hackers got in even with a clean installation!

luv2liv

Diamond Member
Dec 27, 2001
As some of you may know, I left TeamViewer idle. 2 weeks ago, Jan 14, someone got in and took full control. They used my PayPal account because all my browsers have my passwords saved.

I did a clean install on Jan 15. This time, absolutely no traces of TeamViewer. Today, 8pm, I see someone using the machine via TeamViewer, ID 228404890! WTH. Apparently they put the exe file in an obscure location like "C:\Users\tung\AppData\Local\Temp" instead of C:\Program Files...

How are they getting in? And why TeamViewer? If they are that good, wouldn't they just use the command line? There is WiFi in the house, but the desktop is not connected over WiFi.

What can I do? For now, I set up a password if inactive for 6 mins. I also disable the LAN adapter after I'm done with the PC.
 

Ichinisan

Lifer
Oct 9, 2002
> As some of you may know, I left TeamViewer idle. 2 weeks ago, Jan 14, someone got in and took full control. They used my PayPal account because all my browsers have my passwords saved.
>
> I did a clean install on Jan 15. This time, absolutely no traces of TeamViewer. Today, 8pm, I see someone using the machine via TeamViewer, ID 228404890! WTH. Apparently they put the exe file in an obscure location like "C:\Users\tung\AppData\Local\Temp" instead of C:\Program Files...
>
> How are they getting in? And why TeamViewer? If they are that good, wouldn't they just use the command line? There is WiFi in the house, but the desktop is not connected over WiFi.
>
> What can I do? For now, I set up a password if inactive for 6 mins. I also disable the LAN adapter after I'm done with the PC.

How did you go about the clean install? If you didn't override boot order and use external media (DVD, USB, etc), then wipe all partitions from the HDD, rootkit level malware would probably still be active.

What OS?
 

Red Squirrel

No Lifer
May 24, 2003
Is the computer directly connected to the internet? If yes this is probably why. If it's behind a NAT/firewall then I'm really not sure how this is possible. Unless you have a machine on your network that is also compromised. Do you have anything port forwarded like torrents or something? If there's a vulnerability in that program they could then gain access to the rest of your network through that machine.
 

luv2liv

Diamond Member
Dec 27, 2001
I did a clean install of Windows 7 Pro on the 1st SSD drive, formatted.
All documents are on the 2nd drive, as the D and E drives, and those have not been formatted. If there's a malware exe file, can it self-execute on those D and E drives???

The computer connects to a Netgear Nighthawk R7000 > Netgear GS108 switch > Actiontec router from Verizon FiOS > FiOS box.
Nothing port forwarded. No torrents or any downloads, that I'm aware of anyway.

In the house, there are 2 Android phones over WiFi, 1 Hikvision security cam on WiFi, 1 Hikvision on Cat5, 4 Raspberry Pis on WiFi, 2 TVs on WiFi, 2 Belkin smart switches on WiFi, and finally my desktop PC on Cat5.

What is a rootkit? Is this on the motherboard level?
If I get a firewall, what is the best place to put it? Let's say the security cams are compromised, is it possible to place a firewall to separate the PC from all the other simple devices?
 

luv2liv

Diamond Member
Dec 27, 2001
I just got into my gateway Actiontec MI424WR router
and see a bunch of ports being forwarded. Some I recognized from the security cams. Some I have no idea about, but they show up as Application from Teredo and Skype.

I did a hard reset. Changed the admin password on the router. So the only 2 port forwardings by default are:

Local host              Application             Protocol / ports
localhost (127.0.0.1)   Verizon FiOS Service    TCP Any -> 4567
192.168.1.254:5001      Sb0013b607767f          TCP Any -> 5001
 

Ichinisan

Lifer
Oct 9, 2002
> What is a rootkit? Is this on the motherboard level?

A rootkit runs before the OS boot loader and hides itself from anything that runs after. It can persist through an OS reinstall depending on the way you handle it.

Make an install DVD or USB drive.

Adjust your system's boot priority to boot the DVD disc or USB drive first.

Boot the install media (disc/USB).

Delete all partitions from the internal target drive.

Select the large unpartitioned space and allow Windows to continue install.

Get all updates and security patches.

Before the system is fully updated, limit how much web browsing you do with Internet Explorer. Use Chrome instead.

That would usually do it.
 

Elixer

Lifer
May 7, 2002
> I did a clean install on Jan 15. This time, absolutely no traces of TeamViewer. Today, 8pm, I see someone using the machine via TeamViewer, ID 228404890! WTH. Apparently they put the exe file in an obscure location like "C:\Users\tung\AppData\Local\Temp" instead of C:\Program Files...

If you actually did a clean install of the OS (that means, secure wipe what was there before, and install the OS again), and they are still able to get in, and install programs, then, apparently they have your login credentials, and are installing things that way.

I have never seen a rootkit survive an actual clean install, unless it is mounted from a compromised USB device.
 

mikeymikec

Lifer
May 19, 2011
I think simpler possibilities should be considered, like the OP made a mistake after the installation that let the malware in, for example downloading a known bit of software from an unofficial source. The first possibility that sprang to mind was that the OP re-used binaries from the old install that happened to be compromised (by the same attacker?), though I think this is less likely. Another possibility was that a non-up-to-date browser was used on the Internet and encountered say an iffy ad banner and a vulnerability was exploited. Another possibility was that an up-to-date browser was used and the same happened.

The fact that the attacker is using TeamViewer could simply be a coincidence.

I don't often see router compromises but usually they're the simple variety such as exploiting default admin accounts then changing the DNS servers.

All I'm trying to point out here is that there's a tendency when a system is compromised for people to assume the worst, like some really sophisticated technique was used to get in, when it's more likely to be a simple reason. Let's assume for a second that a rootkit somehow managed to survive the clean install. Why on earth would the compromised exe be running from the user's temp folder? If the rootkit was good enough to evade a system drive wipe, then its designer ought* to be good enough to continue to evade detection. It doesn't stand to reason that the exe would be running from there, because if you're designing a rootkit the point is to evade detection by using all the privs at your disposal.

* - everyone makes mistakes though. Even then, it seems unlikely to me. IMO, if someone designed a rootkit to evade a system drive wipe, then they're pretty damn good. To then intentionally run their exe for remote access in such a clown-shoes manner to me seems pretty implausible. That's not a mistake, that's just sloppy. Having said that, in the malware industry it often happens that someone truly good at their job designs a bit of malware, rustles up a handy UI for it to configure its behaviour then sells it. The people buying it aren't necessarily competent.
 

luv2liv

Diamond Member
Dec 27, 2001
Is there a web site or program that can scan my network to see where the vulnerability comes from?
 

Elixer

Lifer
May 7, 2002
> Is there a web site or program that can scan my network to see where the vulnerability comes from?

How many machines do you have on your LAN?

You said you did a clean install, which means, unless you specifically opened it up again, nothing should be able to come on in through the network.
 

luv2liv

Diamond Member
Dec 27, 2001
I have 1 desktop on the LAN, but many security cams and 1 NVR. I wonder if they are going through the cam system?
 

Elixer

Lifer
May 7, 2002
Highly doubt it.

If you are using an SSD, I would secure erase it, then download the Win 10 ISO from MS, and use that to install the OS with.
 

Ichinisan

Lifer
Oct 9, 2002
> Highly doubt it.
>
> If you are using an SSD, I would secure erase it, then download the Win 10 ISO from MS, and use that to install the OS with.

...and make sure you're creating the install from a non-compromised computer.
 

Ketchup

Elite Member
Sep 1, 2002
That temp folder you referenced would be exactly where I would expect to see an app installed from a browser without using the save option, or when installing an upgrade to the current version. Go to programs and make sure you didn't install it.... and while you are in the users folder, check and see if there are folders with .old attached to them, or a Windows.old in the root directory.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
A clean install means a freshly formatted SSD or HDD with a new Windows install.

Did you transfer any old files from the other drives? Did you scan your entire PC with an anti-virus scanner and Malwarebytes AntiMalware with "scan for rootkits" checked?

The only way anyone is going to get inside your PC is to have compromised software put on it. It's time to sterilize the PC and make sure every piece of software is from a trusted source.
 

WhoBeDaPlaya

Diamond Member
Sep 15, 2000
Time to fire up a live Linux distro, and run "hdparm --user-master u --security-erase PWD /dev/sdX" ;)
 

luv2liv

Diamond Member
Dec 27, 2001
So far, I hard reset the Actiontec router. Changed the password. Monitoring; no port forwarding allowed.
Before I do another install, I'm going to use Malwarebytes software to see if there's a rootkit. Someone else suggested Nessus from Tenable? Will try that too!
Is there software that can alert me to outbound traffic, to detect keyloggers or whatnot phoning back to the owner?

I'm curious how an app can be installed from a browser without me noticing? Wouldn't a UAC permission window pop up? I'm very careful what I download too.
 
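An added example, not code from anyone in this thread: it performs the check Ketchup describes (is anything running from that Temp folder?) and answers the "what is phoning out" question above by listing running processes and Run-key autostart entries whose executable sits under AppData\Local\Temp, with each binary's Authenticode signature status and its current TCP connections. It assumes Windows 7 or later with PowerShell 2.0+, run from an elevated prompt; netstat and the two Run keys are standard Windows.

```powershell
# Added example, not code from any post in this thread. Flags running processes and
# Run-key autostart entries whose executable lives under AppData\Local\Temp (where the
# OP found the TeamViewer binary), prints each binary's Authenticode signature status,
# and lists the TCP connections those processes hold.
# Assumes Windows 7+ with PowerShell 2.0+, run elevated so every process Path is readable.
# "netstat -ano" is used instead of Get-NetTCPConnection, which only exists on Windows 8+.

$tempPattern = '\\AppData\\Local\\Temp\\'

# Map PID -> TCP connections from netstat -ano (columns: Proto Local Foreign State PID).
$connByPid = @{}
netstat -ano | Select-String '^\s*TCP' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'
    if ($f.Count -ge 5) {
        if (-not $connByPid.ContainsKey($f[4])) { $connByPid[$f[4]] = @() }
        $connByPid[$f[4]] += ('{0,-12} {1} -> {2}' -f $f[3], $f[1], $f[2])
    }
}

# 1. Processes started from a Temp directory: path, signer, and live connections.
#    Path is $null for processes this session cannot open, so those are skipped.
Get-Process | Where-Object { $_.Path -and $_.Path -match $tempPattern } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Output ("PROCESS {0} (PID {1})" -f $_.ProcessName, $_.Id)
    Write-Output ("  path:      {0}" -f $_.Path)
    Write-Output ("  signature: {0} {1}" -f $sig.Status, $signer)
    $key = [string]$_.Id
    if ($connByPid.ContainsKey($key)) {
        foreach ($c in $connByPid[$key]) { Write-Output "  tcp:       $c" }
    }
}

# 2. Autostart entries pointing into a Temp directory; an entry here is how a binary
#    dropped in Temp comes back after every logon without ever touching Program Files.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip provider metadata (PSPath etc.)
        if ([string]$prop.Value -match $tempPattern) {
            Write-Output ("AUTORUN {0}\{1} = {2}" -f $rk, $prop.Name, $prop.Value)
        }
    }
}
```

A legitimately installed TeamViewer shows a Valid signature from TeamViewer and a path under Program Files; an unsigned or HashMismatch binary in Temp with an established connection is what to capture (path, hash, remote address) before wiping.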

luv2liv

Diamond Member
Dec 27, 2001
> Wow. Lots of Trojans. Delete the partition and do a fresh install.

OK, I will delete the partition and do a fresh install from DVD again. And definitely buying this Malwarebytes scanner too! $60 is very reasonable for 3 machines.
 

Elixer

Lifer
May 7, 2002
> OK, I will delete the partition and do a fresh install from DVD again. And definitely buying this Malwarebytes scanner too! $60 is very reasonable for 3 machines.

No, don't delete the partition.
Secure erase the whole darn drive.

Since you said you did a "clean install" before, and you STILL got infected, something seems to be living on the boot partitions (or...), so, just secure erase the whole drive, not quick format either.
 

luv2liv

Diamond Member
Dec 27, 2001
> No, don't delete the partition.
> Secure erase the whole darn drive.

You mean write zeroes to the drive? As when I sell drives on eBay? I can Google later but just want to confirm that's what you meant.
 

bononos

Diamond Member
Aug 21, 2011
> You mean write zeroes to the drive? As when I sell drives on eBay? I can Google later but just want to confirm that's what you meant.

I think that's what he meant. I wouldn't bother because it would take a very long time if you have a large drive. Maybe the quick 16kb option in the disk eraser would work, but what I normally do is run a zeroing program and then break/quit after about 100Mb or so.