Hacked? Keylogger? Someone Has Passwords, Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Woodstockmichael, May 30, 2017.

  1. Woodstockmichael

    Woodstockmichael Private E-2

    I am posting this for help in determining how my ex is still in my computer even though I have changed usernames and passwords. She has indicated that someone is "in my computer and can see what I am doing". My life is not that interesting but I want this to stop.

    I have run Norton, Malwarebytes, CCleaner, Anti-adware, and as suggested AdwCleaner without any results. I have followed your forum's suggestion for detection. My concern is that some type of program has been installed that is capturing emails, messages, and other potentially compromising information.

    I am posting AdwCleaner log and HijackThis log is attached. Any other suggestions or actions I can take other than buying a new computer would be appreciated. To start I am posting results for my Windows 10 Home Gateway NE56R41u laptop.

    # AdwCleaner v6.047 - Logfile created 30/05/2017 at 18:54:43
    # Updated on 19/05/2017 by Malwarebytes
    # Database : 2017-05-30.2 [Server]
    # Operating System : Windows 10 Home (X64)
    # Username : Gateway - DESKTOP-Q5OONPC
    # Running from : C:\Users\Gateway\Downloads\AdwCleaner.exe
    # Mode: Clean
    # Support : https://www.malwarebytes.com/support

    ***** [ Services ] *****

    ***** [ Folders ] *****

    ***** [ Files ] *****

    ***** [ DLL ] *****

    ***** [ WMI ] *****

    ***** [ Shortcuts ] *****

    ***** [ Scheduled Tasks ] *****

    ***** [ Registry ] *****

    [-] Key deleted: HKU\S-1-5-21-1937046234-2252510703-2901732972-1001\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    [#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}


    ***** [ Web browsers ] *****

    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C0].txt - [1161 Bytes] - [30/05/2017 18:54:43]
    C:\AdwCleaner\AdwCleaner[S0].txt - [1484 Bytes] - [30/05/2017 18:52:45]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1307 Bytes] ##########

    Now HijackThis results:
     
  2. Woodstockmichael

    Woodstockmichael Private E-2

    Files with results are attached. These reports are for one of two computers I own. Hopefully, this one is clean.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs do not show any problems.
     
  4. Woodstockmichael

    Woodstockmichael Private E-2

    Thanks for the help on the Gateway laptop. I have attached files for my HP laptop for help. Question: will the suggested programs detect keystroke loggers as well?

    Your assistance is greatly appreciated!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    These logs are also not showing any problems.

    Not always. It depends on whether the keylogger is one of the commercial/professional types with rootkit/stealth technology. Many times we do see something out of the ordinary though. But we could dig deeper and try the below which runs from the Win 7 Recovery Console and would more likely show something since the scan is running without Windows loaded. Let's see if this method with FRST will still run.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.


    Plug the flash drive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.


    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also let's try running the below even if the above does not run.

    Please run the below anti-rootkit tool from Malwarebytes.
    • Download Malwarebytes Anti-Rootkit
    • If you happened to get a ZIP file version instead of an EXE file then unzip the contents to a folder in a convenient location.
    • Open the folder where you saved Malwarebytes Anti-Rootkit to. Now run mbar-1.07.0.1009.exe (if running Vista, Win7 or Win 8, right-click and select Run As Administrator).
      • Note: This filename will change as new versions are released, so this is just an example.
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
      • Internet access
      • Windows Update
      • Windows Firewall
    • If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
    • Verify that your system is now functioning normally.
     
  7. Woodstockmichael

    Woodstockmichael Private E-2

    When I try to run frst.exe, I get the following message: The subsystem needed to support the image type is not present.

    I followed the directions as supplied above. Am I doing something incorrectly?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, run the Malwarebytes Anti-Rootkit instructions first. And then run FRST as below from normal boot mode.

    • Double-click FRST.exe to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
     
  9. Woodstockmichael

    Woodstockmichael Private E-2

    Attached are the FRST reports from my Gateway. Malwarebytes Rootkit did not find anything.
     


  10. Woodstockmichael

    Woodstockmichael Private E-2

    Here are the reports from my HP.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also no issues in any of these logs.
     
  12. Woodstockmichael

    Woodstockmichael Private E-2

    The logs say there are no issues, however, she was able to read Messenger messages with others and stated passwords back to me. How is this happening even though I have changed passwords and sign ins? That is why I ask about keystroke loggers because I use long, multiple type character random passwords and don't understand how this is being accomplished by her. Any further ideas are greatly appreciated.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

