Windows 7 Forums

Windows 7: Help with investigating an attack (remote control)

05 Oct 2015   #11
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

From post #8

Quote:
At 12:40pm, while outside, I teamviewer'd back from my phone to do some stuff on my computer.
Could be your phone is infected and is infecting your computer when you use teamviewer.

Anything that is or does hook to your computer in any fashion can infect your system.


06 Oct 2015   #12
chesnutcase

Windows 7 Home Premium x64
 
 

@layback bear
Possible, but I'd say unlikely. I use an Android (susceptible to viruses, yes) but I have a whole array of tools I regularly use to check what apps are running on my phone and stuff. I don't download anything from any possibly malicious websites on my phone either.

Update:
I left my computer shut down for the past few days so nothing happened. Right now I'm using TcpLogView to record TCP connections, and Dexpot to hide it to another (virtual) desktop to prevent him from finding it and stopping the log.

Trap is set, now to lie in the bushes the bed and wait.... I'll let it sit for a day or two.
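One way to do the same kind of connection recording with tools already on a Windows 7 machine, as an added example rather than anything the poster ran: the script below polls netstat.exe every few seconds, keeps only the TCP connections owned by the remote-access and VPN processes named in $watchProcesses (an assumed list; TeamViewer and SoftEther process names vary by version), and appends an OPEN or CLOSE line with a timestamp to a CSV. The process names, poll interval and log path are assumptions to adjust.

```powershell
# Added example, not code from the thread. Records TCP connections belonging to
# remote-access / VPN processes by polling netstat.exe (Get-NetTCPConnection
# needs Windows 8 or later, so netstat keeps this usable on Windows 7).

# Assumed process names to watch; check Get-Process for the exact names on your machine.
$watchProcesses = @('TeamViewer', 'TeamViewer_Service', 'vpnclient', 'vpncmd', 'openvpn')
$logPath        = Join-Path $env:USERPROFILE 'Desktop\remote-connections.csv'   # assumed location
$pollSeconds    = 5

function Get-WatchedConnections {
    # Map PID -> process name for the processes we care about.
    $byPid = @{}
    Get-Process | Where-Object { $watchProcesses -contains $_.ProcessName } |
        ForEach-Object { $byPid[$_.Id] = $_.ProcessName }

    # netstat -ano -p tcp prints lines such as:
    #   TCP    192.168.1.5:49321    178.77.120.10:5938    ESTABLISHED    1234
    netstat -ano -p tcp | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $byPid.ContainsKey([int]$f[4])) {
            New-Object PSObject -Property @{
                Process   = $byPid[[int]$f[4]]
                ProcessId = [int]$f[4]
                Local     = $f[1]
                Remote    = $f[2]
                State     = $f[3]
            }
        }
    }
}

function Write-LogLine($kind, $c) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    "$stamp,$kind,$($c.Process),$($c.ProcessId),$($c.Local),$($c.Remote),$($c.State)" |
        Out-File -FilePath $logPath -Append -Encoding ASCII
}

'Timestamp,Event,Process,ProcessId,Local,Remote,State' | Out-File -FilePath $logPath -Encoding ASCII
$known = @{}
while ($true) {
    $current = @{}
    foreach ($c in Get-WatchedConnections) {
        # Key on process + endpoints; a state change (ESTABLISHED -> TIME_WAIT) of the
        # same connection is not logged as a new event.
        $key = "$($c.ProcessId)|$($c.Local)|$($c.Remote)"
        $current[$key] = $c
        if (-not $known.ContainsKey($key)) { Write-LogLine 'OPEN' $c }
    }
    foreach ($key in @($known.Keys)) {
        if (-not $current.ContainsKey($key)) { Write-LogLine 'CLOSE' $known[$key] }
    }
    $known = $current
    Start-Sleep -Seconds $pollSeconds
}
```

Run it from a PowerShell window parked on the hidden desktop, or with `powershell.exe -WindowStyle Hidden -File <script>`, and stop it with Ctrl+C. The Remote column holds the address to look up afterwards when attributing a connection to a country or to a VPN Gate server you actually chose.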
06 Oct 2015   #13
mdd1963

Windows 7 Home Premium 64 bit
 
 

forgot to include freefixer link... (again, harmless to run/examine, but, be careful what you specify for deletion/fix)

FreeFixer

06 Oct 2015   #14
mdd1963

Windows 7 Home Premium 64 bit
 
 

I'd also look into Task Scheduler; make sure nothing is scheduled to run (TV, RDP, Chrome Remote Desktop, etc.).

Run freefixer, grab a screenshot of results (black out anything personal), and let's have a look at what might be amiss!
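The Task Scheduler check suggested above, written out as a script for Windows 7 (an added example, not something the poster supplied): it reads every scheduled task through schtasks.exe and flags tasks whose action names a remote-control tool or runs from a user-writable folder, then exports the findings to a CSV that can be posted after personal details are blacked out. The two pattern lists are assumptions and should be extended with whatever remote-access software is actually installed.

```powershell
# Added example, not from the thread. Lists scheduled tasks on Windows 7 and flags
# those whose action refers to a remote-control tool or runs from a user-writable
# folder. schtasks.exe is used because Get-ScheduledTask needs Windows 8 or later.
# Run from an elevated prompt so tasks registered by other accounts are included.

# Assumed patterns; add the remote-access tools you actually have installed.
$remoteToolPatterns = @('teamviewer', 'mstsc', 'remoting_host', 'remote desktop',
                        'vnc', 'anydesk', 'ammyy', 'logmein')
# Persistence from these locations deserves a second look regardless of the name.
$userWritablePatterns = @('\appdata\', '\temp\', '\users\public\', '\programdata\')

function Get-SuspiciousScheduledTasks {
    # /v adds the "Task To Run", "Run As User" and "Author" columns; /fo CSV makes
    # the output parseable. schtasks repeats the header row for every task folder,
    # so those rows are dropped.
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' }

    foreach ($row in $rows) {
        $action = [string]$row.'Task To Run'
        if (-not $action) { continue }
        $lower   = $action.ToLower()
        $reasons = @()
        foreach ($p in $remoteToolPatterns)   { if ($lower.Contains($p)) { $reasons += "tool:$p" } }
        foreach ($p in $userWritablePatterns) { if ($lower.Contains($p)) { $reasons += "path:$p" } }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                TaskName = $row.TaskName
                Action   = $action
                RunAs    = $row.'Run As User'
                Author   = $row.Author
                State    = $row.'Scheduled Task State'
                NextRun  = $row.'Next Run Time'
                Reasons  = ($reasons -join ';')
            }
        }
    }
}

$findings = Get-SuspiciousScheduledTasks
$findings | Format-Table TaskName, RunAs, State, Reasons, Action -AutoSize

# Export for posting (review the file and black out anything personal first).
$findings | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\scheduled-tasks-review.csv')
```

A legitimate TeamViewer or Chrome Remote Desktop task will show up here too; the point is to compare the Action, Author and RunAs columns against what you installed yourself, and to look hardest at anything launched from AppData or Temp.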
07 Oct 2015   #15
chesnutcase

Windows 7 Home Premium x64
 
 

Hi and thanks for your help again.

No attacks again, yay I guess.

Ran freefixer, but deleted nothing since all the results were stuff that I recognised except for stuff in Internet Explorer (which I don't use), "Chrome Hotword Shared Module" under Chrome Extensions, hkuqecps.exe and mseunkera64.dll

Links to screenshots of reports (12 total):
http://puu.sh/kBWG3/e7955cb924.png
http://puu.sh/kBWOl/55be0c9f8a.png
http://puu.sh/kBWP7/9125886eeb.png
http://puu.sh/kBWPs/e23094978e.png
http://puu.sh/kBWPA/c02dc1de6f.png
http://puu.sh/kBWPS/e71e542cbe.png
http://puu.sh/kBWQf/909e0490aa.png
http://puu.sh/kBWR0/589c7263e0.png
http://puu.sh/kBWRk/136dc07453.png
http://puu.sh/kBWRK/64775df2a5.png
http://puu.sh/kBWSK/1933b40f87.png
http://puu.sh/kBWT6/883f4a1bc2.png

TcpLogView, however, gave me more questions. Apparently teamviewer and SoftEther VPN (seemingly arbitrarily) opened and closed TCP connections throughout the day and night of logging. SoftEther VPN connected to VPN servers that I recently connected to (maybe it is checking the status of recently connected servers). However, teamviewer connected from a whole range of countries (Austria, Slovenia etc.) for varying durations (some were for a minute or two, while others lasted for half an hour). What is teamviewer doing?

My suspicion is back to teamviewer and openVPN/softEtherVPN. I forgot to mention that occasionally I use teamviewer over OpenVPN (crowd-sourced VPN). I usually use the same server that has a rather high reputation online, but occasionally if it goes down I would simply choose some random server from VPN Gate. Could someone have stolen my password, logged into my teamviewer account, done his dirty work over teamviewer and rigged the incoming connections log file (to show a false date modified)? Which explains why he had full GUI and admin access, the Teamviewer log file appeared innocent, the attacks only happened on days when I left teamviewer opened and also the attacks stopped after I changed my teamviewer password?

I'm going to write an email to Teamviewer support for my account's login logs to see if my account was used somewhere else, somewhen else and on another device. I'll also try some forensics software to determine if my incoming connections log for Teamviewer was rigged.
07 Oct 2015   #16
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

Could you use this tutorial by Brink to post pictures/screenshots?

Screenshots and Files - Upload and Post in Seven Forums
07 Oct 2015   #17
mdd1963

Windows 7 Home Premium 64 bit
 
 

Quote: Originally Posted by chesnutcase
Which explains why he had full GUI and admin access, the Teamviewer log file appeared innocent, the attacks only happened on days when I left teamviewer opened and also the attacks stopped after I changed my teamviewer password?
Sounds like a fairly reasonable theory....

I'd still run the TDSSKiller check for rootkits, if you haven't already.

Now that you've changed the password to TV, you could always intentionally leave it open, but while you are in close proximity to your computer for a few days, near previous hours of attack, to look for signs of another breach; it's possible you've solved it, assuming all traces of your aforementioned keylogger have been removed.
11 Oct 2015   #18
Laith

Windows 10 Professional x64
 
 

Now that I've read it carefully, as said, I suggest running Wireshark and trying to hide it. I would try to set up Windows Firewall as well as possible, for example only letting your phone in via Teamviewer and nothing else. This might not just be a keylogger; I have a suspicion of a rootkit as well, so run TDSSKiller for that. You need some internet security guard as well; MBAM has that installed with Pro, which you can test out for 30 days. I would also suggest running a scan of Malwarebytes as well.

Kaspersky TDSSKiller: Detect / Repair TDSS Rootkits
Malwarebytes Anti-Malware Free (remember to tick the 30 day free trial; I would also suggest turning off notifications when a malicious website has been blocked)

Sadly I have no tutorial for Wireshark; I'll just say download it and you'll understand what to do, it's very simple.
https://www.wireshark.org/download.html

Also, you mentioned SoftEther. I highly doubt that it's SoftEther or VPNGate; I personally use SoftEther & VPNGate as well (coincidence!). VPNGate has good security on their servers, so you shouldn't worry about SoftEther. But if you are still wary about VPNGate you can always use Wireshark on VPNGate. I'm usually on the Japanese/Korean VPNGate servers and have no problem. What you should be worried about is TeamViewer; as said, try to set up Windows Firewall to only allow your phone and no one else.

I hope this helped you out with most of what you needed.
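The firewall restriction Laith suggests, written out as netsh commands for Windows 7 (an added example, not something from the thread): existing rules that mention TeamViewer are listed so they can be deleted by name, one allow rule scoped to the phone's address is added, the default inbound action is set to block on every profile, and dropped connections are logged. The TeamViewer path and the phone's address are assumptions, and the rule-name parsing assumes an English-language Windows.

```powershell
# Added example, not from the thread. Restricts inbound TeamViewer traffic to one
# address with Windows Firewall (netsh advfirewall, available on Windows 7) and
# turns on logging of dropped connections. Run from an elevated PowerShell prompt.

$phoneIp = '192.168.1.50'                                     # assumed: the phone's address on the home LAN
$tvExe   = 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe' # assumed install path; check yours

# 1. Show existing rules that mention TeamViewer (the installer usually adds allow
#    rules for any remote address). Delete each by name before adding the scoped one:
#    netsh advfirewall firewall delete rule name="<Rule Name printed below>"
$ruleText = netsh advfirewall firewall show rule name=all verbose | Out-String
foreach ($block in ($ruleText -split 'Rule Name:')) {
    if ($block -match 'teamviewer') {
        'Existing rule: ' + ($block -split "`r?`n")[0].Trim()
    }
}

# 2. Allow TeamViewer.exe inbound only from the phone.
netsh advfirewall firewall add rule name="TeamViewer inbound - phone only" dir=in action=allow program="$tvExe" remoteip=$phoneIp profile=any enable=yes

# 3. Make the default inbound action block on every profile, so any inbound
#    connection not matched by an allow rule is dropped. A separate block rule
#    would be wrong here: block rules win over allow rules in Windows Firewall,
#    so a block-all rule for TeamViewer.exe would also block the phone.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 4. Log dropped connections so later attempts show up in pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# 5. Verify the scoped rule exists.
netsh advfirewall firewall show rule name="TeamViewer inbound - phone only"
```

Keep in mind that a TeamViewer session between the phone and the PC normally travels over connections the PC opens outbound to TeamViewer's own servers, which an inbound rule does not affect; the rule above limits direct inbound connections, and the dropped-connection log shows what else is knocking. The account-side steps earlier in the thread (the password change and the connection-log review) cover the relayed path.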