Hacker Attack again

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by markem, Oct 18, 2014.

  1. markem

    markem Private First Class

Quick synopsis:

    We had a major storm come through about a month ago. All of our routers went offline. I could get the main one back up and running but the two ASUS routers with DD-WRT on them would reset back to no security measures. Then I noticed that my server was doing a lot of pings for no reason. Then I found out that my main computer, server, and TV computer were all using file sharing and were sending files like crazy.

    I have done all of the steps and even went to the extreme of uninstalling all antimalware, antispyware, and antivirus software and installing Kaspersky and running it. Nothing has found a virus, spyware, or malware, yet I knew someone was getting onto the systems somehow. I even ran RogueKiller. Nothing. I then removed Kaspersky and did clean installs of the original software.

    The file sharing had been set up so it automatically reverted to being on each time I rebooted. Finally, I went into the Control Panel->Networking->Wireless->Properties and stopped file sharing and then just uninstalled the file sharing part. This stopped all file sharing immediately.

    My question right now is - how can you permanently remove the on-screen keyboard software? It isn't in the Add & Remove components section. I tried just deleting it but it comes right back. I tried renaming it and Windows just popped a new one into the directory. I want to remove this so the hackers can't use it.

    Thanks in advance for answering this.

    Mark
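    The first thing to establish in a case like the one above is what the box is actually sharing, who is connected to it, and why the Server service keeps coming back. The following is an added example, not something from the original post or from any of the tools named in it. It uses WMI classes that exist from XP through current Windows, so it runs under PowerShell 2.0 or later (PowerShell 2.0 on XP SP3 is assumed); run it from an elevated prompt. The -Disable switch is this script's own. Two caveats: stopping LanmanServer also removes the administrative shares (C$, ADMIN$) and anything that depends on them, and TightVNC, which the poster uses, listens on its own port and does not depend on SMB. Deleting the on-screen keyboard is not a useful control in any case: osk.exe is a protected system file, and Windows File Protection (XP) or Windows Resource Protection (Vista and later) restores it on purpose. Cutting off the remote access path is the fix.

```powershell
# Added example (not from the thread): inventory what this Windows box is
# sharing and who is connected to it, then optionally stop the Server service.
# -Disable is an assumption of this script, not something the original
# poster ran.
param([switch]$Disable)

# Every share, including the hidden administrative ones (C$, ADMIN$, IPC$).
# Type 0 = disk share; the 0x80000000 bit marks an administrative share.
$shares = Get-WmiObject Win32_Share
foreach ($s in $shares) {
    $admin = if ($s.Type -band 0x80000000) { 'admin' } else { 'user' }
    "{0,-12} {1,-6} {2}" -f $s.Name, $admin, $s.Path
}

# Who is connected right now, and from where. Unexpected source machines,
# or an administrator session you did not open, are what to look for.
Get-WmiObject Win32_ServerSession |
    Select-Object UserName, ComputerName, ActiveTime, ResourcesOpened |
    Format-Table -AutoSize

# Which shares those sessions have open, and how many files.
Get-WmiObject Win32_ServerConnection |
    Select-Object UserName, ComputerName, ShareName, NumberOfFiles |
    Format-Table -AutoSize

# The Server service (LanmanServer) is what serves file shares. If it is
# set to Automatic, the shares come back at every reboot regardless of the
# adapter-binding checkbox in the network connection properties.
$svc = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
"LanmanServer: state={0} startmode={1}" -f $svc.State, $svc.StartMode

if ($Disable) {
    # Stop it and keep it stopped across reboots. -Force also stops the
    # services that depend on it (Computer Browser, for one).
    Stop-Service LanmanServer -Force
    Set-Service LanmanServer -StartupType Disabled
    "LanmanServer stopped and disabled."
}
```

    Run it once before changing anything and keep the output; a session list that shows a machine name you do not own is worth far more than another antivirus scan, because it tells you the path in rather than the payload.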
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Am I right in assuming you do not wish for one of us to check your logs that you neglected to attach?

    If this is the case then I am going to move your post to the software forum. ;)

    Thanks.
     
  3. markem

    markem Private First Class

    Hmmmm....a second set of eyes on them might not be a bad idea. I have to run off to meet some people and won't be back until after midnight tonight. I'll see about re-running everything and posting the logs. Give me 24 hours. :)
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's cool. Chaslang's eyes are just fine, and the best pair here just so you know. You really should have followed up with him back in June. Never mind. Attach the logs and I'll see if I'm seeing anything to remove. :)
     
  5. markem

    markem Private First Class

    Ok. Just a quick "I'm on it" so you know I haven't forgotten this.

    On a side note: I just changed out our Dell Zeno for a WinBook tablet on our media stuff (ie: Movies, music, etc...) The Dell Zeno was a Windows XP Pro platform while the WinBook is a Windows 8.1 system. Anyway - in the past the hackers had gotten on to that system. Under Windows XP nothing weird showed up. But under Windows 8.1 a folder has popped up at the top of the disk drive. It is a bunch of random numbers. Inside of the folder/directory are two files. One is an archive and the other an application program. The owner of the directory and files was a long string of characters like 5-1-5-20-... The account owner was "Unknown". Since I use TightVNC for all of the computers here at the house, I'd have to say these were left-over files from the hacker since I have never made an archive with a "__p" extension. I'm making an archive of these files and then removing them. If anyone is interested in having a copy of them - let me know.

    Now off to finish making all of the logs for my computer and posting them. Be back in a few.
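    The "long string of characters" Explorer shows as the owner is a SID, and "Unknown" only means the local machine cannot map that SID to an account name. S-1-5-20 is the well-known SID for NT AUTHORITY\NETWORK SERVICE; S-1-5-21-...-<rid> is a local or domain account, and a SID from another machine or a deleted account will not resolve. Folders named with a random string at the root of a drive, holding an archive and an executable and owned by a service account, are also the normal footprint of a self-extracting package (DirectX redistributables and Windows Update payloads unpack that way). The following is an added example, not from the thread, that lists every top-level folder on a drive with its owner SID resolved to a name so that claim can be checked rather than guessed. PowerShell 2.0 or later and the C: drive are assumed.

```powershell
# Added example (not from the thread): list the owner of every top-level
# folder on a drive and resolve the owner SID to an account name.
# The drive letter is a parameter; C:\ is assumed as the default.
param([string]$Drive = 'C:\')

function Resolve-Sid {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Translate throws IdentityNotMappedException for SIDs the local
        # SAM or domain no longer knows (deleted accounts, SIDs from another
        # machine): that is exactly what Explorer displays as "Unknown".
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "<unresolved>"
    }
}

Get-ChildItem -Path $Drive -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    # Some folders (System Volume Information, for one) refuse to hand over
    # their ACL even to an administrator; skip those rather than abort.
    $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for the owner as a raw SID so both the SID and the resolved name
    # can be shown side by side.
    $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    New-Object PSObject -Property @{
        Folder   = $_.Name
        Created  = $_.CreationTime
        OwnerSid = $sid
        Owner    = Resolve-Sid $sid
    }
} | Sort-Object Created -Descending | Format-Table Folder, Created, OwnerSid, Owner -AutoSize
```

    Sorting by creation time puts the newest folders first, which is usually where an unexplained directory sits. A folder owned by NETWORK SERVICE or SYSTEM and created within minutes of a Windows Update or driver install is almost always that installer's scratch space; one owned by an unresolvable S-1-5-21 SID from a machine you do not own is the case worth keeping a copy of.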
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, I'll be floating about somewhere.
     
  7. markem

    markem Private First Class

    Finished helping someone else with a virus problem. Unfortunately, their XP Home computer crashed also. Had to do a low-level reformat. Now XP Home is refusing a perfectly good product key. I even called Microsoft earlier, gave them the key and they said it was ok. So something is definitely wrong with their computer.

    On my end of things - Malwarebytes is going to take a while to run. I forgot that I have four 2TB disk drives. So it is going to take a while for it to finish. :-( Maybe in a day or two?

    So far - Defogger to stop all virtual drives (AnyDVD and AlcoholSoft). Have log.
    RogueKiller - Have log
    (BTW: RogueKiller says my explorer.exe was pointing to a DLL program. Wasn't a few days ago - but now it is. :-(

    Waiting on Malwarebytes to finish.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok, just post what logs you have when the time comes. :)
     
  9. markem

    markem Private First Class

    SuperAntiSpyware ran last Sunday and got 40-some-odd malware. Malwarebytes just finished (see attached log) and it found something like 48 malwares. Going to the next step, but here are the Defogger, Malwarebytes and RogueKiller logs. This time RogueKiller found that explorer.exe was being redirected to a different location on the hard drive.

    Looks like I've got it bad bugsy. I don't think I'm gonna make it. :p
     

    Attached Files:

  10. markem

    markem Private First Class

    Here are the last two logs. HijackThis died when run.
     

    Attached Files:

  11. markem

    markem Private First Class

    Here is the HiJackThis log. I downloaded and ran it.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not seeing much at all...



    Fix item using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this detection:

    • [PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Found

    Place a checkmark next to this item, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Could you please get this: 22483B03.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip
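    Two of the findings in this thread are registry values rather than files: the "explorer.exe redirected" detection in post 9 and the [PUM.Desktop] DisableSR entry above. Both are worth reading directly, because a scanner only reports that a value differs from stock, not whether you set it yourself. The following is an added example, not from the thread and not a RogueKiller feature; it reads the Winlogon Shell and Userinit values and the Image File Execution Options entry for explorer.exe (the usual places a process redirection is installed, though not necessarily the one RogueKiller flagged here), plus DisableSR in both the SystemRestore key and the matching policy key, and compares each to its stock value. PowerShell 2.0 or later and an elevated prompt are assumed; the -FixSystemRestore switch is this script's own. Note that the poster disabled System Restore deliberately (post 13), so for him the DisableSR line is expected to differ and should be left alone.

```powershell
# Added example (not from the thread): compare the registry locations behind
# a process redirection and the DisableSR PUM against their stock values.
# -FixSystemRestore is this script's own switch, not a RogueKiller option.
param([switch]$FixSystemRestore)

# Returns the value, or $null if the value or its key does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$sr       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$sys32    = Join-Path $env:SystemRoot 'system32'

$checks = @(
    # Shell and Userinit are the two Winlogon values malware edits to run
    # before, or instead of, the desktop. Stock: Shell = explorer.exe and
    # Userinit = <system32>\userinit.exe, (the trailing comma is stock too).
    @{ Name = 'Winlogon\Shell';    Actual = Get-RegValue $winlogon 'Shell';    Expected = 'explorer.exe' },
    @{ Name = 'Winlogon\Userinit'; Actual = Get-RegValue $winlogon 'Userinit'; Expected = "$sys32\userinit.exe," },
    # An IFEO Debugger value makes Windows start that program whenever
    # explorer.exe is launched. It should not exist at all.
    @{ Name = 'IFEO\explorer.exe\Debugger'; Actual = Get-RegValue $ifeo 'Debugger'; Expected = $null },
    # DisableSR = 1 turns System Restore off. Ransomware and rootkits set it,
    # which is why scanners call it a PUM, but an administrator can set it
    # too. Absent and 0 are both stock, so $null is normalised to 0.
    @{ Name = 'SystemRestore\DisableSR';          Actual = [int](Get-RegValue $sr 'DisableSR');       Expected = 0 },
    @{ Name = 'Policies\SystemRestore\DisableSR'; Actual = [int](Get-RegValue $srPolicy 'DisableSR'); Expected = 0 }
)

foreach ($c in $checks) {
    # String comparison in PowerShell is case-insensitive, so C:\WINDOWS on
    # XP and C:\Windows on later releases both match.
    $status = if ([string]$c.Actual -eq [string]$c.Expected) { 'ok' } else { 'DIFFERS' }
    "{0,-38} {1,-8} actual={2} expected={3}" -f $c.Name, $status, $c.Actual, $c.Expected
}

if ($FixSystemRestore) {
    # Only revert DisableSR; a Shell/Userinit/IFEO difference means the
    # binary it points at needs to be looked at before the value is touched.
    foreach ($p in @($sr, $srPolicy)) {
        if ([int](Get-RegValue $p 'DisableSR') -ne 0) {
            Set-ItemProperty -Path $p -Name 'DisableSR' -Value 0 -Type DWord
            "Set DisableSR=0 in $p"
        }
    }
}
```

    A DIFFERS on the Shell, Userinit or Debugger line gives you a path; copy that file out (zipped, as the instructions above ask for the .sys) before letting any tool delete the value, because the binary is the evidence of what was actually running.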
     
  13. markem

    markem Private First Class

    Ok. This time RogueKiller found several PUPs. I did NOT delete them though. Here is the file and RK log for you. :)

    By the way - I disabled the System Restore. The reason I did this was because a few years ago I had a hacker or virus come through and it infected the System Restore files so it came back with every restore. Now I do my own system restore points on an external disk drive (WinZIP archives). Not that that is any safer - but I like the fact that I can run anti-everything on the zip files and see if there is anything in the backups. That is to say - I like doing it that way better. :)
     

    Attached Files:

  14. markem

    markem Private First Class

    Hey! I just found two files I never made. These were in c:\Documents and Settings. One of them is called SUPPORT_.... Since I never let anyone onto my systems - this is a bit interesting. Thought you might want to see them.
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The file I asked about relates to Malwarebytes.
    The files you attached relate to directx.
    Not seeing anything to do here in this forum.
     
  16. markem

    markem Private First Class

    Well - that is a relief. So I will remove the PUPs, RogueKiller reset explorer. I'm working on a program that will show me disk activity so I can more readily tell when and what time people were using my system. Since I go to bed around 1:00am-2:00am I'm hoping to find out days when a lot of early morning usage was done and which files were changed during that time. Hoping to narrow down the times and files the hackers were messing around with.

    Thanks for looking to see if they planted something on my system that was malware related. I greatly appreciate it. :)

    I am thinking this thread can be closed now. Thanks again! :)
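    The program the poster describes wanting, a listing of which files changed in the hours when nobody was at the keyboard, is a few lines of PowerShell. The following is an added example, not the poster's own program; it walks a path, keeps the files whose last write falls inside a daily window (02:00 to 09:00 is assumed, from the bedtime mentioned above), and groups them by day so a night with an unusual burst of writes stands out. Path, window and look-back period are parameters assumed by this script. One caveat a practitioner would want: file timestamps are trivially settable by whoever is on the box, so this is a triage view, not a record; the Security event log's logon events (IDs 528 and 540 on XP, 4624 on Vista and later, if logon auditing is enabled) are the direct answer to "when was someone on my system".

```powershell
# Added example (not from the thread): list files whose last write time
# falls inside a daily time window, grouped by day. Defaults are assumed.
param(
    [string]$Path = 'C:\',
    [int]$StartHour = 2,     # window start, inclusive (02:00)
    [int]$EndHour = 9,       # window end, exclusive   (09:00)
    [int]$Days = 30          # how far back to look
)

$since = (Get-Date).AddDays(-$Days)

function Get-NightlyChanges {
    param([string]$Root, [int]$From, [int]$To, [datetime]$Since)
    # -Force includes hidden and system files; access-denied directories
    # are skipped silently rather than aborting the whole walk.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since } |
        Where-Object {
            $h = $_.LastWriteTime.Hour
            $h -ge $From -and $h -lt $To
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

$hits = Get-NightlyChanges -Root $Path -From $StartHour -To $EndHour -Since $since

# One line per day with the count. A day with hundreds of writes when
# nobody was up is the thing to dig into; a handful of files under the
# antivirus or Windows Update directories is normal overnight background
# activity (scheduled scans and updates run at exactly these hours).
$hits | Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    ForEach-Object { "{0}  {1,6} files" -f $_.Name, $_.Count }

# Then the detail, oldest first, so a sequence of writes reads as a timeline.
$hits | Sort-Object LastWriteTime |
    Format-Table LastWriteTime, Length, FullName -AutoSize
```

    On a machine with four 2TB drives the recursive walk is slow; point -Path at the user profile and the Windows directory first, which is where both malware and legitimate overnight jobs write, and widen from there only if those come up clean.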
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you already remove PUPs with RogueKiller? I forgot to say be careful; I'd like to see a log first of what exactly it's labelling as a PUP...
     
  18. markem

    markem Private First Class

    No. You said to leave everything else alone. They should be in the RogueKiller log. Or do I need just a regular scan->save log? Let me know. Thanks! :)
     
  19. markem

    markem Private First Class

    Here is the RogueKiller Log.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can indeed have RK remove these:
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{03F14321-8FED-4CBC-B01A-4B57FC199062} -> Not selected
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{2C6F7E96-73BC-47A5-9F51-B67F0BAFE24D} -> Not selected
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD} -> Not selected
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{4C58EB04-7B72-4D3D-A36E-66167A99BC31} -> Not selected
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{4EE0B011-604C-47F3-8F2B-39F79640B85E} -> Not selected
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} -> Not selected
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468} ->
     
  21. markem

    markem Private First Class

    Ok. I think I have that malware that makes random things double underscored. At first I thought it was MajorGeeks but then I remembered that I got rid of that malware about four months ago. Must be back again. That is what is installing the PUPs. Grrrrrr hate hackers because they always install things you really just don't need or want. :-/
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try an ad blocker. ;)

    When you rescan with RogueKiller do those entries reappear?
     
  23. markem

    markem Private First Class

    Yes. HitmanPro is the only thing I know of to get rid of the Conduit virus/malware. Conduit is showing up in HitmanPro. No other anti-virus or anti-malware program that I know of knows how to get rid of Conduit. I went ahead and bought a 1 year license and got rid of Conduit. I'll have to get out and back in to Firefox before it will be cleaned properly.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Attach a new log from RogueKiller then please.
     
  25. markem

    markem Private First Class

    Done.
     

    Attached Files:

  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK that shows no bad entries. Re run Hitman please and attach log.
     
  27. markem

    markem Private First Class

    BTW: I really like your avatar. Self Picture? Or from some game/movie?

    Onwards: Here is the log. ads.yahoo.com seems to be popping up over and over. My copy of SuperAntiSpyware started up on its own. I'll see if I can't get it to post me a log I can send you when it finishes. Should I run Malwarebytes again also and post its log as well? Let me know.
     

    Attached Files:

  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    I just grabbed it off the net a few years ago. I'll include a copy of it for you in my reply.

    Not sure that's a malware issue.

    Yes attach the log. :)

    Re-run Malwarebytes also and attach that log.
     

    Attached Files:

  29. markem

    markem Private First Class

    Ok. :) Thanks for the image. It is interesting and disturbing at the same time. Took a nasty fall yesterday. Went to a friend's house for a party. They had this great dragon blow-up in their yard. Unfortunately, I didn't see the guy wires helping to keep it in place. Next thing I know - face down in the grass. Nice new knot on my head. :)

    SuperAntiSpyware does not - as far as I can tell - allow you to create a log file. Well, it will create one but it immediately sends it to SuperAntiSpyware and then deletes the file. :-( I'll investigate further today after I get something to eat and go to Sam's and see if the optometrist can unbend my glasses so more than one eye can look through them at once.

    I'm re-running malwarebytes but it will probably take a day (or several hours) before I get the log again. :)

    Off to get something to eat.
     
  30. markem

    markem Private First Class

    Malwarebytes died. I think it was trying to look at one of my multi-gigabyte archives. I'll post more once I see the debug information.
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    With SUPERantispyware you should ensure that "save logs of scan results" is check marked and also that "save clean scan logs" is checked. That way you shouldn't have any problem attaching a log for us.
     

    Attached Files:

  32. markem

    markem Private First Class

    Ah! I found where it has the scan logs! I was looking for the settings you posted about (SAS updated their interface over the summer and I never sat down and found out where all of the various parts of it were. The new interface only has six buttons and none of them say "settings". Only the pop-up menu in the system tray now says "settings". Oh well. I should have just started clicking buttons to see what they do like I usually do. Just too busy working a 60 hour work week and then helping others over the weekend.)

    Oh well. Malwarebytes says there aren't any threats. I'm including the last two scans SAS did (it keeps them for 30 days). I decided to run SAS again and it already says there is one (1) threat found. It is the ads.yahoo.com again but it has a few hours to go.

    The ads.yahoo.com is disturbing because I always make sure to not allow anything to install (like the Yahoo! toolbar). I always go through the custom install options, etc.... But more importantly - If SAS is finding these things and everyone else is reporting everything that would put these in are gone - then where are they coming from?

    This past week the only places I have gone to are: www.majorgeeks.com, www.sim1.us (my home page), and www.sim-i.com (by SMF BBS). There aren't any ads on my sites and I don't think Major Geeks would have anything like that. The only e-mails I have been getting are from Toshiba because I bought a new laptop for my wife a few months ago and they required you to register with them. >I< am running a Dell. So I'm pretty sure these are genuine Toshiba messages.

    Ah! SAS just jumped up to 26 threats. I am going to have to go look at these locations it is giving and see if they are actually removed. Anyway - here are the three logs: Malwarebytes, and two older SAS logs. I'll post the current log once it is through scanning.
     

    Attached Files:

  33. markem

    markem Private First Class

    Here is the new SAS log. I downloaded SQLite. It doesn't have to be installed. I wanted to make sure that SAS was getting rid of the malware/spyware stuff from Firefox's cookies. It actually is. So something is putting them back. Unknown what. Bed time. I think I posted I tripped over a guy wire last night. Still have a knot on my head but greatly reduced. Slept most of today away letting my body heal. Still need more sleep though. Later! :)
     

    Attached Files:

  34. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good morning.

    Malwarebytes found nothing. SUPERAntiSpyware is only finding cookies, which are not problems. They are a natural part of surfing. Ready for final steps?
     
  35. markem

    markem Private First Class

    Sure. But I am still getting those double underscore links. Like I said before - only going to Major Geeks and my websites presently. Including a snapshot of your last post to show what I mean. But otherwise - yep.
     

    Attached Files:

  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not a malware problem. These are just mouse over ads that popup when your mouse moves over various underlined keywords. Many websites, including Major Geeks, use these as a source of revenue to help offset costs of running a free website and forums like this.
     
  37. markem

    markem Private First Class

    Ah. So Major Geeks is probably sticking them back on again as fast as I take them off. Got it. Ok - time for final farewells. Thank you very much for taking the time to look at my problems. Since these are all minor issues now - time for me to move on and let you fight the good fight for someone else.

    You know - I used to do this a lot myself (help others) in the 1980s via Usenet and the 1990s but now that I am nearing 60 I've had to concentrate more on just programming and not helping. Maybe when I retire (if I live that long) I can go back and read up on some things and help out more. Right now though - way too many things to deal with.

    So I really do appreciate your looking at my problems. Thanks again!
     
