
Hijacked Internet connection - trojan? Help Please



Quick update:  house maintenance is taking a lot longer than expected - won't be able to run KRD10 until Friday.

It looks as though the CMOS battery needs replacing in the 64bit Win7 PC - from one boot to the next (dropping into BIOS settings), the clock doesn't seem to be running - the system time hasn't changed from the last time I set it.  Unless malware can actually stop the clock, I doubt that that's the issue.  Of course, once into the OS, Windows keeps track of the time.  Ho hum.

Edit: Hmm, may have spoken too soon - after leaving the PC alone & running for two hours, the Windows time is still roughly at the time I set it two hours ago.

 


Sorry, I didn't get a chance to sit down at the PC yesterday - and will be busy a lot of today too.  The last thing I did was to run the old KRD10 disk through the 64bit Win7 PC (the one whose clock was playing up - I've now bought a new CMOS battery and will fit it later, but when I powered up after over 24hrs of being off, the clock was still correct - hmm).  The scan threw up nothing except some 'processing error' / 'password protected' DataStoreAndWULogfiles.zip files in the local/ElevatedDiagnostics folder (which was created April 19, 2015 but modified June 8, 2018).  I did try to upgrade the Win 7 to Win 10 a couple of years ago but it failed on that drive (a SSD); some remnants may still be lurking around. I did get the upgrade running on a HD but I need the speed of a SSD for uncompressed video capture on that PC - so I never did get round to making a permanent switchover to Win10; now might be the time to do it.

Yesterday my Sony tablet (Xperia Z) was the center of my concerns. Since all these unusual problems began back in April/May, it has had a tendency to suddenly reboot itself (no warning), maybe two or three times in succession, not long after powering up (which is not often these days - which leads to a lot of updating of apps).  Neither Malwarebytes nor AVG picks up anything on scans.  I'm not sure what to make of it.  I would have thought legitimate app updates would give warning of an impending reboot.  I might have to start a thread in the Android section.

I will keep you in touch.

Ken.


Hi Ron,

Finally got round to downloading the 2018 version of KRD (didn't realize that KRD10 is no longer supported) and burning a CD.  I had to run the tool without Internet access (and got the cloud/base update warning), but the database being used was dated yesterday (the same as on a machine with Internet access - so I guess it's the latest).

Attached are photos of the report for the 32bit Win 7 machine, the second one shows the bottom three entries that are not on the first photo.

As you can see, the entry to worry about is: Rootkit.Win32.HijRMS.ac in the file ProgramFiles/SecondLifeViewer/winmm.dll

As yet, I have not selected an action and moved on - I thought I'd wait for your advice. I did wonder about submitting it to VirusTotal but I can't do that if I accept the recommended action of 'Delete'.

Cheers,

Ken

 

Attachments: KRDreport 002b.jpg, KRDreport 001b.jpg

Update:  I copied the winmm.dll file onto a flash drive and uploaded it to VirusTotal using a machine on the 'net.  The report is below.

Note MD5 and SHA-256 are the same as given by KRD.

Btw. The app it belongs to is old (2014) and no longer used.

Do you think KRD/Tencent are reporting a false positive? 

Cheers,

Ken

 

One engine detected this file
 
 
SHA-256 3832bbb60ff49f234e797509994248ef60ed07de0d5b720d25aa9e577e8add3d
File name winmm.dll
File size 76.5 KB
Last analysis 2018-07-01 23:14:26 UTC

 

ALL AV SCANNERS (inc Kaspersky) report 'CLEAN' except for this one (after a re-analysis): 

Tencent: Win32.Rootkit.Hijrms.Wtxy

 

Basic Properties

MD5
6eda8aeac03d056b51ce71ef84c2ffaa
SHA-1
64d6cd932980500662e72dd5fb9af4ad355d4f03
Authentihash
a902bfeafe0612bf85eda400c89600c569e0a10d2aba80a9a2d58813a4ed9838
Imphash
2469dfb6a433edc674c19468e1a84b12
File Type
Win32 DLL
Magic
PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
SSDeep
1536:39INbNgxY6WJ4yDPnQdakO1axwWqmQra:39I3gxYLJ4zjxv8ra
TRiD
Win32 Executable MS Visual C++ (generic) (67.3%) Win32 Dynamic Link Library (generic) (14.2%) Win32 Executable (generic) (9.7%) Generic Win/DOS Executable (4.3%) DOS Executable Generic (4.3%)
File Size
76.5 KB

Tags

pedll

History

Creation Time
2014-10-01 17:51:52
First Submission
2014-10-07 02:05:06
Last Submission
2014-10-07 02:05:06
Last Analysis
2014-11-01 21:19:55

File Names

  • winmm.dll
  • d4f44cea6a6a7c6875add1c415a6b736bbdf7b7fdd832a7089fbbe22a0d31960

Portable Executable Info

Header

Target Machine
Intel 386 or later processors and compatible processors
Compilation Timestamp
2014-10-01 17:51:52
Entry Point
15538
Contained Sections
4

Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             46883         47104     6.64     09735074e24a47dfeb129ddba072df9c
.rdata  53248            19558         19968     5.18     845602809cc90265be2fc63c2f4cbf1b
.data   73728            8220          4096      3.88     6fb9ce0a0e4c4e5b4210c97f5389df6b
.reloc  86016            6096          6144      4.76     456107ec39627bd6115d58f3d1a8845a

Imports

  • KERNEL32.dll
  • USER32.dll

Exports

  • CloseDriver
  • DefDriverProc
  • DriverCallback
  • DrvGetModuleHandle
  • GetDriverModuleHandle
  • OpenDriver
  • PlaySoundA
  • PlaySoundW
  • SendDriverMessage
  • auxGetDevCapsA

ExifTool File Metadata

CodeSize
47104
EntryPoint
0x3cb2
FileType
Win32 DLL
ImageVersion
0.0
InitializedDataSize
34816
LinkerVersion
10.0
MIMEType
application/octet-stream
MachineType
Intel 386 or later, and compatibles
OSVersion
5.1
PEType
PE32
Subsystem
Windows command line
SubsystemVersion
5.1
TimeStamp
2014:10:01 18:51:52+01:00
UninitializedDataSize
0
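Ken's note that the MD5 and SHA-256 from KRD match the VirusTotal report, and the per-section entropy figures in the PE info, are both things worth verifying locally before deciding whether a lone detection is a false positive. The following Python script is an added example and is not from the original post nor from KRD or VirusTotal: it recomputes MD5/SHA-1/SHA-256 for a file and compares them with the digests quoted above, and computes Shannon entropy the way the section table reports it. The 7.2 bits/byte threshold for "suspiciously high" entropy is a rule of thumb I am assuming, not a figure from the page, and the only sample input is constructed.

```python
import hashlib
import math
from collections import Counter

# Digests for winmm.dll as reported on the page by KRD and VirusTotal.
REPORTED_HASHES = {
    "md5": "6eda8aeac03d056b51ce71ef84c2ffaa",
    "sha1": "64d6cd932980500662e72dd5fb9af4ad355d4f03",
    "sha256": "3832bbb60ff49f234e797509994248ef60ed07de0d5b720d25aa9e577e8add3d",
}

# Per-section entropy from the VirusTotal PE info on the page.
REPORTED_SECTIONS = {".text": 6.64, ".rdata": 5.18, ".data": 3.88, ".reloc": 4.76}

# Rule-of-thumb threshold (assumption, not from the page): compiled x86 code
# usually lands around 6-7 bits/byte; packed or encrypted payloads sit higher.
HIGH_ENTROPY = 7.2

EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_reported(reported: dict) -> bool:
    """True if every reported digest is well-formed hex of the right length."""
    for name, digest in reported.items():
        if len(digest) != EXPECTED_HEX_LEN[name]:
            return False
        try:
            int(digest, 16)
        except ValueError:
            return False
    return True


def file_hashes(data: bytes) -> dict:
    """Recompute the three digests a scanner report normally quotes."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED_HEX_LEN}


def hashes_match(data: bytes, reported: dict) -> dict:
    """Per-algorithm comparison: the bytes on disk vs. the bytes VT analysed."""
    local = file_hashes(data)
    return {name: local[name] == digest.lower() for name, digest in reported.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same measure VT shows per PE section."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_high_entropy(sections: dict, threshold: float = HIGH_ENTROPY) -> list:
    """Names of sections at or above the packed/encrypted rule-of-thumb line."""
    return sorted(name for name, h in sections.items() if h >= threshold)


def check_file(path: str, reported: dict = REPORTED_HASHES) -> dict:
    """Hash a file on disk, compare with the report, and give whole-file entropy."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": len(data),
        "match": hashes_match(data, reported),
        "entropy": round(shannon_entropy(data), 2),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        print("usage: check.py <file>")
```

Run it as `python check.py <path to winmm.dll>`. An all-False match means VirusTotal analysed different bytes from the file on disk, which would make its verdict irrelevant to the file in question. None of the sections in the report crosses the threshold, and .text at 6.64 is ordinary for compiled x86 code, so the entropy figures on their own do not argue for a packed payload.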

Shall I skip all then?  I will use KRD2018 on the other machines tomorrow.  I was just trying to install KB4284848 (June cumulative update) on the Win10 machine and it couldn't complete after about 95% (0x800f0922) - ho hum.  Will try again tomorrow.

Goodnight,

Ken


Thanks Ron,

I agree, the tools we have used do not seem to have revealed anything but my Windows Update issues (weird downloading pattern on the 32bit win7 and now the latest WU failure on the Win10 PC) make me very uneasy.

I shall look at the Win10 update again today.

One thing that struck me as odd yesterday: I burned the KRD CD on a Win10 laptop, and not long after booting it (not connected to the 'net) I was notified that Drive E: was running out of space (42Mb left out of 450Mb, yet it reports as being empty).  Now, Drive E: seems to be a small NTFS OEM partition; alongside it there is a 100Mb system partition, and the rest of the 128Gb SSD is Drive C.  I didn't set up this machine but I'm wondering what is using up the space.

I mention this because, from what I gather about the WU failure 0x800f0922 on Win10, it can be caused by the (hidden) system partition being short on space (also firewalls can get in the way, so I'll have to deal with that too).

As you know, I have been worried that my machines are being virtualized - AV scanners find no infections because in the VM everything is running normally.  I wonder if, when shutting down a machine, the filesystem is returned to some sort of 'normal' state and so the likes of KRD don't see a problem either.

Are there any other tools that might detect this sort of activity?

Cheers,

Ken.


Ron, a quick question:

I have investigated the System Reserved Partition on the Win10 desktop PC - I assigned a drive letter and explored it.

I find there is a Kaspersky Rescue Disk 10 folder in there with over 400Mb of files.  Clearly, this would seem to be the cause of the problem of low drive space.

Can I simply delete the KRD10 folder from the SRP - or is there a specific method I need to follow?

Cheers,

Ken


  • Root Admin

Sorry for the delay Ken, but yes I would say removing the files from there would be safe. Glad you got your answer.

Yes, at this time the only thing that appears to be wrong is just oddball Windows configuration, installation, operational issues. A fresh installation of Windows would cure that?

Keep me posted though.

Ron

 


I think you have the patience of Job - thank you Ron.

The Win10 update went ok this time and the machine seems 'normal' at this time.  I still have the laptop to sort out - see if that's the same KRD10 problem - but that will wait until tomorrow.

I'm using the 32bit Win7 PC at the moment, letting it soak in the Internet for a little while; it's ok-ish but I'll be keeping my eye on it - what I don't like is the screen flash when I open new windows (it makes me think they're being grabbed) and long white pauses when I first open Chrome or Firefox - but that may just be the slowness of this PC and updated browser operation.  As you say, maybe it's time to refresh or replace.

Thank you again for all your time, I'll keep you informed of any developments.

Ken


  • Root Admin

Did you try resetting the browsers?

Have you updated the video drivers from an official source?

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • Open Chrome and at the top right, click the three-dot menu, then More tools, then Extensions.
  • Write down the list of Extensions installed.
  • Next, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the Run dialog box.
  • Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  4. (Screenshot in the original post: all files and folders selected, except Bookmarks.)

 

Restart your computer now and make sure there are no longer any redirects or other browser issues and let me know the results

Thanks

Ron

 

 

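Ron's Chrome steps come down to: close Chrome, then delete everything under %localappdata%\Google\Chrome\User Data\Default except Bookmarks and Bookmarks.bak. As an added example, not part of Ron's post or of any Chrome tooling, the Python script below does the same thing with a dry-run mode so you can see what would go before committing, plus a demo() that exercises the logic on a constructed throwaway profile folder in a temp directory rather than a real one. The tasklist-based "is Chrome running" check is my assumption for Windows hosts; the profile path is the one from the post.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# The two files Ron's procedure keeps; everything else in the profile folder goes.
KEEP = frozenset({"Bookmarks", "Bookmarks.bak"})


def default_profile_dir() -> Path:
    """%localappdata%\\Google\\Chrome\\User Data\\Default, the folder named in the post."""
    base = os.environ.get("LOCALAPPDATA")
    if not base:
        raise RuntimeError("LOCALAPPDATA is not set; pass the profile path explicitly")
    return Path(base) / "Google" / "Chrome" / "User Data" / "Default"


def chrome_running() -> bool:
    """Chrome must be closed first. On Windows ask tasklist (assumed check);
    elsewhere there is no Chrome profile to reset, so report not running."""
    if os.name != "nt":
        return False
    out = subprocess.run(
        ["tasklist", "/FI", "IMAGENAME eq chrome.exe", "/NH"],
        capture_output=True, text=True,
    ).stdout
    return "chrome.exe" in out.lower()


def reset_profile(profile: Path, keep=KEEP, dry_run: bool = False) -> dict:
    """Delete every entry in `profile` except those named in `keep`.
    With dry_run=True nothing is touched; the return value shows the plan."""
    if not profile.is_dir():
        raise FileNotFoundError(profile)
    removed, kept = [], []
    for entry in sorted(profile.iterdir()):
        if entry.name in keep:
            kept.append(entry.name)
            continue
        removed.append(entry.name)
        if dry_run:
            continue
        # Don't follow symlinked directories out of the profile folder.
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()
    return {"removed": removed, "kept": kept, "dry_run": dry_run}


def demo(dry_run: bool = False) -> dict:
    """Constructed stand-in profile in a temp dir, so the logic can be run
    without touching a real Chrome install. Cleans up after itself."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-demo-"))
    for name in ("Bookmarks", "Bookmarks.bak", "Preferences", "Login Data"):
        (root / name).write_text("constructed sample content")
    (root / "Cache").mkdir()
    (root / "Cache" / "data_0").write_bytes(b"\x00" * 16)
    (root / "Extensions").mkdir()
    result = reset_profile(root, dry_run=dry_run)
    result["remaining"] = sorted(p.name for p in root.iterdir())
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    # Default to a dry run against the real profile; rerun with dry_run=False to delete.
    if chrome_running():
        raise SystemExit("close Chrome first")
    print(reset_profile(default_profile_dir(), dry_run=True))
```

Running the script as-is only prints the plan for the real profile; change the final call to dry_run=False once the list looks right. Extensions are wiped along with everything else, which is why the post tells you to write them down first.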

Hi Ron, thanks for that.

I recently had a graphics card driver (IIRC) update on the 32bit Win7 PC but will check it again.  I will try the browser reset later in the week and see if that makes any difference.

Is the Google Sync thingy the same as their Backup & Sync service that links with the Android app Google Photos?  It was that that was playing up in the first place.

Cheers,

Ken


Yes, their photo backup/sharing service has gone through several incarnations (and that may be the cause of some of the issues) - I know other users have had issues.

Yes, I'd updated the GPU driver in May.  Last night my wife's Win10 machine threw up a 'redirect' in Firefox - I'd used Google to search for washing machines (ours has just broken down and that's going to take me away from the PC problems for a while) and it wouldn't respond to a left-click on a link.  I used a right-click to open the link in a new tab and got a black screen with small text saying that the previous page was trying to redirect to the page I wanted.  Seems odd, as that is what I wanted it to do, but I also had a 'Cannot make a secure connection' error last week - after checking that out it seems Firefox have introduced some new SSL (1.3?) security protocol that Avast may not be ready to handle, but this black screen worried me - I've never seen it before.  In fact I didn't quite follow the reference to 'redirections' in your last message.  I had thought that that PC was 'clean-ish' but now I'm wondering.

Cheers,

Ken


I'm sorry I haven't updated the thread - I've not had much time to work on the PCs the last couple of days (and will still be busy for the next few days).  Reading around, I think Google Photos on the Sony tablet is causing the sudden crashes - maybe due to a corrupt photo - I'm still investigating.

Cheers,

Ken


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
