Help with investigating an attack (remote control)

Page 2 of 2

  1. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #11

    From post #8

    At 12:40pm, while outside, I teamviewer'd back from my phone to do some stuff on my computer.
    Could be your phone is infected and is infecting your computer when you use teamviewer.

    Anything that is or does hook to your computer in any fashion can infect your system.


  2. Posts : 8
    Windows 7 Home Premium x64
    Thread Starter
       #12

    @layback bear
    Possible, but I'll say unlikely. I use an Android (susceptible to viruses, yes), but I have a whole array of tools I regularly use to check what apps are running on my phone and stuff. I don't download anything from any possibly malicious websites on my phone either.

    Update:
    I left my computer shut down for the past few days so nothing happened. Right now I'm using TcpLogView to record TCP connections, and Dexpot to hide it to another (virtual) desktop to prevent him from finding it and stopping the log.

    Trap is set, now to lie in the bushes (the bed) and wait.... I'll let it sit for a day or two.
    Last edited by chesnutcase; 06 Oct 2015 at 11:37. Reason: Style


  3. Posts : 143
    Windows 7 Home Premium 64 bit
       #13

    forgot to include freefixer link... (again, harmless to run/examine, but, be careful what you specify for deletion/fix)

    FreeFixer


  4. Posts : 143
    Windows 7 Home Premium 64 bit
       #14

    I'd also look into Task Scheduler and make sure nothing is scheduled to run (TV, RDP, Chrome Remote Desktop, etc.).

    run freefixer, grab a screenshot of results (black out anything personal), and let's have a look what might be amiss!
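Post #14 above suggests checking Task Scheduler for anything that launches TeamViewer, RDP or Chrome Remote Desktop. As an added example, not code from the thread or from any of the tools it names, the Python script below reviews the CSV that `schtasks /query /fo csv /v` produces and flags tasks whose command launches a remote-control tool or runs from a location a normal user can write to. The sample CSV is constructed and trimmed to the columns the script reads (the real output has many more, which the CSV reader ignores); the task names, paths and account names in it are made up.

```python
import csv
import io

# Constructed sample of `schtasks /query /fo csv /v` output. The real output has
# about thirty columns; only the ones this script reads are kept here, and the
# task names, paths and account names are made up for the example.
SAMPLE_SCHTASKS = '''\
"HostName","TaskName","Status","Author","Task To Run","Scheduled Task State","Run As User","Schedule Type"
"PC","\\GoogleUpdateTaskMachineUA","Ready","","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua /installsource scheduler","Enabled","SYSTEM","Daily"
"PC","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c","Enabled","SYSTEM","Weekly"
"PC","\\WindowsUpdateHelper","Ready","PC\\bob","""C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe""","Enabled","PC\\bob","At logon time"
"PC","\\Adobe Flash Updater","Ready","PC\\bob","C:\\Users\\bob\\AppData\\Roaming\\upd\\svc.exe -s","Enabled","PC\\bob","At system start up"
'''

# Executables behind the remote-control channels the thread mentions: TeamViewer,
# RDP (mstsc / termsrv) and Chrome Remote Desktop (remoting_host), plus generic VNC.
REMOTE_TOOLS = ("teamviewer", "mstsc", "termsrv", "remoting_host", "vnc")

# Locations a normal user can write to; a task that runs a binary from one of
# these was not put there by Windows or by a well-behaved installer.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "%temp%", "%appdata%", "%localappdata%")


def review_tasks(csv_text):
    """Return (task name, run-as user, schedule type, reason) for every task whose
    command launches a remote-control tool or runs from a user-writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":
            continue  # some builds repeat the header row for every task folder
        cmd = row["Task To Run"].lower()
        reasons = []
        if any(tool in cmd for tool in REMOTE_TOOLS):
            reasons.append("launches a remote-control tool")
        if any(loc in cmd for loc in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append((row["TaskName"], row["Run As User"],
                             row["Schedule Type"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, user, schedule, reason in review_tasks(SAMPLE_SCHTASKS):
        print(f"{name}  as {user}  ({schedule}): {reason}")
```

On the suspect machine, run `schtasks /query /fo csv /v > tasks.csv` from an elevated prompt and pass the file's contents to `review_tasks`. A hit is a lead, not a verdict: a legitimately installed remote-control tool can have a legitimate task, so look at the task's author, creation time and the file it points at before deleting anything.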


  5. Posts : 8
    Windows 7 Home Premium x64
    Thread Starter
       #15

    Hi and thanks for your help again.

    No attacks again, yay I guess.

    Ran freefixer, but deleted nothing since all the results were stuff that I recognised except for stuff in Internet Explorer (which I don't use), "Chrome Hotword Shared Module" under Chrome Extensions, hkuqecps.exe and mseunkera64.dll

    Links to screenshots of reports(12 total):
    http://puu.sh/kBWG3/e7955cb924.png
    http://puu.sh/kBWOl/55be0c9f8a.png
    http://puu.sh/kBWP7/9125886eeb.png
    http://puu.sh/kBWPs/e23094978e.png
    http://puu.sh/kBWPA/c02dc1de6f.png
    http://puu.sh/kBWPS/e71e542cbe.png
    http://puu.sh/kBWQf/909e0490aa.png
    http://puu.sh/kBWR0/589c7263e0.png
    http://puu.sh/kBWRk/136dc07453.png
    http://puu.sh/kBWRK/64775df2a5.png
    http://puu.sh/kBWSK/1933b40f87.png
    http://puu.sh/kBWT6/883f4a1bc2.png

    TcpLogView, however, gave me more questions. Apparently TeamViewer and SoftEther VPN (seemingly arbitrarily) opened and closed TCP connections throughout the day and night of logging. SoftEther VPN connected to VPN servers that I recently connected to (maybe it is checking the status of recently connected servers). TeamViewer, however, connected from a whole range of countries (Austria, Slovenia, etc.) for varying durations (some were for a minute or two, while others lasted for half an hour). What is TeamViewer doing?

    My suspicion is back to TeamViewer and OpenVPN/SoftEther VPN. I forgot to mention that occasionally I use TeamViewer over OpenVPN (crowd-sourced VPN). I usually use the same server that has a rather high reputation online, but occasionally, if it goes down, I would simply choose some random server from VPN Gate. Could someone have stolen my password, logged into my TeamViewer account, done his dirty work over TeamViewer and rigged the incoming connections log file (to show a false date modified)? Which explains why he had full GUI and admin access, the TeamViewer log file appeared innocent, the attacks only happened on days when I left TeamViewer open, and also the attacks stopped after I changed my TeamViewer password?

    I'm going to write an email to Teamviewer support for my account's login logs to see if my account was used somewhere else, somewhen else and on another device. I'll also try some forensics software to determine if my incoming connections log for Teamviewer was rigged.
    Last edited by chesnutcase; 07 Oct 2015 at 14:13. Reason: Added freefixer library links
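Post #15 above suspects that TeamViewer's own incoming-connections log was edited, and asks what the TeamViewer connections in the TcpLogView capture mean. One check a practitioner would make is to compare the two records: a log written by TeamViewer itself can be edited by anyone with admin rights, while a TCP log captured by a separate tool is an independent witness. The Python below is an added example, not code from the thread, TeamViewer or NirSoft. It parses the tab-separated layout TeamViewer uses for Connections_incoming.txt (remote ID, display name, start, end, local user, connection type, session GUID) and a CSV connection log, then reports long-lived TeamViewer.exe connections that overlap no logged session, plus logged sessions from an unknown ID or at odd hours. The CSV column layout is assumed for this example rather than taken from any tool's real export, and every ID, address and timestamp is constructed.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the layout of TeamViewer's Connections_incoming.txt:
# tab-separated remote TeamViewer ID, display name, session start, session end,
# local Windows user, connection type, session GUID; times are dd-mm-yyyy hh:mm:ss
# in local time. The ID, name, user and times are made up.
TEAMVIEWER_LOG = (
    "123456789\tMy Phone\t03-10-2015 12:40:12\t03-10-2015 12:55:40\t"
    "chesnutcase\tRemoteControl\t{11111111-1111-1111-1111-111111111111}\n"
    "123456789\tMy Phone\t05-10-2015 18:02:01\t05-10-2015 18:10:33\t"
    "chesnutcase\tRemoteControl\t{22222222-2222-2222-2222-222222222222}\n"
)

# Constructed CSV standing in for a TCP connection log exported from a tool such
# as TcpLogView. This column layout is assumed for the example, not the tool's
# real export format; addresses are documentation ranges, countries are made up.
TCP_LOG = """\
opened,process,remote_ip,remote_port,country,closed
2015-10-03 12:40:05,TeamViewer.exe,203.0.113.10,5938,Austria,2015-10-03 12:56:00
2015-10-04 03:14:00,TeamViewer.exe,198.51.100.20,5938,Slovenia,2015-10-04 03:48:30
2015-10-04 09:00:00,TeamViewer.exe,203.0.113.11,5938,Germany,2015-10-04 09:01:10
2015-10-04 03:10:00,vpnclient_x64.exe,192.0.2.40,443,Japan,2015-10-04 03:12:00
2015-10-05 18:01:50,TeamViewer.exe,203.0.113.12,5938,Austria,2015-10-05 18:11:00
"""

TV_TIME = "%d-%m-%Y %H:%M:%S"
TCP_TIME = "%Y-%m-%d %H:%M:%S"


@dataclass
class Session:
    remote_id: str
    name: str
    start: datetime
    end: datetime
    user: str


@dataclass
class Conn:
    opened: datetime
    closed: datetime
    process: str
    remote_ip: str
    remote_port: int
    country: str

    def duration(self):
        return self.closed - self.opened


def parse_incoming(text):
    """Parse Connections_incoming.txt lines into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"unexpected field count: {line!r}")
        rid, name, start, end, user, _kind, _guid = fields
        sessions.append(Session(rid, name, datetime.strptime(start, TV_TIME),
                                datetime.strptime(end, TV_TIME), user))
    return sessions


def parse_tcp_log(text):
    """Parse the (assumed) CSV connection log into Conn records."""
    return [Conn(datetime.strptime(r["opened"], TCP_TIME),
                 datetime.strptime(r["closed"], TCP_TIME), r["process"],
                 r["remote_ip"], int(r["remote_port"]), r["country"])
            for r in csv.DictReader(io.StringIO(text))]


def overlaps(conn, session, grace):
    # The socket is set up a little before TeamViewer records the session start
    # and torn down a little after the end, hence the grace window on both sides.
    return conn.opened <= session.end + grace and conn.closed >= session.start - grace


def unexplained_connections(conns, sessions, process="teamviewer.exe",
                            min_duration=timedelta(minutes=5),
                            grace=timedelta(seconds=90)):
    """TeamViewer.exe connections long enough to carry a remote-control session
    that overlap no session in TeamViewer's own log. Short connections are
    skipped: the client talks to TeamViewer's servers even with nobody connected."""
    return [c for c in conns
            if c.process.lower() == process and c.duration() >= min_duration
            and not any(overlaps(c, s, grace) for s in sessions)]


def suspicious_sessions(sessions, trusted_ids, hours=(8, 23)):
    """Logged sessions from a TeamViewer ID you do not recognise, or started
    outside the hours you would plausibly be using the machine yourself."""
    return [s for s in sessions
            if s.remote_id not in trusted_ids or not hours[0] <= s.start.hour < hours[1]]


if __name__ == "__main__":
    sessions = parse_incoming(TEAMVIEWER_LOG)
    conns = parse_tcp_log(TCP_LOG)
    for c in unexplained_connections(conns, sessions):
        print(f"unexplained: {c.opened} -> {c.closed} {c.remote_ip} ({c.country}), {c.duration()}")
    for s in suspicious_sessions(sessions, {"123456789"}):
        print(f"check session: ID {s.remote_id} ({s.name}) {s.start} -> {s.end}")
```

Short TeamViewer.exe connections are deliberately ignored: the client keeps talking to TeamViewer's infrastructure whether or not anyone is connected, so brief connections to assorted countries are expected background noise rather than evidence of a session. A half-hour connection with no matching entry is the case worth explaining, and an edited log would produce exactly that pattern. The five-minute threshold, the 90-second grace window and the 08:00 to 23:00 "normal hours" are assumptions to tune to your own habits.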


  6. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #16

    Could you use this tutorial by Brink to post pictures/screenshots?

    Screenshots and Files - Upload and Post in Seven Forums


  7. Posts : 143
    Windows 7 Home Premium 64 bit
       #17

    chesnutcase said:
    Which explains why he had full GUI and admin access, the TeamViewer log file appeared innocent, the attacks only happened on days when I left TeamViewer open, and also the attacks stopped after I changed my TeamViewer password?
    Sounds like a fairly reasonable theory....

    I'd still run the TDSSKiller check for rootkits, if you haven't already.

    Now that you've changed the password to TV, you could always intentionally leave it open, but while you are in close proximity to your computer for a few days, near the previous hours of attack, to look for signs of another breach; it's possible you've solved it, assuming all traces of your aforementioned keylogger have been removed.


  8. Posts : 2,781
    Windows 10 Pro x64
       #18

    Now that I've read it carefully, as said, I suggest running Wireshark and trying to hide it. I would try to set up Windows Firewall as well as possible, for example only letting your phone in via TeamViewer and nothing else. This might not just be a keylogger; I have a suspicion of a rootkit as well, so run TDSSKiller for that. You need some internet security guard as well; MBAM has that installed with Pro, which you can test out for 30 days. I would also suggest running a scan with Malwarebytes as well.

    Kaspersky TDSSKiller: Detect / Repair TDSS Rootkits
    Malwarebytes Anti-Malware Free (Remember to tick the 30 day free trial; I would also suggest turning off notifications when a malicious website has been blocked)

    Sadly I have no tutorial for Wireshark; I'll just say download it and you'll understand what to do, it's very simple.
    https://www.wireshark.org/download.html

    Also, you mentioned SoftEther. I highly doubt that it's SoftEther or VPNGate; I personally use SoftEther & VPNGate as well (coincidence!). VPNGate has good security on their servers, so you shouldn't worry about SoftEther. But if you are still wary about VPNGate you can always use Wireshark on VPNGate. I'm usually on the Japanese/Korean VPNGate servers and have no problem. What you should be worried about is TeamViewer; as said, try to set up Windows Firewall to only allow your phone and no one else.

    I hope this helped you out with most of what you needed. :)


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd