
backdoor trojan with bank/password redirect WINDOWS 7


6 replies to this topic

#1 lucidstorm

lucidstorm

  • Members
  • 71 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 24 January 2018 - 02:58 PM

This is the continuation of the previous post, and that one should be closed.

I didn't receive help previously; I hope to receive help now. This is a potentially dangerous and serious issue. Maybe not ransomware level, but still, rootkits are terrible. (I am not angry or anything, just disappointed this thread will auto-close again. Please don't put me on the ignore list or this guy again; I will follow the procedure and we will fix this.)

Two days back I found Trojan Invader 2 inside temp (heuristic detection by Kaspersky). The file named $RPVL2E7 (it was captured by Kaspersky in .temp) is often inside the %recycle bin folder. Today this is the scan result:

Perhaps TROJAN INVADER:

RPVL2_E7.png

 

RPVL2_E72.png


THIS GUY IS ABLE TO TURN REMOTE ACCESS BACK ON. I always keep this disabled, always.

The rogue opened a few programs; when I was back on the PC I saw new stuff and new icons on the desktop. Sometimes he erases random stuff.

On the wifi connection box it says there are multiple connections; I am literally connecting to two wifi networks at the same time! I have one episode per day; after I reset the router it seems to be fixed for a short time.

Also my PC attempted a connection by itself using the APIPA address 160...., bypassing DHCP.
The DHCP was 100% available, since I connected all my other devices to it.

If this is a hacker it wouldn't make any sense: I am no VIP, not commercial, and not rich, so completely useless to a hacker in my opinion.

 

.com files planted in folders I use. For instance, a trustworthy file I know got a .com extension. Clever (ESET called them trojan.onlinegames). I also got a crackwin10 appearing on my desktop 10 days back (see post "hacker activity").
Today I was also able to identify a bad file that was on the system.

This is what it does, examined in pestudio (threat called wisdom eyes):

wisdom eyes activity:

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6a35649cf39713e4 HTTP/1.1 Connection: Keep-Alive Accept: */* If-Modified-Since: Thu,20 Apr 2017 16:02:20 GMT If-None-Match: 04e707defb9d21:0 User-Agent: Microsoft-CryptoAPI/6.1 Hos
Heuristic match: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?8037697b3a8ced6a HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ctldl.windowsupdate.com
Heuristic match: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: s2.symcb.com
Pattern match: http://www.symauth.com/cps0*
Heuristic match: http://www.symauth.com/rpa0
Heuristic match: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBuN56dlW1Lzehhu%2FtdSD3U%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: sv.symcd.com
Pattern match: http://www.symauth.com/cps0*
Heuristic match: GET /CRL/Omniroot2025.crl HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: cdp1.public-trust.com
Heuristic match: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAt%2BEJA8OEkP%2Bi9nmoehp7k%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com
Heuristic match: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSLIycRsoI3J6zPns4K1aQgAqaqHgQUZ50PIAkMzIo65YJGcmL88cyQ5UACEAG2Yem3HYLmNssdMr3TCFk%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com

hosts:"95.101.142.114:80"
 
(The Windows Update process was a bit weird; if you want I can give examples.)

This stuff is planted out of nowhere.
 
 
I am having link redirects, for instance when connecting to Origin by EA.

Kaspersky immediately identified this as: http://locahost:3219/genEula (heuristic)
The Origin window was different from the usual and weird; Origin was downloaded from the official site.

Most of the certificates are off and not to be trusted according to Kaspersky; signed locally, it says. Maybe the script Kaspersky injects is not compatible with Comodo certificates, so OK.
 
 
 
I already lost a lot of important data and got an account-stealing attempt: weird emails from services I am using (legitimate emails, but they say that I requested an account reset, which I didn't). When I tried to log in to the router it said there is already somebody in and logged me out (I am using it alone).

Another weird thing: when I was installing Kaspersky it stopped and said "there are viruses on your system, please install TDSSKiller and try again", but when I clicked setup again it asked me to reboot. After the reboot, during install it stopped again, but this time a new window appeared and continued the install despite the error in red. I feel this is my fault and unrelated, though, but thought I'd mention it.
 
I need further advice; I feel I am doing one step forward, two steps back with this guy.
This is after a reformat, with just a few new things installed; the trojan might be in the backup file as well.
I shredded the identified file (2/60 on VirusTotal), the wisdom eyes trojan, with 100 passes, but if you want, I saved a sample on an external drive (unfortunately together with all my backup data, since I didn't know back then). I can send you the trojan if you want to examine it.
I don't want to make you think it's the trojan; that might be misleading. I might be attacked by something else; just see the logs and judge. I might be attacked by my own paranoia too (I accept that).
Some of this might be user errors or false positives, but I still need to be sure. So if you see the logs and say it's fine, I'll ask to close the thread.

Best

I see a pattern here: files are hidden in $recycle bin, and it is also able to spread to other PCs (maybe shadow volume copies?). It's the 4th time I reformat.


Edited by lucidstorm, 24 January 2018 - 09:38 PM.
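The pestudio output pasted above is dominated by requests that Windows makes on its own whenever it validates a code signature: certificate trust list downloads from ctldl.windowsupdate.com and OCSP/CRL checks against the issuing CAs, all with the Microsoft-CryptoAPI user agent. Those appear for any signed executable, clean or not, so the useful triage step is to parse the comma-joined "Heuristic match" / "Pattern match" entries, set that certificate-infrastructure traffic aside, and look at what is left. The script below is an added example written for this thread, not code from the poster, BleepingComputer or pestudio; it assumes the entry format shown above, uses an allow-list of the hosts visible in that output, and runs on a constructed sample in which the first entry is truncated at "Hos" exactly as in the thread and the final entry (updates.example.invalid) is invented to show a request that does not fit the pattern.

```python
"""Triage a pestudio-style network 'activity' string.

Added example (not code from the thread, BleepingComputer or pestudio). The
thread pastes a run of "Heuristic match: GET ... Host: ..." entries joined by
commas. This parses that format, separates observed HTTP requests from bare
URL strings, and labels requests that Windows' own certificate engine makes
(CTL, CRL and OCSP fetches with the Microsoft-CryptoAPI user agent) so that
what remains is the part worth reviewing.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hosts the Windows certificate-chain engine contacts by itself; drawn from
# the hosts visible in the thread's output. Any signed binary, clean or not,
# causes these fetches when its signature is validated, so they say nothing
# about the sample itself.
CERT_INFRA_HOSTS = {
    "ctldl.windowsupdate.com",   # certificate trust lists (authroot / disallowed)
    "s2.symcb.com",              # Symantec OCSP
    "sv.symcd.com",              # Symantec OCSP
    "cdp1.public-trust.com",     # Baltimore/Omniroot CRL
    "ocsp.digicert.com",         # DigiCert OCSP
}
CRYPTOAPI_UA = "Microsoft-CryptoAPI/"

_ENTRY_SPLIT = re.compile(r",(?=(?:Heuristic|Pattern) match: )")
_LABEL = re.compile(r"^(Heuristic|Pattern) match: ")
_REQUEST = re.compile(r"^GET (\S+) HTTP/1\.[01]")
_HOST = re.compile(r"\bHost: (\S+)")
_UA = re.compile(r"User-Agent: (\S+)")
_URL_HOST = re.compile(r"^https?://([^/\s]+)")


@dataclass
class Indicator:
    label: str            # "Heuristic", "Pattern", or "" for the unlabelled first entry
    kind: str             # "request" (an observed GET) or "url" (a literal URL string)
    host: Optional[str]
    path: str
    verdict: str          # "cert-infra", "string", "truncated" or "review"


def _verdict_for_request(host: Optional[str], user_agent: str) -> str:
    if host is None:
        return "truncated"        # output cut off before the Host header; cannot judge
    if host in CERT_INFRA_HOSTS and user_agent.startswith(CRYPTOAPI_UA):
        return "cert-infra"
    return "review"


def parse_activity(blob: str) -> List[Indicator]:
    """Split the comma-joined activity string into classified indicators."""
    results: List[Indicator] = []
    for raw in _ENTRY_SPLIT.split(blob.strip().strip('"')):
        m = _LABEL.match(raw)
        label = m.group(1) if m else ""
        body = raw[m.end():] if m else raw
        req = _REQUEST.match(body)
        if req:
            host_m = _HOST.search(body)
            ua_m = _UA.search(body)
            host = host_m.group(1) if host_m else None
            ua = ua_m.group(1) if ua_m else ""
            results.append(Indicator(label, "request", host, req.group(1),
                                     _verdict_for_request(host, ua)))
        else:
            # A bare URL string (for example a CPS pointer embedded in a
            # certificate) is static data in the file, not a connection.
            url_m = _URL_HOST.match(body)
            host = url_m.group(1) if url_m else None
            results.append(Indicator(label, "url", host, body, "string"))
    return results


def summarize(indicators: List[Indicator]) -> Dict[str, int]:
    return dict(Counter(i.verdict for i in indicators))


def needs_review(indicators: List[Indicator]) -> List[Indicator]:
    return [i for i in indicators if i.verdict == "review"]


# Constructed sample modelled on the thread's output: the first entry is cut
# off at "Hos" exactly as in the thread, and the last entry (example.invalid)
# is invented to show a request that does not fit the cert-infra pattern.
SAMPLE = (
    "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6a35649cf39713e4 HTTP/1.1 "
    "Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Hos"
    ",Heuristic match: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?8037697b3a8ced6a HTTP/1.1 "
    "Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ctldl.windowsupdate.com"
    ",Pattern match: http://www.symauth.com/cps0*"
    ",Heuristic match: GET /CRL/Omniroot2025.crl HTTP/1.1 "
    "Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: cdp1.public-trust.com"
    ",Heuristic match: GET /update/check?id=test HTTP/1.1 "
    "Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 Host: updates.example.invalid"
)

if __name__ == "__main__":
    inds = parse_activity(SAMPLE)
    for i in inds:
        print(f"{i.verdict:10} {i.kind:7} {i.host or '-':28} {i.path}")
    print(summarize(inds))
```

On the thread's own output every request lands in the cert-infra bucket and the two symauth.com entries are literal URL strings, which is why this dump by itself does not show what the file does beyond being signed; a verdict of "truncated" flags entries where the tool cut the line before the Host header, so that an absent host is never mistaken for a known one.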



#2 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 28 January 2018 - 02:12 PM

AVZ reports trojan SubSeven on port 1234 TCP, attached to system.exe: "trojan subseven, hotline_or_troj (system)".

Cool (I have the full report of the scan just in case).

 

Another thing reported: appinit_dlls= C:programfiles (x86)\\keycryptsdk(1).dll

Also my disk disappeared now from the PC; I had 5, now I have 4. After a few "Windows" updates (I am unsure: can a trojan route updates from somewhere else?) the disk is back, but it is set as active and boot, which it shouldn't be.


Edited by lucidstorm, 28 January 2018 - 03:12 PM.


#3 polskamachina

polskamachina

  • Malware Response Team
  • 3,998 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:37 PM

Posted 29 January 2018 - 02:48 PM

Hi lucidstorm :)

 

My name is polskamachina and I would like to welcome you to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or cause system instability.
  • Do not attach logs or use code boxes, just copy and paste the text into your replies to me.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.

 

Let me know if you have any questions.
 
polskamachina



#4 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 30 January 2018 - 02:02 PM

The first thing I notice as soon as I connect (from a fresh format): port 1234 established connection. Ah, that other thing reported, appinit_dlls= C:programfiles (x86)\\keycryptsdk(1).dll, was coming from Zemana AntiLogger, so at least that is fine (they use the AppInit DLL technique, which was long abandoned by Windows, but they said it is more stable). For the rest I am not an expert, so you judge yourself what that is.

Best, and awaiting instructions.


Edited by lucidstorm, 31 January 2018 - 07:04 AM.


#5 polskamachina

polskamachina

  • Malware Response Team
  • 3,998 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:37 PM

Posted 31 January 2018 - 09:19 PM

Hi lucidstorm :)
 
Going over your logs I noticed you have many issues affecting your system. At this point I would recommend that you reformat your disk (I know you've done this already more than a few times) and reinstall Windows. However this time after Windows is installed, do not install any other programs. Then I would like you to test your system to make sure everything is normal.
 
Will you agree to reformat your drive and reinstall Windows again?
 
Let me know if you have any questions.
 
polskamachina



#6 polskamachina

polskamachina

  • Malware Response Team
  • 3,998 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:37 PM

Posted 03 February 2018 - 10:55 PM

Hi lucidstorm :)
 
It's been a while since you've checked in. Did you need any more help with this? If not, this topic will be closed in 48 hours.
 
Please let me know if you have any questions.
 
polskamachina



#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,374 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:01:37 PM

Posted 06 February 2018 - 09:28 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
