
Hidden Hook Rootkit Intruder has Remote Desktop Access


  • This topic is locked
4 replies to this topic

#1 SambaDelDublinho

SambaDelDublinho

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 10 April 2018 - 06:39 AM

Hello,

 

Leading up to this event I noticed strange activity on my laptop. This was confirmed when the hacker edited one of my messages as I was typing out an email.

 

Some very downright unsavoury and nasty threats have been made against me. I will be bringing this to the attention of local authorities, and it has already been reported to my ISP, who have issued a new IP and are currently investigating. The more proof I have the better.

 

Operating System

 

Windows 7 Home Premium OEM 64bit.

Comodo Firewall and AV

 

The machine is connected via LAN, though the router does have wireless enabled, which I suspect is the point where they are gaining access. Only one user on the network is reliant on it and I'll soon be switching them over to LAN to disable it entirely. I suspect the culprits are local to me.

 

After seeing a message edited in front of my own eyes, my first instinct was to nuke the installation by restoring a clean system image. I did not reformat, which was probably a mistake, and the irregular activity has persisted after restoring a clean system image. I have seen further edits of search queries when browsing online.

 

I generally go through my system upon each fresh install and disable most options such as remote desktop services, UPnP services, etc., but this did not deter them.

 

I have run a few rootkit detection tools such as TDSSKiller and Malwarebytes, but they've all turned up nothing. I just ran RogueKiller, which turned up two PUM.Startmenu registry potential threats.

 

I suspect a number of machines on the network have been targeted; if I can fix one, I can address the other machines and shut them out. I would greatly appreciate some assistance removing this intruder from this machine, and I'll follow up on the others myself.

 

Other strange behaviour that I have noticed is ARP traffic in my firewall logs being blocked, originating from and going to the same IP address on my network?

 

As I'm new I can't add a screenshot.


Edited by SambaDelDublinho, 10 April 2018 - 07:00 AM.


#2 SambaDelDublinho

SambaDelDublinho
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 13 April 2018 - 09:43 AM

I ran a battery of rootkit scans including Kaspersky, McAfee, etc. and nothing is being detected. I'm 100% sure the system is compromised; as mentioned above, the hacker edited an email draft in front of my own eyes. I suspect a malicious hook / rootkit is lurking on my system.

 

PC Hunter did reveal one potentially harmful hook.

 

Ring0Hooks

 

Existed Int2e/Sysenter Hook:

0xFFFFF8002FF0840 C:\Windows\System32\ntoskrnl.exe

 

It prompts to restore it, and if I try to, I get a BSOD.


Edited by SambaDelDublinho, 13 April 2018 - 09:43 AM.
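The post above reports a SYSENTER/INT 2E hook that resolves into ntoskrnl.exe and a suspicion that Remote Desktop is being used. A system-call entry pointing into ntoskrnl.exe is where Windows' own dispatcher lives, so the useful defender-side question is whether that kernel image on disk is still the one Microsoft shipped, whether Remote Desktop and UPnP really are off, and which running kernel drivers fail signature verification. The script below is an added triage example; it is not from the original poster, from PC Hunter, or from any other tool named in this thread. It assumes an elevated PowerShell session on Windows 7 or later, that `Get-FileHash` is available (PowerShell 4 or newer), and it uses only built-in service names, registry paths and commands (`TermService`, `SSDPSRV`, `upnphost`, `RemoteRegistry`, `fDenyTSConnections`, `sfc`, `netstat`).

```powershell
# Added triage example, not code from the original post or from any named tool.
# Assumptions: run elevated; Windows 7+; Get-FileHash needs PowerShell 4+;
# Get-AuthenticodeSignature recognises catalog-signed Microsoft files only on 5.1+.

function Test-KernelImage {
    # Compare the on-disk kernel against the component store and record its hash
    # and Authenticode status so the result can be kept as evidence.
    $kernel = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
    # /verifyfile only reports; it does not replace the file.
    & "$env:SystemRoot\System32\sfc.exe" /verifyfile=$kernel
    [PSCustomObject]@{
        File    = $kernel
        SHA256  = (Get-FileHash -Path $kernel -Algorithm SHA256).Hash
        AuthSig = (Get-AuthenticodeSignature -FilePath $kernel).Status
    }
}

function Get-RemoteAccessState {
    # fDenyTSConnections = 1 means Remote Desktop connections are disabled.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # Remote Desktop, UPnP/SSDP and Remote Registry services: state plus start mode
    # (start mode comes from WMI because Get-Service lacks StartType before PowerShell 5).
    $names = 'TermService','SessionEnv','UmRdpService','SSDPSRV','upnphost','RemoteRegistry'
    $svc = Get-Service -Name $names -ErrorAction SilentlyContinue |
        Select-Object Name, Status,
            @{ n = 'StartMode'; e = { (Get-WmiObject Win32_Service -Filter "Name='$($_.Name)'").StartMode } }

    # Is anything actually listening on the RDP port right now?
    $listening = [bool](netstat -ano -p tcp | Select-String ':3389\s+\S+\s+LISTENING')

    [PSCustomObject]@{
        RdpDeniedByPolicy = ($deny -eq 1)
        Listening3389     = $listening
        Services          = $svc
    }
}

function Get-UnverifiedDrivers {
    # List running kernel drivers whose on-disk image does not carry a Valid signature.
    Get-WmiObject Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        # Normalise the NT-style paths WMI sometimes returns (\SystemRoot\..., \??\C:\...).
        $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                [PSCustomObject]@{ Driver = $_.Name; Path = $path; Status = $sig.Status }
            }
        }
    }
}

Test-KernelImage
Get-RemoteAccessState | Format-List
Get-UnverifiedDrivers | Format-Table -AutoSize
```

Two caveats when reading the output. On PowerShell versions before 5.1, catalog-signed Microsoft drivers are reported as NotSigned, so entries under `C:\Windows\System32\drivers` should be cross-checked with `sfc /verifyfile=<path>` before being treated as findings. More importantly, all three checks inspect files and settings on disk: an image that verifies clean does not rule out an in-memory hook, which is why a live, deeper look of the kind the moderators request is still the right next step.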


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:13 PM

Posted 16 April 2018 - 11:38 AM

Hi, we need a deeper look. Do steps 6 & 7..
Please follow this Preparation Guide and post in a new topic.
Let me know if all went well..

#4 SambaDelDublinho

SambaDelDublinho
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 16 April 2018 - 12:22 PM

Hi, we need a deeper look. Do steps 6 & 7..
Please follow this Preparation Guide and post in a new topic.
Let me know if all went well..

 

Thank you!

 

https://www.bleepingcomputer.com/forums/t/675720/rootkithook-remote-desktop-breach/

 

All set.



#5 hamluis

hamluis

    Moderator


  • Moderator
  • 55,244 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:13 PM

Posted 16 April 2018 - 01:31 PM

Open MRL topic at https://www.bleepingcomputer.com/forums/t/675720/rootkithook-remote-desktop-breach/ .

 

This topic is now closed to avoid confusion.

 

Louis





