and then paste in your next post.

Step 4.
Run CodeCheck Scan
  1. Please download codecheck from here to your Desktop.
  2. Make sure that codecheck.exe is on the your Desktop before running the application!
  3. Right-click on codecheck.exe and select "Run as administrator..." to run it.
  4. After a very short time a codecheck.txt icon will appear on your Desktop
  5. Double-click on the codecheck.txt icon on your Desktop and copy/paste the contents in your next reply.

Then:
Please tell me is this computer used for business purposes and connected to a business or educational network?
I need to know it - so I can provide the proper instructions.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Answers to my questions related to your suspicions about hacking.
  3. Contents of CKFiles.txt log file
  4. Contents of SysInfo scan
  5. Contents of a log created by codecheck.txt
  6. Answer to my question related to type of using of your computer

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
User avatar
pgmigg
Admin/Teacher
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 11th, 2018, 1:56 pm

Hi pgmigg,

I had a very close friend of mine (I knew him for 32 years) die on 10/9/17, in his will I inherited his entire wine collection. Unfortunately, the 2 people who stayed with him before he died took a lot of his wines and were selling them online. A short time ago, we found proof that they had taken a lot of these wines & I was looking into it, and verifying what I had suspected all along. About 1 week ago I went into my computer to find some info on these people that I pulled up online about them, which I had previously saved this info on my computer, but when I looked for it I saw that it was all deleted off of my computer when I looked into my file history, and I never deleted it myself. And when I saw the deleted items on my computer I went into my remote access area on my laptop and the box was checked to allow remote access! I unchecked the box, hit apply & ok, then I rebooted my computer. But I think they've already put software on my computer to gain access remotely wherever they are... Also this morning I went into my computer to pull up my word document that I had created last night with proof on it against them, & it's gone! I believe that they have hacked into my computer and are watching everything I do on it, and they have taken over control on the administrator controls as well. I hope I am wrong, but after seeing the things they've deleted, which I never deleted, I know I am right! That's why it's super important that I get them off my computer as soon as possible. The laptop I am on right now was left at my friends house prior to his death too!

THEN: The next answer to your questions are that my laptop is NOT connected to any other business or educational website for any reason. It is my home laptop, used for personal purposes only!

So PLEASE, help me! This is the most horrific experience I've ever encountered in my life! Not only is my best friend dead, but these people are terrorizing me on every level they can to make me give up and just let them get away with everything they've stolen from him, unscathed! In my best friends will it said that "I give to the following persons specific gifts as follows, each person named as a beneficiary are important to me, & my gifts to each is intended to communicate my appreciation for our mutual friendship. With that said, please note as follows:" He then named me as the sole heir to his wine collection. He also scripted out others and what they were supposed to receive. But in the end, these 2 people who lived with him at the end of his life took everything that had a high dollar amount. So again, I beg of you to help me find out what is going on here and help me clear off what they have on my computer so I can fulfill my dear friends wish of giving the people he cared about what is rightfully theirs! I have to prove what they've stolen & stop these evil ones from taking everything dear to him in the end! Sorry if I went into too much detail above, but you asked me why I suspected that someone had hacked my computer... The above is why, I know that it's sad, but it's totally true!

All my love to you from the bottom of my heart for anything you can do to help me on this! As I don't have the money to take it down to a computer repair person to fix it, as I have taken the past 3 months off work to help get his house cleared out and I am so short on funds & I don't have enough to do it on my own right now.

Bless you and I am so thankful for your site and your help on this... I will now do everything you've asked me to do above beyond my explanation here!

jlp007
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby pgmigg » January 11th, 2018, 3:00 pm

You are welcome jlp007 and thank you for detailed explanations!

It was your answers for questions of Step 1 and "Then". But there were other Steps from 2 to 4. I am waiting for logs...

Regards,
pgmigg
User avatar
pgmigg
Admin/Teacher
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 11th, 2018, 3:02 pm

Hi pgmigg,

Here's what you asked me to do in your message:

Step 2.
Run CKScanner

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.FMAPGZ
----- EOF -----

Step 3.
TSG - SysInfo utility

Tech Support Guy System Info Utility version 1.0.0.4
OS Version: Microsoft Windows 10 Home, 64 bit
Processor: Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz, Intel64 Family 6 Model 60 Stepping 3
Processor Count: 8
RAM: 12220 Mb
Graphics Card: Intel(R) HD Graphics 4600, 1024 Mb
Hard Drives: C: 902 GB (722 GB Free); D: 26 GB (2 GB Free);
Motherboard: Hewlett-Packard, 1965
Antivirus: Windows Defender, Enabled and Updated

Step 4.
Run CodeCheck Scan

Codecheck Version 1.0

01011

Then:
Please tell me is this computer used for business purposes and connected to a business or educational network?
I need to know it - so I can provide the proper instructions.

Please include in your next reply:
Do you have any problems executing the instructions?
Answers to my questions related to your suspicions about hacking.
Contents of CKFiles.txt log file
Contents of SysInfo scan
Contents of a log created by codecheck.txt
Answer to my question related to type of using of your computer

My Answers to the above questions:

I want to post here how my file extensions have changed too, so here's a screen shot of what they look like now where there is a program called "3D Objects" which I never installed. And there are 3 "Desktop" icons now & a "Homegroup" Icon which I never installed either, along with a "Bluetooth" connection link?? It wouldn't let me paste my screen shots, so I uploaded it to you to reflect the file path's that have never been there before! Please don't publish them on this site, if you can help it.. But if I could send you my phone # to do this via phone, I would be happy to do that!!

Sincerely,
jlp007
You do not have the required permissions to view the files attached to this post.
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 11th, 2018, 3:05 pm

Hi pgmigg,

I just sent the logs and the screen shots too! THANK YOU SO MUCH!!!

Love you & I don't even know your true name!!
jlp007
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 11th, 2018, 3:31 pm

Hi MY FRIEND!

Here is another screen shot with my Menu Bar at the bottom showing an Icon with "2 People" listed now, and when I put my mouse over it "People" populated, this Icon wasn't there before all this craziness started for me... See what you think??

Love you,
jlp007
You do not have the required permissions to view the files attached to this post.
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby pgmigg » January 11th, 2018, 4:41 pm

Hello jlp007,

Platform: Windows 10 Home Version 1709 16299.192 (X64)
Once between mid-September 2017 and the present tense your computer was automatically upgraded to Windows 10 Fall Creators Update (build 1709) which significantly changed a lot in Windows infrastructure.

jlp007 wrote:I want to post here how my file extensions have changed too, so here's a screen shot of what they look like now where there is a program called "3D Objects" which I never installed. And there are 3 "Desktop" icons now & a "Homegroup" Icon which I never installed either, along with a "Bluetooth" connection link??

jlp007 wrote:Here's another screen shot where on the bottom of my screen it shows an icon next to the "Address bar menu" and then the "BLUE ?" about 3/4 of the way through the bottom of my menu bar there is an icon with "2 people" where I put my mouse over it and it says "PEOPLE" over the icon, and this icon was never there before all this started happening ...


You might be wondering what the 3D Object folder in File Explorer is for. The folder contains 3D items that you can use in apps like Paint 3D or Mixed Reality Viewer. Projects you work on in the 3D apps will be saved in the 3D Objects folder by default. When folders are sorted alphabetically it’s the first folder in the list.

The same may be said about People icon, about Bluetooth connection link, about Homegroup icon, and many many other new items from newest incarnation of Windows 10.

There are not any intruders who have infiltrated your computer and install something without your knowledge - it's all done by Microsoft with its latest system updates.
By the way, I strongly recommend you to change the password for the login to the system.

Well, let start our treatment:

Step 1.
Users List
  1. Please type notepad.exe in the Search Windows box and click Enter - a blank Notepad page should open.
    • Copy and Paste the following script into Notepad, but do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    @echo off
    "net user" >> "%userprofile%\Desktop\AllUsers.txt"
    
  2. Save it as userlist.bat (select "All Files (*.*) for Save as type:) on the Desktop and run it by double-click on saved file icon. In a short time the file AllUsers.txt will be created on your Desktop.
  3. Please navigate to your Desktop where you should find AllUsers.txt. Double-click on it and it will be opened in Notepad. Copy and paste the contents in your reply...

Step 2.
Create a Backup With Tweaking.com Registry Backup (TCRB)
There is also a tutorial with pictures available HERE.
  1. Please download TCRB from HERE and save it to your Desktop.
  2. Double-click on tweaking.com_registry_backup_setup.exe and follow the prompts to install TCRB.
  3. Launch TCRB.
  4. Click the Backup Registry tab and make sure all the boxes are checked.
  5. Click on Backup Now.
  6. Once the backup is finished you can now exit the program.
< STOP > Do not proceed any further if you were not able to create a registry backup. Post back with what happened so we can determine why it was unsuccessful.

Step 3.
FRST Fix
  1. Close all your programs.
  2. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
  3. Please press the Windows Key + R.
  4. Type notepad.exe into the text box and click OK.
  5. A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, but do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    CreateRestorePoint:
    
    Toolbar: HKU\S-1-5-21-911912479-2911234598-3309385713-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
    CHR Extension: (Norton Security Toolbar) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bejnhdlplbjhffionohbdnpcbobfejcc [2015-10-04]
    CHR NewTab: Profile 1 ->  Not-active:"chrome-extension://abkheghpcopcjckpcdmehckmbepkonbb/product.html", Not-active:"chrome-extension://egechnfgfhgcccjdkinlbbaahnbobpok/newtab/newtab.html"
    CHR Extension: (Piggy - Automatic Coupons & Cash Back) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hfapbcheiepjppjbnkphkmegjlipojba [2017-12-17]
    CHR Extension: (Norton Identity Safe) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-10-04]
    Task: {26A1F2F2-84B2-4D95-A972-84070BE1B9EC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {3A99206C-B99C-4A72-BF02-B3D3AF75DDF9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {40E409CC-786F-4065-A855-2E858E475F4E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {628B723E-1B35-42A7-85CB-EE7F7C5373C2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {83EE8CEA-075A-44A3-80B0-421A546EACF0} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {991F7922-FEA7-42C0-9D45-2662B3840506} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    Task: {9CC40DA9-47AD-4912-806A-1BC416E18CF6} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {BE411AC0-684B-4DB9-BEDA-9C94C3DC64CF} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {D7382681-569F-4EAC-8BC7-50E642B160D4} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
    Task: {DADEC4D2-4CE1-403B-9432-9E4547B4E041} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {E252A2C0-D72B-4B96-981B-745AF3DAF954} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {F2B3759F-1A54-4844-B6AA-45411A49E219} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    
    EmptyTemp:
    CMD: ipconfig /flushdns
  6. Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  7. Right click on FRST64.exe and select Run as administrator.
  8. Press the Fix button one time only and wait.
  9. When FRST finishes you will be prompted to reboot your computer. Click OK.
  10. Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.

Step 4.
AdwCleaner - Scan Only
  1. Please download AdwCleaner (today it is a version 7.0.3.1) and save it to your Desktop.
  2. Close all open programs and windows so that you are at your Desktop.
  3. Right click on adwcleaner.exee and click Run as administrator...
  4. Click on the Scan button.
  5. When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep." Do not attempt to clean anything at this point!
  6. Click on Logfile button. The Log manager window will be opened.
  7. Double-click on a log file C:\...\AdwCleaner[S0].txt to open it. Copy and paste the contents of that log file in your reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

Don't post anything as attachments unless I will ask you about it specifically!

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of AllUsers.txt log file
  3. Contents of the fixlog.txt log file
  4. Contents of the AdwCleaner[Sn].txt log file
  5. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
User avatar
pgmigg
Admin/Teacher
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 11th, 2018, 5:32 pm

Hi there,

WOW! Thank Goodness you found nothing on my computer!! I wonder where all the info I saved to my computer went when it showed me they were deleted?? I have changed my initial password into my computer and now I am going to do everything you've listed above for me to do!

Thank you so much for your help! It gives me some peace that they haven't hacked into my laptop! I appreciate all you've done for me here... YOU ARE BRILLIANT & I THANK YOU SO MUCH!

I will let you know what the outcome is (step by step as listed above) after I have completed your list above...

Bless you,
jlp007
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 12th, 2018, 1:47 am

Hi pgmigg,

A. - No problems in executing the instructions.

B. - Step 1. - Users List (AllUsers.txt log list) - NOTHING LISTED ON AllUsers.txt LOG LIST TO COPY AND PASTE HERE, maybe I didn't do it correctly??

Step 2. - Create a Backup With Tweaking.com Registry Backup (TCRB) - SUCCESSFUL ON CREATING THE BACKUP!

C. - Step 3. - FRST Fix (fixlog.txt log file)

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by hp (11-01-2018 21:04:32) Run:1
Running from C:\Users\hp\Desktop
Loaded Profiles: hp (Available Profiles: hp)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:

Toolbar: HKU\S-1-5-21-911912479-2911234598-3309385713-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
CHR Extension: (Norton Security Toolbar) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bejnhdlplbjhffionohbdnpcbobfejcc [2015-10-04]
CHR NewTab: Profile 1 -> Not-active:"chrome-extension://abkheghpcopcjckpcdmehckmbepkonbb/product.html", Not-active:"chrome-extension://egechnfgfhgcccjdkinlbbaahnbobpok/newtab/newtab.html"
CHR Extension: (Piggy - Automatic Coupons & Cash Back) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hfapbcheiepjppjbnkphkmegjlipojba [2017-12-17]
CHR Extension: (Norton Identity Safe) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-10-04]
Task: {26A1F2F2-84B2-4D95-A972-84070BE1B9EC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {3A99206C-B99C-4A72-BF02-B3D3AF75DDF9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {40E409CC-786F-4065-A855-2E858E475F4E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {628B723E-1B35-42A7-85CB-EE7F7C5373C2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {83EE8CEA-075A-44A3-80B0-421A546EACF0} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {991F7922-FEA7-42C0-9D45-2662B3840506} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {9CC40DA9-47AD-4912-806A-1BC416E18CF6} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {BE411AC0-684B-4DB9-BEDA-9C94C3DC64CF} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {D7382681-569F-4EAC-8BC7-50E642B160D4} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {DADEC4D2-4CE1-403B-9432-9E4547B4E041} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E252A2C0-D72B-4B96-981B-745AF3DAF954} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F2B3759F-1A54-4844-B6AA-45411A49E219} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION

EmptyTemp:
CMD: ipconfig /flushdns
*****************

Restore point was successfully created.
"HKU\S-1-5-21-911912479-2911234598-3309385713-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => removed successfully
HKLM\Software\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found
CHR Extension: (Norton Security Toolbar) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bejnhdlplbjhffionohbdnpcbobfejcc [2015-10-04] => Error: No automatic fix found for this entry.
"Chrome NewTab" => removed successfully
CHR Extension: (Piggy - Automatic Coupons & Cash Back) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hfapbcheiepjppjbnkphkmegjlipojba [2017-12-17] => Error: No automatic fix found for this entry.
CHR Extension: (Norton Identity Safe) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-10-04] => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{26A1F2F2-84B2-4D95-A972-84070BE1B9EC} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26A1F2F2-84B2-4D95-A972-84070BE1B9EC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3A99206C-B99C-4A72-BF02-B3D3AF75DDF9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A99206C-B99C-4A72-BF02-B3D3AF75DDF9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{40E409CC-786F-4065-A855-2E858E475F4E}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40E409CC-786F-4065-A855-2E858E475F4E}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{628B723E-1B35-42A7-85CB-EE7F7C5373C2}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{628B723E-1B35-42A7-85CB-EE7F7C5373C2}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{83EE8CEA-075A-44A3-80B0-421A546EACF0}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83EE8CEA-075A-44A3-80B0-421A546EACF0}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{991F7922-FEA7-42C0-9D45-2662B3840506}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{991F7922-FEA7-42C0-9D45-2662B3840506}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9CC40DA9-47AD-4912-806A-1BC416E18CF6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9CC40DA9-47AD-4912-806A-1BC416E18CF6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BE411AC0-684B-4DB9-BEDA-9C94C3DC64CF}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE411AC0-684B-4DB9-BEDA-9C94C3DC64CF}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D7382681-569F-4EAC-8BC7-50E642B160D4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D7382681-569F-4EAC-8BC7-50E642B160D4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DADEC4D2-4CE1-403B-9432-9E4547B4E041}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DADEC4D2-4CE1-403B-9432-9E4547B4E041}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E252A2C0-D72B-4B96-981B-745AF3DAF954}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E252A2C0-D72B-4B96-981B-745AF3DAF954}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F2B3759F-1A54-4844-B6AA-45411A49E219}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F2B3759F-1A54-4844-B6AA-45411A49E219}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => removed successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18108214 B
Java, Flash, Steam htmlcache => 820 B
Windows/system/drivers => 2621242 B
Edge => 1596963 B
Chrome => 789075123 B
Firefox => 9202581 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 218066 B
hp => 118541591 B

RecycleBin => 1127812021 B
EmptyTemp: => 1.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 21:06:38 ====

D. - Step 4. - AdwCleaner - Scan Only

# AdwCleaner 7.0.6.0 - Logfile created on Fri Jan 12 05:28:57 2018
# Updated on 2017/21/12 by Malwarebytes
# Database: 01-10-2018.1
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

PUP.Optional.Legacy, C:\Users\hp\Desktop\SysInfo.exe


***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************



########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########

E. - CHANGES IN COMPUTER - YES, IT SEEMS TO RUN FASTER AND BETTER! THANK YOU SO MUCH!!

You're the best pgmigg! I think everything is fine now, thank you for all your help! I will check back tomorrow to see if you want me to do anything else.

Thanks again,
jlp0007
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby pgmigg » January 12th, 2018, 2:07 am

Hello jlp007,

We are not finished yet and there are a few more issues which should be scan and fix. Please wait for tomorrow morning and I will prepare a new set of steps for you - now is to late to do anything...

Thank you for your patience,
Pgmigg
User avatar
pgmigg
Admin/Teacher
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Someone's hacked into my PC, please help me remove?

Unread postby jlp007 » January 12th, 2018, 11:58 am

Dear Pgmigg,

Thank you for your patience by waiting for me to get all this done yesterday! I had to deal with a few other issues yesterday, so it took me a while to get all this done.

I appreciate all your help and I will be waiting to hear back from you with our next step to conquer!

You're the best and I thank you again for all your direction and help on this issue...

Sincerely,
jlp007
jlp007
Active Member
 
Posts: 12
Joined: January 9th, 2018, 10:02 pm

Re: Someone's hacked into my PC, please help me remove?

Unread postby pgmigg » January 12th, 2018, 12:19 pm

You are welcome jlp007,

jlp007 wrote:E. - CHANGES IN COMPUTER - YES, IT SEEMS TO RUN FASTER AND BETTER!
Actually you a had a lot of temporary files (1.9 GB), the presence and storage of which greatly slows down the computer.

Now please do the following:

Step 1.
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Right-click on TDSSKiller.exe and select "Run As Administrator...".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click on Accept button for End User License Agreement.
  3. Click on Decline button for KSN Statement.
  4. Click Change parameters
  5. Under Additional Options CHECK Verify file digital signatures
  6. IMPORTANT: Ensure Detect TDLFS file system remains UNCHECKED.
  7. Click OK if changes were made.
  8. Click Start scan and allow it to scan for Malicious objects. Do not use the computer during the scan!
    • If Malicious objects are detected, the default action will be Cure, ensure SKIP is selected... then click Continue
    • If Suspicious objects are detected, the default action will be Skip, ensure Skip is selected... then click Continue
    • If Unsigned files are detected, the default action will be Skip, ensure Skip is selected... then click Continue
    DO NOT change the default actions, other than CURE to SKIP.
  9. You may be asked to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  10. A log will be created on your root drive (usually C:) drive. The log will have a name like Name.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt. Please post the contents of the log file in your next reply
  11. If no reboot is required, click on Report. A Report log window should appear - please copy/paste the contents of it in your next reply

Step 2.
ESET Online Scanner
  1. Please close all open programs and windows.
  2. Please go HERE then click on Scan now and save esetonlinescanner_enu.exe on your Desktop.
  3. Double-click on esetsmartinstaller_enu.exe to run it.
  4. Select the option Accept for the Terms of Use and then follow the prompt.
  5. On the next screen please check Enable detection of potentially unwanted applications.
  6. Then click on Advanced Settings and select the following:
    • Enable detection of potentially unsafe applications
    • Enabled detection of suspicion applications
    • Scan archives
    • Enable Anti-Stealth technology
  7. Make sure that the option Clean threats automatically is NOT checked, as well as Use custom proxy settings.
  8. Now click on Scan button.
  9. The Downloading virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  10. Do not touch either the Mouse or Êeyboard during the scan otherwise it may stall.
  11. When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  12. Exit out of ESET Online Scanner.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt log file or the contents of the Report log window
  3. Contents of the ESET.txt log file

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
User avatar
pgmigg
Admin/Teacher
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 296 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware