Really Hidden Trojan, or, Not?

Discussion in 'malware problems & news' started by Gasp, Mar 14, 2010.

Thread Status:
Not open for further replies.
  1. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    How do you remove malware you can't find?

    We have a PC here which has been hacked by what appears to be a keylogger. So far various accounts have been hacked including warcraft, email / msn, and possibly a few other bits and bobs. The accounts were recovered then hacked again hours later which indicates to me there is a keylogger present.

    We have run several advanced scans of the machine with several different anti-malware products. No signs of a trojan being present on the system. HijackThis and Process Monitor also look clean. We then assumed this trojan / keylogger is being hidden by a rootkit. We downloaded and ran GMER, AVG AntiRoot, Rootkit Revealer and Sophos AntiRoot. There was one small finding from Sophos, which found a hidden tmp file in the Windows temp folder. The temp file has now been removed, but this doesn't help find the malware.

    What is the next course of action?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3
     
  3. biscuits

    biscuits Registered Member

    Joined:
    Feb 16, 2010
    Posts:
    111
    Have you considered backing up your data then reformatting your system drive?

    Also, when you try to recover your accounts and change your passwords use a different PC.
     
  4. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    The passwords were changed after the accounts were hacked for the first time; shortly after they were changed, they were hacked again.

    Reformatting is an easy quick-fix which I may have to use but right now I am looking for the educational solution. How can I be sure there is malware, and how can I find it?
     
  5. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi
    Do change your security questions and all.... If you were hacked once, there is a good possibility that somebody read all your security questions and is now trying to use that method to hack your accounts. I also request you to shoot some random mails and delete them from your account, and do remember the IDs you sent those mails to; this will help you to get back your mails....

    I know all this because once I hacked an email ID through social engineering, locked it back, and after that compromised those emails through this method.

    I know this is a crime, but I did that... :D
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Gasp

    Hi,

    Highly recommended and should prevent keylogging.

    Zemana AntiLogger Fully functional 15-day trial http://www.zemana.com/AntiloggerOverview.aspx

    You could have one of the TDL3 type rootkits, these can help.

    TDL3 detectors & removers available for download http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19

    As you've already used GMER etc., here are some further suggestions for you.

    Rootkit Unhooker LE 3.8.386.589 SR1 https://www.rootkit.com/blog.php?newsid=997

    IceSword 1.22 (english) http://www.kernelmode.info/ARKs/IceSword122en.zip

    Kernel Detective v1.3.1 http://www.at4re.com/f/showthread.php?4385-Kernel-Detective-v1.3.1-by-GamingMaster-AT4RE

    Hidden Driver Detection Test, and lots more http://www.ntinternals.org/driver_detection_test.php

    Hope you sort it out :thumb:
     
  7. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    Thanks Clone, I have tried a few of your suggestions but nothing.

    One thing which was strange was that when running Sysinternals Rootkit Revealer it started to list a few registry entries and files, but before I had a chance to read them the computer blue screened. Rebooted and tried again. As soon as it started to list, it BSOD'd again.
     
  8. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Have you tried Hitman Pro?
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Gasp

    What OS is it ?

    http://technet.microsoft.com/en-gb/sysinternals/bb897445.aspx

    RKR was a nice effort at the time, but hasn't been updated for several years, and has been superseded by other ARKs, such as those I listed.

    RKR can give lots of FPs, especially if you don't shut down as many apps etc. as possible beforehand, and if you use the comp for ANYTHING else whilst scanning.

    http://forum.sysinternals.com/forum_posts.asp?TID=2351

    http://forum.sysinternals.com/forum_topics.asp?FID=15
     
  10. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Have you tried Hitman Pro or RootRepeal?
     
  11. biscuits

    biscuits Registered Member

    Joined:
    Feb 16, 2010
    Posts:
    111
    Okay, for the sake of education, try scanning your system drive in another computer (preferably a PC with a cleanly installed OS on a newly formatted HD). Make an image of the PC before you connect your possibly infected HDD. This image shall serve as the control for the experiment. After you're through with this, turn off the PC, connect the possibly infected HDD, then reboot. Now scan your HDD using Sysinternals Rootkit Revealer or any rootkit scanner. If a rootkit is detected, then good. However, removing them can be a pain. That is why I recommend a full reformat.

    If a BSOD appears, turn off the PC, disconnect the possibly infected HDD or just disable it in the BIOS, then load the image you made a while ago. Now scan your system. If nothing comes up, then good, because we now know that there is an infection in your HDD caused by a worm/virus (other malware doesn't replicate) and a rootkit (or many rootkits) that hides them. As for the presence of a keylogger, we don't know yet.

    As for your accounts, try changing all the details (as suggested by avinash, and with a strong password) using a different PC and, if possible, a different ISP. After that, immediately delete all the notifications you received regarding the account changes.

    P.S. Have you received emails from noreply@blizzard.com?
     