Help with investigating an attack (remote control)

chesnutcase

New member
Local time
5:54 AM
Messages
8
Location
Singapore
(This is an extremely long post, so sorry for taking so much of your time).

I need help investigating an attack where someone hacked into my computer, remote controlled it (I'm very sure he had GUI access and stuff: see below) and installed a keylogger.

Here's how it started,

A few days ago, I woke up in the morning to find that some of my Chrome windows were closed. I had a browser game running that required you to afk, so I left it there overnight. But they were closed.

I opened up chrome history, and found out that someone accessed paypal on my browser, thinking I was logged in. I do not use paypal, and I always use incognito mode for all my browsing except playing the browser game I was referring to and reading its wiki pages. I also found that he went through some of my bookmarks, which were actually links to random posts and gifs.

3266ed53c3.PNG


As you can see, I went to sleep at about 1am. Then someone at 7:30am used Chrome to access paypal, and tried looking into some of my bookmarks that didn't have a name but only had an IP address (those I censored out in black; they show under 1:17pm because after I woke up I wanted to find out what these bookmarks were, as I had forgotten my own bookmarks).

I asked around my family, and no one used my computer at that time. Everyone else in my household was asleep at that time. So no one in my house could have physically used my computer when I was gone.

Moving on to today (3rd of October). It's when things started to get scary.

I woke up in the morning and opened my laptop. Again, I was afking in the browser game and left my computer on through the night. To my horror, ALL of my windows were closed. I had some other stuff open other than Chrome as well.

Suspecting something, I went to check the chrome history again. To my even greater horror I found this:

878afef90e.PNG


Someone attempted to log into paypal again, AND INSTALLED A KEYLOGGER.

I went full panic mode and immediately pressed Ctrl+Shift+Esc. I looked at the running processes, and saw, at the top of the list, about 9 instances of hlds.exe running. (Sorry I couldn't get a screenshot).

I had no idea what this is, and I had no time to waste. I right-clicked and pressed open file location, and it redirected me into a subfolder in my download folder (where chrome saves downloads) called "fun".

(That's totally not a suspicious name, is it?). I looked at the date created property in explorer, it was also around 7:30am. I immediately deleted it.

Afterwards, I checked online for what hlds.exe could possibly mean. It said "half life dedicated server", and when I recalled, I saw some files in the folder that appeared to be game binaries. So it looked like a legit dedicated server software.

It's just that I did not download it. I don't play half life, and if I recall you need to download it through steam, and if that's the case it wouldn't end up in my downloads folder. This one is rigged.

I hit the Start Button. My recent menu items were gone (except the pinned ones), except for one that I don't recognize: "Log Viewer". It was highlighted in light pink, meaning it was recently installed.

What? I didn't install anything recently!

I opened it up and saw that it was a log viewer to the Ardamax keylogger that the attacker installed. I looked into the start menu's list of programs again, and sure enough, someone installed a keylogger, and it was highlighted meaning it was recently installed.

I immediately got rid of it. Afterwards I went to do a virus scan with Avast Antivirus, nothing came out. (Actually I did a scan of the "fun" folder before I deleted it, reported as "safe"). I then manually scanned through my program files folders to look for anything suspicious and got rid of them.

I also realised that Steam, which I was logged into, was not running. I don't have auto-login open, and since I left it running in the background it meant that the attacker restarted my computer after doing his work. That would explain why my programs weren't open.

Aaaand the ordeal's "over". I started my own investigation.

List of suspects:
  • Teamviewer
  • SoftEther VPN

Teamviewer:

I use teamviewer regularly when I'm out of the house. I connect by logging into my teamviewer account from my phone and my laptop.
I suspected my teamviewer account had been compromised. However, upon checking the teamviewer logs, there were no connections at that time. The connection log wasn't rigged either, the date modified timestamp shows days before.
Teamviewer is innocent.


SoftEther VPN:
It's a crowd-sourced VPN, and I use it regularly. I understand that the server hosts can conduct man-in-the-middle attacks. However,

is it possible that he managed to hack in with nothing but my IP address and get GUI remote control? I mean, the only hacking attacks I know are conducted through a shell, how is it possible that he managed to get GUI control, as if it was like teamviewer? After all, he used chrome to browse websites and set up his keylogger. And he could restart my computer.

I was quite shocked at this since I'm the kind to be very cautious when installing software and stuff, when installing freeware I would read every single checkbox to make sure I don't get any adware and nonsensical toolbars.

I suspect this hacker isn't very wise, for he hacked in at roughly the same time, BROWSED WITHOUT CLEARING HISTORY and didn't even bother to attempt to leave my computer as it was so that I wouldn't suspect anything. Here come the real questions:

1. Besides teamviewer, how else could he have gained remote control?
2. What steps should I take now to prevent him from attacking again?
3. Not really important, but can I set up a honeypot to bait him the next time he enters? So that I can find out more about him.
 

My Computer

Computer Manufacturer/Model Number
Acer 4750G
OS
Windows 7 Home Premium x64
CPU
i7-2630QM
Memory
x2 4GB DDR3
Graphics Card(s)
Nvidia GeForce GT540M 1GB VRAM
Mouse
Razer DeathAdder Black Edition

hlds = HalfLife dedicated server? (Only a teenager would think it was cool to convert someone else's comp to a HalfLife server....)

Do you have any teenagers that might have played Halflife, or any other first person shooter games on it?

Many malicious downloads floating on assorted gaming servers; meant to allow download of patches/skins/game levels automatically, many instead export malicious payloads....

Edit: read your initial post a little more closely...
STEAM acct? that is almost undoubtedly where you were infected, by some punks server, gave you a malicious payload

Best bet? From a clean computer, change any/all passwords possibly compromised from access to your current computer, beginning with any associated with banking as early as possible....

disconnect internet access.....

Pull your windows product key from drive via UVK or other productkey readers...

I'd honestly look at deleting all partitions, reformatting, and reinstalling....; and, better yet, even after a reinstall, be very suspicious for a few weeks....
 

You could also immediately download/run (avail from bleepings downloads section):

TDSSKiller
Rkill
Roguekiller

Then find Malwarebytes Antimalware
and HitmanPro....

See what they find....
 

I suspected my teamviewer account had been compromised. However, upon checking the teamviewer logs, there were no connections at that time. The connection log wasn't rigged either, the date modified timestamp shows days before.
Timestamps can be changed. They are not good for forensic evidence.



Pull your windows product key from drive via UVK or other productkey readers...
Why? The OP seems to have an Acer 4750G. The Acer vendor key would not be needed when installing Windows from media that came from Acer. The Acer vendor key would be of no value when installing Windows from media that did not come from Acer (the key on the CoA sticker would be used instead).
 

I see nothing to indicate ownership/usage of an Acer, but, since you know exactly what computer and recovery media he/she is in possession of, feel free to direct accordingly. (Of course, if the OP doesn't have actual recovery media, and then finds out his generic OEM CoA is useless for reactivating, I wish you both well)
 

re: Acer ownership

Visit the original post and click on the link named My System Specs:

Capture.PNG
 

Hi, and thank you all for your valuable input.

He broke in again today. (See below).

@Jacee I removed it simply through Control Panel -> Uninstall Programs and Features. I did follow your steps that you posted, however the registry keys already show up as empty.

@mdd1963 No, I don't have anyone who plays half life. This hlds file was downloaded by the attacker. I suspect he rigged it expecting me to open it. About steam, yes I actively play steam games, but I have not received any custom files made by other users such as custom maps, etc for the past few months.

@UsernameIssues I thought about faking timestamps, but considering he's someone who doesn't even clear browsing history....

About today's attack:
1st attack was on 2nd Oct, 2nd attack on 3rd Oct, 3rd attack on 5th October. Timestamps in screenshots are UTC+9.

After reading jacee's reply on Sunday (4th October), I followed his steps to remove Ardamax Keylogger but it seems like I already did beforehand as the registry keys and stuff were all gone. I subsequently did a full virus scan of my system using Avast! (nothing came out), and installed the latest windows updates. (I apparently forgot to install them for a month or so).

I stayed up the whole of Sunday night (4th October) into the wee hours of the morning (Monday, 5th October), staring at my afking computer, waiting for the attacker to strike again so that I can capture video evidence... but he didn't.

Morning came, and I resumed normal work. I left my house at about 11:40am, leaving my computer on.
At 12:40pm, while outside, I teamviewer'd back from my phone to do some stuff on my computer. Shockingly, all the windows that I had open were closed, but steam was opened. (I did not open steam before I left the house). Suspecting that guy came in again, I opened chrome, and sure enough -

1546938239.PNG


He came in just minutes ago and attempted to use my chrome again. Looks like he was trying to buy something on a Chinese site using the paypal account that was logged in (i.e. no-one's).

I immediately shut down my computer through teamviewer to prevent him from doing anymore damage. I was really confused as the full virus scan that took hours yesterday reported nothing. I rushed home, and did the following:

1. Disconnected from the network immediately when I turned my computer back on.
2. Manually scanned through my drive to see if anything was installed. Nothing was.
3. Reconnected to network, changed my home network's access point's password and security type (previously it was WEP, changed to WPA2)
4. Reset Windows Firewall to default.
5. Changed my steam and teamviewer passwords.
6. Looked through resource manager to see if there was anything suspicious using the network that could have allowed the attacker to connect. All of the processes were stuff that I recognised or just svchost.

Aaaand I'm back here. I still don't quite understand how the attacker can gain GUI control, to use chrome and close/open my windows.

About using my manufacturer's repair disc - I'm very unwilling to do this as I have a lot of stuff installed on my computer, doing a reformat would be very inconvenient (my home internet is really slow, redownloading all the software and windows updates would take days...)

Can I set up a network logger to watch out for the next time he connects? I really want to catch this person and screw around with him as revenge report him to my local authorities if I find out he's also a person from my country.

EDIT: I'll check out the other malware killers suggested by mdd1963 later, and post the results.
 

FreeFixer

Download and run freefixer (takes 10-15 minutes to run through your assorted system locations/settings), harmless/riskless to run, just be careful on what you click to delete to fix afterward; but, certainly be on the lookout and give special attention for things that are not color coded green....

You might also want to make sure all your files/folders are unhidden, perhaps you can discover something that was installed.
 

From post #8

At 12:40pm, while outside, I teamviewer'd back from my phone to do some stuff on my computer.
Could be your phone is infected and is infecting your computer when you use teamviewer.

Anything that is or does hook to your computer in any fashion can infect your system.
 

@layback bear
Possible, but I'll say unlikely. I use an android (susceptible to viruses, yes) but I have a whole array of tools I regularly use to make sure what apps are running on my phone and stuff. I don't download anything from any possibly malicious websites on my phone either.

Update:
I left my computer shut down for the past few days so nothing happened. Right now I'm using TcpLogView to record TCP connections, and Dexpot to hide it to another (virtual) desktop to prevent him from finding it and stopping the log.

Trap is set, now to lie in the bushes the bed and wait.... I'll let it sit for a day or two.
 
forgot to include freefixer link... (again, harmless to run/examine, but, be careful what you specify for deletion/fix)

FreeFixer
 

I'd also look into Task Scheduler, make sure nothing scheduled to run (TV, RDP, Chrome Remote Desktop, etc..)

run freefixer, grab a screenshot of results (black out anything personal), and let's have a look what might be amiss!
 

Hi and thanks for your help again.

No attacks again, yay I guess.

Ran freefixer, but deleted nothing since all the results were stuff that I recognised except for stuff in Internet Explorer (which I don't use), "Chrome Hotword Shared Module" under Chrome Extensions, hkuqecps.exe and mseunkera64.dll

Links to screenshots of reports(12 total):
http://puu.sh/kBWG3/e7955cb924.png
http://puu.sh/kBWOl/55be0c9f8a.png
http://puu.sh/kBWP7/9125886eeb.png
http://puu.sh/kBWPs/e23094978e.png
http://puu.sh/kBWPA/c02dc1de6f.png
http://puu.sh/kBWPS/e71e542cbe.png
http://puu.sh/kBWQf/909e0490aa.png
http://puu.sh/kBWR0/589c7263e0.png
http://puu.sh/kBWRk/136dc07453.png
http://puu.sh/kBWRK/64775df2a5.png
http://puu.sh/kBWSK/1933b40f87.png
http://puu.sh/kBWT6/883f4a1bc2.png

TcpLogViewer, however, gave me more questions. Apparently teamviewer and SoftEther VPN (seemingly arbitrarily) opened and closed TCP connections throughout the day and night of logging. SoftEther VPN connected to VPN servers that I recently connected to (maybe it is checking the status of recently connected servers). However teamviewer, connected from a whole range of countries (Austria, Slovenia etc) for varying durations (some were for a minute or two, while others lasted for half an hour). What is teamviewer doing?

My suspicion is back to teamviewer and openVPN/softEtherVPN. I forgot to mention that occasionally I use teamviewer over OpenVPN (crowd source VPN). I usually use the same server that has a rather high reputation online, but occasionally if it goes down I would simply choose some random server from VPN Gate. Could someone have stolen my password, logged into my teamviewer account, did his dirty work over teamviewer and rigged the incoming connections log file (to show a false date modified)? Which explains why he had full GUI and admin access, the Teamviewer log file appeared innocent, the attacks only happened on days when I left teamviewer opened and also the attacks stopped after I changed my teamviewer password?

I'm going to write an email to Teamviewer support for my account's login logs to see if my account was used somewhere else, somewhen else and on another device. I'll also try some forensics software to determine if my incoming connections log for Teamviewer was rigged.
 
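As an added example (not code from this thread, and not TeamViewer's or TcpLogView's own tooling), here is a Python cross-check in the spirit of the OP's TcpLogView approach: it reads a connection log and TeamViewer's incoming-session log, both in assumed tab-separated layouts with constructed sample data (documentation IP ranges, placeholder TeamViewer IDs and user names), and flags remote-control connections long enough to be a real session that the session log does not account for, which is exactly the "rigged log" case the post worries about. It also lists logged sessions from device IDs the owner does not recognise.

```python
"""Cross-check a TCP connection log against TeamViewer's incoming-session log
(added example for this thread; log layouts are assumed, sample data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
REMOTE_CONTROL = {"teamviewer.exe": 5938}  # process -> remote port it uses for sessions
KEEPALIVE = timedelta(minutes=3)           # anything shorter is background chatter, not a session

@dataclass
class Conn:
    start: datetime
    end: datetime
    process: str
    remote: str      # "ip:port"
    country: str

@dataclass
class Session:
    peer_id: str     # TeamViewer ID of the connecting device
    start: datetime
    end: datetime

def parse_tcp_log(text):
    """Constructed TcpLogView-like layout: start, end, process, ip:port, country (tab-separated)."""
    rows = []
    for line in text.strip().splitlines():
        s, e, proc, remote, country = line.split("\t")
        rows.append(Conn(datetime.strptime(s, FMT), datetime.strptime(e, FMT),
                         proc.lower(), remote, country))
    return rows

def parse_tv_incoming(text):
    """Assumed Connections_incoming.txt layout: id, name, start, end, user, type, guid."""
    rows = []
    for line in text.strip().splitlines():
        peer, _name, s, e, *_rest = line.split("\t")
        rows.append(Session(peer, datetime.strptime(s, FMT), datetime.strptime(e, FMT)))
    return rows

def overlaps(a, b):
    return a.start <= b.end and b.start <= a.end

def unaccounted_sessions(conns, sessions):
    """Remote-control connections long enough to be a real session that no entry in
    the incoming log explains: such a gap means the session log is incomplete or
    has been tampered with, so the log alone cannot clear the tool."""
    hits = []
    for c in conns:
        port = int(c.remote.rsplit(":", 1)[1])
        if REMOTE_CONTROL.get(c.process) != port or c.end - c.start < KEEPALIVE:
            continue
        if not any(overlaps(c, s) for s in sessions):
            hits.append(c)
    return hits

def foreign_sessions(sessions, own_ids):
    """Logged sessions from TeamViewer IDs the owner does not recognise."""
    return [s for s in sessions if s.peer_id not in own_ids]

# Constructed sample data: RFC 5737 documentation addresses, placeholder IDs and names.
TCP_LOG = """\
2015-10-05 07:26:40\t2015-10-05 07:27:30\tTeamViewer.exe\t192.0.2.10:5938\tAustria
2015-10-05 07:29:05\t2015-10-05 07:58:12\tTeamViewer.exe\t198.51.100.7:5938\tSlovenia
2015-10-05 12:40:02\t2015-10-05 12:52:30\tTeamViewer.exe\t203.0.113.5:5938\tGermany
2015-10-05 13:10:00\t2015-10-05 13:10:20\tchrome.exe\t203.0.113.9:443\tSingapore
"""
TV_INCOMING = """\
111222333\tOWNER-PHONE\t2015-10-05 12:40:00\t2015-10-05 12:52:35\tOWNER\tRemoteControl\t{PLACEHOLDER-GUID}
"""
OWN_IDS = {"111222333"}  # TeamViewer IDs of the owner's own devices (placeholder)

def analyse(tcp_text=TCP_LOG, tv_text=TV_INCOMING, own_ids=OWN_IDS):
    """Returns (unlogged remote-control connections, sessions from unknown devices)."""
    sessions = parse_tv_incoming(tv_text)
    return unaccounted_sessions(parse_tcp_log(tcp_text), sessions), foreign_sessions(sessions, own_ids)
```

With the sample data, the half-hour Slovenia connection at 07:29 is the only one left unexplained by the session log; the 12:40 session matches the owner's phone and the sub-minute Austria connection is treated as keep-alive traffic.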
Which explains why he had full GUI and admin access, the Teamviewer log file appeared innocent, the attacks only happened on days when I left teamviewer opened and also the attacks stopped after I changed my teamviewer password?.

Sounds like a fairly reasonable theory....

I'd still run the TDSSKiller check for rootkits, if you haven't already.

Now that you've changed the password to TV, you could always intentionally leave it open, but while you are in close proximity to your computer for a few days, near previous hours of attack, to look for signs of another breach; it's possible you've solved it, assuming all traces of your aforementioned keylogger have been removed..
 

Now that I read it carefully, as said, I suggest running Wireshark and trying to hide it. I would try to set up Windows Firewall as well as possible, for example only letting your phone in via Teamviewer and nothing else. This might not just be a keylogger, I have a suspicion of a rootkit as well, so run TDSSKiller for that. You need some internet security guard as well; MBAM has that installed with Pro, which you can test out for 30 days. I would also suggest running a scan with Malwarebytes as well.

http://www.sevenforums.com/tutorials/338877-kaspersky-tdsskiller-detect-repair-tdss-rookits.html
http://www.sevenforums.com/tutorials/338716-malwarebytes-anti-malware-free.html (Remember to tick the 30 day free trial; I would also suggest turning off notifications when a malicious website has been blocked)

Sadly I have no tutorial for Wireshark, I'll just say download it and you'll understand what to do, it's very simple.
https://www.wireshark.org/download.html

Also you mentioned SoftEther, I highly doubt that it's SoftEther or VPNGate, I personally use SoftEther & VPNGate as well (coincidence!). VPNGate has good security on their servers so you shouldn't worry about SoftEther. But if you are still wary about VPNGate you can always use Wireshark on VPNGate. I'm usually on the Japanese/Korean VPNGate servers and have no problem. What you should be worried about is TeamViewer; as said, try to set up Windows Firewall to only allow your phone and no one else.

I hope this helped you out with most of what you needed. :)
 
