
Need a bit of assistance


Mojo_Monkey


Last week my RuneScape account had its password changed (hacked). I'm convinced I have a keylogger because today, after I recovered my account and made a new password, the same thing happened again. You're going to say "Why didn't you scan?" and my response is... I did. I used Avast at first last week and came up with nothing. Then today, after my password was changed again, I downloaded and scanned with MSE and Malwarebytes.

 

All three programs ended up coming up with nothing.

 

Please help

 

Oh, I also looked and used the tips from the other threads here to no avail.


Download AVG Antivirus if you haven't yet. That should catch it. Otherwise, try a system restore to a date you know won't have the keylogger. Try to remember if you downloaded anything dodgy in the past few days, then pick a date before that.


There has to be something that caused it. Have you opened any phishing e-mails? Or clicked any links that could be malicious within your e-mails? A keylogger doesn't just pop out of nowhere. It's either that, or someone got your personal info somehow and hacked you.

 

EDIT: Yes, that's also a very simple answer to your questions. Your e-mail could have been compromised. It's pretty easy to do that.


Download AVG Antivirus if you haven't yet. That should catch it. Otherwise, try a system restore to a date you know won't have the keylogger. Try to remember if you downloaded anything dodgy in the past few days, then pick a date before that.

 

I suggest against downloading AVG. The antiviruses used in the OP are already much better than AVG.

 

What I'm thinking here is that there are no keyloggers. Either your info is too easy to find, or your password is too weak.

I would still run a scan (and save a logfile) with HijackThis, and post the information of the logfile here so we can check what's running.


Download AVG Antivirus if you haven't yet. That should catch it. Otherwise, try a system restore to a date you know won't have the keylogger. Try to remember if you downloaded anything dodgy in the past few days, then pick a date before that.

 

I suggest against downloading AVG. The antiviruses used in the OP are already much better than AVG.

 

What I'm thinking here is that there are no keyloggers. Either your info is too easy to find, or your password is too weak.

I would still run a scan (and save a logfile) with HijackThis, and post the information of the logfile here so we can check what's running.

I'll agree with you.

 

Make sure your password uses capitalization as well as numeric characters and is at the very least eight characters long for maximum strength. And of course, keep it private!


I don't think my password was weak; it was 17 long with numbers and letters, and when I changed it I made it even longer (I think 20 long is the maximum for an RS pass). Thanks for your guys' help, I'll download the program and post the results in a minute (just woke up).

 

Thank you sooo much

 

Quick question, where do you download "Hijackthis"?

 

Edit: never mind, I just had to do some looking around on the site.


Okay, I did it. Here's what it came up with:

[hide]

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:13:42 AM, on 8/3/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16447)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler[Caution: Executable File]

C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray[Caution: Executable File]

C:\Program Files (x86)\PictureMover\Bin\PictureMover[Caution: Executable File]

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM[Caution: Executable File]

C:\Program Files (x86)\Secunia\PSI\psi_tray[Caution: Executable File]

C:\Program Files\AVAST Software\Avast\AvastUI[Caution: Executable File]

C:\Program Files (x86)\iTunes\iTunesHelper[Caution: Executable File]

C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\AppData\Local\Google\Chrome\Application\chrome[Caution: Executable File]

C:\Users\Vincent\Downloads\HijackThis[Caution: Executable File]

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/CQNOT/1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/CQNOT/1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQNOT/1

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: IObit Toolbar - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files (x86)\IObit Toolbar\IE\6.2\iobitToolbarIE.dll

F2 - REG:system.ini: UserInit=userinit[Caution: Executable File]

O2 - BHO: IObit Toolbar - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files (x86)\IObit Toolbar\IE\6.2\iobitToolbarIE.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O3 - Toolbar: IObit Toolbar - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files (x86)\IObit Toolbar\IE\6.2\iobitToolbarIE.dll

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart[Caution: Executable File]" MSRun

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM[Caution: Executable File]"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask[Caution: Executable File]" -atboottime

O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI[Caution: Executable File]" /nogui

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper[Caution: Executable File]"

O4 - HKLM\..\Run: [iObit Malware Fighter] "C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF[Caution: Executable File]" /autostart

O4 - HKLM\..\Run: [searchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings[Caution: Executable File]"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui[Caution: Executable File] /install /silent

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel[Caution: Executable File] -hidden

O4 - HKCU\..\Run: [Google Update] "C:\Users\Vincent\AppData\Local\Google\Update\GoogleUpdate[Caution: Executable File]" /c

O4 - HKCU\..\Run: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray[Caution: Executable File]" /AutoStart

O4 - Global Startup: PictureMover.lnk = C:\Program Files (x86)\PictureMover\Bin\PictureMover[Caution: Executable File]

O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files (x86)\Secunia\PSI\psi_tray[Caution: Executable File]

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office14\EXCEL[Caution: Executable File]/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: Advanced SystemCare Service 5 (AdvancedSystemCareService5) - IObit - C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService[Caution: Executable File]

O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64[Caution: Executable File]

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc[Caution: Executable File]

O23 - Service: @%SystemRoot%\system32\Alg[Caution: Executable File],-112 (ALG) - Unknown owner - C:\Windows\System32\alg[Caution: Executable File] (file missing)

O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx[Caution: Executable File] (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService[Caution: Executable File]

O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files (x86)\Application Updater\ApplicationUpdater[Caution: Executable File]

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc[Caution: Executable File]

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder[Caution: Executable File]

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass[Caution: Executable File] (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc[Caution: Executable File] (file missing)

O23 - Service: HP Health Check Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service[Caution: Executable File]

O23 - Service: HP Wireless Assistant Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service[Caution: Executable File]

O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc[Caution: Executable File]) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc[Caution: Executable File]

O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex[Caution: Executable File]

O23 - Service: HPWMISVC - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC[Caution: Executable File]

O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv[Caution: Executable File]

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService[Caution: Executable File]

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass[Caution: Executable File] (file missing)

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService[Caution: Executable File]

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc[Caution: Executable File]

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc[Caution: Executable File] (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass[Caution: Executable File] (file missing)

O23 - Service: @%systemroot%\system32\Locator[Caution: Executable File],-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator[Caution: Executable File] (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass[Caution: Executable File] (file missing)

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec[Caution: Executable File]

O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA[Caution: Executable File]

O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua[Caution: Executable File]

O23 - Service: @%systemroot%\system32\spoolsv[Caution: Executable File],-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv[Caution: Executable File] (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc[Caution: Executable File],-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc[Caution: Executable File] (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect[Caution: Executable File],-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect[Caution: Executable File] (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass[Caution: Executable File] (file missing)

O23 - Service: @%SystemRoot%\system32\vds[Caution: Executable File],-100 (vds) - Unknown owner - C:\Windows\System32\vds[Caution: Executable File] (file missing)

O23 - Service: @%systemroot%\system32\vssvc[Caution: Executable File],-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc[Caution: Executable File] (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX[Caution: Executable File],-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc[Caution: Executable File] (file missing)

O23 - Service: @%systemroot%\system32\wbengine[Caution: Executable File],-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine[Caution: Executable File] (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv[Caution: Executable File],-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv[Caution: Executable File] (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk[Caution: Executable File],-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk[Caution: Executable File] (file missing)

 

--

End of file - 12098 bytes

[/hide]


Sorry for the delay, I'm having an extremely busy weekend.

 

Apart from the following line, for which I have no idea what the program is, everything seems fine.

O4 - HKLM\..\Run: [searchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings[Caution: Executable File]"

 

After further research on it, it appears that it has a very bad reputation. Here is an example with the WoT users: http://www.mywot.com/en/scorecard/spigot.com

 

Also, some sources (and some comments on that page) say that some Spigot software uses a browser exploit to install software that will capture your keystrokes. It looks like you do have a keylogger on your computer. If you go back to HijackThis, run it again, and fix the line that I pasted in this post, then the computer should be safe, but as additional measures, I'd still run an antivirus scan and a Malwarebytes scan.

Edited by Sbrideau
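A small triage script for the O4 (autostart) and O23 (service) lines of a HijackThis log like the one posted above. This is an added illustration, not part of the thread and not HijackThis's own code; it assumes the forum rewrote ".exe" as the "[Caution: Executable File]" marker, and the sample lines are copied from the posted log. The watchlist term is whatever the reviewer distrusts after a reputation check like the one Sbrideau did for Spigot; paths outside the usual program directories and services with an unknown owner are flagged for a look, not judged malicious.

```python
import re
from typing import List, Optional, Tuple

# The forum that hosted the log rewrites ".exe" as this marker (assumption drawn
# from entries such as "HijackThis[Caution: Executable File]").
EXE_MARKER = "[Caution: Executable File]"

# O4 autostart:  O4 - <where>: [<name>] "<path>" <args>   or   <x>.lnk = <path>
O4_RE = re.compile(
    r'^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+) = )'
    r'"?(?P<path>[A-Za-z]:\\.+?\.exe)"?(?: (?P<args>.*))?$', re.IGNORECASE)
# O23 service:   O23 - Service: <display> - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - '
    r'(?P<path>[A-Za-z]:\\.+?\.exe)(?P<missing> \(file missing\))?$', re.IGNORECASE)

# Where installed software is expected to live; an autostart outside these
# (user profile, temp, downloads) deserves a look even if it proves benign.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI[Caution: Executable File]" /nogui
O4 - HKLM\..\Run: [searchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings[Caution: Executable File]"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Vincent\AppData\Local\Google\Update\GoogleUpdate[Caution: Executable File]" /c
O4 - Global Startup: PictureMover.lnk = C:\Program Files (x86)\PictureMover\Bin\PictureMover[Caution: Executable File]
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui[Caution: Executable File] /install /silent
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files (x86)\Application Updater\ApplicationUpdater[Caution: Executable File]
O23 - Service: HPWMISVC - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC[Caution: Executable File]
O23 - Service: @%SystemRoot%\system32\Alg[Caution: Executable File],-112 (ALG) - Unknown owner - C:\Windows\System32\alg[Caution: Executable File] (file missing)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
"""


def parse_entry(line: str) -> Optional[dict]:
    """Parse one O4 or O23 line; lines from other sections return None."""
    line = line.replace(EXE_MARKER, ".exe").strip()
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", "name": m["name"] or m["lnk"], "path": m["path"],
                "owner": "", "args": m["args"] or "", "missing": False}
    m = O23_RE.match(line)
    if m:
        return {"kind": "O23", "name": m["display"], "path": m["path"],
                "owner": m["owner"], "args": "", "missing": bool(m["missing"])}
    return None


def triage(log_text: str, watchlist: Tuple[str, ...]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries that merit manual review.
    watchlist holds lower-case vendor or product names the reviewer distrusts,
    e.g. ("spigot",) once the reputation of that Search Settings line is known.
    """
    findings = []
    for raw in log_text.splitlines():
        e = parse_entry(raw)
        if e is None:
            continue
        haystack = (e["path"] + " " + e["owner"]).lower()
        if any(w in haystack for w in watchlist):
            findings.append(("watchlist", e["path"]))
        elif not e["path"].lower().startswith(EXPECTED_ROOTS):
            findings.append(("outside program dirs", e["path"]))
        elif e["kind"] == "O23" and e["owner"] == "Unknown owner" and not e["missing"]:
            findings.append(("unknown service owner", e["path"]))
    return findings
```

Run triage(SAMPLE_LOG, ("spigot",)) to see both Spigot entries surface together with the Google Update autostart from the user profile and the unowned HP service; "(file missing)" system services are skipped because HijackThis reports those for normal Windows services.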


Check the task list by pressing Ctrl+Alt+Del in Windows. Examine all the tasks running; if you're unsure of a task, look it up on a search engine.

Use the system configuration utility to determine which tasks are loaded at start-up (type "msconfig" in the Run box to start it).

Run your antivirus checker; it's possible this will pick up the keylogger on your system.

Scan your hard disk for the most recent files stored. Look at the contents of any files continually updating (these might be logs).

Download a specific keylogger detector program, and see if it detects anything.

Run Spybot S&D; this program checks for some known keyloggers.


If you're scanning for a virus and nothing comes up then it could mean a number of things.

 

1) You don't have a virus (I'll explain in a bit what the problem with this is).

2) Your virus is programmed and encrypted by a professional hacker who can hide the true intention of his virus, which means it is undetectable by anti-virus software.

3) Your virus is more spyware than a virus.

 

If it's number 1 it could be that your e-mail may have been hijacked. Does someone you know know your login details to your e-mail address? Perhaps change those details.

 

If it's number 2 then you may be a bit stuck unless you have a friend who knows about computer viruses and can remove them manually (I do this for clients).

 

If it's number 3 then just get Spybot - Search & Destroy and you should be good to go.

 

Your best bet is to download a very good free anti-virus (I recommend AVG) and spyware removing software such as Spybot. Change all of your login credentials again. If your details are changed then I would recommend trying to system restore to about a day before you downloaded anything. Unless the virus is an extremely well programmed virus, it should be removed.

 

But can I please say that torrents are not 100% safe. Chances are you are downloading something that has something extra attached. I know no matter what you will probably never stop downloading through torrents so let me just recommend that you download your files into a .RAR file and scan that file twice for viruses.

 

Hope this helps =]


Have you read the thread? It's already been established that there's a possible keylogger on his computer. Also, it has been mentioned that AVG is one of the worst antiviruses currently, and I didn't know people still suggested Spybot; that program is so outdated.



A HijackThis log analyzer might help.

 

Also, try downloading Process Explorer and check if you have any suspicious processes or DLLs running.

