Phishing/Hacked/Embedded


DaLea

hxxp://phishing.eset.com/report/ENU Allowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
hxxp://phishing.eset.com/style.css Allowed C:\Windows\SystemApps\

The log goes on and on. It says unknown entity and then allows whoever 8wekyb3d8bbwe is to basically take over my entire computer. Any help would be appreciated. Also, I can't open a topic in any other browser than Microsoft Edge, as it will not let me select from the list of available topics. It is now spreading to the rest of my home network.

Thank you,

Dalea

hipslog.txt

urllog.txt

SysInspector-DESKTOP-I4CU04G-180111-185102.txt

settingsphishing.txt


Administrators

First of all, open the advanced setup -> HIPS -> Advanced options and disable logging of all blocked operations. Also make sure that logging verbosity is set to Informative under Tools -> Log files.

It appears to me that you enabled debug logging and are now wondering about what is being logged. Following my advice should stop logging the records that you don't understand, which are only intended for ESET's staff when troubleshooting a particular issue.


Thank you for the encouraging advice. I know that I am being hacked. It is obvious. Please do not treat someone like an idiot just for asking for help. I found and quarantined a mountain of false information on my computer. One, you should know that I am a home user. Two, I have taken a couple of classes. Three, an idiot can see from my end that something is wrong. As I said before, the files that I attached, even while being attached, started with C:\Fake. It doesn't take a brain surgeon to figure out that something is wrong in that case. If you can help, please, I would love to have some advice based on fact. I can post the real thing on here if you would like. I said I was hacked, and I don't mean just a little virus; I mean it has taken control of everything. I believe that I was able to derive some sort of control after all day and night working on this. I need help, and please don't be condescending. Since I am unable to upload real data, I will just post it on here for you to see.

For instance, does a class C home user use an IP of 224.0.0.0? I believe, to my limited knowledge, that the break between class C and class D IP addresses is 192-223 for class C and 224-240 for class D. Here is my IP routing table.

ifIndex DestinationPrefix                              NextHop                                  RouteMetric ifMetric PolicyStore
------- -----------------                              -------                                  ----------- -------- -----------
2       255.255.255.255/32                             0.0.0.0                                          256 35       ActiveStore
1       255.255.255.255/32                             0.0.0.0                                          256 75       ActiveStore
2       224.0.0.0/4                                    0.0.0.0                                          256 35       ActiveStore
1       224.0.0.0/4                                    0.0.0.0                                          256 75       ActiveStore
2       192.168.1.255/32                               0.0.0.0                                          256 35       ActiveStore
2       192.168.1.65/32                                0.0.0.0                                          256 35       ActiveStore
2       192.168.1.0/24                                 0.0.0.0                                          256 35       ActiveStore
1       127.255.255.255/32                             0.0.0.0                                          256 75       ActiveStore
1       127.0.0.1/32                                   0.0.0.0                                          256 75       ActiveStore
1       127.0.0.0/8                                    0.0.0.0                                          256 75       ActiveStore
2       0.0.0.0/0                                      192.168.1.254                                      0 35       ActiveStore
2       ff00::/8                                       ::                                               256 35       ActiveStore
1       ff00::/8                                       ::                                               256 75       ActiveStore
2       fe80::885:769e:e6e7:1d99/128                   ::                                               256 35       ActiveStore
2       fe80::/64                                      ::                                               256 35       ActiveStore
2       2600:1700:8f00:2420:89c5:5c64:af45:5829/128    ::                                               256 35       ActiveStore
2       2600:1700:8f00:2420:885:769e:e6e7:1d99/128     ::                                               256 35       ActiveStore
2       2600:1700:8f00:2420::68b/128                   ::                                               256 35       ActiveStore
2       2600:1700:8f00:2420::/64                       ::                                               256 35       ActiveStore
2       2600:1700:8f00:2420::/60                       fe80::d6b2:7aff:fefb:b56d                         16 35       ActiveStore
1       ::1/128                                        ::                                               256 75       ActiveStore
2       ::/0                                           fe80::d6b2:7aff:fefb:b56d                        256 35       ActiveStore

This is not a business, government, or any other type of environment, but a home user/home network. The routing table above is not logical following these known guidelines.

Also, the subnet mask is completely different from a class C.

I know I am hacked. It is not a guess. I have been told by Microsoft that my computer is connected to some unknown domain. Also, this computer was completely wiped??? last Wednesday. I have quarantined some program called Pester? I am unfamiliar with it; maybe you are better equipped to know what that is, but it was quite the programming when I was reading it. I have sent multiple files to be reviewed, but there is a file called eav_nt64.msi, and from what I read on your site this is not the way that ESET installers are supposed to be, and there is something called a DeslockInstaller.msi file as well. I am being taken to sites that I know are not legitimate for ESET, as after I quarantined certain mock programs I was then able to see that the site I was on was not the real ESET site, or at least was not secure. Do I have you convinced yet? Will you help?

I am sorry, but I should not be connected to a VPN, domain, or on a server. Maybe a DNS, but it should be on my network and available, but as we both know that is just to resolve URLs for those of us who use words instead of numbers. I am sorry, I really do need help. Can ESET help me, or was this just another waste of money? I am tired; I am not capable of doing this myself. I have lost files, had phishing pop-ups like they were from Microsoft, and my computer will randomly change to look like Windows Vista or something. This is crazy, and all I get is that I shouldn't be looking at files. Do you know how I can get real help with a real issue if you are not willing?

Thank you,

DaLea

I would also like to add just part of a scan, do you know what all of these are? Again, there should be no remotely controlled systems in my environment.

1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TestRoot-and-FlightSigning-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TestRoot-and-FlightSigning-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TestRoot-and-FlightSigning-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TestRoot-and-FlightSigning-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TextPrediction-Dictionaries-en-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TextPrediction-Dictionaries-en-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TextPrediction-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TextPrediction-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TextPrediction-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TextPrediction-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-net-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-net-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-net-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-net-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-net-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-net-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-net-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-net-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WCN-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-WOW64-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.cat - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~en-US~10.0.16299.15.mum - is OK
1/14/2018 8:03:39 PM    C:\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~~10.0.16299.15.cat - is OK

Here is another snip from a scan. Did I mention that I shouldn't be on a server and never should have been? An SQL is a server.

1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\msadc\msadds.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\msadc\msaddsr.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\msadc\msdaprsr.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\msadc\msdaprst.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\msadc\msdarem.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\msadc\msdaremr.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\msadc\msdfmap.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\en-US\msdasqlr.dll.mui - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\en-US\oledb32r.dll.mui - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\en-US\sqloledb.rll.mui - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\en-US\sqlxmlx.rll.mui - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\msdaosp.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\msdaps.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\msdasql.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\msdasqlr.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\msdatl3.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\msxactps.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\oledb32.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\oledb32r.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\oledbjvs.inc - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\oledbvbs.inc - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\sqloledb.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\sqloledb.rll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\sqlxmlx.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\ole db\sqlxmlx.rll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\wab32.dll - is OK
1/14/2018 5:35:36 PM    C:\Program Files\Common Files\system\wab32res.dll - is OK

Edited by DaLea: addition
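The routing table pasted in the post above, run through a small classifier that labels each row with the well-known reserved range it belongs to (RFC 1918 private space, the IPv4 224.0.0.0/4 and IPv6 ff00::/8 multicast ranges, loopback, link-local, limited broadcast) and explains each /32 or /128 host route relative to the directly connected networks in the same table. This is an added example for this thread, not code from the original post or from ESET; the kind labels and the assumption that the columns follow Windows' Get-NetRoute order (ifIndex, DestinationPrefix, NextHop, RouteMetric, ifMetric, PolicyStore) are the example's own, and the input rows are copied from the table as posted.

```python
import ipaddress
from collections import Counter

# Constructed input: the rows of the routing table posted above, copied as-is,
# in Get-NetRoute column order (an assumption of this example).
ROUTE_TABLE = """\
2 255.255.255.255/32 0.0.0.0 256 35 ActiveStore
1 255.255.255.255/32 0.0.0.0 256 75 ActiveStore
2 224.0.0.0/4 0.0.0.0 256 35 ActiveStore
1 224.0.0.0/4 0.0.0.0 256 75 ActiveStore
2 192.168.1.255/32 0.0.0.0 256 35 ActiveStore
2 192.168.1.65/32 0.0.0.0 256 35 ActiveStore
2 192.168.1.0/24 0.0.0.0 256 35 ActiveStore
1 127.255.255.255/32 0.0.0.0 256 75 ActiveStore
1 127.0.0.1/32 0.0.0.0 256 75 ActiveStore
1 127.0.0.0/8 0.0.0.0 256 75 ActiveStore
2 0.0.0.0/0 192.168.1.254 0 35 ActiveStore
2 ff00::/8 :: 256 35 ActiveStore
1 ff00::/8 :: 256 75 ActiveStore
2 fe80::885:769e:e6e7:1d99/128 :: 256 35 ActiveStore
2 fe80::/64 :: 256 35 ActiveStore
2 2600:1700:8f00:2420:89c5:5c64:af45:5829/128 :: 256 35 ActiveStore
2 2600:1700:8f00:2420:885:769e:e6e7:1d99/128 :: 256 35 ActiveStore
2 2600:1700:8f00:2420::68b/128 :: 256 35 ActiveStore
2 2600:1700:8f00:2420::/64 :: 256 35 ActiveStore
2 2600:1700:8f00:2420::/60 fe80::d6b2:7aff:fefb:b56d 16 35 ActiveStore
1 ::1/128 :: 256 75 ActiveStore
2 ::/0 fe80::d6b2:7aff:fefb:b56d 256 35 ActiveStore
"""

LIMITED_BROADCAST = ipaddress.ip_network("255.255.255.255/32")


def parse_routes(text):
    """Return [(ifindex, network, next_hop)]; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]),
                     ipaddress.ip_network(parts[1], strict=False),
                     ipaddress.ip_address(parts[2])))
    return rows


def on_link_networks(rows):
    """Directly connected prefixes: unspecified next hop, neither default nor host route."""
    return [net for _, net, nh in rows
            if nh.is_unspecified and 0 < net.prefixlen < net.max_prefixlen]


def classify(net, next_hop, on_link):
    """Label one route as (kind, detail) using the reserved-range checks in ipaddress."""
    if net.prefixlen == 0:
        return "default", "default route via %s" % next_hop
    if net.is_multicast:                    # 224.0.0.0/4 or ff00::/8
        return "multicast", "multicast group range, never a host's own address"
    if net.is_loopback:                     # 127.0.0.0/8 or ::1/128
        return "loopback", "loopback range"
    if net == LIMITED_BROADCAST:
        return "broadcast", "limited broadcast address"
    if net.is_link_local:                   # fe80::/10 or 169.254.0.0/16
        return "link-local", "link-local range, valid only on the local segment"
    if net.prefixlen == net.max_prefixlen:  # /32 or /128 host route
        addr = net.network_address
        for parent in on_link:
            if parent.version == addr.version and addr in parent:
                if parent.version == 4 and addr == parent.broadcast_address:
                    return "subnet-broadcast", "broadcast address of on-link %s" % parent
                return "interface-address", "this host's own address on %s" % parent
        return "host", "host route the table itself cannot explain"
    if not next_hop.is_unspecified:
        return "gateway", "prefix reached through gateway %s" % next_hop
    if net.is_private:                      # RFC 1918 or fc00::/7
        return "private-on-link", "directly connected private network"
    return "global-on-link", "directly connected global unicast network"


def classify_table(text):
    """[(prefix, kind, detail)] for every row of a Get-NetRoute style table."""
    rows = parse_routes(text)
    on_link = on_link_networks(rows)
    return [(str(net),) + classify(net, nh, on_link) for _, net, nh in rows]


def kind_of(text, prefix):
    """Kind assigned to the first row whose prefix matches, or None."""
    return next((k for p, k, _ in classify_table(text) if p == prefix), None)


def summarize(text):
    """Number of rows per kind; 'host' entries are the ones worth a closer look."""
    return Counter(k for _, k, _ in classify_table(text))


if __name__ == "__main__":
    for prefix, kind, detail in classify_table(ROUTE_TABLE):
        print("%-45s %-18s %s" % (prefix, kind, detail))
    print(dict(summarize(ROUTE_TABLE)))
```

Running it prints one labelled line per route: the 224.0.0.0/4 and ff00::/8 rows come out as multicast, the /32 and /128 rows as this host's own addresses on 192.168.1.0/24 or on the directly connected 2600:1700:8f00:2420::/64 prefix (or, for 192.168.1.255/32, as the broadcast address of 192.168.1.0/24), the 0.0.0.0/0 and ::/0 rows as the default routes via the router, and no row falls into the unexplained "host" bucket. The same script can be pointed at the output of `Get-NetRoute | Format-Table` on any Windows host to get the same breakdown.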

I would suggest you open a trouble ticket with your local ESET support office.

I understand your frustration, but venting your anger towards people you are asking for help is not productive (for anyone).
