Passwords continually compromised


3 replies to this topic

#1 HDane82


Posted 04 September 2010 - 11:32 AM

I'm having a serious issue with computer security right now, like I've never had before.

A week or two ago, I was at work, and my Android popped up with an alert that it couldn't sign into my Gmail account. Come to find out, it had been logged into from an IP in China which changed my e-mail. They also had the password to my battle.net account, and promptly got that locked.

I got home from work, and set about sweeping my main desktop computer (the only one I had signed in to both accounts from). Could not find a THING (no suspicious programs running, ...). So, I decided the only safe way was to nuke from orbit, and used my recovery disk to reload my computer.

The next day, they had me again.

Disconnecting the main desktop from the LAN and internet, I set about with my other desktop into my router - I did a factory reset from inside the router, changed the router name, IP, as well as the PW. I made it a point not to log into my accounts on any other computer and a few days later, they get me again.

I change my password on my Google account again from work. When I get home, I'm exhausted (12+ hour days) and this time, only log in to my Google Account from my netbook, which happens to be running Vista and not Win7 like my desktops. This is Wednesday.

Everything looks clear until just about now. I get home from work, I'm on my Android doing a lil' web surfing, I connect to my Wifiz, and whether that's a coincidence or not, about 10 minutes later I have a notification that my password to Google is no longer valid. Yup, they're in again.

A few things noticed from my router logs:

Blocked incoming TCP packet from 119.75.218.45:80 (China) to (my internet ip):36355 as SYN:ACK received but there is no active connection.

Blocked incoming TCP connection request from 221.192.199.35:12200 (China) to (my internet ip):7212

Blocked incoming UDP packet from 115.132.210.56:1304 (Malaysia) to (my internet ip):26568

Along with that, I've noticed at various times connections in my router's internet sessions list from my LAN IP to IPs in Asia. Is my router compromised or has some sort of undetectable keylogger/virus simply spread to every machine on my network?

Edited by hamluis, 05 September 2010 - 04:26 PM.
Removed HJT log per request ~ Hamluis.


#2 HDane82


Posted 04 September 2010 - 11:44 AM

My TCPView file.


#3 HDane82


Posted 04 September 2010 - 01:08 PM

I found tmvsthfss.bin and tmvsthfud.bin in my drivers/etc folder. They update every minute.

Google tells me that it belongs to Trojan_Qhost, but running the removal tool from Symantec doesn't find it. What else?

#4 Grinler

    Lawrence Abrams, Admin


Posted 06 September 2010 - 08:31 PM

If you delete those two files, do they come back on reboot?

Found this:

http://threatinfo.trendmicro.com/vinfo/vir...OIV&VSect=T

This worm monitors the following processes to steal sensitive information, such as user names and passwords, related to certain online games.


Sounds like you are infected. You may want to open a topic using the steps here:

http://www.bleepingcomputer.com/forums/topic34773.html

You may also want to scan your computer with other programs such as Malwarebytes, SUPERAntiSpyware, Kaspersky Online Scanner, and ESET Online Scanner to see if they spot anything.
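A check that goes with the Qhost-style infection Grinler points at, written from the defender's side: this is an added example, not code posted in the thread, that parses hosts-file text and reports every hostname redirected somewhere other than loopback, which is the trace a hosts-file hijacker leaves in drivers/etc. The watch list of login domains and the sample hosts content are constructed for the demonstration.

```python
import ipaddress

# Login domains from the thread (assumed watch list; extend it for your own environment).
WATCHED_SUFFIXES = ("google.com", "gmail.com", "battle.net")

# Mapping a name to one of these only blocks it or loops back; it cannot redirect a login.
BENIGN_TARGETS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and junk lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so this is not a valid mapping
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (severity, hostname, target) for each name sent to a real host; "high" if watched."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip in BENIGN_TARGETS:
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        findings.append(("high" if watched else "medium", name, str(ip)))
    return findings


# Constructed sample: a normal header plus injected redirects. 203.0.113.0/24 and
# 192.0.2.0/24 are documentation ranges standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net      # ad-blocking entry, harmless
203.0.113.10    accounts.google.com www.google.com
203.0.113.10    us.battle.net
192.0.2.55      update.example.org
"""

if __name__ == "__main__":
    for severity, name, target in audit_hosts(SAMPLE_HOSTS):
        print(f"{severity.upper():6} {name} -> {target}")
```

On a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit_hosts`; any "high" finding that reappears after you clean it confirms the same persistence question Grinler asks about the two .bin files.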
