I'm afraid I've been key logged. Need some help please, ty!


12 replies to this topic

#1 w1rex

Posted 01 August 2013 - 09:17 PM

Over the past week I've been suspecting that someone else has access to my computer or accounts. I run a private enterprise business where I share personal information such as logins and passwords between my clients and myself, and between myself and my employees.

There have been 2 cases of unauthorized logins on two clients' accounts from someone other than myself or my employees. I'd like to run some scans to see if I can clean out anything that I may have downloaded.

Please post the necessary steps below and I'll follow them to the letter.





#2 GodfatherKing

Posted 02 August 2013 - 02:48 AM

Welcome.

Step 1: Install and run MBAM

Step 2: Run TDSSKiller to obtain a log

 

Note: Don't cure or delete a threat, but choose skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


  • In the Additional options: Check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run


  • Choose Skip for all threats found.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================

 

Step 3: ESET Online Scanner

==================

Note: If your AV is blocking Eset online scanner, please temporarily disable your AV.

 

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and » UNCHECK "Remove found threats" <== Important
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
  • Click the Back button.
  • Click the Finish button.

===================================================


If you have received help from me and I have not responded to you for 3 days or more, send me a Private Message.


#3 w1rex

Posted 02 August 2013 - 07:54 AM

MalwareBytes Found Nothing
MalwareBytes RootKit Found Nothing
TDSSKiller Found Nothing




ESET Online Scanner Found These:
C:\Users\w1rex\AppData\Local\Temp\DTLite4471-0333.exe Win32/OpenCandy
C:\Users\w1rex\AppData\Local\Temp\InstallMonetizer.exe Win32/DownWare.G
C:\Users\w1rex\AppData\Local\Temp\natmsisnpj\kmwzllcx.exe a variant of Win32/BitCoinMiner.AB
C:\Users\w1rex\AppData\Local\Temp\oasdmmwljwfhlty\kuqhszzrsj.exe a variant of Win32/BitCoinMiner.AB
C:\Users\w1rex\Downloads\skypelogview.zip a variant of Win32/SkypeLogView.A
C:\Users\w1rex\Downloads\VVUT8WgAs8.zip Win32/GameHack.IE


The last entry is the keygen for my Adobe Photoshop, so I will be restoring that. But the first 5 entries are definitely unwanted. I did not know (entry #3) that someone had installed a BitCoin miner on my system. I hadn't noticed any performance issues with my PC lately either.

If someone could help explain what the first two entries are, by the way, I have never come across them before. The fifth entry could be the keylogger, so I think my suspicions were correct that someone had indeed compromised my Skype chat logs and retrieved customer data.

I appreciate any help that can be given from this point on to help me out, thank you guys!


Edited by w1rex, 02 August 2013 - 07:58 AM.
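
How a practitioner would read a list like the one in this reply, as an added example that is not part of the post or of ESET's tooling: the script below parses the six lines posted above and applies a hand-written triage heuristic of my own (an assumption, not ESET's rating). Miner detections and executables sitting in a random-looking subdirectory of %TEMP% (the natmsisnpj and oasdmmwljwfhlty folders) get the highest priority, pay-per-install bundlers come next, and archives under Downloads are left for the user to decide on. The RANDOM_DIR_RE pattern and the severity labels are my choices.

```python
"""Triage the 'List Threats' lines from an ESET Online Scanner run.

Added example; this is not code from the thread or from ESET. The sample
lines are the six detections quoted in the post above; the triage rules
are a hand-written heuristic (an assumption, not ESET's own risk rating).
"""
import re
from dataclasses import dataclass, field

# Constructed input: the scan results posted in this reply, verbatim.
SAMPLE_LOG = """\
C:\\Users\\w1rex\\AppData\\Local\\Temp\\DTLite4471-0333.exe Win32/OpenCandy
C:\\Users\\w1rex\\AppData\\Local\\Temp\\InstallMonetizer.exe Win32/DownWare.G
C:\\Users\\w1rex\\AppData\\Local\\Temp\\natmsisnpj\\kmwzllcx.exe a variant of Win32/BitCoinMiner.AB
C:\\Users\\w1rex\\AppData\\Local\\Temp\\oasdmmwljwfhlty\\kuqhszzrsj.exe a variant of Win32/BitCoinMiner.AB
C:\\Users\\w1rex\\Downloads\\skypelogview.zip a variant of Win32/SkypeLogView.A
C:\\Users\\w1rex\\Downloads\\VVUT8WgAs8.zip Win32/GameHack.IE
"""

# "<drive>:\path\file.ext [a variant of] Detection/Name"
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?:a variant of\s+)?(?P<name>\S+)$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\(?P<rest>.+)$", re.IGNORECASE)
# Heuristic (my assumption): a folder name that is just 8+ lowercase letters
# is what droppers that create a random working directory in %TEMP% produce.
RANDOM_DIR_RE = re.compile(r"^[a-z]{8,}$")


@dataclass
class Finding:
    path: str
    name: str
    severity: str = "info"
    reasons: list = field(default_factory=list)


def parse_eset_log(text: str) -> list:
    """Turn the pasted 'List Threats' text into Finding objects."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        findings.append(Finding(m["path"], m["name"]))
    return findings


def triage(finding: Finding) -> Finding:
    """Attach reasons and a severity to one finding (heuristic, see above)."""
    name = finding.name.lower()
    path = finding.path
    reasons = []
    if "miner" in name:
        reasons.append("cryptominer: burns CPU and usually arrives via a dropper")
    if "downware" in name or "opencandy" in name:
        reasons.append("bundler/adware installer: check what else it pulled down")
    temp = TEMP_RE.search(path)
    if temp and path.lower().endswith(".exe"):
        parts = temp["rest"].split("\\")
        if len(parts) > 1 and RANDOM_DIR_RE.match(parts[0]):
            reasons.append(f"executable under machine-generated Temp subdirectory {parts[0]!r}")
    if "\\Downloads\\" in path and path.lower().endswith(".zip"):
        reasons.append("archive the user downloaded: decide deliberately whether to keep it")
    if any(r.startswith(("cryptominer", "executable under")) for r in reasons):
        finding.severity = "high"
    elif any(r.startswith("bundler") for r in reasons):
        finding.severity = "medium"
    finding.reasons = reasons
    return finding


def triage_log(text: str) -> list:
    return [triage(f) for f in parse_eset_log(text)]


def severity_counts(text: str) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in triage_log(text):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ["high", "medium", "info"]
    for f in sorted(triage_log(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.name}\n         {f.path}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run it as-is to print the six findings ordered by severity, or feed a saved List Threats export to parse_eset_log for a real run. The two miners sit in folders with names nobody typed, which is the usual trace of a dropper creating its own working directory; the bundler in the same Temp folder is the first place to look for how they got there.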


#4 GodfatherKing

Posted 02 August 2013 - 11:34 AM

For OpenCandy:

 

http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FOpenCandy#tab=2

 

For DownWare.G

 

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=3581317#none




#5 w1rex

Posted 02 August 2013 - 01:31 PM

Going through with both of those links right now.  Thanks for your help GodfatherKing.



#6 GodfatherKing

Posted 02 August 2013 - 02:22 PM

I normally also give this advice:

Step 1: Keep your computer up to date with Windows Updates, Java, Adobe Reader and Flash Player.

Step 2: Use WOT to check whether sites are safe or not: http://www.mywot.com/

Step 3: A good working (free) antivirus is also important. I personally advise Avast Free or Avira Free; MSE's detection is not so great.

Step 4: Let's check how good your security is:

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.




#7 MzLindyOne

Posted 02 August 2013 - 03:14 PM

w1rex,

 

Apparently this thing is spread via Skype spam.

http://www.zdnet.com/bitcoin-mining-malware-spreads-on-skype-as-price-rises-7000013676/

 

The "InstallMonetizer.exe Win32/DownWare.G" would have been the initial install that downloaded the rest of it.



#8 w1rex

Posted 02 August 2013 - 08:38 PM

 Results of screen317's Security Check version 0.99.60  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 25  
 Java version out of Date! 
 Adobe Flash Player 11.7.700.224  
 Adobe Reader XI  
 Mozilla Firefox (19.0) 
 Google Chrome 28.0.1500.72  
 Google Chrome 28.0.1500.95  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 


#9 GodfatherKing

Posted 03 August 2013 - 01:56 AM

Step 1: Remove the old Java version, then install the new version ==> http://www.java.com

Step 2: UAC is disabled. This means malware can easily install itself without asking permission. I would set it to the highest level, but it's a personal choice of course.

Step 3: Update IE 9.0 to IE 10 (if possible); do it even if you don't use it, because it can be exploited.

The rest is perfect. Happy and safe browsing again.




#10 w1rex

Posted 03 August 2013 - 05:23 AM

Regards, and thank you.

It's just that I interact with clients and employees regularly through Skype, and I'm afraid some of them are less than savory characters. I'll be more cautious when accepting images through Skype from now on.



#11 Harnessmaker

Posted 17 August 2013 - 09:41 AM

/!\  SECURITY CONCERN regarding the DOWNLOAD LINK given for TDSSkiller above:  

Don't know if the problem comes from my computer or if it may be on the page?

 

Ostensibly the link leads to:

http://support.kaspersky.com/downloads/utils/tdsskiller.exe, and now that I'm running on Linux using Opera browser, that is exactly what it does.

 

However, a short time ago, clicking the same link from Windows XP and Internet Explorer (fully patched and running VirginMedia security's Trend Micro) downloaded an unsigned version, lacking the Kaspersky logo and signature, which made me suspicious.

 

To check where the download had actually come from, I right-clicked the link (which appeared to lead to http://support.kaspersky.com/downloads/utils/tdsskiller.exe) to copy the actual link and found it to be six lines long and apparently leading to digitaldriver.com. Pasting the whole link into the address bar of my browser resulted in the site being blocked as unsafe.

 

I'm sorry not to be able to paste the text of the link here, but my two systems are completely separate, although I imagine you could easily replicate what I did to find it.  

 

Is there perhaps an ActiveX control on the page that is overwriting the link? Or is it perhaps malware on my computer that is redirecting the link?

 

Feedback would be welcome, especially as to what other Internet Explorer users find.  Thanks.
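
The check Harnessmaker did by hand (compare what a link shows with where its href really goes), as an added example that is not from the thread, from BleepingComputer or from Kaspersky: the script parses the anchors on a page and flags any whose visible text is a URL on a different host than the href, whose query string carries another URL (the shape of a redirector), or which is implausibly long. The HTML is constructed for the demonstration; redirector.invalid is a made-up host standing in for wherever the masked link pointed, and the 200-character length threshold is my choice.

```python
"""Flag anchors whose visible text does not match where the href really goes.

Added example, not code from the thread or from BleepingComputer. The HTML
below is constructed for the demonstration; `redirector.invalid` is a made-up
host standing in for whatever the masked link actually pointed at.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

KASPERSKY_URL = "http://support.kaspersky.com/downloads/utils/tdsskiller.exe"
# A 220-character junk token so the masked href is "several lines long".
JUNK = "x" * 220
SAMPLE_HTML = f"""
<p>Please download TDSSKiller from
<a href="{KASPERSKY_URL}">{KASPERSKY_URL}</a> (honest link).</p>
<p>Or from <a href="http://redirector.invalid/go?u={KASPERSKY_URL}&t={JUNK}">{KASPERSKY_URL}</a>
(text matches, destination does not).</p>
<p><a href="/forums/">Back to forums</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return text.lower().startswith(("http://", "https://"))


def check_link(href: str, text: str, max_len: int = 200) -> list:
    """Return the reasons a link is suspicious (empty list = nothing found)."""
    problems = []
    real_host = host_of(href)
    # 1. The anchor text is itself a URL, but on another host than the href.
    if looks_like_url(text) and host_of(text) != real_host:
        problems.append(f"text shows {host_of(text)} but href goes to {real_host}")
    # 2. A query parameter carries a full URL: the href is a redirector.
    for key, values in parse_qs(urlsplit(href).query).items():
        for value in values:
            if looks_like_url(value):
                problems.append(f"query parameter {key}= carries another URL ({host_of(value)}): redirector?")
    # 3. Nobody types a 200-character download link; padding hides the host.
    if len(href) > max_len:
        problems.append(f"href is {len(href)} characters long")
    return problems


def audit_links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


def masked_links(html: str) -> list:
    return [entry for entry in audit_links(html) if entry[2]]


if __name__ == "__main__":
    for href, text, problems in audit_links(SAMPLE_HTML):
        status = "SUSPICIOUS" if problems else "ok"
        shown = href if len(href) <= 60 else href[:60] + "..."
        print(f"{status:10} {text or '(no text)'} -> {shown}")
        for p in problems:
            print(f"           - {p}")
```

Feed audit_links the saved HTML of a page to run the same check on a real thread. The link check only tells you where the click goes; whatever it says, verify the file you actually received, which for TDSSKiller means the Kaspersky digital signature the post above noticed was missing (Properties > Digital Signatures on the file, or Get-AuthenticodeSignature in PowerShell).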



#12 w1rex

Posted 18 August 2013 - 02:27 PM

 

 


Thank you for your feedback.  I expect as such from random posters.  So I always search for the program myself instead of clicking links.

If what you say is true, he was indeed trying to mask his real link, a common method for scammers.



#13 w1rex

Posted 18 August 2013 - 02:28 PM

 

 


Thank you for your post.  I expect as such and always search for the download links myself and avoid clicking on links that are presented.

If what you say is indeed true, then the user was masking his link and attempting to phish information from us.


Edited by w1rex, 18 August 2013 - 02:28 PM.




