As someone who is working towards a bachelor's degree in computer networking, I have a half-decent understanding (or so I thought) of how the internet works. But today... today my mind was blown. I knowingly downloaded something for a game that was a bit sketchy, fully aware that there was a 90% chance a keylogger came packaged with it; it didn't concern me that much. I tend to be a bit reckless with my machine because just about every virus I've ever come across I can take care of with relative ease (and heck, virus removal offers a weird thrill). Throw in a Hiren's boot CD, run trusty old MBAM, TDSS Killer, etc. and smash malware with an iron fist. Not to mention I tend to reinstall my OS every two months because I make such a mess of my file system that I figure it's best I start anew, and continue to dump everything to the desktop.
So here's the story of what happened today: I'm playing my game and having a blast when all of a sudden it closes. I figure, "Hey, the game just crashed, that's pretty lame." Upon attempting to run the game again and log in, I was confronted with a "Password is incorrect" message. At this point I knew what was going on: I got keylogged and someone was in the process of trying to cause havoc with the account. I giggled a bit, then proceeded to go to the website and push a password reset request through my email; since the email had a different password I wasn't too concerned. Upon logging into my email to confirm the password reset, I saw another email sent to confirm the change of email on the account, which I did not request. A fraction of a second later, my display did a brief reset and returned to normal, except for the fact that I was no longer in control of my mouse and keyboard; someone else had taken that liberty. It took me a second to realize what was happening and I reached over and smashed the power button on my tower. But it was too late: they swiftly used a ctrl+c and ctrl+v combo to paste the link to change the account email into the URL bar. I was flabbergasted and stared at my powered-down computer for a minute. I was shocked... and impressed.
Upon power on I booted into safe mode, checked msconfig to find an svchost.exe located in the startup folder, and knew that it was the culprit. Proceeded to update MBAM and run a full scan. Checked processes in Task Manager, checked the location of all the svchost.exe processes, found the baddie in c:\users\username\AppData\Roaming, and killed the process. I let MBAM finish scanning and sure enough it detected that file and a couple of others in the same directory; deleted those, then checked the folder myself and deleted some other files that shouldn't have been there. They looked to be some Visual Basic files. The system option to enable Remote Assistance was also enabled in Control Panel, so I disabled that nonsense. Ran TDSS Killer and Rkill with nothing to report.
So that's about it. Ran netstat and TCPView to check active connections and didn't see anything foreign, just stuff coming from the loopback address, etc. As for my account, it's long gone, but I didn't really care about it.
So I'm baffled. How is it so easy to exploit Remote Assistance? Not to mention I'm on my college network, which has a pretty giant network topology to crawl through, with what I would assume contains a multitude of security devices. I'm just trying to make sense of this all. In addition, if you have any suggestions to make sure I'm back to where I want to be security-wise, I'm all ears.
Sorry for the long read!
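The manual triage described in the post (svchost.exe outside System32, autoruns pointing into AppData\Roaming, Remote Assistance switched on) can be scripted as a one-shot check. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a stock Windows install, where the Remote Assistance setting lives in the `fAllowToGetHelp` value.

```powershell
# Added example (not from the original post): post-incident triage for the three
# findings in the post. Run from an elevated PowerShell prompt.

$sysDirs = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))

# 1. Legitimate svchost.exe lives only under System32/SysWOW64; flag any other path.
$badSvchost = Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" |
    Where-Object {
        $p = $_.ExecutablePath
        $p -and -not ($sysDirs | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
    } | Select-Object ProcessId, ExecutablePath, CommandLine

# 2. Run-key autoruns whose command points into a user profile (e.g. AppData\Roaming),
#    plus whatever sits in the current user's Startup folder.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$suspectAutoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ($prop.Value -match '\\Users\\[^\\]+\\AppData\\') {
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}
$startupItems = Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -File `
    -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

# 3. Remote Assistance: fAllowToGetHelp = 1 means the machine accepts help sessions.
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$raValue = (Get-ItemProperty -Path $raKey -Name fAllowToGetHelp -ErrorAction SilentlyContinue).fAllowToGetHelp
$raEnabled = ($raValue -eq 1)

"svchost.exe running outside System32/SysWOW64:"; $badSvchost | Format-Table -AutoSize
"Run-key entries pointing into a user profile:";  $suspectAutoruns | Format-Table -AutoSize
"Startup folder items:";                          $startupItems | Format-Table -AutoSize
"Remote Assistance enabled: $raEnabled"
# Once you have confirmed nobody needs it, turn Remote Assistance off:
#   Set-ItemProperty -Path $raKey -Name fAllowToGetHelp -Value 0
```

An empty first table and `Remote Assistance enabled: False` is the baseline to expect on a clean machine; anything listed deserves a look at its file hash and signer before you trust it.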