
Evidence of Remote Attack -- need to fix ASAP


5 replies to this topic

#1 progan01

Posted 01 September 2016 - 01:05 PM

Several weeks ago my hardware firewall packed it in. In the few days before the replacement arrived, I relied on my software firewall alone... and this proved to be a mistake.

Somebody installed Oracle's VirtualBox on my PC. I can't find any trace of the virtual disk it's supposed to create -- I don't see any space being taken up on any of my drives and of course, no files. My CCleaner's daily report shows that the registry traces are still there.

ActiveX/COM Issue    VirtualBoxAsw.SessionAsw - {A4AB08B7-35EE-4f75-BE0A-D8F9630D755E}    HKCR\VirtualBoxAsw.SessionAsw
ActiveX/COM Issue    VirtualBoxAsw.SessionAsw.1 - {A4AB08B7-35EE-4f75-BE0A-D8F9630D755E}    HKCR\VirtualBoxAsw.SessionAsw.1
ActiveX/COM Issue    VirtualBoxAsw.VirtualBoxAsw - {F319F1B8-7587-4146-AF9C-0D6D77819BF1}    HKCR\VirtualBoxAsw.VirtualBoxAsw
ActiveX/COM Issue    VirtualBoxAsw.VirtualBoxAsw.1 - {F319F1B8-7587-4146-AF9C-0D6D77819BF1}    HKCR\VirtualBoxAsw.VirtualBoxAsw.1
ActiveX/COM Issue    VirtualBoxAsw.VirtualBoxClientAsw - {262E45B9-36DA-43ac-ABF4-C546A7EA3BFC}    HKCR\VirtualBoxAsw.VirtualBoxClientAsw
ActiveX/COM Issue    VirtualBoxAsw.VirtualBoxClientAsw.1 - {262E45B9-36DA-43ac-ABF4-C546A7EA3BFC}    HKCR\VirtualBoxAsw.VirtualBoxClientAsw.1

At the same time, Port 443 ceased being stealthed and is now open, as revealed by Gibson Research's ShieldsUP! page. I can't find the software responsible and tweaking the firewall setting has had no effect. This is the port used by Secure Socket Layer, which gives me quite a pang. I have attempted to remove these persistent entries with jv16 Power Tools X, only to have the removal aborted.

Scans by avast!, MalwareBytes Antimalware, Trojan Remover and Hijack This! have all come back negative. From what I've seen, I suspect I have a boot sector infection but don't know what kind -- except that it looks opportunistic, either waiting for me to reach the right web site again or leave the machine alone long enough for it to call home.

I can't be sure, but I think there may be a keylogger involved even if I can't find it. The presence of VirtualBox tells me that somebody wants to put a partition on my drives and work more mischief either with my files or somebody else's.

This is a critical problem for me. My family's finances and my business reside on this machine and interference or theft of data here would be catastrophic -- i.e., out-of-business, on-the-street catastrophic.

I would appreciate any help and advice at all about how next to proceed. Has anybody seen something like this before? I'm keenly interested in your experience.

Thanks.

---->P!


#2 JohnC_21

Posted 01 September 2016 - 01:27 PM

I think those virtual box entries are from avast. If you have an older version of avast that uses NG then it creates a virtual environment for testing malware before it can infect the computer. Anything ASW is installed by avast. You can post your question over at the avast forum for confirmation. 

https://forum.avast.com/index.php?topic=164276.0

https://www.reasoncoresecurity.com/vboxc.dll-e7020c47a6cf815024120998e1d3e26196e18165.aspx

Avast uses port 443 to scan https sites.

https://www.avast.com/faq.php?article=AVKB25

HTTPS

Websites secured with SSL encryption are accessible over HTTPS using port 443, in most cases. In order to restrict access to allow standard HTTPS only, the application rule for your web browser should be set as follows:

  • At least Internet out access level;
  • Outbound port number 443;
  • Block all other connections.


Edit: From MalwareTips, "What is avast NG". I believe the newest version of avast has done away with NG and put it in the cloud vs a virtual machine on the computer.

Avast! NG helps us to analyze malware real-time totally without any restrictions - it can load a kernel driver, it can delete any Windows files, format your volume, everything it wishes. The malware is executed on your OS using VirtualBox engine and the entire OS with malware is monitored. NG was heavily tested for a few months by our user base and we have fixed various HW/SW conflicts and tuned performance. After avast installation, it takes a couple of minutes to prepare NG (this is executed in the background with normal priority in this Beta, it'll be on idle priority in final release).

Edited by JohnC_21, 01 September 2016 - 01:41 PM.
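A defender-side way to settle the two points raised above (whether the VirtualBoxAsw COM registrations belong to avast, and which process, if any, is behind port 443) is to resolve each ProgID to the binary that backs it and check its code signature, then list the local listener on TCP 443. The PowerShell below is an added example; it is not from the thread and not Avast's own tooling. It assumes Windows 8 or later (for Get-NetTCPConnection), Windows PowerShell 5, and an elevated prompt. The ProgIDs are the ones in the CCleaner report; everything else is generic.

```powershell
# Added example: map the reported ProgIDs to their COM server binaries,
# check who signed them, and show what is listening on TCP 443.

$progIds = @(
    'VirtualBoxAsw.SessionAsw',
    'VirtualBoxAsw.VirtualBoxAsw',
    'VirtualBoxAsw.VirtualBoxClientAsw'
)

foreach ($progId in $progIds) {
    # HKCR\<ProgID>\CLSID holds the class id in its default value.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
    if (-not (Test-Path $clsidKey)) {
        Write-Output "$progId : ProgID not present"
        continue
    }
    $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'

    # A COM class registers either an in-process DLL or an out-of-process EXE.
    $server = $null
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$sub"
        if (Test-Path $serverKey) {
            $server = (Get-ItemProperty -Path $serverKey).'(default)'
            break
        }
    }
    if (-not $server) {
        Write-Output "$progId ($clsid): no server path registered (orphaned entry)"
        continue
    }

    # LocalServer32 values may be quoted and carry arguments; keep only the path.
    $path = ($server -replace '^"([^"]+)".*$', '$1') -replace '\s+(/|-).*$', ''
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Write-Output "$progId ($clsid) -> $path | $($sig.Status) | $signer"
    } else {
        Write-Output "$progId ($clsid) -> $path | file missing (stale registration)"
    }
}

# Which local process, if any, accepts inbound connections on 443?
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Pid          = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Format-Table -AutoSize
```

A signature status of Valid with an AVAST Software subject on the resolved binaries supports the avast NG explanation; an unsigned file, a missing file, or a path outside the avast install directory is what would justify further investigation. If nothing on the PC is listening on 443, an "open" result from an external scanner is describing the router or firewall in front of the PC (that is what the probe actually reaches), not a process on the machine.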


#3 Kuszotke

Posted 01 September 2016 - 02:16 PM

My advice is to IMMEDIATELY backup all important data on the PC to a pendrive, CD, external hard drive, etc. 

After that cut the computer from all internet connections.

Just to be sure until the issue is fixed.

EDIT: Cut the PC from the internet before backing data up, so the potential intruder can't bamboozle with your external data storage device in the process.


Edited by Kuszotke, 01 September 2016 - 02:19 PM.


#4 progan01

Posted 01 September 2016 - 02:23 PM

Data is not saved to C. Backups are run daily. Presently my network is still being rebuilt; my external servers are not yet available. But that's good advice, Kuszotke.

If in fact avast! is running a VM on my machine and keeping an SSL port open, I'm mightily miffed. I will research the issue as you indicate, JohnC_21. This could be the thing that propels me to AVG, never mind the setup hassles.

I greatly appreciate your help and insight. Thank you.

---->P!



#5 Kuszotke

Posted 01 September 2016 - 02:32 PM

Is avast up to date? I suggest a fresh reinstall just to make sure its files haven't been compromised.

Or completely get rid of avast and switch to 360 Total Security, AVG, Avira etc.

I actually highly recommend 360 Total Security (no one paid me to say that, I just think it's really good).

It always alerts you when software wants to create start-up items, edit the registry, change login password etc. - really helpful.


Edited by Kuszotke, 01 September 2016 - 02:50 PM.


#6 progan01

Posted 04 September 2016 - 03:58 PM

avast! is up to date. In fact, due to consistent problems with avast! turning itself off and not telling me, I reinstalled it 30 July this year, which was about the time I noticed the VirtualBox installation. I wonder if avast! changed its installation procedure in response to the shutdown problem. Still need to research. I'm not pleased with avast!, if that's what they did.

I'll look into alternatives, including 360 Total Security.

---->P!
