Help with investigating an attack (remote control)


  1. Posts : 8
    Windows 7 Home Premium x64
       #1

    Help with investigating an attack (remote control)


    (This is an extremely long post, so sorry for taking so much of your time).

    I need help investigating an attack where someone hacked into my computer, remote controlled it (I'm very sure he had GUI access and stuff: see below) and installed a keylogger.

    Here's how it started:

    A few days ago, I woke up in the morning to find that some of my Chrome windows were closed. I had a browser game running that required you to afk, so I left it there overnight. But they were closed.

    I opened up Chrome history, and found out that someone accessed PayPal on my browser, thinking I was logged in. I do not use PayPal, and I always use incognito mode for all my browsing except playing the browser game I was referring to and reading its wiki pages. I also found that he went through some of my bookmarks, which were actually links to random posts and gifs.



    As you can see, I went to sleep at about 1am. Then someone at 7:30am used Chrome to access PayPal, and tried looking into some of my bookmarks that didn't have a name but only had an IP address (those I censored out in black; they show under 1:17pm because after I woke up I wanted to find out what these bookmarks are (I forgot my own bookmarks)).

    I asked around my family, and no one used my computer at that time. Everyone else in my household was asleep at that time. So no one in my house could have physically used my computer when I was gone.

    Moving on to today (3rd of October). It's when things started to get scary.

    I woke up in the morning and opened my laptop. Again, I was afking in the browser game and left my computer on through the night. To my horror, ALL of my windows were closed. I had some other stuff open other than Chrome as well.

    Suspecting something, I went to check the Chrome history again. To my even greater horror I found this:



    Someone attempted to log into PayPal again, AND INSTALLED A KEYLOGGER.

    I went full panic mode and immediately pressed Ctrl+Shift+Esc. I looked at the running processes, and saw, at the top of the list, about 9 instances of hlds.exe running. (Sorry I couldn't get a screenshot.)

    I had no idea what this is, and I had no time to waste. I right-clicked and pressed Open File Location, and it redirected me into a subfolder in my Downloads folder (where Chrome saves downloads) called "fun".

    (That's totally not a suspicious name, is it?) I looked at the Date Created property in Explorer; it was also around 7:30am. I immediately deleted it.

    Afterwards, I checked online for what hlds.exe could possibly mean. It said "Half-Life dedicated server", and when I recalled, I saw some files in the folder that appeared to be game binaries. So it looked like legit dedicated server software.

    Just that, I did not download it. I don't play Half-Life, and if I recall you need to download it through Steam, and if that's the case it wouldn't end up in my Downloads folder. This one is rigged.

    I hit the Start Button. My recent menu items were gone (except the pinned ones), except for one that I don't recognize: "Log Viewer". It was highlighted in light pink, meaning it was recently installed.

    What? I didn't install anything recently!

    I opened it up and saw that it was a log viewer to the Ardamax keylogger that the attacker installed. I looked into the start menu's list of programs again, and sure enough, someone installed a keylogger, and it was highlighted meaning it was recently installed.

    I immediately got rid of it. Afterwards I went to do a virus scan with Avast Antivirus, nothing came out. (Actually I did a scan of the "fun" folder before I deleted it, reported as "safe"). I then manually scanned through my program files folders to look for anything suspicious and got rid of them.

    I also realised that Steam, which I was logged into, was not running. I don't have auto-login open, and since I left it running in the background it meant that the attacker restarted my computer after doing his work. That would explain why my programs weren't open.

    Aaaand the ordeal's "over". I started my own investigation.

    List of suspects:
    • Teamviewer
    • SoftEther VPN


    TeamViewer:

    I use TeamViewer regularly when I'm out of the house. I connect by logging into my TeamViewer account from my phone and my laptop.
    I suspected my TeamViewer account had been compromised. However, upon checking the TeamViewer logs, there were no connections at that time. The connection log wasn't rigged either; the Date Modified timestamp shows days before.
    TeamViewer is innocent.


    SoftEther VPN:
    It's a crowd-sourced VPN, and I use it regularly. I understand that the server hosts can conduct man-in-the-middle attacks. However,

    is it possible that he managed to hack in with nothing but my IP address and get GUI remote control? I mean, the only hacking attacks I know are conducted through a shell, how is it possible that he managed to get GUI control, as if it was like TeamViewer? After all, he used Chrome to browse websites and set up his keylogger. And he could restart my computer.

    I was quite shocked at this since I'm the kind to be very cautious when installing software and stuff, when installing freeware I would read every single checkbox to make sure I don't get any adware and nonsensical toolbars.

    I suspect this hacker isn't very wise, for he hacked in at roughly the same time, BROWSED WITHOUT CLEARING HISTORY and didn't even bother to attempt to leave my computer as it was so that I wouldn't suspect anything. Here come the real questions:

    1. Besides TeamViewer, how else could he have gained remote control?
    2. What steps should I take now to prevent him from attacking again?
    3. Not really important, but can I set up a honeypot to bait him the next time he enters? So that I can find out more about him.


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    How did you remove Ardamax keylogger? There are steps to remove all of it here: How to Remove Ardamax Keylogger (8 Steps) | eHow


  3. Posts : 143
    Windows 7 Home Premium 64 bit
       #3

    hlds = Half-Life dedicated server? (Only a teenager would think it was cool to convert someone else's comp to a Half-Life server....)

    Do you have any teenagers that might have played Half-Life, or any other first person shooter games on it?

    Many malicious downloads floating on assorted gaming servers; meant to allow download of patches/skins/game levels automatically, many instead export malicious payloads....

    Edit: read your initial post a little more closely...
    STEAM acct? That is almost undoubtedly where you were infected, by some punk's server; gave you a malicious payload

    Best bet? From a clean computer, change any/all passwords possibly compromised from access to your current computer, beginning with any associated with banking as early as possible....

    disconnect internet access.....

    Pull your Windows product key from drive via UVK or other product key readers...

    I'd honestly look at deleting all partitions, reformatting, and reinstalling....; and, better yet, even after a reinstall, be very suspicious for a few weeks....


  4. Posts : 143
    Windows 7 Home Premium 64 bit
       #4

    You could also immediately download/run (avail from Bleeping's downloads section):

    TDSSKiller
    Rkill
    Roguekiller

    Then find Malwarebytes Antimalware
    and HitmanPro....

    See what they find....


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #5

    chesnutcase said:
    I suspected my teamviewer account had been compromised. However, upon checking the teamviewer logs, there were no connections at that time. The connection log wasnt rigged either, the date modified timestamp shows days before.

    Timestamps can be changed. They are not good for forensic evidence.



    mdd1963 said:
    Pull your windows product key from drive via UVK or other productkey readers...

    Why? The OP seems to have an Acer 4750G. The Acer vendor key would not be needed when installing Windows from media that came from Acer. The Acer vendor key would be of no value when installing Windows from media that did not come from Acer (the key on the CoA sticker would be used instead).


  6. Posts : 143
    Windows 7 Home Premium 64 bit
       #6

    I see nothing to indicate ownership/usage of an Acer, but, since you know exactly what computer and recovery media he/she is in possession of, feel free to direct accordingly. (Of course, if the OP doesn't have actual recovery media, and then finds out his generic OEM CoA is useless for reactivating, I wish you both well.)


  7. Posts : 10,485
    W7 Pro SP1 64bit
       #7

    re: Acer ownership

    Visit the original post and click on the link named My System Specs:

    Help with investigating an attack (remote control)-capture.png


  8. Posts : 8
    Windows 7 Home Premium x64
    Thread Starter
       #8

    Hi, and thank you all for your valuable input.

    He broke in again today. (See below).

    @Jacee I removed it simply through Control Panel -> Uninstall Programs and Features. I did follow the steps that you posted; however, the registry keys already show up as empty.

    @mdd1963 No, I don't have anyone who plays Half-Life. This hlds file was downloaded by the attacker. I suspect he rigged it expecting me to open it. About Steam, yes I actively play Steam games, but I have not received any custom files made by other users such as custom maps, etc. for the past few months.

    @UsernameIssues I thought about faking timestamps, but considering he's someone who doesn't even clear browsing history....

    About today's attack:
    1st attack was on 2nd Oct, 2nd attack on 3rd Oct, 3rd attack on 5th October. Timestamps in screenshots are UTC+9.

    After reading Jacee's reply on Sunday (4th October), I followed his steps to remove Ardamax Keylogger, but it seems like I already did beforehand as the registry keys and stuff were all gone. I subsequently did a full virus scan of my system using Avast! (nothing came out), and installed the latest Windows updates. (I apparently forgot to install them for a month or so.)

    I stayed up the whole of Sunday night (4th October) into the wee hours of the morning (Monday, 5th October), staring at my afking computer, waiting for the attacker to strike again so that I could capture video evidence... but he didn't.

    Morning came, and I resumed normal work. I left my house at about 11:40am, leaving my computer on.
    At 12:40pm, while outside, I teamviewer'd back from my phone to do some stuff on my computer. Shockingly, all the windows that I had open were closed, but Steam was opened. (I did not open Steam before I left the house.) Suspecting that guy came in again, I opened Chrome, and sure enough -



    He came in just minutes ago and attempted to use my Chrome again. Looks like he was trying to buy something on a Chinese site using the PayPal account that was logged in (i.e. no-one's).

    I immediately shut down my computer through TeamViewer to prevent him from doing any more damage. I was really confused as the full virus scan that took hours yesterday reported nothing. I rushed home, and did the following:

    1. Disconnected from the network immediately when I turned my computer back on.
    2. Manually scanned through my drive to see if anything was installed. Nothing was.
    3. Reconnected to the network, changed my home network's access point's password and security type (previously it was WEP, changed to WPA2).
    4. Reset Windows Firewall to default.
    5. Changed my Steam and TeamViewer passwords.
    6. Looked through Resource Monitor to see if there was anything suspicious using the network that could have allowed the attacker to connect. All of the processes were stuff that I recognised or just svchost.

    Aaaand I'm back here. I still don't quite understand how the attacker can gain GUI control, to use Chrome and close/open my windows.

    About using my manufacturer's repair disc - I'm very unwilling to do this as I have a lot of stuff installed on my computer; doing a reformat would be very inconvenient (my home internet is really slow, redownloading all the software and Windows updates would take days...).

    Can I set up a network logger to watch out for the next time he connects? I really want to catch this person and screw around with him as revenge report him to my local authorities if I find out he's also a person from my country.

    EDIT: I'll check out the other malware killers suggested by mdd1963 later, and post the results.
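Step 6 of the list above (reviewing which processes are using the network) and the later question about watching for the next connection are both things a defender can script rather than eyeball in Resource Monitor. The following is an added example written for this thread, not code from any participant. It assumes you have pasted the text output of `netstat -ano` and `tasklist` into strings (or read them from files); the sample output, the `KNOWN_PROCESSES` allowlist and the `203.0.113.45` foreign address are constructed for illustration (that address is an RFC 5737 documentation range standing in for a real public address). The port table lists well-known default ports of common GUI remote-control services.

```python
"""Triage a Windows `netstat -ano` listing for remote-control exposure.

Added example for the thread; not from any participant. Assumes the text of
`netstat -ano` and `tasklist` has been pasted into the two strings below.
"""
import ipaddress
import re

# Well-known default ports of GUI remote-control services.
REMOTE_CONTROL_PORTS = {
    3389: "RDP (Remote Desktop)",
    5900: "VNC",
    5500: "VNC reverse connection",
    5938: "TeamViewer",
}

# Addresses that are "inside" the LAN or the host itself; anything else is external.
# (Deliberately hand-rolled so that documentation ranges such as 203.0.113.0/24
# count as external, which Python's ip.is_private would not do.)
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "fe80::/10", "fc00::/7", "::/128",
)]

# Constructed allowlist of process images the machine's owner recognises (assumption).
KNOWN_PROCESSES = {"svchost.exe", "chrome.exe", "steam.exe", "teamviewer.exe"}

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       3440
  TCP    192.168.1.20:49712     203.0.113.45:5900      ESTABLISHED     3440
  TCP    192.168.1.20:49800     192.168.1.1:80         ESTABLISHED     2212
  UDP    0.0.0.0:5355           *:*                                     708
"""

# Constructed sample of `tasklist` output (PID -> image name).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    708 Services                   0      9,120 K
svchost.exe                   1124 Services                   0     12,004 K
hlds.exe                      3440 Console                    1     40,112 K
chrome.exe                    2212 Console                    1    180,000 K
"""


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if m:
            pids[int(m.group(2))] = m.group(1).lower()
    return pids


def split_endpoint(endpoint):
    """Split 'host:port' (IPv6 written as '[::]:port') into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP line of `netstat -ano`; UDP lines carry no state."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        conns.append({
            "proto": parts[0],
            "local": split_endpoint(parts[1]),
            "foreign": split_endpoint(parts[2]),
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return conns


def is_external(host):
    """True when host is a routable address outside the LAN/loopback ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname
        return False
    return not any(ip in net for net in LOCAL_NETWORKS)


def triage(netstat_text, tasklist_text, known_processes):
    """Flag listening remote-control ports, external sessions and unknown processes."""
    names = parse_tasklist(tasklist_text)
    findings, flagged_pids = [], set()
    for c in parse_netstat(netstat_text):
        proc = names.get(c["pid"], "<unknown>")
        lhost, lport = c["local"]
        fhost, fport = c["foreign"]
        if c["state"] == "LISTENING" and lport in REMOTE_CONTROL_PORTS:
            findings.append(("LISTENING_REMOTE_CONTROL", c["pid"], proc,
                             f"{REMOTE_CONTROL_PORTS[lport]} on port {lport}"))
        if c["state"] == "ESTABLISHED" and is_external(fhost):
            label = REMOTE_CONTROL_PORTS.get(fport, f"port {fport}")
            findings.append(("EXTERNAL_CONNECTION", c["pid"], proc, f"{fhost}:{fport} ({label})"))
        if proc not in known_processes and c["pid"] not in flagged_pids:
            flagged_pids.add(c["pid"])
            findings.append(("UNRECOGNISED_PROCESS", c["pid"], proc, f"{c['proto']} {lhost}:{lport}"))
    return findings


if __name__ == "__main__":
    for kind, pid, proc, detail in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST, KNOWN_PROCESSES):
        print(f"{kind:26} pid={pid:<6} {proc:14} {detail}")
```

Run against the constructed sample it reports RDP listening under PID 1124, a VNC listener and an established VNC session to an external address both owned by hlds.exe, and hlds.exe itself as an unrecognised image. Running `netstat -ano` and `tasklist` at intervals (for example from Task Scheduler) and diffing the triage output over time is a cheap way to see a remote session as it appears, which is what the "network logger" question is really after.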


  9. Posts : 143
    Windows 7 Home Premium 64 bit
       #9

    FreeFixer

    Download and run FreeFixer (takes 10-15 minutes to run through your assorted system locations/settings); harmless/riskless to run, just be careful on what you click to delete to fix afterward; but, certainly be on the lookout and give special attention to things that are not color coded green....

    You might also want to make sure all your files/folders are unhidden, perhaps you can discover something that was installed.


  10. Posts : 143
    Windows 7 Home Premium 64 bit
       #10

    UsernameIssues said:
    re: Acer ownership

    Visit the original post and click on the link named My System Specs:

    Help with investigating an attack (remote control)-capture.png

    That explains it :)

