A bit stressed - being remotely hacked

Hello,

[Sorry if I posted this in the wrong section!]

I usually do not register on forums and solve most if not all issues by myself and google searching or forum lurking.

I find myself to be in a mess and I really don't know where to turn to.

It seems, after executing a certain exe. which instantly installed some sort of remote assistance tool ? I am being remotely "assisted". Had something to do with a VPN sort of tool - SoftEther VPN was called.

At any rate, I think at that time I also had a laptop on (from which I am now writing) connected to the same network as my desktop (the infected one) through WLAN. Would it be possible that also my laptop was infected in the process ?

As counter measures I've reinstalled my desktop and also reset my IP (I got that sort of internet provider that gives you another IP if you unpower and repower the router) but to my surprise, after I got on the new windows, suspicious activity was still recorded. Things like, I did not have permission to move a certain file on C, or  "remote desktop connection" was seen in the start menu after a couple of minutes (as far as I know, this is no default option upon windows reinstall).

So having a persistent visitor even after format does upset me a bit. As far as my limited computers knowledge helps, they can track you either through IP, or MAC address of the hard drive. In this case - if, let's say I would get another HDD and renew my IP address with the trick I mentioned earlier (on-off router, new ip) and a fresh windows install, would that prevent further unwanted visits ? What about changing my actual MAC address and keeping my HDD, any suggestions?

To be honest, I really don't know how to tackle this issue, as this is my first real confrontation with such an attack. What would you guys recommend I should do?

Edited by hamluis, 10 November 2016 - 05:53 PM.
Moved from Win 7 to Am I Infected - Hamluis.

If you have Win7 then the remote desktop thing shows up by default in the start menu.

SoftEther is a great program, i use it myself. 

and if you are being remotely hacked, first thing to do is disconnect from the internet. 

then in command prompt (as admin) type in:

ipconfig /flushdns

ipconfig /release

ipconfig /renew

Connect back to your network.

That will give you another dynamic IP address. 

and you want to do this on all devices that you think could be affected. 

After that is done, Run Rkill:  http://www.bleepingcomputer.com/download/rkill/

and post the results of the HOSTS part of Rkill. 

We'll be here!

And yes, one could infect other devices on the network after authenticating one.

And   to BC!

Sorry for the gros output!

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/11/2016 10:48:11 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\Andrei\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe (PID: 3716) [UP-HEUR]
 * C:\Users\Andrei\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe (PID: 1224) [UP-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 11/11/2016 10:48:18 AM
Execution time: 0 hours(s), 0 minute(s), and 6 seconds(s)
 

Okay it looks like the utorrent updater was killed, have you deleted recent torrents that you downloaded? and or uninstalled (if in "Programs" ) things like KNCTR  or anything most would consider "bloat-ware"?

Clean up your downloads folder too. there are no HOSTS so that is a good sign.

Now Download ADWCleaner (AdWareCleaner) http://www.bleepingcomputer.com/download/adwcleaner/

and run that on the machine(s) after that scan has completed, it will want to restart your computer, do so.

Once you're logged back in, a .txt log file will open up, that's ADWCleaner's log, Find the file (Normally under  C:\AdwCleaner/AdwCleaner[S*].txt      * = scan number. if first scan, [S0] )

Please post that text file after you have renamed it.

Edited by Viper_Security, 11 November 2016 - 04:56 AM.

Ok. Sorry for the delay I've been experimenting a bit since my last reply.

Here's what I've found:

In a desperate attempt to diagnose what exactly that exe did, I reinfected my pc briefly and made a note of what i saw (these appeared as 2 separate windows)

Creating a new virtual network adapter for windows.

This process can take several seconds or over a minute.

Please wait...

(Please do not perform other operations while the virtual network adapter is being installed.)

SoftEther

The "SoftEther VPN client" service (servicename: serviceclient) has been installed succesfully.

(execution path:

"C:\Users\Andrei\Appdata\local\temp\is-BDA86.tmp\new folder\vpnclient_x64.exe" /service)

The service has started.

After that I've instantly restarted my pc and formatted it again.

It seems that even after format, my pc experiences some awkward run downs, like a constant 50 % cpu usage that cannot be traced in task manager (found the exe with another win 7 tool, resource monitor I think it was called), it seemed to be a "svchost.exe (netsvcs)" process.

It is true that I used an USB stick to copy the network driver from the laptop , which could also be infected, but somehow I doubt it. It doesn't seem to have slowdowns like the desktop has.

Closing, let me ask you this Viper, and thank you for your assistance so far:

If I format my pc and get clean copy of windows, + clean a source for installing my network drive (from an USB stick), + plus reset of my router (new IP) would it still be possible for the virus/hacker to resurface ?

PS, I've entered those commands as you requested, first shutting down my internet (unplugged cable). The first command worked fine, but the last 2 commands stated something like this "no operation can be performed on Wireless network connection (4 times, mentioning each  one wireless 1, 2, 3 and local area connection) while it has its media disconnected."

PSS - I also saved the exe before formatting my pc and archived them both. Would it be possible to somehow analyses them in a safe environment ? Or is it of any use, for analyzing purposes?

Edited by AndrewBears, 11 November 2016 - 07:35 AM.

Yes, those commands will not work if the internet is disconnected, that was my fault, you should disconnect, flush dns, reconnect THEN /release/renew. My apologies. 

Also the Softether VPN is running out of appdata, it should be running out of, Program Files.  open "Run" (Windows key on keyboard + R) then type in %temp% then hit enter. go through the temp/appdata folders and remove the Softether VPN, and then clear your recycle bin and restart your machine.

The virtual network adapter is part of Softether to, that's how it connects to the VPN Server(s) then that is translated to your main card, giving you a different IP (basically).

And i can analyze the .exe but since you think it is infected, let's not post it here. 

From the Exe's you sent me:

00017078:  0x0041EE78:   6F 63 65 73 73 54 6F 6B 65 6E 00 00 00 00 4C 6F  |OpenProcessToken....Lo|

00017088:  0x0041EE88:   6F 6B 75 70 50 72 69 76 69 6C 65 67 65 56 61 6C  |okupPrivilegeVal|
00017098:  0x0041EE98:   75 65 57 00 63 6F 6D 63 74 6C 33 32 2E 64 6C 6C  |ueW.comctl32.dll|

seems fishy to me. "comctl32.dll"

Edited by Viper_Security, 11 November 2016 - 03:31 PM.