Hijacked, passwords changing!

Hi Mike if their is some sort of malware/trojan/keylogger on your PC, then follow the below guide which should clean all of the easier issues and then highlight any other remaining ones,

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • 
    [*]runkeys.txt - the log from GetRunKey.bat
    [*]newfiles.txt - the log from ShowNew.bat
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

We will find out once you have attached the logs, while very possible that a keylogger may hide itself, it still will have an active .exe file, wht firewall do you have installed? if its just th ewindows one it will not alert you to any outgoing programs that require internet access, so get something like ZoneAlarm free ( available from the main downloads section of this site )

If you have a firewall that alerts you to outgoing software then is their any strange applictions in the software list, eg. may have a name like dbjsue.exe * basically random letters/numbers*?

Best thing Mike is to run through the guide and we can go from their.

 

ZoneAlarm is a good software firewall. It can sometimes be a little resource hungry on some PCs but all protection software will slow your PC down somewhat. For some applications like ZoneAlarm the amount it slows you down is a tribute to how effective a job it is doing. The free version of ZoneAlarm is quite good especially when you consider it is free. The Pro version is even better.

As far as Astaro, I believe they make hardware firewall & software security applications to go along with the hardware. These are more meant for business use (small companies) than for a home user. And they can be quite expensive. What is your application (home or business)?

 

I see an application that could be used by a hacker: LogMeIn

Did you install LogMeIn and do you or have you used it? Is it password protected?

What about Keylogger Hunter 2.1? Did you install this?

Let's cleanup a few things!

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [GNP Generic Host Process] C:\RECYCLER\RS-1-5-21-606747145-1085031214-725345543-500\taskmgr.exe

After clicking Fix, exit HJT.
Now empty your Recycle Bin!:
Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now reboot your PC and post a new HJT log.

 

Your log is clean!

As far as a slow PC is concerned:

• Is Ewido a free trial or paid version?
  • If free, uninstall it.
  • If paid, keep it and uninstall Windows Defender.

Did that help?

 

Re: Unsure if I am clean.

Based on the info that we are able to get from you via these logs. Yes we are sue. Are we 100% sure....no! We could only do that if we sat in front of your PC and used specialized tools to capture all packets being received and transmitted from your PC and then performing a decode/analysis on them. Nothing can hide at that level, but we simply cannot do that remotely.

If you are so worried about having a keylogger problem, then repartition, format, and reinstall your OS but that will not address the other PCs that you may use to do stuff. You did say at the beginning that you logged on to a friends PC and that was where your problems began. Perhaps you are cleaning the wrong PCs. You should never logon to any of your own password protect accounts from another persons PC. How do you know what they are running on their PC and how do you know they do not have any malware issues.

You should uninstall it, and observe how the performance of your PC changes. If it is still slow, you could have other non-malware problems causing issues. We see them all the time when antivirus, antispyware, and or firewalls are causing slow downs. If they are temporarily uninstall and the problems go away, you can zero in on which is the problem. If the problems do no go away, then you need to look at what other software is loading and also at potential Operating Systems issues. And yes, then you could also possibly expect super hidden background processes/keylogger issues.

 

All I can say is that it is unlikely but to be totally honest it is not impossible.

Did you uninstall Ewido to see if it made a change in your performance?

 

Uninstall ALL of Norton/Symantec and also uninstall Keylogger Hunter and then attach a new HJT log and a new log from ShowNew. Also with Norton uninstalled, how are things running.

Also run this Using Sophos Anti-Rootkit and attach the log.


If you look in Task Manager under Processes you can usually see which process are using large chunks of your CPU time. Don't make the mistake that many people make......System Idle is not a process. It is your CPU's idle time and this number should normally be very high (97 to 99 while you are not clicking anything or running a scan).

 

Okay! Best wishes to your Uncle!

 

You're welcome.

You should work thru the below link:

How to Protect yourself from malware!