
Suspect Trojan and/or Keylogger - Battle.net and gmail accounts repeatedly hacked

Q: Suspect Trojan and/or Keylogger - Battle.net and gmail accounts repeatedly hacked

Over the past 3 weeks my battle.net and gmail accounts have been hacked on 2 major occasions. The first time the hacker seemed to always know my passwords after I changed them and I was engaged in a 30 minute battle of change-the-password before the hacker attached an authenticator to my account and locked me out. I then had to contact Blizzard to restore my account. After that I installed AVG and removed 4 infections and thought myself safe but last week I got hacked again when I was out, I didn't leave my pc on so he must have gotten my passwords earlier.

I tried running DDS but it just quits and doesn't give me the logs. Tried GMER twice but both times my pc BSOD'd. All I have is a HijackThis log, hope it's enough.

(PS: PSMAntiKeyLogger was only installed minutes prior to this post as I only just found out about it, it was not running when I got hacked)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:31:15 PM, on 7/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21020)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Frostx\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\PSMKorea\AntiKeyLogger\PSMAntiSpy.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://box.gamepath.net/wtflux/downloads/frostx/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Frostx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Startup: PSMAntiSpy.lnk = C:\Program Files\PSMKorea\AntiKeyLogger\PSMAntiSpy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O16 - DPF: {36E5F486-B4EF-4D21-85E0-C58EBAA81A30} (WebCtl Class) - http://app.gomtv.com/ce/gomtvax/bin/GOMTVAXCSETUP.EXE.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1278991485957
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1278991477019
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://care.singnet.com.sg/lwp/static/inst...aller_6-1-2.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Rx2Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectSpeed20\Rx2Agent.exe
O23 - Service: Rx2Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectSpeed20\Rx2Engine.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11602 bytes


A: Suspect Trojan and/or Keylogger - Battle.net and gmail accounts repeatedly hacked

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
Please download OTL from this link.
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scan box paste this in:

netsvcs
msconfig
drivers32 /all
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.sys /90
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32
ahcix86s.sys
nvrd32.sys
user32.dll
ws2_32.dll
/md5stop
%systemroot%\*. /mp /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
CREATERESTOREPOINT

Click the Quick Scan button.
The scan should take a few minutes.
Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:
Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:
How to create a GMER log

In your reply, please post both OTL logs and the GMER log.


Suspect keylogger. My online accounts are compromised occasionally but periodically.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 10.55.2
Run by User at 17:33:41 on 2014-07-18
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8075.4448 [GMT 8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)...

A:Online Accounts Repeatedly Compromised ( Suspect Keylogger )

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/541412 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t...


Someone changed my password on my World of Warcraft account. I got an email saying it was changed. I immediately changed it through the website. I scanned my computer with Avast! and Malwarebytes, and detected nothing. I tried Hitman Pro and it found 2 or 3 things, which I deleted. I thought I was done. I logged into my account and played for awhile. When I logged off, there was another email, notifying me of a password change. I tried to log on and could not. Again I changed password. I was trying to follow the instructions on this site for posting and when running the gmer.exe file, I get an error: "C:\Windows\system32\config\system: The system cannot find the file specified."

Here's my log and thanks:

DDS (Ver_10-03-17.01) - NTFSX64
Run by xxxxxxxxx at 22:19:43.83 on Mon 08/16/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3006.2036 [GMT -4:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\C...

A:Suspect keylogger, WoW account hacked

Hello Jefffrey
Welcome to BleepingComputer
Are you still having issues?
==========================
Download OTL to your desktop.
Double click on OTL to run it. When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Under Custom scan's and fixes section paste in the below in bold

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll

Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


Hi guys n gals, wonder if you could help me?
My wow account was hacked yesterday, here's the steps I've taken since and my hjt log, any more advice you could give would be great.

downloaded atf cleaner and cleared everything.

downloaded ad-ware, ran full system scan and removed any infections found.

used spybot search and destroy done full scan and removed any infections found

downloaded MBAM (MalwareBytes' Anti-Malware) ran full scan and again removed any infections found.

Done full scan with avast (nothing was found at this point).

Here is my HJT log after these steps were carried out:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:49:17, on 25/09/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Inter...


This past summer in May, I had my Battle.net account hacked and they had also gotten the registered e-mail information and kept changing the password. I contacted Blizzard and had the email changed and password changed and then ran AVG antivirus (free) as well as Malware Bytes. It found quite a bit and removed everything but it seems it has happened again. My gmail account was hacked and this morning woke up to a changed password and mass spamming of all my contacts with an email advertising something. I ran Malware again and it found 1 file and AVG found nothing. I also per recommendation downloaded Comodo Firewall. Just wanted to get some "professional" help to make sure I'm clean and what I can do in the future to prevent this. Thanks for your help!

EDIT: Running Windows 7 Home Premium

A:Gmail/Battle.net/Aol Hacked

I'm sorry for the bump...but it just got a bit more serious. Whoever is doing this got into my college stuff this morning and changed my name and have tried to do stuff with my classes. I just got off the phone with the school and told them to basically freeze any activity until I clear my computer up. Can someone point me in the right direction please??


My sister recently noticed her Facebook password had changed and people had been using her account (the password was changed at around 9am) and we suspect a keylogger is the cause, can someone please check through this log to see if there are any potential risks so we can (hopefully) rule this out

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:25:35, on 22/06/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\AVG\AVG10\avgui.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&m=aspire_x1301&r=17360310sn0797358rsj5by9012328
R1 - HKLM\Software\Microsoft\Internet Explorer\Ma...


K, this is my second time here. I was cleaned out thanks to the help of you guys. Now it seems, the hackers are back. This time, they got into my E-Mail account and had a couple of characters from a game I play (World of Warcraft) transferred to another Realm. Since the last time I was compromised, I changed the password on my e-mail as well as several other passwords I use to other sites and have been pretty observant to strange behavior on this comp. Anyway, here is my Hijackthis log, if there is anything here that would allow this type of thing to occur, please let me know what I can do to prevent it:

Logfile of HijackThis v1.99.1
Scan saved at 11:46:07 AM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGF...

A:Game Account Was Hacked. Suspect Keylogger

Hello Dafunkdoc and welcome to the BC HijackThis forum. I see 1 service that looks suspicious so let's get it checked out.

We need to make sure all hidden files are showing so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:
C:\WINDOWS\java\Java.LOG\services.exe

Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Cheers.
OT


Alright, a few days ago my PayPal account got hacked into. I am on a brand new computer and I will admit that I have not fully set it up yet. It is completely possible that I somehow got a keylogger.
PayPal is currently investigating the unauthorized activity, and they have already refunded the majority of my lost funds. However, if I do in fact have a keylogger, I want to get it off of my computer.

I am somewhat doubtful that it was a keylogger, because it seems that ONLY my PayPal account has been accessed. Of course I could be wrong, but nothing else was changed, and my online banking account was not accessed (as far as I know).

I admit that my password was not the best password ever, and it could have been guessed fairly easily (It was related to a username that I use on several forums). I deal with a lot of people online through PayPal, so many people would know my PayPal address.

So I am just wondering if you think that this is a keylogger or not. If it is, how can I remove it?
Is it true that keyloggers can be installed as add-ons to programs, so they actually wouldn't show up in processes?

Also, is there any antivirus program, free or paid, that could help me with this? I currently have AVG free and Spybot:S&D, and I also have a 60 day trial of Norton 360, which came with my computer.

For now I am just using an on-screen keyboard to input important passwords.

A:Possible Keylogger-- Accounts hacked!

Hello and Welcome to TSF.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new thread, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

------------------------------------------------------


Hi these are my logs. My world of warcraft was hacked and it could be because of key loggers!

DDS (Ver_09-02-01.01) - NTFSx86
Run by Admin at 17:55:08.95 on Mon 03/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2331 [GMT 5.5:30]
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\...

A:Keylogger Some program accounts have been hacked!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructio...

RELEVANCY SCORE 79.2

Multiple accounts including Emails have been hacked, ran multiple virus/adware programs including Ad-Aware, AVG, and Avast but couldn't find anything.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:54 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd...

RELEVANCY SCORE 74.8

My gmail account got hacked. Offenders changed my pw, alternate email address, and deleted my contacts. They sent email out to all the contacts saying that I was stranded in the UK without money and asking for contacts to respond to arrange to send $2000.00. Offenders changed settings so that response email would be forwarded to their account. Friends who got these fraudulent emails called and alerted me and I contacted gmail and reset the alternate email address so they could send me a link to reset pw. Upon regaining access I discovered the extent of compromise.
I also rec'd email from facebook that my account with them has been breached. I still have not regained access to that.
I had Norton360 v 3.0 running on my computer the whole time. I have scanned my computer with it then with Norton 360 v 4.0 and with Trend Micro and no virus or malware is detectable. How did my account get hacked?????
 

A:gmail and facebook accounts hacked

Norton is mainly an antivirus product, maybe they include anti-spyware too now, not sure. There are many ways to steal access to your gmail. One of the ways is to install a keylogger on your pc, and steal username and passwords as you type them. But if you have accessed your gmail from another computer, like at university; public library, your friend's PC etc, then it may be that those computers are infected and not yours. Also, it may not be a technical attack. Simply being able to look over your shoulder as you enter the passwords will get you hacked just as easily. Then, there are what's called brute force attacks, where a program simply points to a login page, and tries each combination in sequence till it hits the right one. Gmail may not fall to brute force attacks, but if you use the same password on multiple sites, then there is a chance that they hacked that account first and tried to use the same password on gmail. Then there may have been phishing attempts made at your account and you mistakenly entered your password into a web site that only looks like Gmail. There should be more ways to steal your gmail, but I am not a hacker.

If you are running Trend Micro along with Norton, you might end up with them interfering with each other. You cannot run multiple real-time antivirus products together.

When you reset your Gmail, use a complex passphrase that is easy to remember. Eg. The phrase "Kirk is the rightful captain of the USS Enterprise" can be tr...

RELEVANCY SCORE 74

Exploits allowing hackers to break into Gmail accounts are likely to occur, if they're not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.

...

Make sure you have a strong password. Many PC users select weak passwords that consist of common names or dictionary words, leaving them susceptible to brute-force discovery. And configure Gmail to use SSL by default: To benefit from encryption when accessing Gmail, you should configure the service to use SSL by default. To do so, click Settings in the top-right corner of the main Gmail window, select Always use https in the "Browser connection" section at the bottom of the General tab, and click Save Changes.

http://windowssecrets.com/comp/090423/

A:Gmail accounts hacked via unpatched hole

Or you can stop using a browser for accessing Gmail and start using Thunderbird for having all your emails delivered to your desktop.

RELEVANCY SCORE 74

Exploits allowing hackers to break into Gmail accounts are likely to occur, if they're not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.

http://windowssecrets.com/comp/090423/
 

A:Gmail accounts hacked via unpatched hole

Is web mail safe, or is your mail safer when retrieved to your PC ? What is your opinion?
 

RELEVANCY SCORE 72.8

My World of Warcraft account was hacked 2 times in a row and I think I've got a keylogger or trojan virus on my computer. Please look at this log and tell me if it's OK, and if there's something wrong I would appreciate it if you would tell me what's wrong.

Here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43:11, on 2009-11-03
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis...

A:I suspect I have a keylogger or trojan virus on my computer, please help me

OMG, this is my second time I do this and I never get a reply. I will never get my wow acc back
 

RELEVANCY SCORE 72.8

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:05:48, on 01-08-2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\BullGuard Ltd\BullGuard\Files32\Spamfilter\LittleHook.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsof...

RELEVANCY SCORE 70.8

DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 1:21:39.58 on Sat 04/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.380 [GMT 8:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hew...

A:Spyware & trojan suspect, tons of virus... i had been hacked on my online game too.=(

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

RELEVANCY SCORE 69.2

DDS (Ver_09-07-30.01) - NTFSx86
Run by Chris at 10:24:43.85 on 29/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.261 [GMT 1:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin ...

A:wow account hacked-pc infected? keylogger/trojan

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 68.8

Here is my Hijack this log. I have tried everything and nothing seems to work. I get constant warnings from random Executables running from C:\Recycler\ along with wincap.exe. I get a blue screen error when I try and run safe mode. I tried running DSS, but it would just get killed. Not even sure how that was happening. I have gotten my online accounts hacked, and am fairly sure I have a keylogger. So far I have installed AVG and ZoneAlarm and they seem to be containing the virus.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:38 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\...

A:Trojan Hijacker Online Accounts Hacked

I just wanted to update that I turned off all firewalls, anti-virus, spyware apps and tried running DSS and still could not. It just disappears. I also still get a blue screen when I try to run in safe mode to run SDFix.

RELEVANCY SCORE 68.4

Hello there,

After discovering my WoW account had been compromised last night, I followed the suggested steps to cleaning up my computer which inevitably ended up with me being referred to this website with a copy of a MBAM log file and a HiJackThis log file. (You must get this particular scenario a lot!)

I believe Malwarebytes' Anti-Malware discovered and alerted me to the issue and I think I was hacked via a key logging thing. But I would like to make sure as I'm no expert. I removed said offending files as soon as I was given the choice.

I'll attach the logs as Notepad files, I hope this is OK. If not let me know and I'll sort it straight away.

Hope you can help!

Thanks very much,
Steph.
 

RELEVANCY SCORE 68.4

Hello, my WoW account was recently hacked so I have been working on removing spyware/malware/trojans/etc from my PC. I have run AVG Free and Spybot in safe mode and found a trojan called Groove.x32. I deleted the folder it was in and then ran HijackThis. Here is my log:

(UPDATE 1 I also notice a ping spike in my connection every few minutes which has started only a few days ago.. deleting the groove.x32 folder did not resolve this issue like I expected)

(UPDATE 2 I was googling and found this: http://www.threatexpert.com/report.aspx?md5=f1622f63ef3f9a674f660789fe21984d it looks like what I have.. ran IOBit Security 360 and it found that folder and the install.exe)

(UPDATE 3 I downloaded SDFix and when I tried running it in safe mode I get a quick blue cmd prompt screen flash and close with nothing else.. I'm guessing the virus won't let me run it)

(UPDATE 4 I downloaded combofix and ran it in safe mode on the other PC.. here is the log:

ComboFix 09-11-07.02 - Tim 11/08/2009 4:19.1.2 - NTFSx86 MINIMAL
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2048.1248 [GMT -5:00]
Running from: c:\users\Tim\Downloads\asdf.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-08 09:23 . 2009-11-08 09:23 -------- d-----w- c:\users\postgres\AppData\Local\temp
2009-11-08 09:23 . 2009-11-08 09...

A:World of Warcraft account hacked, trojan/keylogger?

Here's another HijackThis log on another PC connected to the same network that might have the same thing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:08 PM, on 11/7/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\CtHelper.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimzones.aol.com/homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\S...

RELEVANCY SCORE 61.6

Hello,

Up till now I've only used the Windows Defender and the AVG8 antivirus program (I updated today to AVG9)

My account on battlenet was hacked yesterday. Since then I've taken the following steps

1) Ran a program called ATF Cleaner (supposedly removes any cookies, temporary files, history files etc)
2) Downloaded and ran Ad-Aware (it deleted some cookies)
3) Downloaded and ran Spybot Search&Destroy (nothing found)
4) Downloaded and ran Malwarebytes' Anti-Malware

It detected the following registry keys that were infected and it dealt with them

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

5) Had a full system scan with AVG8. Again it only gave me some cookie warnings, but I was worried so I quarantined and deleted all of them. Should I be doing this more often? I have been so far under the impression that cookies are not something I should worry about, let me know if I am wrong

6) I downloaded HijackThis and I ran it, the log follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:58 μμ, on 27/10/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.0...

RELEVANCY SCORE 60.8

Hello,

Windows Vista, IE8, AVG8 and Windows Defender were the only security I had.

I do not have a readily available Windows Installation disk right now, but if there is no other way to deal with an issue I can get it within the month (has to be shipped from my home)

Since retrieving my Battlenet account I've run various different anti-malware tools. Ad-Aware, Spybot Search&Destroy, full scan on my antivirus, CCleaner, MBAM etc

I've deleted all the cookies and MBAM found a Rogue.Antivirus2008 infection in a registry key and deleted it. Could this have been my source of problems?


DDS follows, attached files also follow


DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 23:51:00,76 on ??* 27/10/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1253.30.1032.18.2045.1002 [GMT 2:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNe...

RELEVANCY SCORE 58.8

So, I have reason to believe that there is a keylogger on my computer, but I don't know where. I've taken basic precautions, i.e. I am now using a separate computer to do everything.
I run McAfee (as you can probably see from the report), which does its periodical scan, but so far it hasn't come up with anything.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Janne at 14:21:57.50 on Sun 02/15/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.938 [GMT -8:00]
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32...

A:Suspect there is a keylogger

Hi symposium,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Tell me if you have done anything since previous post. Or you have run any other tools. Also tell me how is the current condition of your computer.

To get an idea about the current condition of your computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Set the scan files/folders to 3 Months.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

Note 2: The tool takes not more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

RELEVANCY SCORE 58.8

Here is my HiJackThis log. I have already run an anti-spyware and anti-virus program so I apologize if I have already removed the issue.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:28 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AI Booster\OverClk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:...

RELEVANCY SCORE 58.8

MBAM reports that I have no viruses but I don't believe it; both my e-mail account and my battle.net account have been logged as being accessed from China and I have not been phished, nor do any other users have access to my respective accounts. I have a DDS log available as well; GMER produces an error to the effect of "C:\Windows\System32\config\system: The system cannot find the file specified." so I cannot run it with the settings that the guide suggests that I do. Thank you in advance for the help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:34:45 PM, on 8/24/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
D:\Games\Steam\Steam.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\FeedDemon\FeedDemon.exe
C:\Program Files (x86)\DNA\btdna.exe
C:\Windows\SysWOW64\CtHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Users\Fugu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users...

A:I suspect that I have a keylogger.

Hello Fugu,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

You're using an old version of AVAST. The new avast version 5.0 is now available. Uninstall the old version and download the new Avast version 5.0, then run it and let it remove anything it finds.

************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

************

Please post the last Malwarebytes' Anti-Malware log so I can see what it found. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

************

Spybot will find keyloggers, so please download, update and run Spybot 1.6.2. I recommend you do not enable Teatimer at this time, as it will interfere with SUPERantispyware (see below). Fix whatever Spybot suggests. Here is a helpful tutorial for Spybot.
Spybot Tutorial

************

Download SUPERantispyware
Load SUPERantispyware and click the check for updates button. Once the update is finished click the scan your computer button. Check Perform Complete Scan and then next. Superantispyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and press...

RELEVANCY SCORE 58.8

Hi folks, I think I've got a keylogger. I tried to log into two separate accounts today for two different places and neither passwords worked.
These are both accounts for two of my games, and I definitely didn't type either password wrong, and the info is not the kind of info you'd be likely to guess. I've already run a full system scan in safe mode using Spybot Search & Destroy, Super Anti-Spyware, Malwarebytes, and Ad-Aware.

I encountered no problems whilst doing this, so I think I'm clean except for the danger of some information stealing program. Any advice would be greatly appreciated. I went over to another computer that I've not had problems with and I changed all my important passwords and information, so I'm not in any immediate danger. However, I'd like to be able to use my main computer, which I'm afraid to do till I figure out how my information got stolen.

Thanks.

RELEVANCY SCORE 58.8

An online account of mine was recently "hacked" and I am suspecting a keylogger is the culprit. I did a system restore back to a very early point. I am in the process of running Ad-Aware, SUPERAntiSpyware and Spybot Search & Destroy as well as Avast antivirus, but I was wondering if someone could take a look at my HijackThis logfile to see if anything looks amiss? Thanks so much...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:46 PM, on 4/19/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows...

A:Suspect keylogger please help??

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


I suspect a keylogger has been put on my pc. Here is the hijack log. Does anyone know if this shows one.....

Logfile of HijackThis v1.98.2
Scan saved at 10:34:49 PM, on 6/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.ex... Read more

A:suspect keylogger on my pc

Don't know how good this is but it's free to try Keylogger Hunter

http://www.soft32.com/download_7700.html
 


Computer is a Toshiba Satellite A305-S6916, Intel Core 2 Duo Processor T6400, 4GB SDRAM, 320GB HDD, 15.4" Diagonal widescreen TrueBrite display, ATI Mobility Radeon HD 3650W/512MB. Operating system was Windows Vista Home Premium 64 bit, hard drive was formatted and Windows 7 Home Premium 64 bit installed.

Antivirus software being used is Microsoft Security Essentials and Ad-Aware. Browser Firefox and use NoScript http://noscript.net/

I play World of Warcraft and my password has been stolen 2 times. Found $RY0MSQX.exe Troj_Gen R29C3G4 using Trendmicro Housecall Free Online Scan.

Password stolen 2nd time about 1 week later.

Found on World of Warcraft forum recommendation for cleaning computer and did what was suggested.

Turned off System Restore, used Steven Gould Cleanup!, used Malwarebyte Anti-Malware, Microsoft Malicious Software Removal Tool, Spybot Search & Destroy, Ad-Aware, SmitFraud Fix 64 bit, scanned with Microsoft Security Essentials, McAfee free online scan.

McAfee found C:\Windows\System32\Process.exe - PrcViewer
and C:\Windows\SysWOW64\Process.exe - PrcViewer

Do not know what to do with Process.exe so left it.

After a Google search for info about Process.exe found TechGuy forums. Joined and downloaded HiJackThis. HiJackThis gives an error about the Hosts file and indicates to open it with Run Notepad C:\Windows\System32\etc\Hosts This does not work as Hosts file is in a different location, maybe because of Windows 7. Doing a search found Hosts fil... Read more


they even have a second windows vista running

A:i have been repeatedly hacked

Hello and to Bleeping Computer.

I'm afraid you're going to need to give a lot more information if I'm going to be able to help you. . . I have no idea what's going on.

Start with what your symptoms are in detail, and then list what you've tried to resolve the issue.

~Blade


This is kind of an embarrassing message to have to be writing, but Gmail account has been hacked, two days in a row! It's always about the same time 1:00am-2:00am EST. Yesterday it was just from South Korea (123.212.95.14), and I thought it must just be some email spammer. All the same I changed my password to a completely unique one I've never used before. I ran antivirus, malware, spyware, all the utilities. I checked all my Gmail settings everything looked in order nothing malicious, spent 30min going through each setting with a fine tooth comb. I changed my security questions and everything. I've never been hacked before and I took it very serious to make sure it wouldn't happen again. Imagine my surprise when I woke this morning to find my new password wouldn't work, someone had changed the password and locked me out AGAIN!

The only way to reset the password on Gmail is for Google to text you an unlock code to your cell phone. So it makes it even more difficult for me to understand how I'm being compromised. I checked the IPs and last night it was not only China (115.148.172.137) but also SC (hgtc.edu:199.5.207.215) and MI (24.176.11.86). I can understand the overseas IP but SC and MI right here in the US, now I'm really suspicious. I checked hgtc.edu turns out it's Horry-Georgetown Technical College based out of... you guessed it SC. I mean I don't know if that means anything, or if it's just a server the hacker bounce... Read more


This is my first post on your web site. Wish I had known about the site long ago, could have saved myself so many headaches. Anyway, I hope I'm in the correct forum for my problem. I strongly suspect a relative has hacked into my computer. The person I suspect is listed as a user on my system, and is also a computer specialist, working in the field for over 20 years. He had done some minor repairs to my laptop a year ago, and since that time has been listed as a user, and also had remote privileges, and who knows what else. I was away for several days, came home, turned on my laptop and the icons on my desktop were huge, blurred, and scattered from one side of the screen to the other, some even off the screen. I went through the steps of changing the display, but nothing worked. I was also getting a lot of error messages, my router wasn't working, and I suspected my dsl modem was also malfunctioning. I phoned my service provider's tech service and, as she walked me through some possible fixes, we found that there were no ip addresses, among other things. She was able to get the dsl modem back on track, but not the router. She also told me that it was highly likely that someone had hacked into my machine, since the condition of my desktop screen could not have happened accidentally, especially since I was unable to fix it through "Display". I immediately deleted this person's name and icon from my desktop as a user on my laptop, but not sure if he c... Read more

A:Suspect my Computer's Been Hacked


Hi.
I let a friend of a friend to use my computer without my presence, but I regret that now after that i knew that his USB was infected after that he got hacked and he put that USB into my computer.
 
I used Gmer to look at the Services tab and i found some unknown entries like that in the screenshot that I provide.
 
What log do I need to provide in this case?
 
Any help would be great.

A:I suspect that I got hacked or infected

Hi and Welcome!! appatatus

My name is Robybel. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands.

I'd be grateful if you would note the following:
I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable. (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the... Read more


Hello,

While browsing an online forum last night, I followed a suspicious link. Keylogger posts which link to sites with keyloggers on them are common on this forum, and I'm concerned I may have got one. Here are the steps I have taken so far:

1) Ran AVG Free Anti-Virus (found nothing)
2) Ran Ad-Aware (found nothing)
3) Ran Spybot- Search and Destroy (found nothing)
4) Ran McAfee Stinger (found nothing)
5) Ran Panda Anti-Virus (found nothing)
6) Ran AVG Free Anti-Virus again (Found a tracking cookie, but I don't think that it is it)
7) Installed No-Script on Mozilla Firefox (a little late, but I thought it would be a good idea)

EDIT: I found a suspicious process in my Task manager, so I am putting in an updated HijackThis log.

Here is my (updated) HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:51 PM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper... Read more

A:Suspect a keylogger on my system

Hello, AtmoHawk to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

Please give me some time to look over your computer's log(s).

Please take note of the following:
In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.

We need to run a Scan with DDS
Please download DDS, and save it to your desktop, from one of the following mirrors:
This is a mirror
This is another mirror
Disable any type of "Script Blockers" or "Script Protection" installed on your system.
Double click on your desktop.
If prompted by any script blocking tools, please allow any actions taken by DDS.
When prompted to perform an Optional Scan, please select
Two reports will open. Please reply with the generated reports:
DDS.txt <-- Copy and paste into your next post
Attach.txt <-- Attach to your next post

We need to scan for rootkits with GMER
Please download gmer... Read more


please help with this one. I have reason to believe a keylogger is installed on my pc but couldn't find it. Besides that I have problems with completely removing some programs (panda antivirus & weatherchannel) please help

DDS (Ver_10-03-17.01) - NTFSx86
Run by vukica at 12:19:16,59 on pet 28.05.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.83 [GMT -7:00]
AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus&... Read more

A:i suspect a keylogger is installed on my pc

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hi!
Since last year, someone has been trying to access my computer files and email. When I was out on vacation, I had to give my password to a co-worker and ever since then, even though I've changed my password a few times, no one ever tries to hack into it anymore. Yet, this coworker seems to get the jump on my work. I suspect some kind of spyware but don't know how to find it. I've been following the preparation guide and have some trouble with the GMER window. I've unchecked the boxes as directed however, the example on your site has many boxes checked which my computer would not allow me to check. They are: System, Sections, Devices, Modules, Processes, Threads and Libraries. The only boxes my computer would allow me to have checks in are: Services, Registry, Files, "C" and ADS. I ran a scan and saved it as directed. Would the scan be accurate if the boxes you show should be "checked" are not checked? Thank you so much for this site. I'm not very knowledgeable about computers and appreciate the help very much. Sincerely, Jeanne

DDS (Ver_2012-11-05.02) - NTFS_AMD64
Internet Explorer: 9.0.8112.16450
Run by Marketing at 8:53:38 on 2012-11-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3944.1404 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enab... Read more

A:Suspect infected with a keylogger

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.

How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt

Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

===

Third party programs if not up to date can be the ca... Read more


Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/425931 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

A:Suspect Keylogger or Root-kit

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!


Hey,
 
can I ask you guys if my system is hacked badly or is it just my face book account that keeps getting it, 
 
I have had to change my password numerous times in the last week or so,
 
can I get advice on how to proceed here thanks.

A:my facebook account is repeatedly hacked

sorry but I've no choice but to bump this,
 
i have waited 4days and also i followed the link after 3 days of no activity and posted there over 12 hrs ago and nothing yet, 
 
you can be blunt but at least can i have an answer so i can move on


I think there may be a keylogger or other malicious software on my computer because someone is able to access my computer even after I change my password.
Any and all help is greatly appreciated


Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2007-11-10 14:21:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-11-10 20:21:21 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-10 14:24:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\Runservice.exe
C:\Pro... Read more


Wondering if anyone here knows high-security ways to secure the Windows SAM (Security Accounts Manager) file from being hacked via remote network access or physical access to an unattended machine.

Have already informed the police (though they don't do anything) that a neighbour or local burglar enters the property when I'm out and copies written passwords. They may also install malware on the computer or perhaps all hacking is done remotely via installed malware.

Regardless, the local area constantly gives me the impression that my computer activity is closely watched.

Can anyone answer the questions in the first paragraph or give me advice on how to maximise security and the privacy of my computer and its usage?


Hi, sorry so long but I figured I had to list all things I've tried so far! I'm wondering if my W98SE computer picked up an infection through a zip file with five pics in it that I was emailed a few days ago. After download I scanned it with AVG before opening, and nothing was found, but I'm sure that doesn't say much. Then I also scanned with spybot & adaware and they didn't find anything either, which again may not say much but I don't know of any better such free programs for W98SE. Machine is not worth spending money on.

FYI, I also have spywareguard, spywareblaster and version 4.5 of zone alarm. Other things I tried later include HJT + startup log; and failed attempts at Kaspersky, Trendmicro, Panda & Bitdefender. Details further below.

Symptoms:
Almost right away, Firefox started hesitating or freezing up for a second at least half the time after I click a link or load a page, and I hear hard disk activity during it. Entering text into forms has frozen or slowed down a couple times too. Usually I just attribute anything of the kind to this unreliable old laptop, and my dialup connection. Especially after not rebooting during many hours of use. But I don't remember any of the above being as "blatant" and noticeable as this.

Once, site graphics loaded incompletely in Firefox, like they do when you print a web site. Twice a similar thing happened with I.E., on testing sites built for I.E. Once my ISP software cras... Read more

A:Suspect infection (keylogger??) from attachment, but having hard time testing

OH MY GOD the person who sent the attachment just emailed me and out of the blue mentioned twice that her husband is always installing keyloggers on her computer! My diagnosis just got a lot more feasible I think! Do you think the keylogger reported that I've been going to testing sites and googling keylogger stuff?? It would have been on this laptop since 7/24 now. Wow this is freaky. Can it see everything on the computer or just passwords I enter and text I type? I'm still using it, guess that's not too smart. Hep hep!
 



Hi, thanks in advance for your help.

Several weeks ago, my online accounts were compromised. I believe that my computer is the source of the infection, as it started acting funkily, and only accounts that I had accessed from this machine were compromised. I have already changed all of my account information; now is the first chance I've had to fix this computer.

here is my dds.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18015
Run by Larry at 16:58:07 on 2015-12-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3561.1328 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k NetworkServi... Read more

A:Online accounts compromised. Strongly Suspect Malware/Rootkit

Hello and welcome to TSF Draymond Green,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download to and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the c... Read more


My World of Warcraft account has been hacked repeatedly, and I'm fairly certain that something in my system is stealing the passwords. I have repeatedly changed the password, and tried copy/pasting the passwords Blizz sends me to attempt to circumvent keyloggers, but with no success.

This computer is a hand-me-down, and bloated. I don't know where to begin looking, but I have run Ad-Aware, AVG and Spybot and they have located problems but been unable to remove them....

I have posted a hijackthis log below. Any analysis of that, and any additional advice that would help me secure my computer and put a stop to the hacking would be much appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:25 AM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Sha... Read more

A:HJT log: hacked/keylogger?


My email got hacked and I can't get it back someone changed it. I think I may have a keylogger but I can't detect anything can anyone please help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:04 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files... Read more


hi everyone
I got hacked by a keylogger recently and lost 3 wow accounts because of it. I don't know what kind of other info might've been retrieved by the keylogger and so I've taken up to cleaning my PC
I've run this guide to the letter
http://forums.wow-europe.com/thread.html?topicId=5383442401&sid=1 after having run all those scans and deleted all that was suspicious I'm left with the 3 logs I need your help with reading
malware bytes and hijackthis as well as spybot
one of the keyloggers I think was on my PC was nmdfgds0.dll but don't know that it's the only one since spybot avast and stuff found like 4 trojan files along with dodgy cookies and don't know if nmdgds0.dll was removed (heard it was a tricky one)
I'm running a XP family edition OS

I don't really know what kind of other information I should provide so I'll link the logs I have and I'll answer any question as much information is needed if asked what it is.
thanks in advance for all the help

anyway here goes :

SPYBOT LOG

--- Search result list ---
Win32.Rungbu.a: [SBI $8819FA0B] Class ID (Clé du registre, fixed)
HKEY_CLASSES_ROOT\CLSID\MADOWN

Virtumonde.sdn: [SBI $9296ACFF] Réglages Autorun (cdoosoft) (Valeur du registre, fixed)
HKEY_USERS\S-1-5-21-3447838262-1227803128-2347894883-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft

Virtumonde.sdn: [SBI $9296ACFF] Fichier de programme (Fichier, fixed)
C:\WINDOWS\system32\olhrwef.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF... Read more

A:hacked by a keylogger

bump
 
