Victim of a hack

Solved
Matteoz Posted messages 21 Status Member -  
Matteoz Posted messages 21 Status Member -
Hello, I’m presenting my problem (pretty big I think). First of all, I’m not a genius with computers; I have some basics but not in this specific area. So here it is: I was on my PC and I see in the status bar that a software is launching (a program that isn’t installed on my PC). A window opens, with no close button, and the program in question doesn’t appear in the Task Manager. It’s a window titled "service client chat" that looks quite like a terminal, the hacker writes in green, and I can only reply to him. He fully controls my PC, opens/closes windows, I suppose he also has access to my webcam. He asks me to pay him 2 Allopass or they attack my PC. Of course I don’t intend to obey. I turned off my PC, turned it back on, he was still there. So I turned off my PC, started it in airplane mode because I suppose such a hack can only come from an internet connection. I run Windows Defender, it scans, it finds nothing. I then delete two quarantined files dated two days ago, I uninstall all programs whose developer isn’t certified (even some games). I think I’m then safe, but 10 minutes later after disabling airplane mode, the window reappears with a message from the bandit (^^) telling me he’s still there. I tell him I have nothing to give him; he then closed all my windows and I hurried to shut down my PC. What should I do? I think I must have installed a malicious program inadvertently, but it must be hidden. I must also have a good little keylogger installed, so I don’t dare to turn it on anymore. I hope you can help me quickly—it's my PC for studies (oh right, I forgot, I’m in a student residence where everyone is connected to the same wifi network; maybe the attack comes from someone in the building). I really don’t know what to do, thank you.

9 answers

  1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    Hello,

    It looks like malware of the RAT (Remote Access Tools) type.

    Follow the FRST tutorial.
    (and take the time to read carefully to apply correctly - everything is explained there).
    Download and run the FRST scan, it will generate three FRST reports:
    • FRST.txt
    • Shortcut.txt
    • Additionnal.txt


    Send, as explained, these three reports to the site http://pjjoint.malekal.com and in return provide the three pjjoint links that lead to these reports here in a new reply so that we can review them.

    Like the angel you are, you laugh creating a lightness in my chest,
    Your eyes they penetrate me,
    (Your answer's always 'maybe')
    That's when I got up and left
    0
    1. Matteoz Posted messages 21 Status Member
       
      I therefore need to activate my internet connection, I’m not sure I can do all of that before it takes back control.
      0
    2. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
       
      and yes...

      I will tell you to do that properly via USB key with another PC over the internet, but some of these variants can spread via USB key.
      0
    3. Matteoz Posted messages 21 Status Member
       
      There isn't a radical way to deratize it (a format of the PC doesn't bother me, but if hacking goes through the fixed IP, that wouldn't change anything, would it?)
      0
    4. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
       
      well give it a try, it costs nothing =)
      0
    5. Matteoz Posted messages 21 Status Member
       
      Yes / no?
      0
  2. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    Here is the translation into English:

    Here is the fix to perform with FRST. You can refer to this explanatory note with screenshots to help you: https://www.malekal.com/tutoriel-farbar-recovery-scan-tool-frst/#fix

    Open Notepad: Windows key + R, in the Run dialog, type notepad and OK.
    Copy/paste the following into it:

    HKU\S-1-5-21-2410802138-1843743717-2592594231-1001\...\RunOnce: [Adobe Reader] => C:\Users\Mattéo\AppData\Roaming\plugin.exe [994816 2015-09-13] ()
    CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://search.certified-toolbar.com/?si=41460&home=true&tid=592","hxxp://www.trovi.com/?gd=&ctid=CT3318522&octid=EB_ORIGINAL_CTID&ISID=M65B5789D-B679-436B-9C8C-AFEC1B5E9798&SearchSource=55&CUI=&UM=6&UP=SPA73219B6-C7D5-4B77-8BAF-B3DDA538F2AA&SSPV=","hxxp://www.mystartsearch.com/?type=hppp&ts=1422559123&from=wpc&uid=TOSHIBAXMK3276GSX_Y2L3P19JTXXY2L3P19JT","hxxp://www.","hxxp://www.?type=hppppppppppppppppppppppppppppppppppp","hxxp://www.istartsurf.com/?type=hp&ts=1426963047&from=smt&uid=TOSHIBAXMK3276GSX_Y2L3P19JTXXY2L3P19JT","hxxp://www.istartsurf.com/?type=hppp&ts=1426963084&from=smt&uid=TOSHIBAXMK3276GSX_Y2L3P19JTXXY2L3P19JT","hxxp://www.?type=hppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp"
    2015-09-15 13:03 - 2015-09-13 11:22 - 00994816 __RSH C:\Users\Mattéo\AppData\Roaming\plugin.exe

    Once the text is pasted into Notepad.
    File menu -> Save As.
    On the left, go to Desktop.
    In the bottom field, file name enter: fixlist.txt
    Click Save - this will create a fixlist.txt file on the desktop.

    Relaunch FRST and click the Fix button.
    Depending on what happens, a restart may be necessary (not mandatory).
    A text file will appear; copy/paste its contents here in a new message.

    Restart the computer

    Then Open My Computer
    then the C drive
    Open the FRST folder.
    Inside is the Quarantine folder
    Right-click it and send to compressed (zipped) folder.
    Upload the zip to http://upload.malekal.com


    Like the angel you are, you laugh creating a lightness in my chest,
    Your eyes they penetrate me,
    (Your answer's always 'maybe')
    That's when I got up and left
    0
    1. Matteoz Posted messages 21 Status Member
       
      it's done "quarantaine.zip"
      0
  3. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    Received, thanks,

    Not great detection: https://www.virustotal.com/gui/file/138c7afd9f221bd9b310175eccc9d56a6db9ea311eb502795fd9010d78b62b21

    SHA256: 138c7afd9f221bd9b310175eccc9d56a6db9ea311eb502795fd9010d78b62b21
    File name: plugin.exe.xBAD
    Detection ratio: 5 / 56
    Analysis date: 2015-09-15 19:33:01 UTC (1 minute ago)

    Antivirus Result Update
    Bkav W32.HfsAtSTIL.877F 20150915
    CMC Trojan.Win32.Generic!O 20150910
    Jiangmin Trojan/Generic.blxop 20150914
    Symantec SAPE.Heur.97BE7 20150915
    nProtect Trojan-PWS/W32.Fareit.994816 20150915

    The guy is in Amiens:

    adwarddns.no-ip.org has address 109.219.144.104 (AAmiens-652-1-281-104.w109-219.abo.wanadoo.fr
    port 1114

    ~~

    Change all your passwords

    Like the angel you are, you laugh creating a lightness in my chest,
    Your eyes they penetrate me,
    (Your answer's always 'maybe')
    That's when I got up and left
    0
  4. Matteoz Posted messages 21 Status Member
     
    The chat screen no longer appears and I’m no longer bothered by those sudden window open/close pop-ups since the scan, strange. Do you think he still has access to my computer, passwords, etc.? In any case, thanks a lot

    --
    Posted from CCM Live forum for Android
    0
    1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
       
      What windows popping up all the time from what?
      Which program?
      Ads?
      0
  5. Matteoz Posted messages 21 Status Member
     
    no he was having fun opening internet pages continuously and closing the pages I opened, he was opening Internet Explorer in a loop

    --
    Posted from CCM Live forum for Android
    0
    1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
       
      Redo a FRST scan and provide the reports via pjjoint.
      0
  6. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    For me there is nothing abnormal,

    Change your passwords,

    What you can do:

    install Avast! : https://www.malekal.com/tutoriel-antivirus-avast/
    (Be sure to enable LPIs detections to detect parasite and adware programs)

    and tomorrow,

    Download and install Malwarebytes.
    There is a free version that allows you to clean your computer (uncheck the Premium trial proposition at the end of the installation) :

    And run scans in the coming days with it.

    Like the angel you are, you laugh creating a lightness in my chest,
    Your eyes they penetrate me,
    (Your answer's always 'maybe')
    That's when I got up and left
    0
  7. Matteoz Posted messages 21 Status Member
     
    ok in any case thanks for everything, your patience, your speed of responses and your efficiency, have a good evening, again thanks, bye ;)

    --
    Posted from CCM Live forum for Android
    0
  8. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    PS: Seen here RatDecoders - copying to removable media is active.
    We did well not to use a USB key =)

    You have two links to report to the authorities, I invite you to do it.

    Like the angel you are, you laugh creating a lightness in my chest,
    Your eyes they penetrate me,
    (Your answer's always 'maybe')
    That's when I got up and left
    0
    1. Matteoz Posted messages 21 Status Member
       
      Thank you, I have to explain to them as I did with you? Should I also forward the reports?

      --
      0
    2. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
       
      Explain to them what happened (task window and attempt to exhortation from the background with blackmail [allopass] and you give them the link here)
      0
  9. Matteoz Posted messages 21 Status Member
     
    Okay, thanks, I should have taken a screenshot but I didn’t think of it at the moment, so I’ll explain to them and give the link from here, does that work

    --
    0