Attacker gained full remote access to my computer...


  • This topic is locked
10 replies to this topic

#1 BrewDog

BrewDog

  • Members
  • 10 posts

Posted 21 August 2011 - 10:04 PM

Got home from work on Friday and discovered someone using my PC via a remote LogMeIn session (my LogMeIn account). They were searching the filesystem for a keylogging program that I had found and disabled earlier that morning (OGB.exe - apparently Ardamax Keylogger). I yanked out the network cable and changed all my passwords from a different computer; one that I'm pretty confident was not compromised.

I know... In hindsight, it was pretty stupid of me to leave the computer on and connected after discovering the keylogger Friday morning.

Anyway, I need to know if my system is clean. I've posted DDS.txt below and attached two files (Attach.txt & ARK.txt) per the bleepingcomputer prep guide.

Thanks for the help!


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Run by Sam at 22:19:11 on 2011-08-21
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2047.1058 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Logitech Vid\Vid.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Sam\AppData\Local\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Users\Sam\AppData\Local\Google\Update\1.3.21.65\GoogleCrashHandler.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AbacastDistributedOnDemand:11] c:\users\sam\appdata\local\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1
uRun: [Google Update] "c:\users\sam\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [OGB Start] c:\program files\ogb\OGB.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [OGB Start] c:\program files\ogb\OGB.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\users\sam\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\sam\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\sam\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: stamponelaw.com\mail
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} - hxxps://saas6.kaseya.net/klc/resources/cab/LiveConnectX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {B44D252D-98FC-4D5C-948C-BE868392A004} - hxxp://recoverymanager.aepgcorp.com/Altiris/NS/NSCap/Bin/Win32/x86/AltirisNSConsole.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.160.1 71.250.0.12
TCP: Interfaces\{29AA9595-E085-4DA7-BD28-4755F5CD81DC} : DhcpNameServer = 192.168.25.17 192.168.25.8 192.168.25.13 192.168.25.19
TCP: Interfaces\{4E1D2EBA-942F-4486-8CF8-6E5AA707A9C7} : DhcpNameServer = 192.168.160.1 71.250.0.12
TCP: Interfaces\{C9B864C9-DC34-4840-8697-E9432CA5C9D3} : NameServer = 192.168.160.1,71.250.0.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 192.168.160.201 tower
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sam\appdata\roaming\mozilla\firefox\profiles\b1eibt7d.default\
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\sam\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\users\sam\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-7-25 47640]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
R3 m4cxvista;NDIS6.0 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter;c:\windows\system32\drivers\m4cxvista.sys [2009-2-19 299008]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2010-4-16 87064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-4 41272]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2010-4-21 3328]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-30 1343400]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-10-27 627072]
.
=============== Created Last 30 ================
.
2011-08-22 01:08:02 -------- d-----w- c:\program files\SyncToy 2.1
2011-08-19 22:23:18 -------- d-----w- c:\program files\Flip Video
2011-08-19 16:31:08 -------- d-----w- c:\program files\ESET
2011-08-18 20:41:52 -------- d-----w- c:\windows\system32\rserver30
2011-08-17 19:04:40 -------- d-----w- c:\users\sam\appdata\local\QuickPar
2011-08-17 19:02:39 -------- d-----w- c:\program files\QuickPar
2011-08-16 14:03:41 -------- d-----w- c:\users\sam\appdata\local\eapNet64
2011-08-14 20:41:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-08-14 20:41:14 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-08-14 20:41:13 1047552 ----a-w- c:\windows\system32\mfc71u.dll
2011-08-14 20:41:13 -------- d-----w- c:\program files\WinMerge
2011-08-07 15:02:37 -------- d-----w- c:\users\sam\appdata\roaming\TeraCopy
2011-08-05 23:34:30 -------- d-----w- c:\program files\DVD Decrypter
2011-08-04 19:19:46 -------- d-----w- c:\windows\HaxFix
2011-08-04 18:47:55 -------- d-----w- c:\users\sam\appdata\roaming\Malwarebytes
2011-08-04 18:44:07 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 18:44:06 -------- d-----w- c:\programdata\Malwarebytes
2011-08-04 18:44:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 18:44:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-02 23:01:12 -------- d-----w- c:\program files\VideoLAN
2011-07-28 13:20:04 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-07-28 13:19:58 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-07-28 13:19:58 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-07-28 13:18:55 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-07-28 13:18:17 -------- d-----w- C:\ff666fc8193f8816783763e12694367f
2011-07-25 16:28:09 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-07-25 16:28:09 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-07-25 16:28:07 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-25 16:28:07 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-07-25 16:28:04 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-25 16:28:00 -------- d-----w- c:\programdata\LogMeIn
2011-07-25 16:27:50 -------- d-----w- c:\program files\LogMeIn
.
==================== Find3M ====================
.
2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-13 12:09:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-09 02:26:10 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-23 04:38:05 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-23 04:38:04 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-21 05:39:53 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-21 05:36:36 981504 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 05:35:05 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-21 04:26:02 386048 ----a-w- c:\windows\system32\html.iec
2011-06-15 09:04:46 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-06-15 09:04:46 81920 ----a-w- c:\windows\system32\odbccr32.dll
2011-06-15 09:04:46 319488 ----a-w- c:\windows\system32\odbcjt32.dll
2011-06-15 09:04:46 163840 ----a-w- c:\windows\system32\odbctrac.dll
2011-06-15 09:04:46 122880 ----a-w- c:\windows\system32\odbccp32.dll
2011-06-11 02:37:19 2332672 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 10:35:34 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD5000AAKS-75A7B2 rev.01.03B01 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
1 ntkrnlpa!IofCallDriver[0x82E8E458] -> \Device\Harddisk1\DR1[0x85AA45B8]
3 CLASSPNP[0x8918C59E] -> ntkrnlpa!IofCallDriver[0x82E8E458] -> [0x8557D918]
5 ACPI[0x88C433B2] -> ntkrnlpa!IofCallDriver[0x82E8E458] -> \Device\Ide\IdeDeviceP0T0L0-0[0x8599D030]
kernel: MBR read successfully
_asm { ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; }
user != kernel MBR !!!
.
============= FINISH: 22:20:13.92 ===============

Attached Files
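Added example (not part of any post in this thread, and not code from the DDS tool): a small triage pass over the "Pseudo HJT Report" section of a DDS log like the one above. It picks out the things a responder reads first: security products reported as disabled, the same autorun name registered under both the user (uRun, HKCU) and machine (mRun, HKLM) Run keys, autoruns launched from user-writable directories, and the UAC policy values that switch elevation prompts off. SAMPLE_DDS is a constructed excerpt mirroring lines from the posted log; the line formats it parses are DDS's own, everything else (function names, the USER_WRITABLE list) is this example's choice.

```python
"""Triage the "Pseudo HJT Report" part of a DDS log.

Added example; not code from the original thread or from the DDS tool.
The AV:/SP:/FW:, uRun:/mRun: and mPolicies-system: line formats match the
log posted above. SAMPLE_DDS is a constructed excerpt of that log.
"""
import re
from collections import defaultdict

SAMPLE_DDS = r"""
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [AbacastDistributedOnDemand:11] c:\users\sam\appdata\local\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1
uRun: [OGB Start] c:\program files\ogb\OGB.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [OGB Start] c:\program files\ogb\OGB.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
"""

PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*([^*]+)\* \{")   # kind, name, state
RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\] (.+)$")          # u=HKCU, m=HKLM
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")

# Per-user, writable locations; a legitimate installer rarely registers an
# autorun from here, a dropper usually does. List chosen for this example.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def image_path(cmd):
    """Best-effort executable path from a Run value, quoted or bare."""
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    end = cmd.lower().find(".exe")            # bare paths may contain spaces
    return cmd[: end + 4] if end != -1 else cmd.split(" ")[0]


def parse_dds(text):
    """Return the products, autoruns and policy values found in a DDS report."""
    products, autoruns, policies = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := PRODUCT_RE.match(line):
            products.append((m.group(1), m.group(2), m.group(3)))
        elif m := RUN_RE.match(line):
            hive = "HKCU" if m.group(1) == "u" else "HKLM"
            autoruns.append((hive, m.group(2), m.group(3)))
        elif m := POLICY_RE.match(line):
            policies[m.group(1)] = int(m.group(2))
    return {"products": products, "autoruns": autoruns, "policies": policies}


def find_indicators(report):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for kind, name, state in report["products"]:
        if state.lower().startswith("disabled"):
            findings.append(f"{kind} disabled: {name}")

    hives_by_name = defaultdict(set)
    for hive, name, cmd in report["autoruns"]:
        hives_by_name[name].add(hive)
        image = image_path(cmd)
        if any(marker in image.lower() for marker in USER_WRITABLE):
            findings.append(f"autorun from user-writable path: [{name}] {image}")
    for name, hives in hives_by_name.items():
        if hives == {"HKCU", "HKLM"}:
            findings.append(f"autorun registered in both HKCU and HKLM Run: [{name}]")

    pol = report["policies"]
    if pol.get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA = 0)")
    if pol.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("admins elevate without prompting (ConsentPromptBehaviorAdmin = 0)")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_dds(SAMPLE_DDS)):
        print("-", finding)
```

Run against the excerpt it flags both disabled AV products, the Abacast autorun under AppData, the "OGB Start" entry present in both Run hives, and the two UAC values. The double registration is worth noting on its own: an ordinary installer picks one hive, so the same value in both is a persistence habit, not a coincidence.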

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,733 posts
  • Gender:Male

Posted 26 August 2011 - 10:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415538 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,733 posts
  • Gender:Male

Posted 31 August 2011 - 10:10 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#4 BrewDog

BrewDog
  • Topic Starter

  • Members
  • 10 posts

Posted 07 September 2011 - 08:19 AM

Yes, I still need help! I will post a new DDS and GMER log when I get home tonight.

#5 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 07 September 2011 - 08:29 AM

Greetings BrewDog and Welcome to the forums,

I'm looking over your log and will have some suggestions for you in a short while. Thanks for your patience!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#6 BrewDog

BrewDog
  • Topic Starter

  • Members
  • 10 posts

Posted 07 September 2011 - 08:41 AM

Greetings BrewDog and Welcome to the forums,

I'm looking over your log and will have some suggestions for you in a short while. Thanks for your patience!


Thank you!

Here's some additional info...
After discovering the attack and before posting my logs above I did the following:
  • Ran malwarebytes - discovered and removed "radmin" program
  • Removed VNC server - I noticed that the attacker had reconfigured my VNC server to bind to 127.0.0.1. It looked to me like things were being proxied through localhost.
  • Removed LogMeIn
  • Disabled RDP
  • Installed ZoneAlarm Firewall to monitor all incoming and outgoing connections

I'm at work now and won't have access to the PC until I get home because all my remote access methods have been disabled! ;)
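Added example (not part of any post in this thread): the pattern BrewDog describes, a remote-access server rebound to 127.0.0.1 with something else relaying traffic into it, shows up plainly in `netstat -ano` output once you correlate the rows by PID. The code below parses Windows-style TCP rows (protocol, local address, foreign address, state, owning PID), finds remote-access listeners that are reachable only via loopback, and for each one reports the other process that holds a connection into it, that process's external peers, and any non-loopback port it listens on. SAMPLE_NETSTAT, its PIDs and addresses are constructed for illustration, not taken from the poster's machine; the port-to-service names are the tools' well-known defaults (3389 RDP, 5900 VNC, 4899 Radmin).

```python
"""Find a remote-access service bound to loopback and fronted by another process.

Added example, not code from any post in this thread. It parses Windows
`netstat -ano` style TCP rows. SAMPLE_NETSTAT (PIDs, addresses) is
constructed; REMOTE_ACCESS_PORTS holds the tools' default ports.
"""
import re

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:52117          0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING       2040
  TCP    127.0.0.1:5900         127.0.0.1:49311        ESTABLISHED     2040
  TCP    127.0.0.1:49311        127.0.0.1:5900         ESTABLISHED     3120
  TCP    192.168.160.50:52117   203.0.113.9:41222      ESTABLISHED     3120
  TCP    192.168.160.50:49402   172.217.3.110:443      ESTABLISHED     1880
"""

# Default ports of the remote-access tools named in this thread.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 4899: "Radmin"}

# One TCP row: local ip:port, foreign ip:port, state, owning PID. UDP rows
# have no state column and are skipped on purpose.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def is_loopback(ip):
    return ip.startswith("127.") or ip in ("::1", "[::1]")


def parse_netstat(text):
    """Return one dict per TCP row; headers and UDP rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({
                "local_ip": m.group(1), "local_port": int(m.group(2)),
                "remote_ip": m.group(3), "remote_port": int(m.group(4)),
                "state": m.group(5), "pid": int(m.group(6)),
            })
    return rows


def find_loopback_fronting(rows):
    """For each remote-access listener bound only to loopback, report every
    other PID connected into it, that PID's external peers, and the
    non-loopback ports it listens on (the relay's front door)."""
    findings = []
    listeners = [r for r in rows if r["state"] == "LISTENING"]
    for svc_row in listeners:
        svc = REMOTE_ACCESS_PORTS.get(svc_row["local_port"])
        if svc is None or not is_loopback(svc_row["local_ip"]):
            continue
        relays = sorted({r["pid"] for r in rows
                         if r["state"] == "ESTABLISHED"
                         and is_loopback(r["remote_ip"])
                         and r["remote_port"] == svc_row["local_port"]
                         and r["pid"] != svc_row["pid"]})
        for relay in relays:
            peers = sorted(f"{r['remote_ip']}:{r['remote_port']}" for r in rows
                           if r["pid"] == relay and r["state"] == "ESTABLISHED"
                           and not is_loopback(r["remote_ip"]))
            exposed = sorted(r["local_port"] for r in listeners
                             if r["pid"] == relay and not is_loopback(r["local_ip"]))
            findings.append({
                "service": svc, "service_pid": svc_row["pid"], "relay_pid": relay,
                "external_peers": peers, "relay_listens_on": exposed,
            })
    return findings


if __name__ == "__main__":
    for f in find_loopback_fronting(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f['service']} (pid {f['service_pid']}) is loopback-only; "
              f"pid {f['relay_pid']} relays into it, talks to {f['external_peers']}, "
              f"listens on {f['relay_listens_on']}")
```

On the constructed sample this names PID 3120 as the relay: it holds the client side of the loopback connection into VNC, has an established session to an outside address, and itself listens on 0.0.0.0:52117. A VNC server that only listens on loopback is not in itself wrong (SSH port-forwarding setups do exactly that), so the finding is the combination: the loopback-only service plus an unexplained process bridging it to the network.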

#7 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 07 September 2011 - 09:36 AM

OK, just a couple comments before we get started. First...Please be advised that during our troubleshooting endeavor, you should not use the system for anything other than to respond here to your posted instructions.

Open no other email except for email responses from BleepingComputer. Further, it is anticipated that you will not take upon yourself to do anything OTHER than what is instructed here to include, no surfing (of course), no running any scans of any kind even of your own on board security software except for what is already running on start up, some of which I may ask you to disable later on.

Make NO system changes whatsoever unless it is specifically detailed in some instruction here. Go nowhere on the internet except where directed here...and even then, I will provide the link for you. Thanks in advance for your understanding and cooperation!

Now, a few questions:

Got home from work on Friday and discovered someone using my PC via a remote LogMeIn session (my LogMeIn account). They were searching the filesystem for a keylogging program that I had found and disabled earlier that morning (OGB.exe - apparently Ardamax Keylogger).

The above reads as though you were watching your screen as the cursor was moving on its own. Is this correct? I'd also like to know how you came to the conclusion that the remote user had gained access via your LogMeIn account. How did you know the remote user was searching for the key logger you found? If it was gone, then what WAS searched for that led you to conclude the intended search was for the key logger? How did YOU find this key logger? Was there some security application that found it and removed it, or did you do this? If you found it, tell me how and what gave you the clue to even go looking for it. If an application found it, please tell me which one and provide the log file it produced.

The very fact that you say you were able to find some key logger and remove it implies that you haven't lost complete control. However, the log does show a rootkit infection which should certainly cause alarm.

In looking through your installed programs, I see several that are more likely the conduit through which one might tunnel, and I would suspect a problem from VLC were it an outdated version, but yours is the latest. Other, more likely candidates would be:
FileZilla Client 3.3.3
FlipShare
Java™ 6 Update 24

...all of which could ring the bell. Otherwise, you would have to show some proof that the user accessed via your LogMeIn account. If you KNOW that, then you might also know your abuser.

Also, LogMeIn, even RADMIN, are not malicious by themselves and "remote" access IS their intended design. These types of programs are fine to use, but if one does so, one should always make certain to use and maintain strong passwords.

Before I suggest anything at all, I need to offer you the opportunity to make an informed decision as to what you would rather do:
IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and Backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer...not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read "How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?"

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let us know how you wish to proceed.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#8 BrewDog

BrewDog
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 07 September 2011 - 10:21 AM

Now, a few questions:


Got home from work on Friday and discovered someone using my PC via a remote LogMeIn session (my LogMeIn account). They were searching the filesystem for a keylogging program that I had found and disabled earlier that morning (OGB.exe - apparently Ardamax Keylogger).


The above reads as though you were watching your screen as the cursor was moving on its own. Is this correct? I'd also like to know how you came to the conclusion that the remote user had gained access via your LogMeIn account. How did you know the remote user was searching for the key logger you found? If it was gone, then what WAS searched for that led you to conclude the intended search was for the key logger? How did YOU find this key logger? Was there some security application that found it and removed it, or did you do this? If you found it, tell me how and what gave you the clue to even go looking for it. If an application found it, please tell me which one and provide the log file it produced.


Yes, that is correct. I noticed a strange file (OGB.exe) in my startup folder one morning. I found the program's directory and in it (among other files) was an html file that gave a 'quick tour' of how Ardamax Keylogger works. I zipped up the whole directory, copied it to a flash drive and deleted the directory from the hard drive. When I came home from work later that day I found the cursor moving (LogMeIn was active). I sat and watched to see what the user was doing. He was searching the filesystem for OGB.exe. When he couldn't find it, he moved on and opened Remote Desktop. RDP had a bunch of my previous connections listed in history. He picked one and I watched as he tried a few passwords... seemed like he was going down a list. On his third or fourth attempt he was successful... that's when I pulled the network cable.

I got the IP from the LMI connection log and it pointed to some eastern European country; I can't remember which one now. I began changing my passwords on all the online accounts I could think of and discovered that my PayPal account was also breached; three unauthorized transactions for about $2000. I've cancelled all my cards and changed all banking passwords and, after PayPal and Credit Card fraud investigations, have had the transactions reversed.


After reading your post, I think the best course is a complete format and reinstall. I do have backups of the computer. How do I make sure I don't restore anything that may compromise the computer again?

#9 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:10:23 PM

Posted 07 September 2011 - 11:34 AM

Since you are certain the user gained access via your LogMeIn account, I would suggest if you still want to use it, then practice the recommendation of creating Strong Passwords...and change them on occasion. If you must use remote access software, the strong password usage and maintenance is a necessity. Let us know how your reformat/reinstall goes for you. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#10 BrewDog

BrewDog
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 07 September 2011 - 11:38 AM

Thanks again vet! Appreciate what you do here.

#11 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:10:23 PM

Posted 07 September 2011 - 03:05 PM

This issue will be resolved with the member's choice to reformat and reinstall the operating system, thus the thread is closed to prevent others from posting here.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
