Just caught someone hacking my computer?

Main PC has been wiped.
Just working through all my passwords now and setting up the 2-stage verification.
Router has been reset too.

It looks like only my PC was hacked; the lad has a PC and his looks fine, but I will wipe it too.
 
I have the TeamViewer log, if anyone can see anything off that to help?
(Could have been falsified) but did the log not show a timeline for when it started, and when TeamViewer got installed?

Common infection method
PUP.Optional.Mindspark is usually installed by the users themselves, who may be prompted by exaggerated promises of functionality. It provides toolbars and MyWay start pages claiming to offer sweepstakes, app emoticons, and helpful tools for user hobbies and interests.
Avoidance advice:
Be vigilant when installing third-party applications.
  • Do some online checking before you decide to install any helpful toolbars and browser extensions.
  • Carefully reading the EULA and Privacy Policy, however tedious, can also help prevent unwanted consequences.
  • Read up on how to avoid potentially unwanted programs.
..
In the usual situation, PUP.Optional.ArcadeFrontier.A is bundled with freeware or shareware applications. In fact, there may be other unwanted programs packed with the main software that users chose to obtain. Authors behind malicious programs utilize a pay-per-install scheme to deploy their products over the Internet.

There are also instances where malware is used to deploy PUP.Optional.ArcadeFrontier.A. In this case, the threat can be acquired when visiting malicious web pages, downloading compromised files, or using file-sharing apps. Links from spam emails and social media sites are also a medium used by attackers to spread PUP.Optional.ArcadeFrontier.A.
 
I used to use TeamViewer but had an unknown IP address log into one of the machines that was running it.

I asked TV how this could happen and they said I must have given that IP address access, which I didn't. It was clearly an unknown IP, and as it was accessed in the early hours it was fairly obvious TV had allowed access.

TV pretty much stuck to "I must have done it, not TV", so I gave up with them and stopped using it.
 
2017/11/27 20:45:51.329 4024 5244 S0 CBackupController::IsManagedDeviceChanged(): Machine is not a managed device anymore
2017/11/27 20:45:51.329 4024 5244 S0 Activating Router carrier
2017/11/27 20:45:51.337 4024 5244 S0 BonjourDiscoveryWin::DNSServiceHandleEvents: Reloading interfaces.
2017/11/27 20:45:51.362 4024 5244 S0 CToken::GetSystemToken() set session 1
2017/11/27 20:45:51.365 4024 5244 S0 InterProcessNetwork: Loader process started, pid = 4112
2017/11/27 20:45:51.369 4024 5244 S0 CToken::GetSystemToken() set session 1
2017/11/27 20:45:51.372 4024 5244 S0 InterProcessNetwork: Loader process started, pid = 4816
2017/11/27 20:45:51.428 4024 5244 S0 NetWatchdog: Ping successful! Port: 5938
2017/11/27 20:45:51.430 4024 5252 S0 CKeepAliveClientClient::HandlePing(): success
2017/11/27 20:45:51.430 4024 5252 S0 Non-Commercial use
2017/11/27 20:45:51.430 4024 5252 S0 Resource-Language: en
2017/11/27 20:45:51.430 4024 5252 S0 Activating Router carrier
2017/11/27 20:45:51.430 4024 5252 S0 CProcessCommandHandlerMasterConnect[2]::CreateMasterConnect(): master5.teamviewer.com:5938, Connection 2, proxy=''
Start: 2017/11/27 20:45:51.430 (UTC)
Version: 12.0.78716
ID: 215340260
Loglevel: Info (100)
License: 10000
Server: master5.teamviewer.com
IC: 336597982
CPU: Intel64 Family 6 Model 44 Stepping 2, GenuineIntel
CPU extensions: p8
OS: Win_10.0.15063_W (64-bit)
IP: 192.168.1.93
MID: v0000000000000000000000241d7fc0f700241d7fc10725fb9e307bccdab18c7979ffaca7f218<~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~0dd0c5b4e712d7cef7750d93b4e6b006
MIDv: 2
Proxy-Settings: Type=1 IP= User=
IE: 11.726.15063.0
AppPath: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
UserAccount: SYSTEM
 
That log seems to be just the session you interrupted.

The date on C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe may be more significant?

Most of the info here suggests an email attachment may have been responsible.
 
Seems there were some logins earlier that day too.

2017/11/28 12:31:27.279 5080 8816 S0 NetWatchdog: Internet is now connected
2017/11/28 12:31:27.279 5080 5696 S0 CKeepAliveClientClient::HandleStartKeepAlive: doing nothing, online state = 0
2017/11/28 12:31:27.279 5080 5648 S0 RemoteSettingsMDRelationshipWatchDog: DEVICE ISN'T A MANAGED DEVICE
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore: Cleanup all policies.
2017/11/28 12:31:27.279 5080 5648 S0 RemoteSettingsStoreListener: Establish connection.
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_TVClientSetting_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_Antivirus_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_Backup_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsStore::LoadLastReceivedPolicies : Storage Entry Remote_Settings_RemoteManagement_Policy empty
2017/11/28 12:31:27.279 5080 8828 S0 RemoteSettingsMDRelationshipWatchDog: DEVICE ISN'T A MANAGED DEVICE
2017/11/28 12:31:27.279 5080 5648 S0 Using IPC-Port 5939
2017/11/28 12:31:27.279 5080 5648 S0 SHMR: Initializing shared memory.
2017/11/28 12:31:27.279 5080 5648 S0 UpdateOnlineState newOnlineValue 0
2017/11/28 12:31:27.482 5080 5648 S0 CTerminalServer::RepeatedlyCheckForUserLogin() Don't start GUI for session 1
2017/11/28 12:31:27.482 5080 5648 S0 ApiServer::IsApiInstalled: The API is not registered with Windows.
2017/11/28 14:26:23.214 5080 5692 S0 CAcceptServer::HandleAccept: new connection from 127.0.0.1:57130
2017/11/28 14:26:23.214 5080 5696 S0!!!IpcStructParser::ParseIpcStruct() Received wrong data size=790, expected 8. Dump:
0000 16 03 01 00 9c 01 00 00 98 03 03 dc 82 8b ce 0d ................
0010 33 15 92 0f f1 b1 b5 89 11 d3 16 60 a6 f4 75 0e 3..........`..u.
0020 77 69 3a a7 76 a8 f3 70 d2 d7 4d 00 00 1c da da wi:.v..p..M.....
0030 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 .+./.,.0........
0040 00 9c 00 9d 00 2f 00 35 00 0a 01 00 00 53 8a 8a ...../.5.....S..
0050 00 00 ff 01 00 01 00 00 17 00 00 00 23 00 00 00 ............#...
0060 0d 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 ................
0070 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 ................
0080 00 12 00 00 75 50 00 00 00 0b 00 02 01 00 00 0a ....uP..........
0090 00 0a 00 08 8a 8a 00 1d 00 17 00 18 ca ca 00 01 ................
00a0 00 .

2017/11/28 14:26:23.214 5080 5696 S0 CTcpProcessConnector::CloseConnection(): PID=0
2017/11/28 14:26:23.214 5080 5696 S0 UpdateOnlineState newOnlineValue 0
2017/11/28 14:26:23.214 5080 5692 S0 CTcpProcessConnector::HandleRead(): Connection broken (PID=0, Error=10058)
2017/11/28 14:26:23.214 5080 5692 S0 CTcpProcessConnector::CloseConnection(): PID=0
2017/11/28 14:30:32.992 5080 5692 S0 CAcceptServer::HandleAccept: new connection from 127.0.0.1:57451
2017/11/28 14:30:32.992 5080 5696 S0!!!IpcStructParser::ParseIpcStruct() Received wrong data size=790, expected 8. Dump:
0000 16 03 01 00 9c 01 00 00 98 03 03 12 e1 f6 a3 88 ................
0010 2f 15 e1 9e a6 2c a0 09 4f df 1d 1b d0 9a 70 c9 /....,..O.....p.
0020 73 6d 0c bd 78 25 f4 7a 15 bd e6 00 00 1c 1a 1a sm..x%.z........
0030 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 .+./.,.0........
0040 00 9c 00 9d 00 2f 00 35 00 0a 01 00 00 53 fa fa ...../.5.....S..
0050 00 00 ff 01 00 01 00 00 17 00 00 00 23 00 00 00 ............#...
0060 0d 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 ................
0070 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 ................
0080 00 12 00 00 75 50 00 00 00 0b 00 02 01 00 00 0a ....uP..........
0090 00 0a 00 08 ea ea 00 1d 00 17 00 18 aa aa 00 01 ................
00a0 00 .

2017/11/28 14:30:32.992 5080 5696 S0 CTcpProcessConnector::CloseConnection(): PID=0
2017/11/28 14:30:32.992 5080 5696 S0 UpdateOnlineState newOnlineValue 0
2017/11/28 14:30:32.992 5080 5692 S0 CTcpProcessConnector::HandleRead(): Connection broken (PID=0, Error=10058)
2017/11/28 14:30:32.992 5080 5692 S0 CTcpProcessConnector::CloseConnection(): PID=0
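Added example, not part of any post in this thread and not TeamViewer's code: a short Python script that pulls the 127.0.0.1 connections out of the service log above and decodes the dump the IPC parser rejected. The dump bytes are copied from the 14:26:23 entry; the function names, the extension name table and the reading of the bytes are my own. What the bytes say is not in dispute: 0x16 at offset 0 is a TLS handshake record, 0x01 at offset 5 is a ClientHello, there is no server_name extension, and both the cipher-suite list and the extension list carry RFC 8701 GREASE values (da da, 8a 8a, ca ca) plus the 0x7550 channel_id extension, a pattern consistent with a Chromium-based browser on the same machine connecting to port 5939 (the IPC port from the 12:31:27 line) rather than a remote TeamViewer session. The 790 in "wrong data size=790" is just the first two record bytes 16 03 read as a little-endian integer (0x0316 = 790), which is why the 8-byte IPC header parser choked. The same line regex can be pointed at the 20:45:51 startup block earlier in the thread.

```python
# Added example for this thread (not TeamViewer's code): pull the 127.0.0.1 connections
# out of the posted TeamViewer_Service log and decode the dump its IPC parser rejected.
import re

# Constructed sample: the 14:26:23 connection and its dump, copied from the log posted above.
SAMPLE_LOG = """\
2017/11/28 14:26:23.214 5080 5692 S0 CAcceptServer::HandleAccept: new connection from 127.0.0.1:57130
2017/11/28 14:26:23.214 5080 5696 S0!!!IpcStructParser::ParseIpcStruct() Received wrong data size=790, expected 8. Dump:
0000 16 03 01 00 9c 01 00 00 98 03 03 dc 82 8b ce 0d ................
0010 33 15 92 0f f1 b1 b5 89 11 d3 16 60 a6 f4 75 0e 3..........`..u.
0020 77 69 3a a7 76 a8 f3 70 d2 d7 4d 00 00 1c da da wi:.v..p..M.....
0030 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 .+./.,.0........
0040 00 9c 00 9d 00 2f 00 35 00 0a 01 00 00 53 8a 8a ...../.5.....S..
0050 00 00 ff 01 00 01 00 00 17 00 00 00 23 00 00 00 ............#...
0060 0d 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 ................
0070 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 ................
0080 00 12 00 00 75 50 00 00 00 0b 00 02 01 00 00 0a ....uP..........
0090 00 0a 00 08 8a 8a 00 1d 00 17 00 18 ca ca 00 01 ................
00a0 00 .

2017/11/28 14:26:23.214 5080 5696 S0 CTcpProcessConnector::CloseConnection(): PID=0
"""

# "timestamp pid tid Sn", then "!!!" (TeamViewer's error marker) or spaces, then the message
LOG_LINE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (\d+)\s+(\d+) (S\d+)(!!!|\s+)(.*)$")
# IANA TLS extension numbers; 0x7550 is the channel_id extension Chromium/BoringSSL sends
EXT_NAMES = {0x0000: "server_name", 0x0005: "status_request", 0x000a: "supported_groups",
             0x000b: "ec_point_formats", 0x000d: "signature_algorithms", 0x0012: "sct",
             0x0017: "extended_master_secret", 0x0023: "session_ticket",
             0x7550: "channel_id", 0xff01: "renegotiation_info"}

def is_grease(v):
    """RFC 8701 GREASE values 0x0a0a, 0x1a1a, ..., 0xfafa (Chromium-style clients inject them)."""
    return (v & 0x0f0f) == 0x0a0a

def parse_hexdump(lines):
    """Rebuild bytes from 'offset, up to 16 hex bytes, ascii' rows (ascii column assumed never a bare hex pair)."""
    out = bytearray()
    for line in lines:
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-f]{4}", tokens[0]):
            continue
        for tok in tokens[1:17]:
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def decode_client_hello(data):
    """Parse one TLS record carrying a ClientHello (RFC 5246 layout); ValueError if it is not one."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    if 9 + hs_len > len(data):
        raise ValueError("truncated ClientHello")
    h = data[9:9 + hs_len]                     # handshake body after the 4-byte handshake header
    u16 = lambda off: int.from_bytes(h[off:off + 2], "big")
    pos = 2 + 32 + 1 + h[34]                   # skip client_version, random, session_id
    cs_len, pos = u16(pos), pos + 2
    suites = [u16(k) for k in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + h[pos]                          # skip compression methods
    ext_end, pos = pos + 2 + u16(pos), pos + 2
    exts = {}
    while pos + 4 <= ext_end:
        etype, elen = u16(pos), u16(pos + 2)
        exts[etype] = h[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return {"cipher_suites": suites, "extensions": exts,
            "grease": [v for v in suites + list(exts) if is_grease(v)]}

def ipc_connections(log_text):
    """One record per accepted IPC connection, with the rejected payload bytes when a dump follows."""
    lines, events, i = log_text.splitlines(), [], 0
    while i < len(lines):
        m = LOG_LINE.match(lines[i])
        if m:
            peer = re.search(r"new connection from (\S+)", m.group(6))
            size = re.search(r"wrong data size=(\d+).*Dump:$", m.group(6))
            if peer:
                events.append({"when": m.group(1), "peer": peer.group(1),
                               "reported_size": None, "dump": b""})
            elif size and events:              # dump rows follow the error line up to a blank line
                j = i + 1
                while j < len(lines) and lines[j].strip():
                    j += 1
                events[-1].update(reported_size=int(size.group(1)),
                                  dump=parse_hexdump(lines[i + 1:j]))
                i = j
        i += 1
    return events

def summarise(ev):
    """Identify the rejected IPC payload of one connection as a TLS ClientHello."""
    hello = decode_client_hello(ev["dump"])
    return {"when": ev["when"], "peer": ev["peer"], "dump_len": len(ev["dump"]),
            "reported_size": ev["reported_size"],
            # the 'size' TeamViewer complained about is just bytes 0-1 read little-endian
            "first_two_bytes_le": int.from_bytes(ev["dump"][:2], "little"),
            "suites": hello["cipher_suites"], "grease": hello["grease"],
            "extensions": [EXT_NAMES.get(t, hex(t)) for t in hello["extensions"]],
            "has_sni": 0x0000 in hello["extensions"]}

if __name__ == "__main__":
    for ev in ipc_connections(SAMPLE_LOG):
        print(summarise(ev))
```

What this tells you is limited: a local process spoke TLS to the service's IPC port twice, four minutes apart, and was dropped both times. The service log does not record which process that was or who started it, so it is not evidence for or against a remote session either way; for actual remote sessions, TeamViewer's separate incoming-connections list (Connections_incoming.txt in the install folder) is the place to look, alongside the file dates on TeamViewer_Service.exe already mentioned above.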
 
I wonder if he would have ordered it to his own address. Should have left it long enough for him to type it in, then posted it on 4chan :p
 