
remote access - even after system format


5 replies to this topic

#1 empersec

  • Members
  • 3 posts

Posted 07 June 2017 - 03:02 PM

Hello everyone, and thanks in advance!

 

First of all I want to mention that I am a software developer / architect, so we can speak on a somewhat technical level if required.

 

5 weeks ago when I worked on a Word document (Windows 10 Home) somebody began to write into it while I was watching. He wrote a sentence which would mean something like "Now he is f*****" in English.

This felt like some kind of remote access trojan. I am rather paranoid and only do gaming, Photoshop and Office work (when MS Office is mandatory) in Windows. Important work is usually done in Ubuntu.

 

So I took the computer off the network and tried to investigate. I have Kaspersky Internet Security installed and checked the past network activity, and there was nothing I would consider suspicious: no big data transfers and no executables that would make me nervous.

 

Since I did not find anything, I formatted my system disk and nearly everything else on the other disks except some Steam games. I changed every user account I could remember. This was a lot of work, and I felt safe.

 

Now suddenly, two days ago while I was working, somebody wrote the same sentence into my browser search bar while I was watching, and you can imagine that I was shocked.

For the last two days I have tried to find some kind of RAT or anything suspicious, with absolutely no success. Without knowing how this backdoor works I can never be sure that I have a clean system (yeah, I know we can never know, but you know what I mean).

 

What I tried already

- CCleaner

- AdwCleaner

- Kaspersky Scans

- Kaspersky Rescue Disk Scans for finding Bootkits

- Malwarebytes

- Zemana

- and many more

 

- I checked FRST logs (as far as I understand them, e.g. for unsigned drivers)

- watched Sysinternals Process Explorer and Process Monitor for ages to find something suspicious (an unknown process, something unsigned, something with no company name, a packed image, checked strings for URLs, etc.)

- checked Sysinternals Autoruns for anything obvious

 

and I found absolutely nothing. This is very scary, since a NAS on the same network contains years of development work and personal documents that I want to know are safe.

Since I have run out of ideas, I am writing here. Maybe some of you are able to give some advice on what I can do. I am also wondering whether I should call the cops in this case.

 

Thanks in advance!


Edited by empersec, 07 June 2017 - 03:04 PM.
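The unsigned-driver check the post describes doing by hand from FRST logs can be run directly against the drivers that are loaded right now. This is an added example, not the poster's own procedure or anything the thread's tools produce; it assumes an elevated PowerShell session on Windows 10, where stock drivers are catalog-signed and Get-AuthenticodeSignature validates catalog signatures, so anything other than "Valid" is a lead worth reading (not a verdict, since some OEM drivers ship without their catalog installed).

```powershell
# Added example, not the poster's own procedure. Run in an elevated PowerShell on Windows 10.
# Lists every currently running kernel driver whose binary does not carry a valid signature.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName uses several NT-style spellings; normalise them to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', ''                              # \??\C:\x.sys      -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')           # \SystemRoot\...   -> C:\Windows\...
    $p = $p -replace '^system32\\', ($env:SystemRoot + '\System32\')      # system32\drivers\ -> C:\Windows\System32\drivers\
    return $p
}

function Get-UnsignedRunningDriver {
    Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
        if (-not $_.PathName) { return }                  # a few pseudo-drivers carry no image path
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver whose file cannot be found on disk is itself worth a look.
            [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileNotFound'; Signer = '' }
            return
        }
        # Stock Windows drivers are catalog-signed; Get-AuthenticodeSignature checks catalogs as well,
        # so they come back 'Valid'. Everything else is listed for manual review.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

$findings = @(Get-UnsignedRunningDriver)
if ($findings.Count -eq 0) { 'All running drivers carry a valid signature.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Signer subjects for the hits are printed so that a third-party driver with a real vendor certificate (an AV product, a GPU driver) can be told apart from one with no signer at all; the latter is the one to hash and look up before anything is removed.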




#2 Moritz30

  • Members
  • 69 posts
  • Gender:Male

Posted 07 June 2017 - 03:15 PM

Please run Malwarebytes Anti-Rootkit and tell us what it found. DO NOT TELL IT TO REMOVE ANYTHING, OR REMOVE ANYTHING IT FINDS, WITHOUT OUR APPROVAL UNDER ANY CIRCUMSTANCES. IT IS BETA SOFTWARE AND QUITE OFTEN FINDS THINGS THAT ARE IMPORTANT FOR YOUR OPERATING SYSTEM.

 

Also: please install and run Speccy. Once you have started it, wait until it has finished analysing. Then click File -> Publish Snapshot, click Yes and send us the link.


White Hat, Security Researcher, Modder, CEO at and founder of @DragonTeamMC, @OmniDragonBot and CryptID. Real name is Matthias Merkel.

#3 empersec

  • Topic Starter
  • Members
  • 3 posts

Posted 07 June 2017 - 03:48 PM

Thank you!

 

 

MBAR items:

 
HKCR\exefile\shell\open\command| (Broken.OpenCommand)
HKCR\batfile\shell\open\command| (Broken.OpenCommand)
HKCR\comfile\shell\open\command| (Broken.OpenCommand)
HKCR\piffile\shell\open\command| (Broken.OpenCommand)
HKCR\scrfile\shell\open\command| (Broken.OpenCommand)
HKCR\regfile\shell\open\command| (Broken.OpenCommand)

 

SPECS:

http://speccy.piriform.com/results/kPHOZ672ZebpBjftCmyqU7y
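The six MBAR hits in the post above are all the (Default) value of a <class>\shell\open\command key, which is what the shell runs when a file of that type is opened; a hijacked exefile command runs a payload on every program launch, which is why these keys deserve a manual read rather than an automatic removal. HKCR is a merged view in which HKCU\Software\Classes overrides HKLM\Software\Classes, so both hives are read separately. This is an added example, not from the thread and not MBAR's own logic; the stock values it compares against are what this example assumes for Windows 10.

```powershell
# Added example, not from the thread. Run in PowerShell on Windows 10; reading these keys needs no elevation.
# Stock Windows 10 defaults for <class>\shell\open\command (Default), as assumed by this example.
$expected = @{
    exefile = '"%1" %*'
    batfile = '"%1" %*'
    comfile = '"%1" %*'
    piffile = '"%1" %*'
    scrfile = '"%1" /S'
    regfile = 'regedit.exe "%1"'
}

function Get-OpenCommand {
    param([string]$Hive, [string]$Class)
    # HKCR merges HKLM\Software\Classes with HKCU\Software\Classes (HKCU wins), so read each hive on its own.
    $key = "${Hive}:\Software\Classes\$Class\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $item  = Get-Item -LiteralPath $key
    $value = $item.GetValue('', $null, 'DoNotExpandEnvironmentNames')   # '' is the (Default) value
    $kind  = if ($null -ne $value) { $item.GetValueKind('') } else { 'Unset' }   # String vs ExpandString
    [pscustomobject]@{ Value = $value; Kind = $kind }
}

$report = foreach ($class in ($expected.Keys | Sort-Object)) {
    $hklm  = Get-OpenCommand -Hive HKLM -Class $class
    $hkcu  = Get-OpenCommand -Hive HKCU -Class $class
    $flags = @()
    if (-not $hklm)                             { $flags += 'HKLM key missing' }
    elseif ($hklm.Value -ne $expected[$class])  { $flags += 'HKLM value differs from stock' }
    if ($hkcu)                                  { $flags += 'per-user override present (unusual for these classes)' }
    [pscustomobject]@{
        Class    = $class
        Expected = $expected[$class]
        HKLM     = if ($hklm) { "$($hklm.Value) [$($hklm.Kind)]" } else { '<missing>' }
        HKCU     = if ($hkcu) { "$($hkcu.Value) [$($hkcu.Kind)]" } else { '' }
        Flags    = $flags -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

A value that matches the stock string but carries a different type, or any per-user override of exefile, is the kind of detail a scanner reports as "broken" without saying why; printing value, type and hive side by side makes the decision to keep or restore the key an informed one.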



#4 empersec

  • Topic Starter
  • Members
  • 3 posts

Posted 10 June 2017 - 01:44 AM

Any advice or tip what I could do / look for?



#5 Guest_Aaron_Warrior_*

  • Guests

Posted 10 June 2017 - 02:25 AM

Any advice or tip what I could do / look for?

- If there is a USB device, you should unplug it. It may be a source of infection/reinfection

 

- Your Windows Update is not configured, and I wonder if the system is not updated. If not, that may be the reason for the possible infection.

-  Your O/S was installed just in March 2017, less than 3 months old. What was the reason for the install?

 

-  An upgrade, or were there problems before?

 

- You have at least 2 programs installed on non-system drives, which is odd but probably not related to your problems.

 

-  Also something called a "USB phone" also odd.

 

- Multiple antivirus programs (always bad), and two of them are disabled; I wonder why.

 

-  Google Crash is running which means (probably) Chrome has a problem.

 

-  Multiple monitors and multiple desktop managing software "Desktop.exe".  My guess is that this is a professional work computer.  Which makes me wonder if you have information on that computer that hackers would want to acquire.

 

-  Good quality firewall installed.

 

-  You have "AutoRuns" installed, which means you've been tinkering.

 

- Skype is installed, and sometimes I wonder if there isn't a zero-day exploit for Skype that hasn't been discovered yet.

 

 

HOLY COW.

You have at least 66 instances of "C:\Windows\System32\svchost.exe" running.  Literally SIXTY SIX INSTANCES.

 

Look at your Speccy Report and see them.

That can't be right. I'm going to stop now, because I think I just found the end of the thread of the problem.


Edited by Aaron_Warrior, 10 June 2017 - 02:28 AM.
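A caveat a practitioner would add to the svchost count above: since Windows 10 version 1703, machines with more than 3.5 GB of RAM run most services in their own svchost.exe instance, so a count in the sixties is what a stock Windows 10 desktop looks like and the number alone proves nothing. What separates a genuine instance from an impostor is its image path, its parent (services.exe), the "-k <group>" on its command line, its signature and the services it actually hosts. The script below prints those per instance. It is an added example, not from the thread; it assumes an elevated PowerShell session so that the command line and image path of every instance are readable.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 10.
# A stock svchost.exe: image %SystemRoot%\System32\svchost.exe, parent services.exe,
# a "-k <servicegroup>" command line, a valid Microsoft signature, and at least one hosted service.
$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

$byPid    = Get-CimInstance Win32_Process | Group-Object ProcessId -AsHashTable -AsString
$svcByPid = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } |
            Group-Object ProcessId -AsHashTable -AsString
$sigCache = @{}   # one signature check per distinct image path, not one per instance

$report = foreach ($p in (Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'")) {
    $parent    = @($byPid["$($p.ParentProcessId)"]) | Select-Object -First 1
    $hostedRaw = $svcByPid["$($p.ProcessId)"]
    $hosted    = if ($hostedRaw) { @($hostedRaw) } else { @() }
    $image     = $p.ExecutablePath
    $flags     = @()

    if ($image) {
        if ($image -ne $expectedImage) { $flags += "image=$image" }
        if (-not $sigCache.ContainsKey($image)) {
            $sigCache[$image] = (Get-AuthenticodeSignature -LiteralPath $image).Status
        }
        if ($sigCache[$image] -ne 'Valid') { $flags += "signature=$($sigCache[$image])" }
    } else { $flags += 'image path unreadable (run elevated)' }

    # Normally every svchost is started by services.exe; anything else is worth explaining.
    if ($parent -and $parent.Name -ne 'services.exe') { $flags += "parent=$($parent.Name)" }
    if (-not $p.CommandLine)                          { $flags += 'command line unreadable' }
    elseif ($p.CommandLine -notmatch '\s-k\s+\S+')    { $flags += 'no -k service group' }
    if ($hosted.Count -eq 0)                          { $flags += 'hosts no service' }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Parent   = if ($parent) { $parent.Name } else { '<exited>' }
        Services = if ($hosted.Count) { ($hosted | ForEach-Object { $_.Name }) -join ', ' } else { '' }
        Flags    = $flags -join '; '
    }
}

$total = @($report).Count
$hits  = @($report | Where-Object { $_.Flags }).Count
"$total svchost instances, $hits with findings"
$report | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap
```

On a healthy machine the findings list is empty whatever the instance count is; an instance that hosts no service, runs from another path or lacks a -k group is the one to investigate further, not the dozens that look alike.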


#6 jwoods301

  • Members
  • 1,489 posts
  • Gender:Male

Posted 10 June 2017 - 03:12 PM

I would recommend checking your router security settings.





