Spyware hunting

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by suetoo, Apr 2, 2009.

  1. suetoo

    suetoo Private E-2

    Hi

    I think someone has had access to my email accounts and possibly other things on my computer, so I am hunting for spyware. The guy I think was in my accounts is an expert in computer "security" so if there is something then it's probably very well hidden and quite likely undetectable by standard software, though I am not qualified to judge.

    I was unable to manually update AdAware. When I clicked on 'import definitions', only folders showed, no files. Nor did pasting the REF file into the appropriate Program Files folder help. In case there is a keylogger or somesuch, I don't want to go online, as that will presumably send logs of my offline activities to whoever put it on.

    When I tried installing Dr Web on the possibly infected machine it was unable to open dwebio32.dll, though there were no problems running the program on my friend's computer.

    In an internet cafe the scanner found cm0.com on my usb drive, which can apparently be a rootkit. Not sure if that's significant.

    Ad-Aware (with old definitions) found Win32.worm.vb in the registry for Int Explorer - HKU:S-1-5-21-19356..... - and a load of cookies.

    Rootkit Unhooker found kernel32.dll, advapi32.dll, user32.dll, ntd.dll, shell32.dll (hundreds of each) and ntkrnlpa.exe under 'Code hooks', but I don't know how significant they are.

    Avira AV found TR/Proxy.Agent.atf.1 trojan in my system restore files.

    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Have you changed all of your passwords for everything including all user accounts on this computer? If not, you need to change them now. Make sure you change every password for things you access online, and it would be best if you changed them from another computer.

    It is not a good idea to use a USB drive in an internet cafe and then take it to your own PC. The PCs at those places are unlikely to have proper protection and could potentially have all kinds of malware.

    Ad-Aware is ineffective. You need better tools. Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once
     
  3. suetoo

    suetoo Private E-2

    I'm afraid I couldn't wait any longer as I am going away tomorrow, so I took it into a shop today to get it reformatted and XP re-installed.

    Please confirm that that will get rid of any malware. (I have scanned my external hard drive and USB with AVG, Avira, Ad-Aware and ESET, and will run SAS later.)

    I have changed all online passwords and security questions (some of them several times) from a different computer. I will use a different login password when I get my computer back.

    However, some suspicious behaviour is still being exhibited by my gmail accounts. I have already posted on the gmail forum but have not had a response on whether there may be innocent explanations. It may not be appropriate for this forum but perhaps you can advise on the following, since nobody else will.

    1. One time I was using gmail chat (in IE) and the person I was chatting with mentioned our concerns about the person who I suspect of getting into my account. Not wanting her to say any more about him in case he could read it, I quickly closed the chat window and logged out. I also logged out of my other gmail account which was open in Firefox. When I logged back in about 5-10 minutes later, the acct in Firefox opened directly onto the Acct Settings page, which I had not used that day. The other acct, which I had been chatting in, opened straight to the saved chat message about that guy. Again, I had not even been on that page before I logged out.

    The suspected attacker, who has a reputation for being an expert hacker, was on the same wireless network as me at that time. I noticed HDbg9c.ocx running briefly in system processes that day (I think before this incident). I couldn't find it with a Google search, but I know 9c.ocx can be related to Flash Player, old versions of which (like the one I was using at the time) made you vulnerable to hijacking.

    2. Several times the following has happened: I change my password, and save the changes. I switch to another browser and do unrelated work. The first browser suddenly becomes active (i.e. comes to the front of all the other windows) and the page reloads. Sometimes it has said, just for a few seconds, at the bottom of the page that one other user was logged onto the account, but at the same IP address. This has happened even after changing the password (and security question) on a 'clean' computer (a friend's, or in a cafe). This did not happen to my friend's account when she changed her password on the same machine, in the same browser.

    3. There were a few other occasions where the display was unusual:
    (a) The 'Invisible' option disappeared from chat for at least a few days around the time I think I was initially attacked.
    (b) For a few days there was a blank space around the size and shape of a name+status line in the list of contacts, just below my name and status. Nothing happened if I clicked on it.
    (c) Once when I was chatting, I minimised the chat window, but then it popped up again. This was repeated a few times before stabilising. The only other time I've noticed this behaviour was when sharing another account with someone else: when one user minimised the window, that minimised it on the other user's account too.

    4. Today, I was suddenly logged out of a gmail account (while using Firefox), just after I clicked on the link to this post in fact. I logged back in. No other users were reported to be online or showed up in the account history. I suppose I may have accidentally clicked on 'sign out' when I was clicking on this tab as they were very close, but I don't think so. What concerns me is that this is an account that I set up a few days ago in response to problems with the other accounts, specifically so I could use it to send confidential mail. I have never used it on my suspect laptop, only my apparently clean friend's.

    At no time have I seen anyone online from a different ISP, or noticed in the record that my account had been accessed at a time when I was sure I was not in it myself. I have signed out other users. There are no unrequested filters or forwarding. Therefore, it seems that either someone has found a way of getting sustained access to my accounts (and possibly other information) without it showing up in the records, and without it being affected by changes of security info; or else everything has a perfectly innocent explanation (which nobody has been able to provide as yet).

    Due to the sensitive nature of my work, it is extremely important for me to know whether my accounts/machine were compromised, to what extent, and whether they are still vulnerable (e.g. if they could have set up some kind of backdoor in my accounts to gain continued access). Even better would be to get some evidence that this is going on, though I imagine that would be very hard. I really appreciate any help you can give me in this regard.

    Thanks a lot.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you already are working your problems at the below forum, this thread will be closed. You should not be cross posting in multiple forums. There are not enough resources on the internet performing free services like this and posting in multiple forums results in wasted efforts;

    http://forums.spybot.info/archive/index.php/t-47259.html
     
  5. suetoo

    suetoo Private E-2

    If you read the other post, you will see that nobody replied to those specific questions about gmail. I have been trying to get answers to this urgent issue for about 10 days, and have waited for one forum's response before posting on another (or if there was no response for 3 days, I posted elsewhere as I thought they were not going to reply). I only re-posted questions that were unresolved or completely unanswered on previous forums.

    I appreciate that you are busy, but I think I have been pretty careful not to waste volunteers' efforts.

    And I still have no answers...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note it does take a number of days to get answers. Example, it took 3.5 days for me to get back to you. That is how busy we and many other forums are.

    Does it matter now, since you have taken your PC in to get reinstalled?

    If you suspect your gmail account has been hacked, create a new account with new passwords. That is the most secure solution. You could attempt using a different PC to simply change gmail passwords first if you don't want to create a new account.

    In reality if you really suspect that you had a keylogger problem, you should really be changing every password that you have.
     
  7. suetoo

    suetoo Private E-2

    Thanks for your reply.

    I have changed every online password at least a few times, including to my secondary email accounts.

    Closing those accounts would be an enormous hassle as they hold emails from the last few years which I still need to access from time to time; plus I don't know that the suspected attacker couldn't easily get into any new ones I set up.

    I'm afraid this stuff does matter even after re-installing XP. I can't go into details, but I suspect a particular individual of doing this. He has recently been hired to do IT work at our organisation, which may give him access to extremely sensitive data. If his loyalties lie elsewhere, we need to know that asap so that we can take appropriate steps. Nobody so far has been able or willing to give me their best estimate as to the most likely explanation for certain events; nor for how likely it is that he will be able to get continued access to my/our data.

    The most suspicious event, to me at least, is my gmail account opening, directly after logging on, into a saved chat about the guy I suspect, when he was on the network at the time. I had never even been into that saved chat before; and besides, I've never known of gmail opening onto anything other than the inbox. Is this good evidence of intrusion, or is it explicable some other way? (See my earlier posts for other strange account activity.)

    Regarding continued access, nobody has told me if it's possible for a very proficient IT person to set up some kind of backdoor to a gmail account which resists changes to passwords, security questions, secondary emails and reformatting the hard drive. I suppose you wouldn't want to say how on a forum like this, but maybe you can at least say if it's possible.

    I can't even find out which accounts have requested mail from a given account (I don't mean forwarding or filtering, I mean using the 'fetch mail' or 'Get mail from other accounts' facility). Surely if someone had access once, they could set mails to be forwarded to their account, delete the 'permission' email from my account, and I would be none the wiser.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are reinstalling your PC, you should not be having any hacker problems. Since you never completed our cleaning instructions, I cannot comment on whether you even had any malware problems. If you ever use any other PCs to log into your accounts, you need to realize that those other PCs could also be a source of your problem.

    Sounds like your company needs to address this. It is not an issue we can help you with in the Malware Forum. All I can tell you is that if a PC is properly reinstalled and properly protected, you will not have remaining problems due to any previous hacking. If however other PCs have been compromised and other passwords have been stolen and people are not changing their PCs to new more secure passwords... well then the problem is due to lack of security knowledge by the users of the PCs.

    I cannot help you with this. As stated, a properly reinstalled PC will not have problems. You need to secure all PCs and all passwords. We cannot do this for you, and no malware scanning will help fix already stolen information. If you are having problems or suspect security issues with gmail, you need to speak to Google.

    You should be completing the instructions in the below on your newly installed PC, and it should have an antivirus, antispyware, and real firewall installed before it is ever connected to a live network.

    How to Protect yourself from malware!
     