
personal laptop showing unauthorized activity [Solved]

Tags: Malware, Spy

This topic is locked

#1 Cremebrulee54 (Member, 17 posts)

Hi All, 

 

For a long time now, my personal laptop and personal Samsung devices have been hacked. I believe this is the case because:

 

On my laptop (Lenovo ThinkPad S430, Windows 10), the following functions are enabled:

 

1. In Remote Desktop, the function 'Change settings to allow remote connections to the computer' is ticked.

2. In Remote Desktop, 'Change settings so that the PC never goes to sleep when plugged in' is ticked.

3. In Remote Desktop, 'Change settings so that the PC never hibernates when plugged in' is ticked.

4. Under System Properties, 'Allow Remote Assistance connections to this computer' is ticked.

5. Under Computer name, next to Workgroup, I read 'WORKGROUP' (I am not currently part of any work group nor am I an employee, therefore my laptop should not be part of any workgroup).

6. Under 'Select the option that describes your network', the option 'This computer is part of a business network, I use it to connect to other computers at work' is selected.

7. PROXY, 'Automatically detect settings', is ON.

8. Under 'Hotspot 2.0 networks', the function 'Let me use Online Sign-up to get connected' is ON.

9. My Google account's two-step verification has been switched off and replaced with 'Skip password when possible'; I found this function ON.

10. My Bluetooth is on (I have never used it).

11. Although I switch off all the above, some functions re-appear as ON the following day.

12. I have a terrible, stomach-churning gut feeling that something terribly sinister is happening. I am being spied on, that's for sure, and I don't know how to find the source of this hacking, and there is very little I can do.

 

 

My Samsung devices show the following:

1. Samsung S9 connected to my S21 FE via Hotspot, which I have never used in my life but which I have found ON. When I try to switch it off, the Bluetooth comes ON (without me touching anything).

2. Please consider that my Samsung S9 is a 3-4 year old phone which I no longer use because the screen is broken. I switched it on in early Nov 24 to take pictures of what I found on my S21 FE. When I put the S9 phone on, and when I tried to connect it to my Wi-Fi, my S9 showed 2 Wi-Fi connections, one of which had my full name on it, and the S21 FE phone displaying my full name on it! The weird thing is that I only have 1 Wi-Fi, but my S9 was connected to my S21 FE phone via its Hotspot and Bluetooth. Whoever is hacking my phone is an IT expert and this is a targeted attack.

3. My Samsung S21 FE shows the following functions activated: 'Continue apps on other devices' = ON; 'Camera sharing' = ON; 'Multi Control' = ON.

4. 'Nearby Scanning Devices': ON.

 

I have alerted the Police about all this. I have Avast and Malwarebytes running on my laptop but they haven't detected anything suspicious. Whoever these hackers are, they are possibly hacking through my Wi-Fi? I changed my router 3 days ago just in case; yet again, this is my 4th router in 6 months, and I don't think it's making much of a difference: the unusual activities continue daily.

 

I make sure to turn off any functions that look suspicious, every single day; all my devices have been factory reset every day from 23rd December 2024 to 2nd January 2025, and all passwords connected to all my accounts have been changed every day. I am exhausted, but still no change.

Unusual activity takes place every single day. 

 

Avast scanning and Malwarebytes scanning report no threats.

 

If there is anyone who is willing to help, I'd really appreciate it.

 

I am based in London, UK.


Edited by Cremebrulee54, 21 January 2025 - 01:16 PM.



#2 DR M (The Grecian Geek, Malware Removal, 4,418 posts)

Hello, and welcome to Geeks to Go Forums.
 
If you need assistance related to mobile devices, please open a new topic here: https://www.geekstog...es-and-tablets/
 
If you would like us to check your computer, please do the following:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.

(To attach the files, click on the More Reply Options at the bottom right of the reply area, and then choose Attach File)



#3 Cremebrulee54 (Topic Starter, Member, 17 posts)

Dear, 

Thank you so much for replying to my query. Files are attached as requested. 

I will also submit a query about my 2 phones separately.

 

Best 

 

Cremebrulee

Attached Files



#4 DR M (The Grecian Geek, Malware Removal, 4,418 posts)

Hi, CB. 
 
Your logs show that there is a problem with your Windows activation. 
 
Do you have an OEM or a Retail license for your operating system? 
 
The following step will tell us more about it:

  • Press the Windows icon on your Desktop together with the letter R.
  • Type cmd, and press Ctrl + Shift + Enter to run Command Prompt as administrator.
  • Copy and paste the following command and press Enter:
slmgr /dli
  • After running the command, you will get a report. Please take a screenshot of what you got and attach it in your next reply. Here is an article where you can see how to take a screenshot with the Snipping Tool, in case you need it.


#5 Cremebrulee54 (Topic Starter, Member, 17 posts)

Thank you, attached is the snapshot called 'Windows licence'

 

 

I don't know what OEM is, but I purchased my laptop approximately 8-10 years ago from a legitimate outlet called PC World here in London, UK; Windows 10 was pre-installed. I also purchased Office 2019 directly from Microsoft via the same retail company (it still exists).

I have also liaised with Microsoft on several occasions as I desperately tried to resolve this matter. They reset my laptop several times over the months, and daily from 23rd December 2024 to 2nd January 2025; they have uninstalled and re-installed Windows 10 every time, though there have been issues in between because at some point my Windows kept on rebooting itself through a blue error code (the blue error code said simply 'we have to restart your Windows' or something to that effect).

 

Another aspect to consider is that in 2024 I 'upgraded' my laptop via a private IT specialist here in London, I upgraded my SSD and the memory, not sure if this has damaged/altered Windows in any way.

If it helps, attached are the 'Upgrade specs' carried out by the IT specialist.

 

 

I am still not sure how my laptop can be part of a 'WORKGROUP' if I am not an employee. All I can think of is that, during the Covid-19 pandemic, my previous employer modified my laptop to enable me (and all staff) to connect to the office computer, and this 'workgroup' could be a legacy of that arrangement. Knowing them, it's possible they were still using that connection to spy on my personal stuff (I wouldn't be surprised). Nevertheless, this odd activity is very recent, and my software such as Adobe and Microsoft Office has shown strange activity.

For instance, in addition to all the above, I notice that when I open my documents, or any applications such as Excel, Word etc., the windows are re-sized differently. When I use Adobe, the files are greyed out in the middle of my typing and crash unexpectedly, as if someone externally is deliberately crashing the application. I have lived this scenario in the past, so I know what happens.

--Question: I think I have disconnected the 'PROXY' link to the Workgroup, but please let me know what I need to check to make sure I have done it correctly.

 

The second option is much bleaker: I am currently working with very sensitive documents, some individuals (who act and live on the wrong side of the law) are certainly keen to access these documents, and I wouldn't be surprised if they are trying in every possible way to access my devices; they have the IT know-how to do that, and the Police have been alerted to this possibility also. These people are linked to the above 'Workgroup'.

 

The third scenario is an app called OLIO; it's a community app like 'Good to Go', Nextdoor etc., which I have on my phones (now only downloaded on my S21 FE). However, via Hotspot or Bluetooth, they may have connected to my laptop also. Sadly, there have been reports of OLIO staff tampering with members' personal devices via the OLIO application. Either way, I am absolutely certain there is third-party access to my devices, also in view of what is happening to my phones.

I have spoken to other Olio members and they also have witnessed/noticed 'unusual' activity on their devices that mirrors my experience. 

I don't exclude that all the above scenarios are at play, because they are all part of the same industry/type of organization and they work together.

 

I hope this helps, the key is to find the source of all this.

 

Many thanks for your help

 

Kind Regards  

Attached Thumbnails

  • Windows licence.PNG
  • Upgrade specs.PNG

Edited by Cremebrulee54, 27 January 2025 - 01:54 PM.


#6 DR M (The Grecian Geek, Malware Removal, 4,418 posts)

Please take a screenshot where you see the WORKGROUP.
 
To check the activation further:
 
Select the Start button, and then select Settings > Update & Security, and then select Activation. Your activation status will be listed next to Activation.
 
Take a screenshot of what you see. 



#7 Cremebrulee54 (Topic Starter, Member, 17 posts)

Just remembered... during the pandemic, my old employer asked me to take my personal laptop to the office so they could 'prepare it'. They kept it for a week, which was quite odd, and they also asked for my password etc. I remember feeling very uneasy about this, because of course once they had my password etc. they had access to all my personal documents etc.

I wonder if they have replaced my Windows licence with one of theirs? If so, that licence has never been changed/removed.

 

I have had the below settings on since 2020, and have noticed unusual activity on my laptop since then. Sadly, I only realised those functions were on a few days ago. I have switched all those functions off after taking the snapshots, but I wonder if they will be able to connect to my stuff yet again.

 

Incidentally, I am starting to receive a few blue error codes and my Windows has shut down once today. It is happening more and more often every time I use my laptop, and since all these factory resets have taken place.

 

Many thanks for your help 

 

Kind Regards

Attached Thumbnails

  • Windows activation.PNG
  • 20250111_1.jpg
  • 20250111_2.jpg
  • 20250111_3.jpg
  • 20250111_4.jpg
  • 20250111_5.jpg
  • 20250111_6.jpg
  • 20250111_7.jpg

Edited by Cremebrulee54, 27 January 2025 - 01:50 PM.


#8 DR M (The Grecian Geek, Malware Removal, 4,418 posts)

Now I see what you mean. 

 

Starting from your last screenshot: you chose Network ID and started the wizard about the description of your network. That doesn't mean you have a business computer. The second screenshot is the first step of the wizard. What you should do to see how you are currently set is to click on Change. And yes, the option you want here is WORKGROUP, not a domain.

 

I believe you got confused with all those settings, but I don't think the system has a problem. Since some days have passed since you first attached the FRST logs, please run the tool once more and attach fresh logs for me to review. You will have my reply tomorrow. Now it's late for me here.



#9 DR M (The Grecian Geek, Malware Removal, 4,418 posts)

Something else before I go to bed.
 
I asked you for fresh FRST logs. Have in mind that now I'll start the cleaning procedure, so the following guidelines are very important for you to follow. So, I would appreciate it if you stopped trying things by yourself now, and just followed my instructions.


1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.



#10 Cremebrulee54 (Topic Starter, Member, 17 posts)

I also would like to show you these pictures:

- Since I have experienced all these problems, my DVD drive no longer works and is not identified; USB drives are partially visible but not plugged in at all, and when I do plug them in I cannot view the content.

 

- When I try to shut down the laptop I receive the message as per attachment: '20250127_If you shut down now'

 

- By the way, when I was uploading these pictures to Google Photos, I accidentally clicked on an image and learned that I am part of a Google Photos 'conversation' with the people listed in the attachment called 'Screenshot_NameList_Google Play services'. Is that normal? I have now blocked those people; I don't know any of them and certainly I didn't know I was part of their 'conversation'.

 

- Regarding the Change, I prefer not to touch anything else, I feel I might break something...

 

- Logs are attached

 

 

 

Attached Thumbnails

  • Not working well.JPG
  • Admin Security.JPG
  • Screenshot_NameList_Google Play services.jpg
  • Screenshot_20250127_200324_Photos.jpg
  • Screenshot_20250127_200219_Photos.jpg

Attached Files


Edited by Cremebrulee54, 27 January 2025 - 03:50 PM.



#11 Cremebrulee54 (Topic Starter, Member, 17 posts)

Attaching the last image.

Attached Thumbnails

  • 20250127_If you shut down now.jpg


#12 DR M (The Grecian Geek, Malware Removal, 4,418 posts)

Moving on.
 
1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {509D0609-1F91-466E-AB97-4DAE5E8CA656} - System32\Tasks\AvastBrowserProtectS-1-5-21-782492474-2161672437-1728553647-1001 => C:\Program Files\Avast Software\Browser\Application\AvastBrowserProtect.exe  --runonce (No File)
Task: {ECF02A47-3E4D-4821-885B-99D7858C1376} - System32\Tasks\DolbySelectorTask => %ProgramFiles%\Dolby Digital Plus\ddp.exe  -autostart (No File)
S3 cpuz158; \??\C:\Windows\temp\cpuz158\cpuz158_x64.sys [X] <==== ATTENTION
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

 

2. ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.

  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

 

 

In your next reply, please post:

  1. The fixlog.txt
  2. The eset.txt


#13 Cremebrulee54 (Topic Starter, Member, 17 posts)

Attached please find:

1. Fixlog

2. eset.txt

 

Content of the eset.txt file below:

 

28/01/2025 15:52:34
Scanned files: 524422
Detected files: 2
Cleaned files: 4
Total scan time 00:35:52
Scan status: Finished
C:\Users\papir\Downloads\avast_secure_browser_setup (1).exe a variant of Win32/Avast.AVGSecureBrowser.A potentially unwanted application,a variant of Win32/CCleaner.A potentially unsafe application cleaned by deleting
 
C:\Windows.old\Users\papir\Downloads\avg_secure_browser_setup.exe a variant of Win32/Avast.AVGSecureBrowser.A potentially unwanted application,a variant of Win32/CCleaner.A potentially unsafe application cleaned by deleting
 
 
I have also submitted a query regarding my Samsung phones, they contain important information linked to unusual activity on my laptop.
 
- Regarding the 'WORKGROUP', please may you guide me to change settings in case I have clicked on the wrong thing when I was switching things off?
- Regarding Microsoft Defender, should I install it and activate it?
 
Grateful for your suggestions
 
Kind Regards

Attached Files


Edited by Cremebrulee54, 28 January 2025 - 10:07 AM.


#14 DR M (The Grecian Geek, Malware Removal, 4,418 posts)

Hi.

 

You have Avast installed. As a result, Windows Defender disabled itself in favor of the third-party antivirus. It's not recommended to use more than one antivirus program, so you need to decide which of the two you want to keep. In case you decide to uninstall Avast, let me know, so I can give you instructions on how to do it.

 

I don't see anything suspicious in your system. You are clean. 

 

As to the WORKGROUP, it is normal to be there, since you are not connected to a domain.

 

I'm not an expert in mobile phone cleaning. But you can install ESET for Android and perform a scan.

 

Let me know if you need anything else.


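Added example, not part of this thread or of any tool mentioned in it: a read-only PowerShell audit that reports the settings discussed above (Remote Desktop, Remote Assistance, workgroup vs domain, proxy auto-detect, and the Defender restriction values named in the FRST fix) next to what a personal Windows 10 laptop normally shows. It assumes Windows 10 and an elevated PowerShell prompt, and it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the Windows 10 settings
# discussed in this topic. Run from an elevated PowerShell prompt; nothing is changed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$script:findings = @()
function Add-Finding([string]$Setting, [string]$Current, [string]$Expected) {
    $script:findings += [pscustomobject]@{ Setting = $Setting; Current = $Current; Expected = $Expected }
}

# 1. Remote Desktop: fDenyTSConnections = 1 means incoming RDP connections are refused.
$rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
Add-Finding 'Remote Desktop connections' $(if ($rdp -eq 1) { 'Disabled' } else { 'ENABLED' }) 'Disabled unless you use RDP yourself'

# 2. Remote Assistance: fAllowToGetHelp = 1 is the 'Allow Remote Assistance connections' tick box.
$ra = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp'
Add-Finding 'Remote Assistance' $(if ($ra -eq 1) { 'ENABLED' } else { 'Disabled' }) 'Disabled'

# 3. Domain vs workgroup: 'WORKGROUP' with PartOfDomain = False is the normal home setup.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$member = if ($cs.PartOfDomain) { "Domain: $($cs.Domain)" } else { "Workgroup: $($cs.Workgroup)" }
Add-Finding 'Domain membership' $member 'Workgroup, not joined to a domain'

# 4. Proxy: AutoDetect = 1 is the 'Automatically detect settings' switch (WPAD lookup).
$auto = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'AutoDetect'
Add-Finding 'Proxy: automatically detect settings' $(if ($auto -eq 1) { 'ON' } else { 'OFF' }) 'OFF unless your network needs it'

# 5. Defender restrictions named in the FRST fix. Report the value wherever it is present.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows Defender', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $v = Get-RegValue $key $name
        if ($null -ne $v) {
            Add-Finding "$key\$name" "$v" 'Absent or 0 (a third-party AV such as Avast legitimately sets 1)'
        }
    }
}

# 6. Whether Defender is actually running (Get-MpComputerStatus ships with Defender on Windows 10).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    Add-Finding 'Windows Defender antivirus' $(if ($mp.AntivirusEnabled) { 'Enabled' } else { 'Disabled' }) 'Enabled, or off only because another AV is installed'
}

$script:findings | Format-Table -AutoSize -Wrap
```

A 'Disabled' Defender row next to an installed Avast is the expected state described in the reply above, not a sign of tampering; the settings in rows 1, 2 and 4 are the ones to re-check if they come back ON after being switched off.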

#15 Cremebrulee54 (Topic Starter, Member, 17 posts)

Really appreciate your help

 

I must admit, I am torn... the system is clean, yet I cannot understand why I have had all the problems I have experienced to date, and why the 'blue code errors' on my Windows, the last one only yesterday?

 

Regarding the antivirus, I would like to have the best one out of the two; I'd be grateful for your suggestion, and then yes, of course, please provide instructions on how to.

 

- I will now install ESET for android.

 

Many thanks for all your help so far.

