Need help urgently, my PC is hacked and might be keylogged!


This topic is locked
2 replies to this topic

#1 chaoscreater

  • Members
  • 9 posts

Posted 24 December 2009 - 02:18 AM

Hello guys, I need help ASAP.

I've been hacked. My Gmail account password got changed this morning, and I've tried my password several times already and it doesn't work. Then later on I found out my Rapidshare premium account got hacked as well; both happened this morning. I then emailed both Gmail & Rapidshare support, and right now I've got my Gmail account back and I can see that the IP log is different and that my Rapidshare password and security lock code were changed this morning, which obviously suggests that it's hacked, since my Gmail is the primary email that is linked to Rapidshare, so any confidential changes to my Rapidshare account are sent to my Gmail account.

Also, my personal info has been changed as well: the name is changed and everything else, so I am sure I've definitely been hacked.

I'm sure it's only a matter of time until I get my Rapidshare account back, since I provided a lot of proof and information.

But right now I have several concerns. From what I think, there could be 2 ways I got hacked. The first way is that I might have been to some malicious websites (I don't even remember going to any website at all other than viewing YouTube the whole day), and that my Rapidshare account got phished (which is impossible since I don't log in to my Rapidshare on any websites at all; I only use download managers, which is a one-time setup), and since my Rapidshare password is the same as my Gmail password, the hacker could've phished my Rapidshare first and then tried the same password on my Gmail to change everything to block me from accessing either of them.

OR, the most logical way I can think of is that I got keylogged. Which is weird, since I'm using Avast Antivirus PRO and it didn't detect anything, and I don't remember downloading anything malicious or anything in the form of .exe files... but anyway, I'm just assuming I got keylogged, so here are my main problems:

1. I am backing up my important files onto my external hard drive and will reformat my PC later, but is there any chance that the keylogger can install itself onto external devices like USB or external HDDs?

2. Is there any good program that can remove keyloggers?

3. Is there a good program that can scramble your passwords when you log in to any website? I've tried Googling a few and they don't seem very reliable or efficient.


Also, I did a msconfig and checked the startup programs and services, and I found this program called:

JHSJKAHDJ

and the location of the file is at:

C:\Users\Shadowz\AppData\Roaming\system.exe

which is very suspicious to me.

and the registry location of that file is at:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



And here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:14 p.m., on 24/12/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Topos\cFosSpeed\cfosspeed.exe
C:\Program Files\FileHippo.com\UpdateChecker.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\RamCleaner\RamCleaner.exe
C:\Program Files\Software Informer\softinfo.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [autocleaner] C:\Program Files\Auto Cleaner\cleaner.exe
O4 - HKLM\..\Run: [CleanIt] C:\Program Files\CleanIt\cleanit.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\Topos\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE\6\XoftSpySE.exe" -NM -hidesplash
O4 - HKLM\..\RunServices: [JHSJKAHDJ] C:\Users\Shadowz\AppData\Roaming\system.exe
O4 - HKCU\..\Run: [RamCleaner] C:\Program Files\RamCleaner\ramcore.exe -s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [FileHippo.com] "C:\Program Files\FileHippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Software Informer] "C:\Program Files\Software Informer\softinfo.exe" -autorun
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [Clipdiary] C:\Program Files\Clipdiary\clipdiary.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Welcome Center] C:\Windows\system32\rundll32.exe C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Welcome Center] C:\Windows\system32\rundll32.exe C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut (User 'Default user')
O4 - Global Startup: CleanTemp 1.5.lnk = C:\Program Files\CleanTemp 1.5\CleanTemp.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\progra~1\speedbit video accelerator\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedbit video accelerator\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedbit video accelerator\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedbit video accelerator\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedbit video accelerator\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedbit video accelerator\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedbit video accelerator\sblsp.dll
O13 - Gopher Prefix: 
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\Topos\cFosSpeed\spd.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 10855 bytes

And is there a way to check what services belong to what programs? I just sent the HJT log to www.hijackthis.de,

and the file I found in msconfig, the JHSJKAHDJ file, is detected as dangerous by the log, but I need to know what program installed it, or else I might install it again by accident in the future... except I don't know how I can find out the program running the service.

Edited by garmanma, 24 December 2009 - 09:39 AM.
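Two of the questions in the post above can be answered from the log itself: which autostart key an entry lives in, and whether its image sits somewhere any user can write to. The script below is an added example written for this page; it is not from the thread, from HijackThis or from hijackthis.de. It parses O4 (registry autorun) and O23 (service) lines and flags an entry when its image is under a user profile directory, when its file name imitates a Windows system binary but lives outside \Windows, or when it sits in the RunServices/RunServicesOnce keys (Windows 9x-era keys that current installers do not write). SAMPLE_LOG is constructed from entries in the posted log with the backslashes the forum stripped put back; the marker list and the lookalike-name set are my assumptions, not a complete catalogue.

```python
"""Triage HijackThis O4/O23 lines for autostart entries worth a second look.

Added example for this thread, not part of HijackThis. Heuristics and the
sample log are assumptions constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines modelled on the log posted in the thread, with the
# path separators restored.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\RunServices: [JHSJKAHDJ] C:\Users\Shadowz\AppData\Roaming\system.exe
O4 - HKCU\..\Run: [Clipdiary] C:\Program Files\Clipdiary\clipdiary.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")
# First token ending in an executable extension, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|vbs|js|pif))(?=["\s,]|$)', re.IGNORECASE)

# Locations a standard user can write to; a machine-wide (HKLM) autorun
# pointing here is unusual for legitimate software. Assumed list.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\documents and settings\\",
                 "%appdata%", "%userprofile%", "%temp%", "\\temp\\")
# Real Windows binary names; the same name outside \Windows\ is a lookalike
# (the thread's system.exe under AppData\Roaming is one). Assumed set.
OS_LOOKALIKES = {"system.exe", "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
# Windows 9x-only autostart keys; nothing modern should be installing there.
LEGACY_KEYS = {"runservices", "runservicesonce"}


@dataclass
class Finding:
    kind: str                       # "autorun" (O4) or "service" (O23)
    source: str                     # registry key for O4, "O23 - Service" for O23
    name: str                       # entry name for O4, "service (vendor)" for O23
    image: str                      # executable path pulled out of the command line
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def image_path(cmd: str) -> str:
    """Return the executable path from an autorun/service command line."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def assess(finding: Finding, key: str = "") -> None:
    """Append a reason for each heuristic the entry trips."""
    p = finding.image.lower()
    if any(marker in p for marker in USER_WRITABLE):
        finding.reasons.append("image in user-writable location")
    if p.rsplit("\\", 1)[-1] in OS_LOOKALIKES and "\\windows\\" not in p:
        finding.reasons.append("Windows system binary name outside \\Windows")
    if key.lower() in LEGACY_KEYS:
        finding.reasons.append("legacy Windows 9x autorun key")


def parse_entries(log_text: str) -> list:
    """Parse every O4 registry-run and O23 service line into a Finding."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            f = Finding("autorun", f"{m['hive']}\\..\\{m['key']}", m["name"], image_path(m["cmd"]))
            assess(f, m["key"])
        elif m := O23_RE.match(line):
            f = Finding("service", "O23 - Service", f"{m['name']} ({m['vendor']})", image_path(m["cmd"]))
            assess(f)
        else:
            continue
        findings.append(f)
    return findings


def suspicious_entries(log_text: str) -> list:
    return [f for f in parse_entries(log_text) if f.suspicious]


if __name__ == "__main__":
    for f in parse_entries(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.kind:8} {f.source:22} {f.name:16} {f.image}  {'; '.join(f.reasons)}")
```

Run against the sample, the only flagged line is the JHSJKAHDJ entry, and it trips all three heuristics at once. The script cannot say which installer wrote the key, which is what the poster asked; for that the leads are the file's creation time, its version properties and whatever else was installed at the same time. Note also that the log records the entry under RunServices rather than the Run key named in the post.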



#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 05 January 2010 - 07:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 SpySentinel

  • Staff Emeritus
  • 2,090 posts

Posted 11 January 2010 - 09:40 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact me or another staff member.

Everyone else please start a new topic.