Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Potential Keylogger Infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 Corey1690

Corey1690

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 14 July 2014 - 04:09 PM

I've been having issues for some time with people periodically attempting to enter my hotmail and google accounts. As of today, they managed to access my google/youtube account but were stopped because of their location and device.


I've done many scans with Malwarebytes, JRT, ESET, Roguekiller, Kaspersky's Rootkit killer, etc. All of them have pulled everything up as clean for the most part. However, when I run HijackThis, I get a message: "For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, Hijackthis may NOT be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run, and type: Notepad: C:\Windows\system32\drivers\etc\hosts and press Enter" etc.  It's worth noting that when this pops up, there is red lettering on the Hijack this program that reads "01- Hosts file redirection".

When I do pull up my hosts file manually, it comes up entirely in french with some example domains.

 

What I'm wondering is if anybody could take a look at my logs and tell me whether or not this is the culprit to my break in this morning.

PS: researching has told me that running HijackThis as admin is the problem, however when I got run as admin, the option simply isn't there.

Attached Files


Edited by Corey1690, 14 July 2014 - 04:16 PM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:27 AM

Posted 19 July 2014 - 08:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your Hosts file was compromised and must be reset back to the default.
How To:
http://support.microsoft.com/kb/972034

Use the Fix it button on the page.
===


Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Let me know what problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:27 AM

Posted 24 July 2014 - 07:26 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users