I think i've been hacked, what should i do?

I have repeatedly scanned my machine for malware and found nothing, i’ve also checked my broadband (Virgin media fibre) and been assured that is all ok. Despite all this, web pages are often slow to load and sometimes appear to reload unexpectedly and my machine sometimes exhibits odd behaviour, especially when starting up. I log on as an admin, yet a number of files and folders will not allow me access and when checking the properties of some files i see that an unknown account with a name which is a string of letters and numbers sometimes shows up in the ‘Security - Permissions’ tab.

I only have a vague knowledge of how to use computers, but something looks a bit suspicious here, what should i do next?

Can you post a screenshot :o :o

Believe me, my ability to use computers is very limited, screen shots are almost beyond me.

Almost , but not quite. Here’s some odd looking stuff. Is there anything in particular you’d like me to try to get pictures of?

Think i may be getting the hang of this screenshot thing, here’s another one…

Check out this page for an explanation:
http://forum.piriform.com/index.php?showtopic=34468

Thanks for your reply, i still don’t understand why that unknown account keeps cropping up, nor why i am locked out of stuff like ‘Documents and Settings’ despite being logged on as an admin. Am i just being thick and paranoid? Wouldn’t be the first time!

(yet another screenshot attached)

if you want a malware check…

follow guide and attach the requested logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR

when done removal experts will be notified and check the logs for infections…

if trouble running any of the Tools, try run from safe mode…

Ok, thanks for your help. I’ve read the instructions in the link you suggested and have attached logs for

AdwCleaner

MBAM

OTL

I’ll attach the aswMBR log in my next reply.

Happy hunting!

ah, looks like only one log attached, i shall try again!

do you also have aswMBR log ?

Just finished scanning with aswMBR, had some trouble posting the log just now, here goes with the second attempt!

Hi,
Additional account can be temporaly created by grafic driver. I don’t see any malware traces. I will run additional checking;

FIRST

Please download Farbar Recovery Scan Tool and save it to your desktop.

[color=green]Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

THEN

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-clicking to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click Scan button and wait until the full scan is complete;
[*]Click Save … - save the report to the Desktop (named Gmer1 );

[*]Right-click wherever in the GMER’s window and select Options > 3rd party - click the Scan button;
[*]Please wait until the full scan is complete;
[*]Click Save … button and save report to Desktop (named Gmer2 );
note: time scan for Gmer2 log may take some time

[*]Click the >>> and select Autostart card;
[*]After quick scan, click Copy button;
[*]Open notepad and Paste text. Save report to the Desktop (named Gmer3 )

Attach here all Gmer logreports. (Gmer1; Gmer2 and Gmer3)

Im been having the same kind of things, odd behaviour, webpages reloading after a min or 2, sometimes things will close or minimise on there own, but theres no sign of virus, almost seems like theres a remote connection to my pc somewhere, but all remote access as been turned off, im on windows 8 pro 64.

Yes, i strongly suspect someone’s got remote access to my system and is scampering about behind the scenes, taking screenshots and getting up to all sorts of mischief. Which is odd, because i thought remote access was disabled.

One thing that may be relevant: some time ago my ISP was BT and i had big problems with my broadband connection, kept repeatedly dropping out after increasingly short intervals. I spoke to BT tech support in India and they told me to turn off the router firewall. I was a bit nervous about the wisdom of this but they assured me the PC firewall would be sufficient on its own, so i went ahead and disabled the router firewall. The connection didn’t improve much and some time later i started getting odd reports that my firewall was turned off when it appeared to be on, and that the Avast NDS driver (i think, i’m going from memory and mine is less reliable than many) was failing to load. I did two things - first i dumped BT and got a fibre connection with Virgin Media broadband, second i ran Lenovo One Key Recovery and restored the entire system from the original factory back up discs which i burned when i first got this machine (NOT the stuff on the partition on the hard drive). Before i did this i backed up various files (mostly RAW and JPEG photos) to my two external hard drives. This seemed to do the job for a whils, but i slowly noticed odd little things beginning to happen again; when booting up it would often sound like windows had started (the little chime noise) well before i’d finished putting my password in, web pages would load inexplicably slowly at times despite an apparently good broadband speed and videos and other stuff would sometimes hang for a moment or two, as if a screenshot was being taken.

So, after a while, i came here.

Now, Farbar logs are attached (too long to copy and paste), GMER is next once i’ve downloaded and run it.

Happy hunting chaps!

Right, Gmer1 log is attached below, others to follow as they are too large to send all together.

One small point; remember i said i had two external hard drives? well i’d forgotten to plug them in when i ran Farbar, i can run it again if that’s a problem. They were both plugged in and switched on when i ran Gmer.

The other two Gmer logs are attached below.

Happy hunting!

@roadscum

You can relax, because you are malware free. Nothing malicious isn’t loaded on your system.

Re-run OTL and click on CleanUp! button. This will remove all used tools here.

Just for test, go to contol panel > administrative tools > computer managment

In computer managment from the left side under ‘Local users and Computers’ > Users, make a screenshot of right part of the screen.
There you may locate all user and admin accounts.

Find uknown accound > right click > properties. Hid anather screenshot.

Thanks for your help.

i’m afraid i’m not completely reassured. Ok, there’s no malware on my machine, but is it open to remote access? What does that mysterious unknown user account relate to? I am not sure that my computer is properly secure, how do i check this?

I tried to follow your instructions about user and admin accounts and didn’t end up where you suggested i would, a screenshot is attached.

Hi,

Ok, I’ll will rephrase my sentence. ;D
First you have avast antivirus. Then you have been checked with Malwarebytes.
Both of these programs use different routines to detect malware. Your whole system was checked by these two programs.

As additions, you have been run OTL and aswMBR.

OTL is tool that lists varius loading point. If any malware is loaded, it must use some loading point. Computer’s hardware, programs, files, and running environment…etc.
All known loading points are legit. Non of them are malicious origin.

aswMBR is a anti-rootkit scanner and it’s working at the kernel level (the highest system level) that searchs your computer for Rootkits that infect the Master Boot Record.
A rootkit is a malware program that is designed to hide itself or other computer infections on your computer.

How it works on the highest system levelt, it prevalent malware from hiding itself and displays it (so to say).

All logs are clean! Then I spent my extra time and asked additional checks. FRST and Gmer

FRST is powerfull tool that will display detailed information about the Windows Registry loading points, services, driver services, Netsvcs entries, known DLLs, drives, and partition specifications. It will also list some important system files that could be patched by malware. Is similar to the OTL, and that’s why I called it an additional check.

Gmer is the strongest and best anti rootkit tool that exists. None of Gmer should not be hidden. GMER is also anti-rootkit scanner.
Gmer uses a variety of tricks that other tools do not own (driver at kernel) to detect malware. If malware present Gmer make it 99% listed in logs.

This volunteer work I doing this since 2006. I am experienced and when I say that there is no active malware You can be sure.

There is no:

malicious processes
malicious threads
malicious modules
malicious services
malicious files
malicious ADS
malicious registry keys

There is no malicious:
hidden processes
hidden threads
hidden modules
hidden services
hidden files
hidden disk sectors (MBR)
hidden Alternate Data Streams
hidden registry keys
drivers hooking SSDT
drivers hooking IDT
drivers hooking IRP calls
inline hooks

Your system is malware free. :wink:

Hacking that you know only posible at movie. For some bad gay to have control over your computer must have some loaded file ( malware ) that will allow him to remote you.
As I mentioned before, this accaunt is possible leftover for some legitimate software. Not everything malware related.

For example, read this:
http://nvidia.custhelp.com/app/answers/detail/a_id/3067/~/what-is-nvidia-’updatususer’%3F


In screenshot you don’t have loacl users and computers.
You are using Windows 7 Home Premium and this edition does not have the right of checking/creating additional accounts. It’s only available if you have Windows 7 Business or Ultimate.

Thanks for being patient with my paranoia, and thanks for all the hard work. It is reassuring to know there’s nothing on my system that shouldn’t be there.

But…

You have seen how limited my knowledge of computers is; is it possible that i may have some setting or completely legitimate software set up in such a way as to give someone remote access to my machine? For example, i have e-mail accounts with Yahoo, Gmail, Hotmail and Virgin Media, i access all of these via my web browser (firefox on my laptop and whatever my HTC Wildfire S phone uses with Android). I think i remember hearing that it was possible to hack this sort of e-mail and that there was a particular problem with Yahoo, possibly involving Flickr too. Is this something i can check up on? I suppose i should Google it and see what i can find out. If you could point me toward any useful information or websites that would be a great help.

Once again, thanks for your help!