Is my PC hijacked?

[Vuyek 0]

Hello

 

I've been struggling lately with my PC changing IP addresses, installing new devices and updates by itself.

Nothing helped. I was reinstalling different windows 10 and 7 versions and every single time after a while I could notice that in C drive win files unknown accounts were granted control privileges in security tab, I couldn't change some settings like airplane mode or night light. I was getting messages that changes were made to my system and I have to restart PC. To be honest I got really paranoid about this, but everyone was telling me that It's probably Microsoft implementing updates and so on. Today I found another new device installed "NDIS Virtual Network Adapter Enumerator". Yesterday there was no trace of it so I decided to google name and check what this device does and I found this topic:

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/windows-10-home-network-has-been-hijacked-by-an/c91fe5aa-0907-431d-835c-8919076d1d3c

This topic pretty much sums up my issue, I have same devices reinstalling in my windows. Everything looks similar. Is this really an issue or are we all wrong about this?

 

Also in my clipboard history I had this:

 

I NEVER copied this from any source, I didnt write that down, nothing, my PC was turned ON entire night when I was sleeping. I'm in dead end, don't know what to do...

Edited March 5, 2021 by Marcos
Personal data removed to protect your privacy

[Vuyek 0]

As I was writing this down I got security alert from windows. 

It turns out that my reputation-based protection was turned off. 

Never did this of course. 

There's a lot more small things happening for no reason, like my network adapter disabling and enabling multiple times within a minute - sometimes it happens right in front of me So I Can observe it. 

[itman 1,594]

To begin, you didn't state you have an Eset security product installed? Remember this is a forum to support Eset software issues.

Interesting in the TechNet posting linked, no one in a Microsoft capacity denied this type of activity occuring.

All I will state is persistent external intrusions into a local network is a clear sign that perimeter devices; router, gateway, etc.. have been compromised. This can happen for a number of reasons with mis- configuration being at the top of the list. Another reason is one network device was infected with a worm which allowed the rest of the network to be infected.

[shocked 60]

can you upload a couple of pictures with those weird accounts you see in C drive and those devices?

if it's not malware then it;s normal functionality of the operating system. in the linked MS forum post, the user that reports those unknown devices, those exist to my pc as well.

[Vuyek 0]

30 minutes ago, itman said:

To begin, you didn't state you have an Eset security product installed? Remember this is a forum to support Eset software issues.

Interesting in the TechNet posting linked, no one in a Microsoft capacity denied this type of activity occuring.

All I will state is persistent external intrusions into a local network is a clear sign that perimeter devices; router, gateway, etc.. have been compromised. This can happen for a number of reasons with mis- configuration being at the top of the list. Another reason is one network device was infected with a worm which allowed the rest of the network to be infected.

Yes, I have ESET installed. I'm using external wifi network adapter, so maybe that's the reason, but what can I do to deny access and regain control?

25 minutes ago, shocked said:

can you upload a couple of pictures with those weird accounts you see in C drive and those devices?

if it's not malware then it;s normal functionality of the operating system. in the linked MS forum post, the user that reports those unknown devices, those exist to my pc as well.

Not anymore. Yesterday I did another reinstall because each time I unplugged my Wifi adapter I kept getting bluescreens and when I tried to reinstall drivers I got message 'access denied'. 

I will try to capture some screenshots with those messages about restarting my PC when they happen or to record my screen with adapter reenabling. Also I already deleted microsoft network adapter and microsoft kernel network adapter, but here's the screenshot of devices installed at this moment:

 

Edited March 5, 2021 by Vuyek

[shocked 60]

if you remove a device from there it will be reinstalled as the OS sees fit. as far as i can see those images look fine to me. my pc has a similar list. i suppose each version and laptop manufacturer causes the OS to install a slightly different list.

as for the different accounts you see on C, are they named something like this, "defaultuser001" or "defaultuser1"

[Vuyek 0]

They were named "unknown account S-1" + a number of random digits.

Most concerning devices like WAN miniports, Microsoft kernel debug network adapter and Microsoft virtual hosted network adapter I already deleted. But before I deleted them I made this screenshot:

 

 

[itman 1,594]

As far as NDIS Virtual Network Adapter Enumerator, it would be installed when Hyper-V was installed:

Quote

Virtual network adapters typically accompany VMMs such as VMWare Workstation, Virtualbox, and Microsoft Hyper-V. If you installed one of those during the release preview it may have not been uninstalled properly. You can probably safely remove the device.

https://forums.tomshardware.com/threads/ndis-virtual-network-adapter-enumerator.1527447/

I really don't see anything wrong with what is shown in your device manager screen shot.

Are you connect to a public wi-fi network or to a wi-fi connection on your router?

[itman 1,594]

53 minutes ago, Vuyek said:

They were named "unknown account S-1" + a number of random digits.

Refer to this: https://answers.microsoft.com/en-us/windows/forum/windows_vista-security/account-unknowns-1-5-21/097fa4e9-8705-46d4-bf90-fc119da680a7 . The existence of this account is not necessarily malware related.

[Vuyek 0]

On 3/6/2021 at 1:01 AM, itman said:

As far as NDIS Virtual Network Adapter Enumerator, it would be installed when Hyper-V was installed:

https://forums.tomshardware.com/threads/ndis-virtual-network-adapter-enumerator.1527447/

I really don't see anything wrong with what is shown in your device manager screen shot.

Are you connect to a public wi-fi network or to a wi-fi connection on your router?

I share my flat and internet with my neighbours so I guess it's half public half private. I don't know if they have their end of wifi protected.

 

I managed to record some odd stuff happening.

https://mega.nz/folder/5iYwGL7C#2hLOe2HYm6qheB7V4xBGjg

There is record of my wifi suddenly deciding to disable and enable few times. When I click on tcpip4 properties sometimes I have my gateway set as 192.168.1.1 and sometimes it's blank.

Another record shows that I had Cloudflare WARP app to keep my IP private. Yesterday I had notification that an update is available, I clicked to install and my cloudflare app disappeared. Uninstalled. So I decided to download new installer manually but installation process cant go through.

Also today I found out my desktop changed. It's now half in C;/users/public and half C:/users/Z and because of security restrictions I couldn't save my game (gothic 3  ) so something definitely changed without me knowing it. Also in security tab there was unknown account with special permissions to C:/users/public but I deleted it.

 

Answering to questions in linked topic:

It coudn't be account that I created and deleted in the past. Since this windows installation I had only one account, didnt create, edit or delete any.

No I dont. I was using cloudflare app if that one counts but virtual network adapter was before I got that installed.

I didnt install any of hyper-v features, dont know what it is to be honest. It keeps reinstalling with every new win installation.

[itman 1,594]

First, quit fooling around with Win 10 OS installed devices and services. It is the surest way to bork your PC.

On 3/10/2021 at 3:52 AM, Vuyek said:

I share my flat and internet with my neighbours so I guess it's half public half private.

This is about an insecurity network setup that you can get. I assume what you are referring to is a shared router where you and all your neighbors have respective network connections established?

[Vuyek 0]

Yes. And I asked my neighbour lately if he also is having any clues or suspicions and he said he doesn't use any firewall or antivirus software, he just formats everything twice a year after he notices anything unusual

[Vuyek 0]

Just got this:

[itman 1,594]

In Eset GUI Network settings, open Connected networks settings and verify that Protection type is set to Public. If it is not, set it to Public.

Note in this protection mode you won't be able to share files or devices which is exactly what you want on the shared router setup you are using.

[Vuyek 0]

Yes, I set that, so the possible reason for my issue is lack of security in my local network?

 

Still sometimes I get firewall notifications about 'system' or other service is trying to connect to ipv6 device (or address?) it starts with 'fe:". Correct me if I'm wrong but is ipv6 used in local networks? Should I block that? And if yes, how can i restrict access from every device in my local network? Is remote desktop access a thing here? Or some kind of web view bitstreaming like rtp or rstp?

Through all those hours I spent educating myself about internet protocols and windows services I think I might got lost a bit

Thanks for helping me out itman

 

[itman 1,594]

11 minutes ago, Vuyek said:

Still sometimes I get firewall notifications about 'system' or other service is trying to connect to ipv6 device (or address?) it starts with 'fe:". Correct me if I'm wrong but is ipv6 used in local networks?

IPv6 addresses associated with fe80::/64 are associated with your device's local subnet and should not be blocked as a rule. The problem here is one of those fe80 addresses is associated with the IPv6 gateway on the shared router you are connecting to. And there really is nothing you can do about it if your want to connect via IPv6. The same also applies to the IPv4 gateway.

You best security solution is to stop using that shared router connection. Get your own router that connects directly to an ISP you will have to subscribe to.

19 minutes ago, Vuyek said:

 how can i restrict access from every device in my local network?

Use of Eset Public network profile does this automatically.

[Vuyek 0]

Ok. I finally figurę it out. Had to wipe my entire disc. It was a bug or malware in my usb WiFi adapter drivers. I had them on my Hard disc. When I was trying to install drivers my bugged exe file was named athurx and appaerently it was doing something with my DNS server, because each time I was downloading newer/other version I was downloading exact same athurx file in zip archive. 

 

This time when i wiped entire disc I went to my neighbour to download WiFi drivers, and I dont know how, but he downloaded  another zip archive, but with completely different files inside. Same TP link website, same drivers, but inside zip archive were completely different files with setup. Exe So i guess it had to do something with DNS. 

 

 

Edited March 16, 2021 by Vuyek