Account information compromised, possible keylogger

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by solon, Nov 7, 2009.

  1. solon

    solon Private E-2

    I run an application on my computer regularly that requires me to log in with my account name/password :cry ... Somehow this information was compromised, and I believe I have a keylogger or something, because I recently changed my password and account name but still got compromised.

    Here is what my logs show. I noticed my PC has been a little slower as well for the past 2-3 weeks. Any information will help.

    If there is anything else I need to post, let me know. Thank you.
     

    Attached Files:

  2. solon

    solon Private E-2

    more logs
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am reviewing your logs and will get back to you.

    Do you know what this is:
    C:\CPS3

    The application that you run, I am assuming it is a web based app. that you need to log into? If so, did you use a different computer to change both username and password?
     
  4. solon

    solon Private E-2

    CPS3 is the Capcom PlayStation emulator; it is empty, nothing in the folder.

    Yes, it is an application that requires being online. No, I didn't switch computers to change the password/login info :(

    But I did follow http://forums.majorgeeks.com/showthread.php?t=35407 (malware removal guide) prior to changing it and came up clean.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is an item in your logs that I need to do some research on, so hang in there.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have a new form of a nasty MBR virus. I would first suggest that you backup all your personal data and files.

    If this PC needs to be secure, why is uTorrent running on it? The below are also contrary to having a secure PC:
    LimeWire 5.2.13
    Shareaza 2.4.0.0
    World of Warcraft
    plus other games especially online ones.

    These appear to be related to some phone software you have installed, but could you elaborate as to their usage:
    O4 - HKLM\..\Run: [Fonawy] C:\Program Files\Fonawy Standard\Fonawy
    O4 - HKCU\..\Run: [acc] C:\PROGRA~1\acc\acc.exe
    O8 - Extra context menu item: >>> DIAL <<< - file://C:\WINDOWS\numb.htm
    O23 - Service: Remote Procedure Call (TPM) (RPCT) - Unknown owner - C:\Program Files\Common Files\System\qmgr.exe

    And are these services being used or necessary:
    O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

    I am also going to suggest that you download the free version of Prevx 3, disable your AV program, and install and run this. If it makes a log, attach that along with the new ComboFix log. If this doesn't remove the infection, then we will need to do the below. But before we do that, attach the Prevx log and the new ComboFix log so we can see if we still need to run fixmbr.

    You will need to boot to the Recovery Console (perhaps when you installed ComboFix) to remove this infection.

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    Then boot back into normal mode.

    Now download and run the latest version of ComboFix.
     
    Last edited: Nov 11, 2009
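The O23 entry called out in the post above is the kind of thing worth checking mechanically: qmgr.exe is the name of the genuine Windows BITS module, which lives in %SystemRoot%\system32, while the flagged service runs a file of that name out of C:\Program Files\Common Files\System with no identifiable owner. The script below is an added example (not code from the thread, from MajorGeeks or from HijackThis) that parses HijackThis-style O4/O23 lines and flags a binary that borrows a system component's name but runs from the wrong directory. The list of system binaries, the expected system32 path, and the one benign control line at the end of the sample are assumptions constructed for illustration; the other sample lines are the ones quoted in the post.

```python
"""Triage HijackThis-style O4/O23 lines for masquerading system binaries.

Added example, not code from the thread or from HijackThis. The binary list,
the expected system32 location and the benign control line are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the O4/O23 entries quoted in the post, plus one benign
# control line (the svchost entry) that is NOT from the thread.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [Fonawy] C:\Program Files\Fonawy Standard\Fonawy
O4 - HKCU\..\Run: [acc] C:\PROGRA~1\acc\acc.exe
O23 - Service: Remote Procedure Call (TPM) (RPCT) - Unknown owner - C:\Program Files\Common Files\System\qmgr.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
""".strip("\n")

# Assumed: names of genuine Windows service binaries that belong in system32.
# qmgr.exe is the real BITS module; a copy anywhere else is suspect.
SYSTEM32_BINARIES = {
    "qmgr.exe", "svchost.exe", "services.exe", "lsass.exe",
    "winlogon.exe", "spoolsv.exe", "csrss.exe", "smss.exe",
}
WINDOWS_DIR = PureWindowsPath(r"C:\WINDOWS")          # assumed XP-era layout
SYSTEM32 = WINDOWS_DIR / "system32"

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def _under(path, root):
    """True if `path` lies inside `root`, compared case-insensitively."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r


def parse_line(line):
    """Return (kind, label, owner, image_path) or None for lines not triaged."""
    m = O4_RE.match(line)
    if m:
        cmd = m["cmd"].strip().strip('"')
        return ("O4", m["name"], None, PureWindowsPath(cmd))
    m = O23_RE.match(line)
    if m:
        # HijackThis O23 layout: <display name> (<short>) - <owner> - <image>
        display, owner, image = m["rest"].rsplit(" - ", 2)
        return ("O23", display, owner, PureWindowsPath(image.strip()))
    return None


def triage(log_text):
    """Return a list of (line_no, severity, reason) findings."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, label, owner, path = parsed
        if path.name.lower() in SYSTEM32_BINARIES and not _under(path.parent, SYSTEM32):
            # A system binary name running from outside system32: classic masquerade.
            findings.append((n, "high",
                f"{kind} {label!r}: {path.name} is a Windows system binary name "
                f"but runs from {path.parent}"))
        elif kind == "O23" and owner == "Unknown owner" and not _under(path, WINDOWS_DIR):
            # Unidentified service owner outside the Windows tree: worth a look.
            findings.append((n, "medium",
                f"O23 {label!r}: unknown owner, image outside {WINDOWS_DIR}"))
    return findings


if __name__ == "__main__":
    for line_no, severity, reason in triage(SAMPLE_LINES):
        print(f"line {line_no} [{severity}] {reason}")
```

Run against the sample, only the RPCT/qmgr.exe entry is reported; the SupportSoft service has a named owner and a plausible path, and the control svchost entry runs from system32. The check is a triage aid, not a verdict: confirm by checking the file's digital signature and hash on the machine before acting on it.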
  7. solon

    solon Private E-2

    Okay, I ran Prevx 3 and it found nothing, so I booted into the Recovery Console and ran fixmbr, then rebooted in normal mode and ran ComboFix.

    Then, when I was browsing the internet, Prevx 3 found some malware on my PC that my old AV won't even detect. It's in my logs. What do you recommend as a good AV to remove this?

    Here is the log...
     

    Attached Files:

  8. solon

    solon Private E-2

    And the Prevx 3 log; I had to zip it because it was too large.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only thing I see that Prevx found was in your WOW files. Please re-run ComboFix and also run the C:\MGtools\GetLogs.bat and attach both logs.
     
