Hacked computer


  1. Posts : 1
    Windows 10
       #1

    Hacked computer


    Hi,

    My computer has been hacked and the hacker has installed these files on the computer.

    C-Program-Rempl
    Logs
    CTAC.json
    disktoast
    osrrb
    reminthndlers.dll
    rempl
    sedlauncher
    sedplugins.dll
    sedsvc
    ServiceStackHardening
    strgsnsaddons.dll
    toastlogo

    In the folder "logs", the following files are installed:
    LauncherRemediation001.etl
    Remediation.001.etl
    Remediation.002.etl
    Service.Remediation.001.etl

    The folder "logs" contained more files earlier, but these have been erased. I believe that the hacker is trying to erase the traces since he realizes that I know that the computer is hacked.

    What is the purpose of these files?

    Thankful for your comments on this. I can e-mail you a printscreen of the files, but it was not possible to attach this file in this message.

    Best regards
    Johanna Pettersson


  2. Posts : 31,470
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #2

    JohannaPetterss said:
    My computer has been hacked and the hacker has installed these files on the computer....
    Welcome to TenForums.

    Relax, you are not being 'hacked'. The files you list were installed by Microsoft as part of the update KB4023057. The purpose of this update is to help prepare your PC for updating to the next version of Windows 10.

    KB4023057 Update to Windows 10 for update reliability - January 15 Windows Update - Windows 10 Forums

    Microsoft said:
    Update to Windows 10, versions 1507, 1511, 1607, 1703, 1709, and 1803 for update reliability
    This update includes files and resources that address issues that affect the update processes in Windows 10 that may prevent important Windows updates from being installed. These improvements help make sure that updates are installed seamlessly on your device, and they help improve the reliability and security of devices that are running Windows 10...


    Microsoft said:
    ....The English (United States) version of this software update installs files that have the attributes that are listed in the following tables....

    X64
    File name                  File version      File size   Date         Time
    Ctac.json                  Not Applicable    14,529      27-Mar-2019  17:51
    Disktoast.exe              10.0.15063.1475   92,664      16-Mar-2019  14:04
    Osrrb.exe                  10.0.15063.1173   76,984      16-Mar-2019  14:04
    Reminthndlers.dll          10.0.17134.1003   633,352     30-Mar-2019  15:04
    Rempl.xml                  Not Applicable    3,798       16-Mar-2019  14:02
    Sedlauncher.exe            10.0.17134.1003   328,504     30-Mar-2019  15:01
    Sedplugins.dll             10.0.17134.1003   1,126,920   30-Mar-2019  15:02
    Sedsvc.exe                 10.0.17134.1003   338,744     30-Mar-2019  15:02
    Servicestackhardening.inf  Not Applicable    34,696      16-Mar-2019  14:04
    Strgsnsaddons.dll          10.0.17134.1003   550,192     30-Mar-2019  15:03
    Toastlogo.png              Not Applicable    570         16-Mar-2019  14:04
    https://support.microsoft.com/en-us/...nd-1803-for-up


  3. Posts : 12
    All
       #3

    Hang on a sec. There might be something to what this person is saying. I just opened the ctac.json file. There is some interesting code that I've found in the copy on my computer that's making me curious. It could be possible to manipulate some of that update into uploading something malicious. There's several configs that seem odd to me.

    - - - Updated - - -

    I just found a string in it that substitutes any installed McAfee key in the registry with a completely different key.

    - - - Updated - - -

    Yeah, the more I look at this the more it doesn't make sense. That file, when I open it in Notepad or Visual Studio, is analyzing to see if there are legit entries in the registry for security, camera, virtualization, Windows Update, drivers of various items and services, and makes it either roll back to only approved updates in the background or modifies legit keys to pre-installed keys that give a 3rd party control over pretty serious functions. It's talking about root, BIOS and EFI functions being monitored and modified if certain conditions are detected by the ctac.json file strings. There is something incredibly malicious about this. Another thing I'm noticing it modifies is the function of the Feedback Hub Windows has built in, which notifies Microsoft through internet update checks of irregularities. It's modifying security software completely for some WU rootkit. I've been chasing a rootkit on my system that I couldn't identify for a while and have isolated this file, as it's not configured to work with Windows 11 it seems. It's monitoring keystrokes in the .json strings. It's changing the registry of known major and minor security software including Webroot.

    This ctac.json copy I located is blocking access to my camera if I request its use through a BIOS modification. I'm on my phone in a browser window, otherwise I'd upload pics of these strings, because this is not legit.

    - - - Updated - - -

    JohannaPetterss said:
    Hi,

    My computer has been hacked and the hacker has installed these files on the computer.

    C-Program-Rempl
    Logs
    CTAC.json
    disktoast
    osrrb
    reminthndlers.dll
    rempl
    sedlauncher
    sedplugins.dll
    sedsvc
    ServiceStackHardening
    strgsnsaddons.dll
    toastlogo

    In the folder "logs", the following files are installed:
    LauncherRemediation001.etl
    Remediation.001.etl
    Remediation.002.etl
    Service.Remediation.001.etl

    The folder "logs" contained more files earlier, but these have been erased. I believe that the hacker is trying to erase the traces since he realizes that I know that the computer is hacked.

    What is the purpose of these files?

    Thankful for your comments on this. I can e-mail you a printscreen of the files, but it was not possible to attach this file in this message.

    Best regards
    Johanna Pettersson
    Are you aware of CVE-2020-0867? What makes you think it's hacked personally? I'm looking through the file after noticing something weird about it via Visual Studio. It's not compatible with Windows 11 mostly, so it's something I've never seen before today. It's modifying security and update stuff on my PC, if I was still on Windows 10, via the registry and covering its tracks. This is not something Windows would put out. It also changes stuff in relation to virtualization, camera, keyboard, BIOS and power states, and appears to make it so it only displays certain things (I couldn't see hidden files until Windows 11). Did you buy your system refurbished?


  4. Posts : 18,424
    Windows 11 Pro
       #4

    Bree said:
    Welcome to TenForums.

    Relax, you are not being 'hacked'. The files you list were installed by Microsoft as part of the update KB4023057. The purpose of this update is to help prepare your PC for updating to the next version of Windows 10.
    A few posters on here would disagree with you, @Bree. They consider Microsoft's updates to be hacking, and Microsoft's telemetry to be spying.


  5. Posts : 2,800
    Windows 7 Pro
       #5

    Yes, MS is lurking for sure... But keep in mind that if MS is updating their boot code / startup programs they must update the keys in your TPM or Secure Boot will prevent the computer from restarting the next time... I didn't start to compare boot loaders, but I'm sure these keys have to be updated at some point... As for the software key changes, they are probably part of a key rotation scheme as part of any strong encryption process.

    But...There's that.

    One of the Internet’s most aggressive threats could take UEFI malware mainstream | Ars Technica


  6. Posts : 12
    All
       #6

    NavyLCDR said:
    A few posters on here would disagree with you, @Bree. They consider Microsoft's updates to be hacking, and Microsoft's telemetry to be spying.
    This isn't Microsoft's doing. This is a variation of Trojan.Badur. When I upgraded to Windows 11, the update and reporting locations in the registry were redone, so it couldn't update anymore, but the drivers were still affected. I could also start seeing hidden files after, and the functionality that I lost had been restored. Literally the only reason I'm able to confirm what it is is because of how different the Windows 11 registry is.

    When I pulled a lot of files that were hidden, they had given domains and IPs in China as sources to connect to. Kaspersky has already confirmed this is a variant of Badur, but my personal opinion is this may be a state-made variant given its complexity in behavior and just how incredibly dug in it got.

    It's designed to hide itself. It will only work with certain drivers on your system. It has specific links for both Lenovo-branded products and HP products, both companies that have some Chinese ties (Lenovo is Chinese-owned while HP has invested deeply in China). It will display information making you think it's running whatever you've updated to most recently, while in the background it rolls them back to what it wants and keeps a copy of in the recovery partitions. I'm attempting a net recovery at the moment, but genuinely don't believe this is going to get rid of it. It's also in the Secure Boot system and virtualization settings of the BIOS. It will allow it to claim it's secure booting, but only Windows will be able to. I've attempted full installs of Fedora, Ubuntu and Kali, and all have failed. I cannot boot from media after using the media 1 time. If it's a USB drive, I can do an old-school boot and scan 1 time, and that scan will show it, but after that it will not recognize anything as a virus and values detected will be incredibly different if I scan again. This is similar to something that used to infect the BIOS of Nvidia cards that I had to clean off a Mac that had been dual-booted using Boot Camp. The only way to get this off, I believe, is going to be to live boot from a read-only media like a live DVD and, using a GRUB command line, scrub it manually from the system BIOS and EFI files. Hopefully, I'll be able to get it to recognize the security keys in Secure Boot shortly, at which point I'll be able to perform a clean install and have this gone.


  7. Posts : 18,424
    Windows 11 Pro
       #7

    Or, as @Bree posted it could be Microsoft's real update.


  8. Posts : 12
    All
       #8

    NavyLCDR said:
    Or, as @Bree posted it could be Microsoft's real update.
    Microsoft's update doesn't have the ctac.json file in it alter keys in the registry for all known security platforms with regular maintenance while at the same time trying to block access to your camera unless it's for a specific app, redirect all camera keys to a demo app that doesn't come natively on Windows, or actively take steps to activate hidden programs to roll back drivers in the background, all while redirecting every single updating service including Steam and Google's to Chinese domains for sources. Microsoft spies a ton on people, but not in a way that renders Defender or Kaspersky useless (those aren't the only security platforms affected, btw. Pretty much anything that was being actively maintained in 2018 and 2019.)

    - - - Updated - - -

    There is a much bigger world than what you'll find installed on the computers on the quaint little schooner the navy probably has you on. Again, I have over 15 years' experience tracking down crap like this among other things in cyber security. Plus, through Kaspersky I've already confirmed it's a variant of Badur.

    - - - Updated - - -

    Yeah I was army. I'm going to lay it on pretty thick because of that name you've chosen to use publicly online. Bottom line is no matter what you try to say, it's a confirmed virus I'm trying to get as much information on from others so I can submit to way more than just Kaspersky and hopefully get a proper fix for it. Don't just sit there and do what mindless zombies do and claim it's just Microsoft and I'm being paranoid. Maybe assist contacting op so I can try and get a copy of that ctac.json to inspect.


  9. Posts : 2,800
    Windows 7 Pro
       #9

    You can upload the file to virustotal and they will confirm if you have an original Microsoft provided ctac.json...

    [attachment: Hacked computer-screenshot00196.jpg]
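    Both the KB4023057 file table quoted in post #2 and the VirusTotal suggestion in post #9 come down to the same check: are the files under the rempl folder the ones Microsoft shipped? The script below is an added example written for this thread, not something any poster or Microsoft published. It assumes the files live in C:\Program Files\rempl (the "C-Program-Rempl" entry in the first post) and that the remediation service is registered as sedsvc; change both if your system differs. It checks the Authenticode signature of every .exe and .dll, reports the file version to compare with the KB table, prints SHA-256 hashes so each file can be looked up on VirusTotal by hash without uploading anything, and shows where the service binary actually points.

```powershell
# Added example for this thread (not code from Microsoft or from any poster).
# Verifies the KB4023057 remediation files: Authenticode signature of the
# executables and DLLs, file version for comparison with the KB table, and
# SHA-256 hashes for an offline VirusTotal hash lookup.
#
# Assumptions: the folder is C:\Program Files\rempl and the service is named
# sedsvc. Run from an elevated PowerShell prompt.

function Test-RemplFiles {
    param(
        [string]$RemplDir = 'C:\Program Files\rempl'   # assumed location
    )

    if (-not (Test-Path -LiteralPath $RemplDir)) {
        Write-Warning "Folder not found: $RemplDir"
        return
    }

    Get-ChildItem -LiteralPath $RemplDir -File | ForEach-Object {
        $file     = $_
        $isBinary = $file.Extension -in '.exe', '.dll', '.sys'

        # Data files (.json, .xml, .inf, .png) carry no Authenticode signature
        # of their own, so only executables and DLLs are expected to be 'Valid'.
        $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $fromMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

        $verdict = if (-not $isBinary)   { 'data file: compare hash' }
                   elseif ($fromMicrosoft) { 'OK: Microsoft-signed' }
                   else                    { "SUSPECT: signature $($sig.Status)" }

        [pscustomobject]@{
            Name        = $file.Name
            FileVersion = if ($isBinary) { $file.VersionInfo.FileVersion } else { 'Not Applicable' }
            SizeBytes   = $file.Length
            Signer      = $signer
            SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Verdict     = $verdict
        }
    }
}

function Get-RemplService {
    param([string]$Name = 'sedsvc')   # assumed service name
    # The service binary should live inside the rempl folder; a PathName
    # pointing anywhere else is the first thing to look at.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

Test-RemplFiles | Format-List
Get-RemplService | Format-List
```

    A file version that differs from the table in post #2 is not by itself suspicious: the KB has been re-released many times and each release ships different build numbers. An executable or DLL whose signature is anything other than a valid Microsoft one, or a service path outside the rempl folder, is what would actually justify a closer look.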


  10. Posts : 12
    All
       #10

    That's how I found out the ctac.json was indeed wrong. It looked funny when I examined it; I opened it in Visual Studio restricted mode to have a look, then submitted and confirmed, then contacted Kaspersky since they're who I have service with. Kaspersky looked at it and many other files I had found, waiting for the remote connection to initialize and me not be whatever number in their queue anymore, which took hours, and I noticed hidden files started appearing after I edited one of the registry settings that the json file showed it would target and altered it back to what it should have been. From there, I had to force ownership on a bunch of stuff, including non-Microsoft-origin PowerShell scripts I found, and upon examination of that realized it was still linked into the Steam updater. As I was removing Steam the connection enabled and Kaspersky had me zip archive almost 2.5 GB of files I had confirmed altered, including the scripts I found that had their MD5 and SHA-256 hashes altered so they read legit that way, and after a 6 hr upload from my ISP being crap sent that away. I still have the archive and the json in a cloud file. Badur is an insane virus that has been around in multiple forms for almost a decade and needs to end. Every form gives someone the ability to spy on an infected system.

    - - - Updated - - -

    So after examining the system log of the web reset I've now completed, it did try to once again integrate, but because the registry keys it was trying to use to integrate were completely wrong, it was not able to reinstall into Windows 11. Remember the registry for Windows 10 has been basically the same since Windows 7. This is really the first big change in almost a decade. It was trying to redirect, per the log, to base recovery files instead of webui or online OS files. It also denied loading the pre-existing hive when pushbuttonreset attempted to redirect it to do so, instead only loading the reg hive from the online OS. Whenever it tried changing registry keys or reconstructing registry keys, it failed as a result. I'm still at this time very worried about the BIOS, as Secure Boot wasn't working, which is why I believe this to be a rootkit and not a bootkit, and also concerned about it having pre-installed HP software and a very old Nvidia driver that loaded with the Windows 11 web update even though I set it for a clean scrub, but the factors that tell me something's going on hidden are mostly not present anymore. What I use on my phone essentially as Wireshark is showing it's not at this time sending anything or scanning networks, but I'll continue to monitor. First thing is Visual Studio and ensuring anti-virus can read virtualization extensions without them being hijacked by something.


 
