# Remote Access Registry keys and values?



## JMFD17 (Mar 25, 2017)

Hello, 

This may seem like a dumb question, but I'm going to ask it anyway.... I did a search of my registry and I found 561 registry keys and values with the keyword "RemoteAccess". Does this sound normal? 

A few key pieces of info:
1) Home network compromised over a year ago and have been unable to secure or eradicate the culprit. 

2) This computer was purchased new last September, runs Win 10, and had a clean install 3/2017. 

3) I have not had a home network since 9/16 or used a hotspot in several months. 

4) I disabled remote access and check it regularly. #1 in my search results says it is enabled. 

5) I cannot unpair my phone, or my car from this computer or each other. 

6) I have a bunch of remote access and "NULL" junk on all devices. 

7) I have been dealing with this for a Year now so I could go on and on, but I won't. 

Opinions please....


Thank you!
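A raw keyword count tells you little on its own: "RemoteAccess" is part of the name of several stock Windows components (the Routing and Remote Access service, RAS connection components, Remote Assistance), so matches exist on a clean install whether or not anything is listening. What matters is whether the inbound remote-access paths are actually enabled. The PowerShell below is an added example, not code from this thread: it reports the settings a responder would check (the Remote Desktop deny flag, Remote Assistance, the services behind those features, and enabled inbound firewall rules in the relevant groups) and reproduces the keyword count so the two can be compared side by side. Run it in an elevated PowerShell window; it changes nothing.

```powershell
# Added example: separate a raw registry keyword count from the settings that
# actually govern inbound remote access on Windows 10. Run elevated. Read-only.

function Get-RemoteAccessState {
    # 1. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # 2. Remote Assistance: fAllowToGetHelp = 1 means invitations are allowed.
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    $raEnabled = ($ra.fAllowToGetHelp -eq 1)

    # 3. Services that implement remote-access paths. "RemoteAccess" is Routing
    #    and Remote Access (disabled by default on Windows 10); TermService is RDP.
    $services = foreach ($name in 'RemoteAccess', 'TermService', 'RasMan', 'SessionEnv') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s) { [pscustomobject]@{ Service = $name; Status = $s.Status; StartType = $s.StartType } }
    }

    # 4. Enabled inbound firewall rules in the groups that expose those services.
    $fwRules = Get-NetFirewallRule -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayGroup -match 'Remote Desktop|Remote Assistance|File and Printer Sharing' } |
        Select-Object DisplayName, DisplayGroup, Profile, Action

    # 5. Reproduce the keyword search: count keys and value names under HKLM whose
    #    name contains "RemoteAccess". Walking SOFTWARE and SYSTEM takes a while.
    $hits = 0
    Get-ChildItem -Path 'HKLM:\SYSTEM', 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSChildName -like '*RemoteAccess*') { $hits++ }
        $hits += @($_.GetValueNames() | Where-Object { $_ -like '*RemoteAccess*' }).Count
    }

    [pscustomobject]@{
        RemoteDesktopEnabled    = $rdpEnabled
        RemoteAssistanceEnabled = $raEnabled
        Services                = $services
        InboundFirewallRules    = $fwRules
        RemoteAccessNameHits    = $hits
    }
}

$state = Get-RemoteAccessState
$state | Format-List RemoteDesktopEnabled, RemoteAssistanceEnabled, RemoteAccessNameHits
$state.Services | Format-Table -AutoSize
$state.InboundFirewallRules | Format-Table -AutoSize
```

The first three output values are the ones to act on; the hit count is only there to show how weakly it correlates with them. A machine with RemoteDesktopEnabled and RemoteAssistanceEnabled both False, RemoteAccess and TermService stopped, and no enabled inbound rules in those groups is not reachable through the built-in Windows remote-access features, whatever the keyword count says.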


----------



## lunarlander (Sep 22, 2007)

The only sure way to eradicate an intrusion is to reload Windows. And it must be done for all machines where you suspect compromise, because usually attackers want to own the whole network. Leaving out one compromised machine would enable the attacker to launch attacks from it to other machines. It is laborious work, but that's why intrusions cost enterprises tens of thousands of dollars to fix. However, you don't have to buy credit report subscriptions for compromised accounts, and you don't have public relations costs. Enterprises also have security IT teams that can do forensics and inspect logs to pinpoint which machines were attacked.

Normally most attacks use remote access programs that they bring along, because Windows' remote access feature requires configuring your router to forward traffic to the machine you want. Whereas their remote access tools call home and make routers a non-issue.

One method of preparing for an attack is to make drive images after a clean installation with all your applications and settings. That way, you can return to normalcy by recovering from the image. And it is a lot faster than a manual re-install of Windows and then of your applications and configuring them. But you still have to perform updates for your apps and Windows after the re-image. And of course it is understood that you need to backup your data regularly.


----------



## Powerful (Mar 4, 2016)

Hi, you failed to mention you used a registry cleaner, which returned all these items, most likely just a ruse to get you to pay for the program (without using remote access, an average registry will have around 50 entries containing "remote access").

You have already shown on the other forum that you are having system problems; as stated here already, you are best served by doing a fresh install of Windows.


----------



## Lanctus (Jul 20, 2017)

Be wary of your Documents files and folders as well. I would do a sweep through there for anything suspicious. While a clean install can rid your system of many unwanted intrusions, malware, and viruses, a skilled and knowledgeable hacker can try hiding things in your Documents, since these tend to follow you when you save them before running a clean sweep or install. Hopefully not, but sometimes a little paranoia is a healthy thing.


----------



## JMFD17 (Mar 25, 2017)

I apologize for my delayed response, I have been without internet access. I appreciate the responses and will try to reply to each, but first an update on that PC. Shortly after posting this question/post that laptop shut down and reset, wiping all my documents, files, programs, everything. I cannot even access the Start menu, if I get it to log into an account, which takes about ten minutes.

Lunarlander-
Yes, I can understand why this costs enterprises so much money as it has cost me thousands in software, IT security "experts", replacing devices, and of course the identity theft, credit card fraud, bank fraud, mail theft, and damage to my credit.

You mentioned configuring Windows remote access to forward traffic.... I suspect that my ex-husband, who is in IT security and had my computers, router, well, everything I owned for four months after I left him for trying to kill me, is behind this. I suspect this for many reasons, including the fact that he keeps getting added to my accounts, his email was listed as a remote admin on my all-in-one, and I'm suing him for breaching our divorce agreement.

So, I guess my next question would be... if I have done everything mentioned to fix my devices, and I have, how do I figure out which of my smart devices, if any, could be affected? Such as my smart TV, or my Blu-ray player that now barely functions and won't read Blu-rays. I ask because I disconnected all computers, modems, routers, smartphones, tablets, even my internet and DirecTV services, and got new devices, but every time I brought one home it slowed down and was, for lack of a better word, reprogrammed. For example, my prepaid Samsung smartphone. Worked great at first, but within 12 hours of being home it went into Odin mode, warned me about installing a new operating system and started downloading. I took out the battery but the damage was done. 

Several computer "specialists" have told me that this is an unusual, aggressive, and obviously personal attack and there is nothing I can do to stop it. They have also said that there is some device in or near my house that my devices are connecting to, but none have given me advice on how to find that device, aside from paying for them to come out and sweep the house.

As for the clean install of Windows, done it. On each device. Even had Acer and HP send me new copies, which took several hours to install, and the computers did strange things during install, but reading through the setup logs it says I installed Windows 7 Ultimate?? I've never had Windows 7. When this started I had Vista, 8 and 8.1, on different devices of course. All went into boot loops trying to update; one never came out of it.

One final question... what do I do if my firmware has been altered? I have seen several logs referencing changes to my firmware. Would a clean install work if my firmware was compromised? I guess that was 2 questions.

I wrote a longer reply than expected and will reply to the other two posts later this evening.

Thanks again,
JMFD17


----------



## JMFD17 (Mar 25, 2017)

Powerful said:


> Hi, you failed to mention you used a registry cleaner, which returned all these items , most likely just a ruse to get you to pay for the program (without using remote access, an average registry will have around 50 entries containing "remote access'').
> 
> You have already shown on the other forum that you are having system problems, as stated here already, you are best served by doing a fresh install of windows.


Powerful,
I have to reply to you real quick, the program used is a registry scanner, and did not prompt me to buy anything. If I called it a registry cleaner I misspoke. This is an ongoing problem, as I stated, and I have done clean installs.

I understand that a lot of people get paranoid about their computers and misinterpret logs and what not. I have never been paranoid or all that concerned about remote access or hackers bc I am no one special, don't have a lot of money, and honestly why would anyone go to that much effort or risk for little old me. I have always kept my computers, routers, smartphones, and av/am updated and secure with paid subscriptions. I don't open emails or attachments from people I don't know or anything suspicious and I don't frequent high risk sites, or chat rooms.

This is not something I did out of stupidity or paranoid delusions. My credit has been destroyed, thousands stolen from my bank accounts, credit cards maxed out, lines of credit and accounts opened in my name. I have even spoken with a local P.I. who was hired (by whom he wouldn't say) to locate me. Which he did by running my credit back in 6/2015 as a tenant screen using a forged authorization form. Which I have a copy of, along with the report he got when he ran my credit.

Believe me, I understand how out there this sounds. Unfortunately this is the reality of my situation. I have gone to the police who told me they thought I was being stalked, but considered it all an "online crime" and they only deal with "local crime" so they wouldn't even give me a police report, which by law they are supposed to. The state I live in you have to go to the local police first, so I tried the FTC, the postal inspector, and identitytheft.gov. Never received a response from any, which doesn't mean they didn't send one. I just didn't get it, much like most phone calls, texts, and emails.

I could go on and on, but I think that's more than I intended to say to begin with.


----------



## lunarlander (Sep 22, 2007)

Hi,

Firmware that has been changed can possibly be rolled back, if the device has that option. Or you can check whether the latest version is available for download and install that.

Did you create a backup image after the new install of Windows? You can use Macrium Reflect (free) and save the image onto an external drive. That would save you hours of work when you need to re-install again. Backing up a new install takes approximately 15 mins and a restore takes 10 mins. But you may just wait until you need to re-install again because the PC has now gone online, and you won't be able to get a pristine backup. Forgot to mention that all Windows installs should be done offline.

Since you say we're dealing with an IT security specialist, you would have to do better than a clean install. Go read this: http://hardenwindows7forsecurity.com (you say you have Win 7 Ultimate).

If you suspect that your router has been configured for remote access, go use a paper clip and find the 'reset' pin hole in the back of the unit. Press and hold for a count of 10. Then all settings will be set back to the day of purchase. You will have to change the Wi-Fi WPA2 key (passphrase) and SSID. You can also look up the default password by googling 'brand-name model default password'.


----------



## JMFD17 (Mar 25, 2017)

Lanctus said:


> Be wary of your Documents files and folders as well. I would do a sweep through there for anything suspicious. While a clean install can rid your system of many unwanted intrusions, malware, and viruses, a skilled and knowledgeable hacker can try hiding things in your Documents, since these tend to follow you when you save them before running a clean sweep or install. Hopefully not, but sometimes a little paranoia is a healthy thing.


Hi Lanctus,

I have found that you are absolutely correct. On two of my laptops, both new and running Win 10, in my "This PC" folder under HP\BIN there is a cmd prompt that allows me access to different commands and logs than if I just right-click Start and run an admin cmd prompt.

What's even more interesting is that only one of those laptops is an HP. The other is an Acer.

This is a little random, but for some reason responding to you made me think of it.... do you know what cloaker64.exe is? Probably something I'm supposed to have, but just in case. Oh, lol, and what a "Junction" or "SymLinkD" is?

Thanks, 
JMFD17
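On the "Junction" and "SymLinkD" question: both are NTFS reparse points, a directory entry that redirects to another path. A junction points to a local directory; a directory symbolic link (the `<SYMLINKD>` that `dir` prints) can also point to a UNC path. Either makes files appear somewhere they do not physically live, which is why a recursive copy or a "sweep" of Documents can pick up content from elsewhere. Windows creates many legitimate ones (the hidden compatibility junctions in every user profile, for instance), so the useful check is to list every reparse point with its target and look at the ones whose target is outside the locations you expect. The PowerShell below is an added example, not from this thread; the list of trusted roots in it is an assumption to adjust for your own machine.

```powershell
# Added example: list NTFS junctions and symbolic links under a path with their
# targets, and flag those whose target lies outside a set of expected roots.
# Requires PowerShell 5.1 or later (LinkType / Target properties). Read-only.

function Get-ReparsePointReport {
    param(
        [string]$Path = $env:USERPROFILE,
        # Assumed "expected" locations; a target outside all of them is flagged.
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE)
    )

    Get-ChildItem -Path $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Target is a string array in PowerShell 5.1; join it for display.
            $target  = @($_.Target) -join ';'
            $trusted = $false
            foreach ($root in ($TrustedRoots | Where-Object { $_ })) {
                if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            [pscustomobject]@{
                Path           = $_.FullName
                LinkType       = $_.LinkType      # Junction or SymbolicLink
                Target         = $target
                LastWrite      = $_.LastWriteTime
                OutsideTrusted = (-not $trusted)
            }
        }
}

# Default scope is the user profile, where Documents-style persistence would sit.
$report = Get-ReparsePointReport
$report | Sort-Object OutsideTrusted -Descending | Format-Table -AutoSize

# The same listing from cmd.exe, which is what prints <JUNCTION> and <SYMLINKD>:
#   dir /aL /s "%USERPROFILE%"
```

The compatibility junctions in a profile (for example "Application Data" pointing into AppData\Roaming) carry a deny-list ACL, so they show up with an access error that the script suppresses; that is expected. A junction or symlink whose target is a removable drive, a network path, or a directory created recently is worth opening by its real path rather than through the link.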


----------



## JMFD17 (Mar 25, 2017)

lunarlander said:


> Hi,
> 
> A firmware that has been changed can possibly be rolled back, if the device has that option. Or you can check if the latest version is available for download and installing that.
> 
> ...


Hi Lunarlander,

Both of the new laptops will not allow me to backup, reset, restore, or even set a restore point for win 10. I'm not sure how to rollback the firmware, although they keep asking if I want to rollback to windows 7 on one and windows 8 on the other. Both were purchased with win 10 home preinstalled.

The new install on each was done, the last time, with media sent from hp and acer on external drives and offline. So, no, I did not make a back up, I just have the drives they came on.

I actually do not have internet set up at home, haven't since 9/2016. I gave up and unplugged the router and disconnected the service after the third new router was compromised and all of its security was disabled. I was very careful when I set them all up. They were offline, all devices were offline or off, I changed the router login and password, the SSID and passphrase, turned off the SSID broadcast, set MAC filtering, did everything I was instructed to do to ensure they were secure before even connecting the Ethernet cable, but each one had all the security features disabled the following morning. Just like my AV and firewall. I can't even turn the firewall on anymore on either laptop since I found all the firewall exceptions for remote access and file sharing and started to remove them.

I have data on this tablet and on my prepaid smartphone but have not gone online intentionally with either laptop. I did capture USB and Bluetooth traffic on them using Wireshark. But the program shut down when I was capturing the USB traffic, and won't run again.

You said a restore should take 10 minutes? Whenever they shut down, in the middle of whatever I'm doing - usually looking at logs or when I find something potentially useful, they reset or restore and it usually takes two hours or more.
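The firewall exceptions mentioned in the post above can be reviewed and closed without deleting rules one at a time, and re-enabling the firewall with a default-block inbound policy is a single command. The PowerShell below is an added example, not from this thread: it lists every enabled inbound allow rule with its port and program, then disables the rule groups that expose Remote Desktop, Remote Assistance, file sharing and remote management and turns the firewall on for all profiles. It must run elevated and it changes firewall state, so it is written with -WhatIf support; the group list is a reasonable default, not something the thread specifies.

```powershell
# Added example: audit inbound allow rules and close the remote-access and
# file-sharing rule groups. Run elevated. -WhatIf previews without changing.

function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Group     = $_.DisplayGroup
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Program   = $app.Program
            }
        }
}

function Disable-RemoteAccessRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Built-in display groups that expose inbound remote access/management.
        [string[]]$Groups = @('Remote Desktop', 'Remote Assistance',
                              'File and Printer Sharing', 'Remote Event Log Management',
                              'Remote Service Management', 'Windows Remote Management')
    )
    foreach ($g in $Groups) {
        $rules = Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue
        if ($rules -and $PSCmdlet.ShouldProcess("$(@($rules).Count) rules in '$g'", 'Disable')) {
            $rules | Disable-NetFirewallRule
        }
    }
    # Firewall on for every profile, and block anything not explicitly allowed.
    if ($PSCmdlet.ShouldProcess('Domain, Private, Public', 'Enable firewall with default inbound Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    }
}

Get-InboundAllowRules | Sort-Object Group, Name | Format-Table -AutoSize
Disable-RemoteAccessRules -WhatIf     # drop -WhatIf to apply the changes
```

Review the first table before applying: any allow rule with a Program path outside Windows or Program Files, or with a Group of (none), was added by an installer or by hand and deserves a look. Disabling a group rather than deleting it keeps the rules visible for later comparison.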


----------



## lunarlander (Sep 22, 2007)

OK regarding firmware, I thought you were talking about a device like a smart-phone. In the PC world it is the BIOS. One can have malware installing into the BIOS. If there are any updates, they can be found in the vendor's web site, underneath Support and looking up the model number. Did the compromise of the 3rd router happen after the Windows re-install or before?

On my Win 10 Home PC, I have very few programs and it just uses 18 Gigs, thus the restores and backups can go very fast.

Usually most attacks make use of a Remote Access Tool/Trojan (RAT). The attacker can actually see the screen, and they are notoriously hard to find. The attacker can set up the program's properties like organization and version etc.
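Because the company, product and version strings in a binary's properties are written by whoever built it, they are not evidence of anything. Two things the attacker cannot forge as easily are an Authenticode signature chaining to a trusted root and the location the file runs from, so a first RAT triage is: for every running process and every common autostart entry, record the signature status next to the version strings and look at the unsigned ones outside Windows and Program Files. The PowerShell below is an added example, not from this thread; the path patterns it treats as "system locations" assume a standard C: install.

```powershell
# Added example: triage running processes and common autostart locations for
# a RAT. Version-info strings are attacker-controlled; signature status and
# file location are the better signal. Run elevated for full coverage. Read-only.

function Get-ProcessSignatureReport {
    Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        $vi  = (Get-Item -LiteralPath $_.Path -ErrorAction SilentlyContinue).VersionInfo
        [pscustomobject]@{
            Name       = $_.ProcessName
            Path       = $_.Path
            Signed     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject
            Company    = $vi.CompanyName             # attacker-controlled string
            Version    = $vi.FileVersion             # attacker-controlled string
            # Assumed system roots; unsigned code elsewhere is the thing to examine.
            Suspicious = ($sig.Status -ne 'Valid') -and
                         ($_.Path -notmatch '^C:\\(Windows|Program Files( \(x86\))?)\\')
        }
    }
}

function Get-AutostartEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value }
        }
    }
    # Scheduled tasks whose action runs something outside the Windows directory.
    Get-ScheduledTask | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute -and $a.Execute -notmatch '^(%SystemRoot%|C:\\Windows)') {
                [pscustomobject]@{ Source = "Task $($_.TaskPath)$($_.TaskName)"; Name = $_.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
    # Services whose binary is not under the Windows directory.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
}

Get-ProcessSignatureReport | Where-Object Suspicious | Format-Table Name, Path, Signed, Company -AutoSize
Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

A RAT that runs as a signed, legitimate remote-administration product will not be flagged by the signature check; for those, the autostart listing and the firewall rules it installed are what give it away, which is why both views are printed.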


----------



## JMFD17 (Mar 25, 2017)

Lunarlander-

I really appreciate you taking the time to discuss this with me. I usually get told that I Must be confused about what's really going on. So, thank you for not immediately assuming I'm paranoid and/or crazy. 

Sorry, I am talking about multiple devices at once. Smartphones, tablets, laptops, a transformer, and an all in one. That is confusing, I apologize. The two laptops are both newer notebooks, purchased last September after the last router was compromised. The last reinstall was march of this year.

Organization... like enterprise? 

Both notebooks say that my "organization" is controlling certain settings, but I read that can happen if you have certain settings enabled or disabled. 

As far as a RAT, I have found references to both signal catchers and RATs on my phone but the app only worked for one day and was disabled. Would logs or any specific info help you to better understand the situation?


----------



## lunarlander (Sep 22, 2007)

So you have 2 laptops and an all-in-one.

Since you have Windows 10 on the 2 laptops, go look here: http://hardenwindows10forsecurity.com

If you have Win 10 Pro, then there is a Group Policy Editor (gpedit.msc) which can set and enforce many settings that govern how Windows behaves. And you will run into error messages that say some settings are set by your organization. Just type in gpedit.msc and hit enter. By default, none of the settings are configured.

Sorry I am not familiar with cellphones. If they are Android, then it will be similar to Linux. And I know a little about Linux. If you want to, you can post the logs here and I can take a look.
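Group Policy settings, whether set through gpedit.msc or written directly, end up as values under the Policies registry hives, and it is the presence of values there that produces the "some settings are managed by your organization" message (device enrollment in an MDM service produces it too). Since Windows 10 Home has no gpedit.msc, reading those hives directly is the way to see exactly which settings are enforced and from which hive. The PowerShell below is an added example, not from this thread; it is read-only.

```powershell
# Added example: dump every value under the registry hives that policy
# processing (and the "managed by your organization" banner) reads from.
# A fresh, non-domain Windows 10 Home install has very few entries here.

function Get-PolicyRegistryValues {
    param(
        [string[]]$Hives = @(
            'HKLM:\SOFTWARE\Policies',
            'HKCU:\SOFTWARE\Policies',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
        )
    )
    foreach ($hive in $Hives) {
        if (-not (Test-Path $hive)) { continue }
        # The hive root itself plus every subkey beneath it.
        $keys = @(Get-Item $hive) + @(Get-ChildItem $hive -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                    Kind  = $key.GetValueKind($name)
                }
            }
        }
    }
}

function Get-MdmEnrollments {
    # MDM enrollment also makes Windows report the device as managed.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Select-Object PSChildName, @{ n = 'LastWrite'; e = { (Get-Item $_.PSPath).LastWriteTime } }
}

$policy = Get-PolicyRegistryValues
"{0} policy values found" -f @($policy).Count
$policy | Format-Table Key, Value, Data -AutoSize -Wrap
Get-MdmEnrollments | Format-Table -AutoSize

# On Pro and above, the policy engine's own report covers the same ground:
#   gpresult /h "$env:USERPROFILE\Desktop\gpresult.html"
```

Each row is one enforced setting; the Key column tells you whether it came from a machine policy (HKLM) or a user policy (HKCU), and the value name is the same one gpedit.msc would show. Deleting the value removes the enforcement, but on a machine that keeps re-acquiring settings the first question is what is writing them, not how to remove them.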


----------



## JMFD17 (Mar 25, 2017)

Well, lol, no. I have several computers, but I'm only currently using the 2 notebooks/laptops. I have kept the all-in-one unplugged after finding my ex-husband's email address listed as remote admin, just in case there was anything that could link him to all of this. I bought it just prior to leaving him and he used it for the 4 months he had my property in his possession. 

I will go to that link now. Thank you


----------



## JMFD17 (Mar 25, 2017)

The site you sent me to is great, thank you! It says if you're already compromised to do a clean install, but if my bios or my install media is corrupted/altered what are my options? I'm not sure how to verify the integrity of the media or my bios. Any ideas?


----------



## lunarlander (Sep 22, 2007)

Hi,

Just download the latest version of the BIOS and install it. But beware, if something goes wrong during the process your computer may become inoperable.
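On the question of verifying install media and the BIOS: the practical check available to a user is to compare what the machine reports with what the vendor publishes. Install media can be hashed and compared with the SHA-256 on the download page; for firmware, the vendor, version and release date that Windows reads from SMBIOS can be compared with the vendor's support page before deciding to reflash, and the Secure Boot state tells you whether the boot path is at least signature-checked. The PowerShell below is an added example, not from this thread; the ISO path and expected hash in it are placeholders.

```powershell
# Added example: gather the firmware facts to compare against the vendor's
# support page, and verify install media by hash. Read-only; Confirm-SecureBootUEFI
# needs an elevated session and a UEFI machine.

function Get-FirmwareFacts {
    $bios = Get-CimInstance Win32_BIOS
    $cs   = Get-CimInstance Win32_ComputerSystem
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'n/a (legacy BIOS or not elevated)' }
    [pscustomobject]@{
        Manufacturer    = $cs.Manufacturer
        Model           = $cs.Model
        BiosVendor      = $bios.Manufacturer
        BiosVersion     = $bios.SMBIOSBIOSVersion   # compare with the vendor download page
        BiosReleaseDate = $bios.ReleaseDate
        SecureBoot      = $secureBoot
        FirmwareType    = $env:firmware_type        # "UEFI" or "Legacy" for this boot
    }
}

function Test-InstallMediaHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # from the vendor's or Microsoft's download page
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path     = $Path
        Actual   = $actual
        Expected = $ExpectedSha256.ToUpper()
        Match    = ($actual -eq $ExpectedSha256.ToUpper())
    }
}

Get-FirmwareFacts | Format-List
# Placeholder values: substitute the downloaded image and the published hash.
Test-InstallMediaHash -Path 'D:\Win10_Home.iso' -ExpectedSha256 ('0' * 64)
```

A hash match proves only that the image equals the published one; media mailed by a vendor has no published hash to compare against, so a freshly downloaded, hash-verified image from a machine you trust is the stronger choice. A BIOS version string that matches the vendor's page likewise does not prove the flash contents are unmodified, which is why reflashing with the vendor's package, as suggested above, is the step that actually resets it.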


----------



## JMFD17 (Mar 25, 2017)

It doesn't do much now, so I think I'll risk it.

Thank you.


----------

