คอมโดน hack อยู่ดีๆ mouse ขยับไปมา คลิ๊กเปิดโน่นนี่นั่น ผมรีบไปปิด router พอปิด router ก็ยังไม่หาย เหมือนโดนรีโมทเข้ามาจากไหนก็ไม่รู้ งง เข้ามาทางไหน ก็เลยกดปิดเครื่อง เปิดขึ้นมาใหม่ก็หาย ก่อนหน้าจะที่จะโดน hack ไปโหลด trainer game มาจากเว็บ hack ไรสักอย่าง เสร็จแล้วพอเปิด trainer มันก็ไม่ทำงาน ก็ปิดเครื่องไป กินข้าว พอกลับมาเปิดคอม เม้าส์ขยับไปมา เปิดไฟล์โน่นนี่ นั่น ก็รีบไปลบไฟล์ ที่ตัวเจ้าปัญหา พวก trainer ที่โหลดมาทิ้งไปแล้ว แล้วใช้ eset scan ผมใช้ hijack scan log รบกวนช่วยดู log file ให้หน่อยครับ จริงๆมีเยอะกว่านี้ แต่คัดพวกไดร์เวอร์ หรือโปรแกรม ที่เราพอรู้จักออก รบกวนช่วยบอกวิธีแก้ไข หรือปิดวิธีรีโมทของ windows หน่อยครับ กลัวโดน hack
Running processes:
Number | Path
1 C:\Windows\ImmersiveControlPanel\SystemSettings.exe
1 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
1 C:\Windows\System32\AdminService.exe
1 C:\Windows\System32\ApplicationFrameHost.exe
1 C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_7ee21f0fcd504371\igfxCUIService.exe
1 C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_7ee21f0fcd504371\igfxEM.exe
1 C:\Windows\System32\IntelSSTAPO\ParameterService\ParameterService.exe
6 C:\Windows\System32\RuntimeBroker.exe
1 C:\Windows\System32\SearchIndexer.exe
1 C:\Windows\System32\SecurityHealthService.exe
1 C:\Windows\System32\SettingSyncHost.exe
1 C:\Windows\System32\SgrmBroker.exe
1 C:\Windows\System32\Taskmgr.exe
1 C:\Windows\System32\VSSVC.exe
1 C:\Windows\System32\audiodg.exe
1 C:\Windows\System32\conhost.exe
2 C:\Windows\System32\csrss.exe
1 C:\Windows\System32\ctfmon.exe
1 C:\Windows\System32\dasHost.exe
2 C:\Windows\System32\dllhost.exe
1 C:\Windows\System32\dwm.exe
2 C:\Windows\System32\fontdrvhost.exe
1 C:\Windows\System32\lsass.exe
1 C:\Windows\System32\services.exe
1 C:\Windows\System32\sihost.exe
1 C:\Windows\System32\smartscreen.exe
1 C:\Windows\System32\smss.exe
1 C:\Windows\System32\spoolsv.exe
79 C:\Windows\System32\svchost.exe
2 C:\Windows\System32\taskhostw.exe
2 C:\Windows\System32\wbem\WmiPrvSE.exe
1 C:\Windows\System32\wininit.exe
1 C:\Windows\System32\winlogon.exe
1 C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
1 C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
1 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
1 C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.164_none_7e114a3d4d0589d4\TiWorker.exe
1 C:\Windows\explorer.exe
1 C:\Windows\servicing\TrustedInstaller.exe
O4 - HKCU\..\StartupApproved\Run: [MiPhoneManager] (2560/06/05) = C:\Users\admin\AppData\Local\MiPhoneManager\main\MiPhoneHelper.exe
O4 - HKLM\..\StartupApproved\Run: [SecurityHealth] (2144/01/01) = C:\WINDOWS\system32\SecurityHealthSystray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9667fd29-c8dd-48b3-8353-733ed9e5d07d}: [NameServer] = 192.168.1.1
O22 - Task: AAct - C:\Windows\AAct_Tools\AAct_x64.exe /ofs=act /auto
O22 - Task: OInstall - C:\WINDOWS\OInstall.exe /activate
O22 - Task: Software Update Application - C:\ProgramData\OEM\UpgradeTool\ListCheck.exe
O22 - Task: \Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePolicyChange - {AE31B729-D5FD-401E-AF42-784074835AFE},-RegisterDevice -SettingChange - C:\WINDOWS\system32\DeviceDirectoryClient.dll (Microsoft)
O22 - Task: \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceProtectionStateChanged - {AE31B729-D5FD-401E-AF42-784074835AFE},-RegisterDevice -ProtectionStateChanged -FreeNetworkOnly - C:\WINDOWS\system32\DeviceDirectoryClient.dll (Microsoft)
O22 - Task: \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceWnsFallback - {AE31B729-D5FD-401E-AF42-784074835AFE},-RegisterDevice -Periodic - C:\WINDOWS\system32\DeviceDirectoryClient.dll (Microsoft)
O22 - Task: \Microsoft\Windows\Flighting\OneSettings\RefreshCache - {E07647F7-AED2-48D9-9720-939BC24A8A3C} - C:\Windows\System32\wosc.dll (Microsoft)
O22 - Task: \Microsoft\Windows\HelloFace\FODCleanupTask - C:\WINDOWS\System32\WinBioPlugIns\FaceFodUninstaller.exe (Microsoft)
O22 - Task: \Microsoft\Windows\InstallService\ScanForUpdates - {A558C6A5-B42B-4C98-B610-BF9559143139} - C:\Windows\System32\InstallServiceTasks.dll (Microsoft)
O22 - Task: \Microsoft\Windows\InstallService\ScanForUpdatesAsUser - {DDAFAEA2-8842-4E96-BADE-D44A8D676FDB} - C:\Windows\System32\InstallServiceTasks.dll (Microsoft)
O22 - Task: \Microsoft\Windows\InstallService\SmartRetry - {F3A219C3-2698-4CBF-9C07-037EDB8E72E6} - C:\Windows\System32\InstallServiceTasks.dll (Microsoft)
O22 - Task: \Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources - {D0582E3B-3126-4CAA-9155-AC37C912A489} - C:\WINDOWS\System32\LanguageOverlayServer.dll (Microsoft)
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ClientTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ServerTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"
O22 - Task: \Microsoft\Windows\Speech\HeadsetButtonPress - C:\WINDOWS\system32\speech_onecore\common\SpeechRuntime.exe StartedFromTask (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\Backup Scan - C:\WINDOWS\system32\usoclient.exe StartScan (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task - C:\WINDOWS\system32\usoclient.exe StartScan (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker - C:\WINDOWS\system32\MusNotification.exe (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\UpdateModelTask - C:\WINDOWS\system32\usoclient.exe StartModelUpdates (Microsoft)
O22 - Task: \Microsoft\Windows\WaaSMedic\PerformRemediation - {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32},None - C:\WINDOWS\System32\WaaSMedicSvc.dll (Microsoft)
O22 - Task: \Microsoft\Windows\WlanSvc\CDSSync - {B0D2B535-12E1-439F-86B3-BADA289510F0},$(Arg0) - C:\Windows\System32\WiFiCloudStore.dll (Microsoft)
O23 - Service R2: AtherosSvc - C:\WINDOWS\system32\AdminService.exe
O23 - Service R2: Intel SST Parameter Service - (IntelSSTSvc) - C:\WINDOWS\system32\IntelSSTAPO\ParameterService\ParameterService.exe
O23 - Service S3: Adobe Flash Player Update Service - (AdobeFlashPlayerUpdateSvc) - C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service S3: Disc Soft Ultra Bus Service - C:\Program Files\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe
O23 - Service S3: Windows Defender Advanced Threat Protection Service - (Sense) - C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
O23 - Service S3: Windows Defender Antivirus Network Inspection Service - (WdNisSvc) - C:\Program Files\Windows Defender\NisSrv.exe
O23 - Service S3: Windows Defender Antivirus Service - (WinDefend) - C:\Program Files\Windows Defender\MsMpEng.exe
คอมโดน hack อยู่ดีๆ mouse ขยับไปมา คลิ๊กเปิดโน่นนี่นั่น ปิด router แล้ว เม้าส์ยังขยับได้อีก เหมือนโดนรีโมทเข้ามา
Running processes:
Number | Path
1 C:\Windows\ImmersiveControlPanel\SystemSettings.exe
1 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
1 C:\Windows\System32\AdminService.exe
1 C:\Windows\System32\ApplicationFrameHost.exe
1 C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_7ee21f0fcd504371\igfxCUIService.exe
1 C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_7ee21f0fcd504371\igfxEM.exe
1 C:\Windows\System32\IntelSSTAPO\ParameterService\ParameterService.exe
6 C:\Windows\System32\RuntimeBroker.exe
1 C:\Windows\System32\SearchIndexer.exe
1 C:\Windows\System32\SecurityHealthService.exe
1 C:\Windows\System32\SettingSyncHost.exe
1 C:\Windows\System32\SgrmBroker.exe
1 C:\Windows\System32\Taskmgr.exe
1 C:\Windows\System32\VSSVC.exe
1 C:\Windows\System32\audiodg.exe
1 C:\Windows\System32\conhost.exe
2 C:\Windows\System32\csrss.exe
1 C:\Windows\System32\ctfmon.exe
1 C:\Windows\System32\dasHost.exe
2 C:\Windows\System32\dllhost.exe
1 C:\Windows\System32\dwm.exe
2 C:\Windows\System32\fontdrvhost.exe
1 C:\Windows\System32\lsass.exe
1 C:\Windows\System32\services.exe
1 C:\Windows\System32\sihost.exe
1 C:\Windows\System32\smartscreen.exe
1 C:\Windows\System32\smss.exe
1 C:\Windows\System32\spoolsv.exe
79 C:\Windows\System32\svchost.exe
2 C:\Windows\System32\taskhostw.exe
2 C:\Windows\System32\wbem\WmiPrvSE.exe
1 C:\Windows\System32\wininit.exe
1 C:\Windows\System32\winlogon.exe
1 C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
1 C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
1 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
1 C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.164_none_7e114a3d4d0589d4\TiWorker.exe
1 C:\Windows\explorer.exe
1 C:\Windows\servicing\TrustedInstaller.exe
O4 - HKCU\..\StartupApproved\Run: [MiPhoneManager] (2560/06/05) = C:\Users\admin\AppData\Local\MiPhoneManager\main\MiPhoneHelper.exe
O4 - HKLM\..\StartupApproved\Run: [SecurityHealth] (2144/01/01) = C:\WINDOWS\system32\SecurityHealthSystray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9667fd29-c8dd-48b3-8353-733ed9e5d07d}: [NameServer] = 192.168.1.1
O22 - Task: AAct - C:\Windows\AAct_Tools\AAct_x64.exe /ofs=act /auto
O22 - Task: OInstall - C:\WINDOWS\OInstall.exe /activate
O22 - Task: Software Update Application - C:\ProgramData\OEM\UpgradeTool\ListCheck.exe
O22 - Task: \Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePolicyChange - {AE31B729-D5FD-401E-AF42-784074835AFE},-RegisterDevice -SettingChange - C:\WINDOWS\system32\DeviceDirectoryClient.dll (Microsoft)
O22 - Task: \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceProtectionStateChanged - {AE31B729-D5FD-401E-AF42-784074835AFE},-RegisterDevice -ProtectionStateChanged -FreeNetworkOnly - C:\WINDOWS\system32\DeviceDirectoryClient.dll (Microsoft)
O22 - Task: \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceWnsFallback - {AE31B729-D5FD-401E-AF42-784074835AFE},-RegisterDevice -Periodic - C:\WINDOWS\system32\DeviceDirectoryClient.dll (Microsoft)
O22 - Task: \Microsoft\Windows\Flighting\OneSettings\RefreshCache - {E07647F7-AED2-48D9-9720-939BC24A8A3C} - C:\Windows\System32\wosc.dll (Microsoft)
O22 - Task: \Microsoft\Windows\HelloFace\FODCleanupTask - C:\WINDOWS\System32\WinBioPlugIns\FaceFodUninstaller.exe (Microsoft)
O22 - Task: \Microsoft\Windows\InstallService\ScanForUpdates - {A558C6A5-B42B-4C98-B610-BF9559143139} - C:\Windows\System32\InstallServiceTasks.dll (Microsoft)
O22 - Task: \Microsoft\Windows\InstallService\ScanForUpdatesAsUser - {DDAFAEA2-8842-4E96-BADE-D44A8D676FDB} - C:\Windows\System32\InstallServiceTasks.dll (Microsoft)
O22 - Task: \Microsoft\Windows\InstallService\SmartRetry - {F3A219C3-2698-4CBF-9C07-037EDB8E72E6} - C:\Windows\System32\InstallServiceTasks.dll (Microsoft)
O22 - Task: \Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources - {D0582E3B-3126-4CAA-9155-AC37C912A489} - C:\WINDOWS\System32\LanguageOverlayServer.dll (Microsoft)
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ClientTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ServerTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"
O22 - Task: \Microsoft\Windows\Speech\HeadsetButtonPress - C:\WINDOWS\system32\speech_onecore\common\SpeechRuntime.exe StartedFromTask (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\Backup Scan - C:\WINDOWS\system32\usoclient.exe StartScan (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task - C:\WINDOWS\system32\usoclient.exe StartScan (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker - C:\WINDOWS\system32\MusNotification.exe (Microsoft)
O22 - Task: \Microsoft\Windows\UpdateOrchestrator\UpdateModelTask - C:\WINDOWS\system32\usoclient.exe StartModelUpdates (Microsoft)
O22 - Task: \Microsoft\Windows\WaaSMedic\PerformRemediation - {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32},None - C:\WINDOWS\System32\WaaSMedicSvc.dll (Microsoft)
O22 - Task: \Microsoft\Windows\WlanSvc\CDSSync - {B0D2B535-12E1-439F-86B3-BADA289510F0},$(Arg0) - C:\Windows\System32\WiFiCloudStore.dll (Microsoft)
O23 - Service R2: AtherosSvc - C:\WINDOWS\system32\AdminService.exe
O23 - Service R2: Intel SST Parameter Service - (IntelSSTSvc) - C:\WINDOWS\system32\IntelSSTAPO\ParameterService\ParameterService.exe
O23 - Service S3: Adobe Flash Player Update Service - (AdobeFlashPlayerUpdateSvc) - C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service S3: Disc Soft Ultra Bus Service - C:\Program Files\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe
O23 - Service S3: Windows Defender Advanced Threat Protection Service - (Sense) - C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
O23 - Service S3: Windows Defender Antivirus Network Inspection Service - (WdNisSvc) - C:\Program Files\Windows Defender\NisSrv.exe
O23 - Service S3: Windows Defender Antivirus Service - (WinDefend) - C:\Program Files\Windows Defender\MsMpEng.exe