Networkit

  1. Thank you @AdvancedSetup. Is it possible that the virus was injected into the BIOS/UEFI or some other space?
  2. Do you mean that the old Windows installer from the disc may not cope with the correct formatting of the disk? What should I tell a local computer IT technician who specializes in security if I decide to?
  3. I have the folders USOShared, WindowsHolographicDevices and SoftwareDistribution with ETL logs. They have a pre-format creation date. The folders All Users and Default User have the same pre-format creation date. Could this be a sign?
  4. At that time, I deleted all partitions from the disc with the Windows CD functions and installed fresh Windows from the CD offline. I never used a Microsoft online account for the installation. I rent a router, but I did a factory reset with the button several times before I connected it to the internet. I created a new, very strong password and SSID name, and I also disabled remote management and WPS. I wanted to, but I can't create a separate network for Wi-Fi because it can only support one network. It's updated (no longer supported). And after this, the RAT was still active. I did it again a few weeks ago. I will check this: disable acceptance of ICMP pings; specifically set firewall rules to BLOCK TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034.
  5. Thank you @AdvancedSetup. I've already tried these scanners after the new format. I scan with these scanners from time to time, but even when the RAT was actually active, it was undetected by any of these scanners. It's a very advanced RAT or something else. What else can it be? Somehow, the scanners can't detect it. I don't know how this malware is made. New scans:
     - AdwCleaner (no detection)
     - aswMBR (crashing during scan, can't complete scan)
     - Emsisoft Emergency Kit (no detection)
     - ESET Online Scanner (detected USB Disc Security as PUP Win32/Adware.Linkzb.A)
     - Farbar Recovery Scan Tool (no detection - done after a very fresh format and checked by a specialist)
     - Farbar Service Scanner (?)
     - F-Secure Online Scanner (no detection)
     - Microsoft Safety Scanner (no detection)
     - RKill (no detection)
     - Sophos Virus Removal Tool (no detection)
     I tried them a few weeks ago, but I will do new scans this week:
     - ClamWin
     - Diag
     - HouseCall
     - Malwarebytes
     - Norton Power Eraser
     - Panda Cloud Cleaner
     - RogueKiller
     - SUPERAntiSpyware
     - Stinger
     - Zemana AntiMalware
     - Windows Defender
     Can you recommend any other tools?
     msert.log
  6. I didn't log in to the home system directly with work credentials (work account). I only logged in to the home system with the candidate account, and my work account was separate, but I don't know if they had access to both credentials; both were managed by that company, so it probably doesn't matter. Anyway, I connected the company's laptop to the home router and it happened. I reported it to my supervisor, but he said it's not possible (good joke).
  7. Thank you @AdvancedSetup. "These type of access permissions can easily happen if you're using Microsoft software from a business on your home system and logging in with work credentials. It will ask you if you want the organization to be able to manage all apps on the system type of question." You mean the company laptop was "officially" managed by the company? Yes, I know, so a hidden remote connection to that company's laptop was nothing special? It's like his laptop was connected to my network? It seems that if someone is connected to the same network, it is very easy to get to other devices. Very easy for a technician. Let's try to fix it, but what if it's not in the system (not in Windows)? It may be in the BIOS/UEFI, firmware, a controller, etc. (where else in the PC parts could it be?). It may be faking Windows files, or it's just using Windows resources in a hidden way. It's not a simple RAT, which you could disable from msconfig or whose infected files you could find with a scanner. What should I look for? Is it possible that the RAT has its own hidden disc sector, and that it falsifies the disc size while I'm formatting Windows from the CD? It has to come back somehow from somewhere.
  8. I can't edit posts, but this is my last update for now. I think ssh is worth mentioning and was used in this case. I think it was a remote kernel or whatever which sets up an ssh connection with port forwarding to a remote host, or something like that. Whoever did this must be really good at networks and systems. I think it's more than just CCNA knowledge.
  9. I remember that the "Reset this PC" option didn't work then (factory settings of Windows 10). If I go to "For developers" from "Update & Security", there is a double UAC prompt, and the second time the whole screen behind the UAC is black. Btw. the entire "Accounts" menu works slowly or never loads.
  10. I noticed that the "Allow VPN over metered networks" and "Allow VPN while roaming" options are always on, but there is no VPN connection above. Same with "Sync your settings". Interesting, now I can't access "Sync your settings" from "Accounts" (it's stuck), and I couldn't access "Activity History" from "General", but this time it turned on for 5 seconds and then the whole menu disappeared. The option "Allow Remote Assistance connections to this computer" in "Remote Assistance" from "System Properties" enables itself, and when I click "Advanced", "Allow this computer to be controlled remotely" from "Remote Assistance Settings" is enabled too. "Set the maximum amount of time invitations can remain open" is set to "6 Hours".
  11. Thank you for the information. I'm sending the file. Greetings.
      mbst-grab-results.zip
  12. Hello. I'm trying to figure out how someone could hack all the devices in my network, like laptops and smartphones, with an unknown threat - probably a RAT (Remote Access Trojan or Remote Administration Tool?). I don't know which malware exactly it is, but they are able to monitor my whole laptop, smartphone or network activity, and currently it's fully hidden, so it sounds like a RAT. This is a very advanced RAT which is entirely hidden, and I don't know what to look for. There is no suspicious file or process (it's impossible to tell it apart from legitimate files and processes - will I find out from the file dates?). It had to have survived a few formats from the Windows CD, or it comes back from infected flash drives. It happened during remote work, and somehow it went from the company's laptop through my network to my private devices. I think I will create another thread to try to remove it, because it's too big. For now, I just want to know how it all happened. Once, I had to work remotely, so I connected a company laptop to my family's network (via Wi-Fi), so I had to type the password of my network (technically it's one network, so you can connect via cable without a password, and you can connect via Wi-Fi with the network name and password, but it's a separate password from the router's admin). I knew this laptop had a keylogger, Cisco AnyConnect, Microsoft's monitoring software, two VPNs, yourphone.exe, Bluetooth, enabled synchronization, a domain user account (Windows), integrated OneDrive and more... It was an MDM laptop managed by IT administrators, and it was used by other past employees before. Funny fact: at work, an IT administrator needed my permission for remote access, and I was informed about such an attempt, but in my home somehow he accessed my private laptop just by connecting to my network. Exact way:
      1. I typed my Wi-Fi password on the company's laptop to connect it to my network and work, so the network name and password were saved in that laptop.
      2. The IT administrator had to silently start remote access (there was no information about a remote access session) on the company's laptop while it was in my network, and somehow it already allowed him to do something (what exactly?). He connected to all devices one by one with Cisco AnyConnect? How? He had full access to that company's laptop. My router had the firewall turned off, but the devices had their own Windows firewall and were set to hidden in the network (connected as if to a public network).
      2. I didn't notice anything, except big lags on my private laptop, so he connected from the company's laptop through the network via Cisco AnyConnect to my private laptop at that moment? Then I restarted the private laptop, but I didn't know what was going on, so they could continue later when I wasn't checking the private laptop, or they had already installed something. Windows Defender and the Windows firewall were sleeping well... I didn't notice lags on the company's laptop, but it was always working slower than I think it should, so there had to be something working in the background all the time.
      3. Later I realized what actually happened, and I only found an already uninstalled Cisco AnyConnect (not installed by me) on my private laptop and other files with names like "backdoor" etc. with unknown file extensions.
      4. Some unknown shell with a kernel error popped up during the uninstallation of some program installed by me a few months ago. I replaced the drive in this laptop and formatted the other devices, but the RAT was still working without any signs. So Cisco AnyConnect was used to install the RAT on my devices?
      5. There is still something that I can't find. I don't know if it's a RAT or something else. Probably it's outside Windows. I tried 20 different scanners and nothing is detectable. The logs from Farbar are clean too. For Malwarebytes the system is clean too.
      6. I think the Windows Credentials are faked - that's why it's undetectable. Control Panel\User Accounts\Credential Manager had some active session with a login and password ("Windows credential" and "Certificate based credential" menu). I don't know if it's a legitimate file or not, or what caused it.
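The firewall hardening that post 4 says it will check (dropping inbound ICMP pings and blocking inbound TCP/UDP 135-139, 445, 1234, 3389, 5555 and 9034), together with a read-out of the Remote Assistance setting that post 10 reports re-enabling itself, written out as Windows PowerShell. This is an added example, not something posted in the thread; it assumes an elevated PowerShell prompt on Windows 10 with the built-in Windows Defender Firewall, and the rule display names are arbitrary labels chosen here.

```powershell
# Added example (not from the thread): inbound block rules for the port list
# quoted in post 4. Run from an elevated (Administrator) PowerShell prompt.
$ports = @("135-139", "445", "1234", "3389", "5555", "9034")

foreach ($proto in @("TCP", "UDP")) {
    New-NetFirewallRule -DisplayName "Block inbound $proto (post 4 list)" `
        -Direction Inbound -Protocol $proto -LocalPort $ports `
        -Profile Any -Action Block -Enabled True | Out-Null
}

# Drop inbound ICMPv4 Echo Request (type 8) so the host stops answering pings.
New-NetFirewallRule -DisplayName "Block inbound ICMPv4 echo (post 4)" `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -Profile Any -Action Block -Enabled True | Out-Null

# Verify: list the rules just created with the protocol/port filter attached.
Get-NetFirewallRule -DisplayName "Block inbound*" | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    "{0,-40} {1,-6} ports={2} icmp={3}" -f $_.DisplayName, $filter.Protocol,
        ($filter.LocalPort -join ","), $filter.IcmpType
}

# Post 10 reports "Allow Remote Assistance connections" switching itself on.
# Read the backing registry values: both should be 0 when Remote Assistance
# is off, so a change here is worth noticing between checks.
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" |
    Select-Object fAllowToGetHelp, fAllowFullControl
```

Re-run the verification part after a reboot: if the block rules are gone or the Remote Assistance values have flipped back to 1, that change itself is the event to investigate.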