
Hijackthis Log | I believe my pc might be hacked ;(

Open AyamBrand opened this issue 1 year ago • 1 comments

<log deleted>

CollectionLog-2024.08.30-15.39.zip

AyamBrand avatar Aug 30 '24 08:08 AyamBrand

Hi, @AyamBrand

  • Please describe the issue in more detail. Why do you think your pc might be hacked?

Also, no need to post raw log.


Please, note that only members of VIRUSNET-Association are allowed to respond to PC cure topics. Ignore any recommendations given by other users, including PM !!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form or you can leave feedback in Guestbook.

dragokas avatar Aug 30 '24 09:08 dragokas

Owh, I thought the hijackthis log is the raw log. Where/how I can generate it then?

I thought my pc might be hacked because:

  1. Somebody emailed me with my own email.
  2. A CMD box opens automatically with several prompts that I can't read because it just appears in a flash. It usually happens a few times a day.
  3. I always get notifications on my authenticator apps to approve logins that I didn't make.

AyamBrand avatar Sep 02 '24 00:09 AyamBrand

Hi, let's see more logs:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
  • Please attach the logs back here.

Sandor-Helper avatar Sep 02 '24 07:09 Sandor-Helper

Addition.txt FRST.txt

Hi, here is the logs. Thanks for your help ;-)

AyamBrand avatar Sep 05 '24 08:09 AyamBrand

Temporarily turn off any antivirus. Highlight the following code:

Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-4022707727-392590781-2954465641-500\...\Policies\Explorer: [DisallowRun] 0
AlternateShell:  <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
S4 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
AV: Kaspersky Endpoint Security for Windows (Enabled - Up to date) {0AB30972-4BAC-7BEE-CBCA-B8F9E68797D8}
FW: Kaspersky Endpoint Security for Windows (Disabled) {32888857-01C3-7AB6-E095-11CC1854D0A3}
AlternateDataStreams: C:\Users\Administrator:com.affinity.designer.2 [151]
AlternateDataStreams: C:\Users\Administrator:com.affinity.designer.3 [197]
FirewallRules: [{E7C3CD3B-1211-4C8B-8E82-ED63576D474F}] => (Allow) LPort=15000
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
EmptyTemp:
Reboot:
End::

Copy the highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press the Fix button once and wait. The program will create a log (Fixlog.txt). Attach it to your next post.

PC will reboot.

3. I always get notification on my authenticator apps to approve login

Please clarify which apps exactly are doing this?

Sandor-Helper avatar Sep 05 '24 09:09 Sandor-Helper
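Before a fixlist like the one above is applied, the locations it names can be inspected read-only to see what the flagged policies, exclusions and firewall rule actually contain. The following PowerShell is an added example, not part of the thread or of FRST; the registry paths and port 15000 are taken from the fixlist, while the SafeBoot location for AlternateShell and the function name Show-RegistryTree are assumptions of this example.

```powershell
# Read-only review of the locations named in the fixlist; nothing is modified.
# Run from an elevated PowerShell prompt so the Defender keys are readable.

function Show-RegistryTree {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "[absent]  $Path"
        return
    }
    Write-Output "[present] $Path"
    # The key itself plus every subkey, so no policy value is missed.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            '    {0}\{1} = {2}' -f $k.Name, $name, ($k.GetValue($name) -join ',')
        }
    }
}

# Policy keys flagged "Restriction" in the fixlist, plus the exported exclusions key.
@(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
) | ForEach-Object { Show-RegistryTree -Path $_ }

# AlternateShell (assumed location: the SafeBoot key; the Windows default is cmd.exe).
$safeBoot = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' `
                             -ErrorAction SilentlyContinue
"AlternateShell = '$($safeBoot.AlternateShell)'"

# Allow rules that open local port 15000, with the program each one applies to.
Get-NetFirewallRule -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '15000' } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Display   = $_.DisplayName
            Enabled   = $_.Enabled
            Direction = $_.Direction
            Program   = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
```

Policy values set by the organisation's own Group Policy or by the installed endpoint product will also appear in this output, so each entry needs to be judged against what the machine's administrator deployed.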

Please clarify which apps exactly are doing this?

I'm using Microsoft Authenticator apps. There are some of my accounts that request access through these authenticator apps, such as Microsoft email accounts (live.com), Facebook, and Twitter. For my Twitter account, I always get a login code email, someone is trying to log into my twitter account, it can be said that every day I will get a login code email from twitter, even though I didn't request it.

Btw, below is the requested log: Fixlog.txt

AyamBrand avatar Sep 06 '24 00:09 AyamBrand

Thanks for the log. Fix ran well. There are no obvious signs of infection. What we have done is only cleaning some of the trash records. In my opinion you had some kind of password leak. So it'll be good to change all the passwords in the meaning accounts. Or maybe change the type of access to your Authenticator itself.

Sandor-Helper avatar Sep 06 '24 05:09 Sandor-Helper

Alright, I will take note of your advice. Thanks again for the help 🫡

AyamBrand avatar Sep 06 '24 08:09 AyamBrand