
Possible Keylogger

8 replies to this topic

#1 Nacire

Nacire

  • Members
  • 22 posts
  • Location:Louisville, Ky

Posted 07 May 2011 - 09:22 PM

Hi there, and let me start off by saying thanks for any possible help you may lend. I believe I have been infected with a keylogger. About two weeks ago my email account as well as an online gaming account were both hacked. I quickly booted to safe mode and scanned with Microsoft Security Essentials as well as Malwarebytes. Both came back clean, so I assumed all was well.

Two days ago I had a repeat performance. I've been going through all of the processes currently running, and I'm just not finding much at the moment. I know you guys are far more educated about this type of attack than I am, so I'm just searching for a little help. Thanks so much!

Edited by Orange Blossom, 07 May 2011 - 10:18 PM.
Moved to AII from Windows 7. ~ OB



#2 Computerproblem101

Computerproblem101

  • Members
  • 140 posts

Posted 07 May 2011 - 09:30 PM

Http://www.superantispyware.com


Update it and run a FULL scan. Remove anything found, and let me know how the PC is running.

#3 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky

Posted 07 May 2011 - 10:07 PM

Hey, thanks for replying quickly. I had already stumbled across the hacked forum (sorry if I posted in the wrong place), and I actually grabbed SuperAntiSpyware and started a quick scan. I'll run a full scan as soon as it's done. Should I have any programs open, such as my online game that was hacked, while I run it?

Also, my PC never ran badly. It's just that my email was hacked and my passwords were changed, and then my gaming account was hacked. So I'm not sure what type of answer you want by asking "how the PC is running".

Thanks again!

#4 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky

Posted 07 May 2011 - 10:10 PM

Also, I have the IP address of the person(s) who accessed my email. Here is the log from the quick scan. Starting the FULL scan now!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2011 at 11:07 PM

Application Version : 4.52.1000

Core Rules Database Version : 7012
Trace Rules Database Version: 4824

Scan type : Quick Scan
Total Scan Time : 00:36:26

Memory items scanned : 916
Memory threats detected : 0
Registry items scanned : 2943
Registry threats detected : 0
File items scanned : 36862
File threats detected : 3

Adware.Tracking Cookie
C:\Users\Forrest\AppData\Roaming\Microsoft\Windows\Cookies\forrest@adserver.adtechus[2].txt
C:\Users\Forrest\AppData\Roaming\Microsoft\Windows\Cookies\forrest@content.yieldmanager[1].txt
C:\Users\Forrest\AppData\Roaming\Microsoft\Windows\Cookies\forrest@imrworldwide[2].txt

#5 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky

Posted 07 May 2011 - 11:08 PM

Okay, after performing a FULL scan the software found no harmful files or software.

#6 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky

Posted 08 May 2011 - 12:21 AM

To add, I'm using Windows 7 Ultimate 64-bit with Service Pack 1.

#7 ranget

ranget

  • Members
  • 250 posts
  • Gender:Male

Posted 08 May 2011 - 12:46 AM

I suggest using Hitman Pro x64. Do a scan and get back with the results.

As for now, you can use the free KeyScrambler extension.

A big thanks to Didier Stevens.

Sorry for not being around.



#8 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky

Posted 08 May 2011 - 01:34 AM

So I downloaded Hitman Pro 3.5 x64 and ran a one-time scan, and once it started posting the results to upload to the scan cloud, all the uploads failed. About halfway through failing to upload the files, it said it was done and that it had found 4 instances of malicious software, and advised me to click Next to remove them. The list was mainly tracking cookies and some .exe files for games I have installed. I exported the resulting log to an XML file, but other than that I don't see much in terms of results.

I took a quick glance at the XML file, but can't make much of it myself.

#9 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky

Posted 10 May 2011 - 12:12 AM

I still don't know if I've cleared up my problem yet. I used the command prompt to run netstat -anb, and it returned some odd numbers. Is it normal for so many things to use the 60K port range?

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -anb

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:7511 0.0.0.0:0 LISTENING
[raysat_3dsmax2010_32server.exe]
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
[wininit.exe]
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
eventlog
[svchost.exe]
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
Schedule
[svchost.exe]
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
[lsass.exe]
TCP 0.0.0.0:49165 0.0.0.0:0 LISTENING
[services.exe]
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
[mDNSResponder.exe]
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:27015 127.0.0.1:49187 ESTABLISHED
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:49187 127.0.0.1:27015 ESTABLISHED
[iTunesHelper.exe]
TCP 127.0.0.1:49336 0.0.0.0:0 LISTENING
[CurseClient.exe]
TCP 127.0.0.1:61327 127.0.0.1:61328 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:61328 127.0.0.1:61327 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:61329 127.0.0.1:61330 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:61330 127.0.0.1:61329 ESTABLISHED
[firefox.exe]
TCP 192.168.1.103:139 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 192.168.1.103:64469 66.220.145.44:80 ESTABLISHED
[firefox.exe]
TCP 192.168.1.103:64707 12.129.206.130:1119 ESTABLISHED
[WoW.exe]
TCP 192.168.1.103:64709 206.18.148.159:3724 ESTABLISHED
[WoW.exe]
TCP 192.168.1.103:64710 206.18.148.161:3724 ESTABLISHED
[WoW.exe]
TCP 192.168.1.103:64822 208.43.87.2:80 TIME_WAIT
TCP 192.168.1.103:64823 208.43.87.2:80 TIME_WAIT
TCP 192.168.1.103:64825 208.43.87.2:80 TIME_WAIT
TCP [::]:135 [::]:0 LISTENING
RpcSs
[svchost.exe]
TCP [::]:445 [::]:0 LISTENING
Can not obtain ownership information
TCP [::]:2869 [::]:0 LISTENING
Can not obtain ownership information
TCP [::]:5357 [::]:0 LISTENING
Can not obtain ownership information
TCP [::]:7511 [::]:0 LISTENING
[raysat_3dsmax2010_32server.exe]
TCP [::]:49152 [::]:0 LISTENING
[wininit.exe]
TCP [::]:49153 [::]:0 LISTENING
eventlog
[svchost.exe]
TCP [::]:49154 [::]:0 LISTENING
Schedule
[svchost.exe]
TCP [::]:49155 [::]:0 LISTENING
[lsass.exe]
TCP [::]:49165 [::]:0 LISTENING
[services.exe]
UDP 0.0.0.0:3702 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:3702 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:5355 *:*
Dnscache
[svchost.exe]
UDP 0.0.0.0:49645 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:51470 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:51642 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:51900 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:52122 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:57120 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:57120 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:58192 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:59653 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:59655 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:59657 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:59667 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:61811 *:*
[steam.exe]
UDP 0.0.0.0:64148 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:64576 *:*
[mDNSResponder.exe]
UDP 0.0.0.0:65059 *:*
[mDNSResponder.exe]
UDP 127.0.0.1:1900 *:*
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:44301 *:*
[PnkBstrA.exe]
UDP 127.0.0.1:50336 *:*
[WoW.exe]
UDP 127.0.0.1:54683 *:*
[CurseClient.exe]
UDP 127.0.0.1:59312 *:*
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:65197 *:*
[DivXUpdate.exe]
UDP 192.168.1.103:137 *:*
Can not obtain ownership information
UDP 192.168.1.103:138 *:*
Can not obtain ownership information
UDP 192.168.1.103:1900 *:*
SSDPSRV
[svchost.exe]
UDP 192.168.1.103:5353 *:*
[mDNSResponder.exe]
UDP 192.168.1.103:59311 *:*
SSDPSRV
[svchost.exe]
UDP [::]:3702 *:*
FDResPub
[svchost.exe]
UDP [::]:3702 *:*
EventSystem
[svchost.exe]
UDP [::]:3702 *:*
EventSystem
[svchost.exe]
UDP [::]:3702 *:*
EventSystem
[svchost.exe]
UDP [::]:3702 *:*
FDResPub
[svchost.exe]
UDP [::]:3702 *:*
EventSystem
[svchost.exe]
UDP [::]:5355 *:*
Dnscache
[svchost.exe]
UDP [::]:49646 *:*
[mDNSResponder.exe]
UDP [::]:59654 *:*
FDResPub
[svchost.exe]
UDP [::]:59656 *:*
EventSystem
[svchost.exe]
UDP [::]:59658 *:*
EventSystem
[svchost.exe]
UDP [::]:59668 *:*
EventSystem
[svchost.exe]
UDP [::1]:1900 *:*
SSDPSRV
[svchost.exe]
UDP [::1]:5353 *:*
[mDNSResponder.exe]
UDP [::1]:59310 *:*
SSDPSRV
[svchost.exe]
UDP [fe80::ccbc:7003:4f48:db48%10]:1900 *:*
SSDPSRV
[svchost.exe]
UDP [fe80::ccbc:7003:4f48:db48%10]:59309 *:*
SSDPSRV
[svchost.exe]
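As an added example (not from this thread or its posters), a small Python triage of `netstat -anb` output that answers the "60K port range" question in code: Windows Vista and later hand out client sockets and RPC endpoints from the dynamic range 49152-65535, so a crowd of sockets there is expected, and what deserves a second look is listeners below that range and which process holds connections to non-loopback hosts. `SAMPLE` is an excerpt of the listing posted above with netstat's original column spacing; `DYNAMIC` and the function names are this example's own.

```python
import re
from collections import defaultdict
DYNAMIC = (49152, 65535)  # Vista+/Win7 ephemeral port range (XP used 1025-5000)
SOCKET = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$')

def split_addr(addr):  # 'host:port' or '[v6]:port' -> (host, int port | None for '*')
    host, _, port = addr.rpartition(':')
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """netstat -anb prints the owner (service name and/or [exe]) on the lines
    after each socket line, so attach those lines to the preceding socket."""
    entries = []
    for line in text.splitlines():
        m = SOCKET.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            host, port = split_addr(local)
            entries.append(dict(proto=proto, host=host, port=port, foreign=foreign,
                                state=state or '', owner=[]))
        elif entries and line.strip():  # owner line or 'Can not obtain ownership information'
            entries[-1]['owner'].append(line.strip())
    return entries

def triage(entries):
    """Return (sockets in the dynamic range, listeners outside it,
    {owner: non-loopback peers it is ESTABLISHED with})."""
    lo, hi = DYNAMIC
    eph = [e for e in entries if e['port'] is not None and lo <= e['port'] <= hi]
    listeners = {(e['port'], (e['owner'] or ['?'])[-1]) for e in entries
                 if e['state'] == 'LISTENING' and not lo <= e['port'] <= hi}
    peers = defaultdict(set)
    for e in entries:
        fhost = split_addr(e['foreign'])[0]
        if e['state'] == 'ESTABLISHED' and not fhost.startswith(('127.', '[::1]')):
            peers[(e['owner'] or ['?'])[-1]].add(e['foreign'])
    return eph, sorted(listeners), dict(peers)

SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
 [wininit.exe]
  TCP    192.168.1.103:64707    12.129.206.130:1119    ESTABLISHED
 [WoW.exe]
  TCP    192.168.1.103:64822    208.43.87.2:80         TIME_WAIT
  UDP    0.0.0.0:3702           *:*
 [svchost.exe]
"""
```

The flattened single-space listing as pasted in the thread parses the same way, since the regex only needs whitespace between columns.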



