Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

strange spyware question


  • This topic is locked This topic is locked
11 replies to this topic

#1 3LOJIM

3LOJIM

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 02 December 2009 - 10:30 PM

Hi. About a couple weeks ago i visited a site my friend owns and created himself. Since then he has made some comments on my facebook page that make me think he can view my online activity. I have antivirus, ad aware, firefox antikeylogger plugin, and malware bytes. I empty my browser history at least once a day. Is it still possible that he has installed spyware on my computer? If so what exactly can he view and what information can he get?

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 02 December 2009 - 10:35 PM

If anything is installed, depending on what it is, he can basically own your PC.

Some friend. :thumbsup:

#3 3LOJIM

3LOJIM
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 02 December 2009 - 11:06 PM

I just viewed a few pages. Its basically an online store so i dont see him installing spyware on anyones computer for business reasons, other than a tracker but that shouldve been deleted. However, he probably has my IP address. Ive ran scans on my computer and nothing unusual has been detected. What about facebook? can you hack through that?

#4 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 02 December 2009 - 11:15 PM

Many social engineering sites have been\are exploited on a regular basis.

#5 3LOJIM

3LOJIM
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 02 December 2009 - 11:44 PM

So is there any way i can find out if someone is? So far nothing has been detected. When i do think someone could be snooping will their IP address show up if i use the netsat command or my ip scanner?

#6 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 02 December 2009 - 11:47 PM

I would not panic just yet.

Download the free version of Malwarebytes. Install it\update\and go ahead and run a full scan.
Post you log when it is finished.

#7 3LOJIM

3LOJIM
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 02 December 2009 - 11:55 PM

I believe i just updated to the latest version a week or 2 ago. I will run a scan. I will post when its done.

#8 3LOJIM

3LOJIM
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 03 December 2009 - 04:29 AM

Database version: 3283
Windows 5.1.2600 Service Pack 3

12/3/2009 1:29:57 AM
mbam-log-2009-12-03 (01-29-57).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 194985
Time elapsed: 2 hour(s), 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 03 December 2009 - 07:43 AM

Will see about getting your HJT log look`d at. I`m not a trained member. But nothing jumps out at me.

In the mean time MBAM shows clean. There is a newer database, 3283, available. May have just been pushed out.
Lets try one other scan with SAS. Be sure to check for updates. Definition Database Version should be Core: 4284 Trace : 2159 Program Version 4.31.1000.

#10 3LOJIM

3LOJIM
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 03 December 2009 - 11:58 AM

Good Call... Spybot, ad aware, Mbam, or avast could not detect these.
I have my HD partitioned for gaming and music (C:) and the (D:) for internet.
Heres the report;

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/03/2009 at 08:52 AM

Application Version : 4.31.1000

Core Rules Database Version : 4330
Trace Rules Database Version: 2185

Scan type : Complete Scan
Total Scan Time : 00:52:38

Memory items scanned : 505
Memory threats detected : 0
Registry items scanned : 4916
Registry threats detected : 55
File items scanned : 25443
File threats detected : 49

Trojan.Agent/Gen
HKLM\Software\Classes\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}\InprocServer32
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}\InprocServer32#ThreadingModel
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}\ProgID
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}\Programmable
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}\TypeLib
HKCR\CLSID\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}\VersionIndependentProgID
HKCR\KKToolbar.IEKKToolbar.1
HKCR\KKToolbar.IEKKToolbar.1\CLSID
HKCR\KKToolbar.IEKKToolbar
HKCR\KKToolbar.IEKKToolbar\CLSID
HKCR\KKToolbar.IEKKToolbar\CurVer
HKCR\TypeLib\{ECDD82A3-943F-4147-BE19-1334DEA3C68D}
HKCR\TypeLib\{ECDD82A3-943F-4147-BE19-1334DEA3C68D}\1.0
HKCR\TypeLib\{ECDD82A3-943F-4147-BE19-1334DEA3C68D}\1.0\0
HKCR\TypeLib\{ECDD82A3-943F-4147-BE19-1334DEA3C68D}\1.0\0\win32
HKCR\TypeLib\{ECDD82A3-943F-4147-BE19-1334DEA3C68D}\1.0\FLAGS
HKCR\TypeLib\{ECDD82A3-943F-4147-BE19-1334DEA3C68D}\1.0\HELPDIR
D:\PROGRA~1\KINGKO~1\CAPTURE\KKBROW~1.DLL
HKLM\Software\Classes\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}\InprocServer32
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}\InprocServer32#ThreadingModel
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}\ProgID
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}\Programmable
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}\TypeLib
HKCR\CLSID\{DAB46A0D-8939-4056-B80C-028DCE8999EF}\VersionIndependentProgID
HKCR\KKCatch.KKTBCatch.1
HKCR\KKCatch.KKTBCatch.1\CLSID
HKCR\KKCatch.KKTBCatch
HKCR\KKCatch.KKTBCatch\CLSID
HKCR\KKCatch.KKTBCatch\CurVer
HKCR\TypeLib\{5B0DB187-2227-404C-BA32-D68EEBF0FE50}
HKCR\TypeLib\{5B0DB187-2227-404C-BA32-D68EEBF0FE50}\1.0
HKCR\TypeLib\{5B0DB187-2227-404C-BA32-D68EEBF0FE50}\1.0\0
HKCR\TypeLib\{5B0DB187-2227-404C-BA32-D68EEBF0FE50}\1.0\0\win32
HKCR\TypeLib\{5B0DB187-2227-404C-BA32-D68EEBF0FE50}\1.0\FLAGS
HKCR\TypeLib\{5B0DB187-2227-404C-BA32-D68EEBF0FE50}\1.0\HELPDIR
D:\PROGRA~1\KINGKO~1\CAPTURE\KKCATC~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAB46A0D-8939-4056-B80C-028DCE8999EF}
HKU\S-1-5-21-1960408961-308236825-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E6F4C13-49FB-4DF3-B601-030D1D470E32}
HKU\S-1-5-21-1960408961-308236825-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAB46A0D-8939-4056-B80C-028DCE8999EF}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{2E6F4C13-49FB-4DF3-B601-030D1D470E32}
HKU\S-1-5-21-1960408961-308236825-725345543-1004\Software\Microsoft\Internet Explorer\URLSearchHooks#{DAB46A0D-8939-4056-B80C-028DCE8999EF}
HKCR\Interface\{3605DAEB-B708-4A2E-B10E-4A408EF31635}
HKCR\Interface\{3605DAEB-B708-4A2E-B10E-4A408EF31635}\ProxyStubClsid
HKCR\Interface\{3605DAEB-B708-4A2E-B10E-4A408EF31635}\ProxyStubClsid32
HKCR\Interface\{3605DAEB-B708-4A2E-B10E-4A408EF31635}\TypeLib
HKCR\Interface\{3605DAEB-B708-4A2E-B10E-4A408EF31635}\TypeLib#Version
HKCR\Interface\{B914CAA9-2795-453D-9559-C2C769C5155A}
HKCR\Interface\{B914CAA9-2795-453D-9559-C2C769C5155A}\ProxyStubClsid
HKCR\Interface\{B914CAA9-2795-453D-9559-C2C769C5155A}\ProxyStubClsid32
HKCR\Interface\{B914CAA9-2795-453D-9559-C2C769C5155A}\TypeLib
HKCR\Interface\{B914CAA9-2795-453D-9559-C2C769C5155A}\TypeLib#Version

Adware.Tracking Cookie
C:\Documents and Settings\Tito\Cookies\tito@adrevolver[2].txt
C:\Documents and Settings\Tito\Cookies\tito@ad.yieldmanager[2].txt
C:\Documents and Settings\Tito\Cookies\tito@adopt.specificclick[2].txt
C:\Documents and Settings\Tito\Cookies\tito@adopt.euroclick[1].txt
C:\Documents and Settings\Tito\Cookies\tito@server.iad.liveperson[1].txt
C:\Documents and Settings\Tito\Cookies\tito@casalemedia[1].txt
C:\Documents and Settings\Tito\Cookies\tito@advertising[2].txt
C:\Documents and Settings\Tito\Cookies\tito@apmebf[1].txt
C:\Documents and Settings\Tito\Cookies\tito@atdmt[1].txt
C:\Documents and Settings\Tito\Cookies\tito@burstnet[2].txt
C:\Documents and Settings\Tito\Cookies\tito@msnportal.112.2o7[1].txt
C:\Documents and Settings\Tito\Cookies\tito@data.coremetrics[1].txt
C:\Documents and Settings\Tito\Cookies\tito@doubleclick[2].txt
C:\Documents and Settings\Tito\Cookies\tito@fastclick[2].txt
C:\Documents and Settings\Tito\Cookies\tito@media.adrevolver[1].txt
C:\Documents and Settings\Tito\Cookies\tito@mediaplex[1].txt
C:\Documents and Settings\Tito\Cookies\tito@questionmarket[2].txt
C:\Documents and Settings\Tito\Cookies\tito@realmedia[1].txt
C:\Documents and Settings\Tito\Cookies\tito@revsci[2].txt
C:\Documents and Settings\Tito\Cookies\tito@tribalfusion[1].txt
C:\Documents and Settings\Tito\Cookies\tito@zedo[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@ad.yieldmanager[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@socialmedia[1].txt
D:\Documents and Settings\Mejor\Cookies\mejor@ads.as4x.tmcs[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@a1.interclick[1].txt
D:\Documents and Settings\Mejor\Cookies\mejor@interclick[1].txt
D:\Documents and Settings\Mejor\Cookies\mejor@interclick[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@a1.interclick[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@a1.interclick[3].txt
D:\Documents and Settings\Mejor\Cookies\mejor@adultfriendfinder[1].txt
D:\Documents and Settings\Mejor\Cookies\mejor@specificmedia[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[11].txt
D:\Documents and Settings\Mejor\Cookies\mejor@richmedia.yahoo[1].txt
D:\Documents and Settings\Mejor\Cookies\mejor@richmedia.yahoo[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[4].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[5].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[3].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[1].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[6].txt
D:\Documents and Settings\Mejor\Cookies\mejor@adecn[1].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[8].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[9].txt
D:\Documents and Settings\Mejor\Cookies\mejor@content.yieldmanager[7].txt
D:\Documents and Settings\Mejor\Cookies\mejor@atdmt[2].txt
D:\Documents and Settings\Mejor\Cookies\mejor@collective-media[1].txt

Trojan.Downloader-Gen/Suspicious
D:\PROGRAM FILES\KING KONG SOFTWARE\CAPTURE\UNINSTALLER.EXE

#11 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 03 December 2009 - 12:27 PM

Let SAS remove everything.

Be aware that this may cause some programs to stop working. If so then it is your decision as to whether continue use of those programs.

In the meantime I will request that you post HERE after reading the information in the Forum Guidelines at the top of that page.

#12 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:07 AM

Posted 03 December 2009 - 02:30 PM

Your HJT post is here: http://www.bleepingcomputer.com/forums/ind...p;#entry1523539

Now that you have a HJT log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.


To avoid confusion, I am closing this topic.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users