Just caught someone hacking my computer?

TeamViewer was up and someone had control of my computer. They had tabs open for my banking and OcUK, PayPal, you name it.

How was this possible?
I don't ever remember installing TeamViewer either?

I have the TeamViewer log if anyone can see anything off that to help?
 
Malwarebytes found this lot:

[two screenshots of the Malwarebytes scan results]
 
Main PC has been wiped.
Just working through all my passwords now and setting up the two-step verification.
Router has been reset too.

It looks like only my PC was hacked. The lad has a PC and his looks fine, but I will wipe it too.
 
2017/11/27 20:45:51.329 4024 5244 S0 CBackupController::IsManagedDeviceChanged(): Machine is not a managed device anymore
2017/11/27 20:45:51.329 4024 5244 S0 Activating Router carrier
2017/11/27 20:45:51.337 4024 5244 S0 BonjourDiscoveryWin::DNSServiceHandleEvents: Reloading interfaces.
2017/11/27 20:45:51.362 4024 5244 S0 CToken::GetSystemToken() set session 1
2017/11/27 20:45:51.365 4024 5244 S0 InterProcessNetwork: Loader process started, pid = 4112
2017/11/27 20:45:51.369 4024 5244 S0 CToken::GetSystemToken() set session 1
2017/11/27 20:45:51.372 4024 5244 S0 InterProcessNetwork: Loader process started, pid = 4816
2017/11/27 20:45:51.428 4024 5244 S0 NetWatchdog: Ping successful! Port: 5938
2017/11/27 20:45:51.430 4024 5252 S0 CKeepAliveClientClient::HandlePing(): success
2017/11/27 20:45:51.430 4024 5252 S0 Non-Commercial use
2017/11/27 20:45:51.430 4024 5252 S0 Resource-Language: en
2017/11/27 20:45:51.430 4024 5252 S0 Activating Router carrier
2017/11/27 20:45:51.430 4024 5252 S0 CProcessCommandHandlerMasterConnect[2]::CreateMasterConnect(): master5.teamviewer.com:5938, Connection 2, proxy=''



Start: 2017/11/27 20:45:51.430 (UTC)
Version: 12.0.78716
ID: 215340260
Loglevel: Info (100)
License: 10000
Server: master5.teamviewer.com
IC: 336597982
CPU: Intel64 Family 6 Model 44 Stepping 2, GenuineIntel
CPU extensions: p8
OS: Win_10.0.15063_W (64-bit)
IP: 192.168.1.93
MID: v0000000000000000000000241d7fc0f700241d7fc10725fb9e307bccdab18c7979ffaca7f218<~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~0dd0c5b4e712d7cef7750d93b4e6b006
MIDv: 2
Proxy-Settings: Type=1 IP= User=
IE: 11.726.15063.0
AppPath: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
UserAccount: SYSTEM
 
Seems there were some logins earlier that day too:

2017/11/28 12:31:27.279 5080 8816 S0 NetWatchdog: Internet is now connected
2017/11/28 12:31:27.279 5080 5696 S0 CKeepAliveClientClient::HandleStartKeepAlive: doing nothing, online state = 0
2017/11/28 12:31:27.279 5080 5648 S0 RemoteSettingsMDRelationshipWatchDog: DEVICE ISN'T A MANAGED DEVICE
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore: Cleanup all policies.
2017/11/28 12:31:27.279 5080 5648 S0 RemoteSettingsStoreListener: Establish connection.
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_TVClientSetting_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_Antivirus_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_Backup_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_RemoteManagement_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsMDRelationshipWatchDog: DEVICE ISN'T A MANAGED DEVICE
2017/11/28 12:31:27.279 5080 5648 S0 Using IPC-Port 5939
2017/11/28 12:31:27.279 5080 5648 S0 SHMR: Initializing shared memory.
2017/11/28 12:31:27.279 5080 5648 S0 UpdateOnlineState newOnlineValue 0
2017/11/28 12:31:27.482 5080 5648 S0 CTerminalServer::RepeatedlyCheckForUserLogin() Don't start GUI for session 1
2017/11/28 12:31:27.482 5080 5648 S0 ApiServer::IsApiInstalled: The API is not registered with Windows.
2017/11/28 14:26:23.214 5080 5692 S0 CAcceptServer::HandleAccept: new connection from 127.0.0.1:57130
2017/11/28 14:26:23.214 5080 5696 S0!!!IpcStructParser::ParseIpcStruct() Received wrong data size=790, expected 8. Dump:
0000 16 03 01 00 9c 01 00 00 98 03 03 dc 82 8b ce 0d ................
0010 33 15 92 0f f1 b1 b5 89 11 d3 16 60 a6 f4 75 0e 3..........`..u.
0020 77 69 3a a7 76 a8 f3 70 d2 d7 4d 00 00 1c da da wi:.v..p..M.....
0030 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 .+./.,.0........
0040 00 9c 00 9d 00 2f 00 35 00 0a 01 00 00 53 8a 8a ...../.5.....S..
0050 00 00 ff 01 00 01 00 00 17 00 00 00 23 00 00 00 ............#...
0060 0d 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 ................
0070 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 ................
0080 00 12 00 00 75 50 00 00 00 0b 00 02 01 00 00 0a ....uP..........
0090 00 0a 00 08 8a 8a 00 1d 00 17 00 18 ca ca 00 01 ................
00a0 00 .

2017/11/28 14:26:23.214 5080 5696 S0 CTcpProcessConnector::CloseConnection(): PID=0
2017/11/28 14:26:23.214 5080 5696 S0 UpdateOnlineState newOnlineValue 0
2017/11/28 14:26:23.214 5080 5692 S0 CTcpProcessConnector::HandleRead(): Connection broken (PID=0, Error=10058)
2017/11/28 14:26:23.214 5080 5692 S0 CTcpProcessConnector::CloseConnection(): PID=0
2017/11/28 14:30:32.992 5080 5692 S0 CAcceptServer::HandleAccept: new connection from 127.0.0.1:57451
2017/11/28 14:30:32.992 5080 5696 S0!!!IpcStructParser::ParseIpcStruct() Received wrong data size=790, expected 8. Dump:
0000 16 03 01 00 9c 01 00 00 98 03 03 12 e1 f6 a3 88 ................
0010 2f 15 e1 9e a6 2c a0 09 4f df 1d 1b d0 9a 70 c9 /....,..O.....p.
0020 73 6d 0c bd 78 25 f4 7a 15 bd e6 00 00 1c 1a 1a sm..x%.z........
0030 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 .+./.,.0........
0040 00 9c 00 9d 00 2f 00 35 00 0a 01 00 00 53 fa fa ...../.5.....S..
0050 00 00 ff 01 00 01 00 00 17 00 00 00 23 00 00 00 ............#...
0060 0d 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 ................
0070 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 ................
0080 00 12 00 00 75 50 00 00 00 0b 00 02 01 00 00 0a ....uP..........
0090 00 0a 00 08 ea ea 00 1d 00 17 00 18 aa aa 00 01 ................
00a0 00 .

2017/11/28 14:30:32.992 5080 5696 S0 CTcpProcessConnector::CloseConnection(): PID=0
2017/11/28 14:30:32.992 5080 5696 S0 UpdateOnlineState newOnlineValue 0
2017/11/28 14:30:32.992 5080 5692 S0 CTcpProcessConnector::HandleRead(): Connection broken (PID=0, Error=10058)
2017/11/28 14:30:32.992 5080 5692 S0 CTcpProcessConnector::CloseConnection(): PID=0
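The two `IpcStructParser::ParseIpcStruct() Received wrong data size=790, expected 8` entries above are the TeamViewer service's local IPC listener (port 5939, per the `Using IPC-Port 5939` line) receiving bytes from 127.0.0.1 that it could not parse as its 8-byte IPC header, and dumping the start of them. Before treating those entries as evidence of the intruder, it is worth decoding what was actually sent. The script below is an added example, not code from the thread or from TeamViewer: it parses the hex-dump format the log uses and walks the bytes as a TLS record. The dump lines are copied from the two log entries above; the decoder assumes the log only wrote the first 161 bytes of the 790 received (one complete TLS record is present), and the extension-name table covers only the types that appear in these dumps.

```python
"""Decode the hex dumps TeamViewer logged for unexpected data on its IPC port."""
import re

# Copied from the two IpcStructParser::ParseIpcStruct() entries in the log above.
LOG_DUMPS = {
    "2017/11/28 14:26:23": """\
0000 16 03 01 00 9c 01 00 00 98 03 03 dc 82 8b ce 0d ................
0010 33 15 92 0f f1 b1 b5 89 11 d3 16 60 a6 f4 75 0e 3..........`..u.
0020 77 69 3a a7 76 a8 f3 70 d2 d7 4d 00 00 1c da da wi:.v..p..M.....
0030 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 .+./.,.0........
0040 00 9c 00 9d 00 2f 00 35 00 0a 01 00 00 53 8a 8a ...../.5.....S..
0050 00 00 ff 01 00 01 00 00 17 00 00 00 23 00 00 00 ............#...
0060 0d 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 ................
0070 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 ................
0080 00 12 00 00 75 50 00 00 00 0b 00 02 01 00 00 0a ....uP..........
0090 00 0a 00 08 8a 8a 00 1d 00 17 00 18 ca ca 00 01 ................
00a0 00 .
""",
    "2017/11/28 14:30:32": """\
0000 16 03 01 00 9c 01 00 00 98 03 03 12 e1 f6 a3 88 ................
0010 2f 15 e1 9e a6 2c a0 09 4f df 1d 1b d0 9a 70 c9 /....,..O.....p.
0020 73 6d 0c bd 78 25 f4 7a 15 bd e6 00 00 1c 1a 1a sm..x%.z........
0030 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 .+./.,.0........
0040 00 9c 00 9d 00 2f 00 35 00 0a 01 00 00 53 fa fa ...../.5.....S..
0050 00 00 ff 01 00 01 00 00 17 00 00 00 23 00 00 00 ............#...
0060 0d 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 ................
0070 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 ................
0080 00 12 00 00 75 50 00 00 00 0b 00 02 01 00 00 0a ....uP..........
0090 00 0a 00 08 ea ea 00 1d 00 17 00 18 aa aa 00 01 ................
00a0 00 .
""",
}

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Browsers pick them at random
# per handshake, so they differ between the two dumps while the structure stays fixed.
GREASE = {(b << 8) | b for b in range(0x0a, 0x100, 0x10)}

# Extension types seen in these dumps (IANA TLS ExtensionType registry).
EXT_NAMES = {
    0x0005: "status_request", 0x000a: "supported_groups", 0x000b: "ec_point_formats",
    0x000d: "signature_algorithms", 0x0012: "signed_certificate_timestamp",
    0x0017: "extended_master_secret", 0x0023: "session_ticket",
    0x7550: "channel_id (Chromium-only)", 0xff01: "renegotiation_info",
}


def parse_dump(text: str) -> bytes:
    """Turn '<offset> <up to 16 hex bytes> <ascii>' lines back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r"[0-9a-f]{4}", parts[0]):
            continue
        for tok in parts[1:17]:          # at most 16 data bytes per line
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break                    # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def parse_client_hello(data: bytes) -> dict:
    """Walk one TLS record and return the ClientHello fields (pre-1.3 wire layout)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError(f"truncated record: {len(body)} of {rec_len} bytes")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                                  # skip the 32-byte client random
    pos += 1 + hello[pos]                         # session id (length-prefixed)
    cs_len = int.from_bytes(hello[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # compression methods
    ext_len = int.from_bytes(hello[pos:pos + 2], "big"); pos += 2
    end = pos + ext_len
    extensions = []
    while pos + 4 <= end:
        etype = int.from_bytes(hello[pos:pos + 2], "big")
        elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
        extensions.append((etype, hello[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    if pos != end:
        raise ValueError("extension block length mismatch")
    return {"record_version": (data[1], data[2]), "client_version": client_version,
            "cipher_suites": suites, "extensions": extensions}


def summarize(dump_text: str) -> dict:
    """Decode one log dump and pull out the facts a responder cares about."""
    raw = parse_dump(dump_text)
    hello = parse_client_hello(raw)
    ext_types = [t for t, _ in hello["extensions"]]
    groups_ext = next((v for t, v in hello["extensions"] if t == 0x000a), b"")
    groups = [int.from_bytes(groups_ext[i:i + 2], "big") for i in range(2, len(groups_ext), 2)]
    return {
        "bytes_dumped": len(raw),
        "record_version": hello["record_version"],
        "client_version": hello["client_version"],
        "cipher_suite_count": len(hello["cipher_suites"]),
        "grease_suites": [s for s in hello["cipher_suites"] if s in GREASE],
        "extension_types": ext_types,
        "extension_names": [EXT_NAMES.get(t, f"unknown_0x{t:04x}") for t in ext_types],
        "grease_extensions": [t for t in ext_types if t in GREASE],
        "grease_groups": [g for g in groups if g in GREASE],
        # GREASE values plus the Chromium-only Channel ID extension (0x7550) are the
        # fingerprint of a Chromium-based browser's ClientHello, not of TeamViewer IPC.
        "chromium_like": bool(set(ext_types) & GREASE) and 0x7550 in ext_types,
    }


if __name__ == "__main__":
    for stamp, dump in LOG_DUMPS.items():
        print(stamp, summarize(dump))
```

Both dumps decode to a TLS 1.2 ClientHello (record version 3.1, client version 3.3) with the same 14 cipher suites and 11 extensions, GREASE values in the suite list, extension list and supported groups that change between the two connections, and the Channel ID extension. That is what a Chromium-based browser on the same machine sends when a tab opens a connection to 127.0.0.1:5939; the service rejected it because it expected an 8-byte IPC header. The decode says nothing about who was driving that browser, so the session to reconstruct for the actual remote-control event is the 27 Nov 20:45 activity in the first log, and the check above is simply what to run before counting these two entries as a further login.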
 
Finding out how you've been compromised will likely be mission impossible; you might even have been hacked directly. All you can really do is use a clean computer to change all of your passwords and nuke the infected one. Try to be more careful with what you install in the future, keep software up to date, etc. I'd also update your router firmware and change Wi-Fi passwords, just to rule out a neighbour hijacking your network.

Yeah, done all of that above except for the router firmware. Been racking my brains as to where it came from, but no idea. Maybe a torrent.
 