Stolen Password

Hello. Somebody stole my account number and password to my brokerage account and then placed some unauthorized trades :eek. I could have lost a substantial amount of money. In an effort to learn more about internet secuirty, I stated perusing the internet. I found out that Spy Doctor 5.5. was highly recommend by some and so I ran the trial version. When I said fix the problems, it said pay $30. I decided to see what else was out there and ended up running some free stuff: Spybot, Ad Aware and Windows Defender. After running these and fixing the problems they found, I reran Spy Doctor. Much to my disappointment, it still found high risk trojans. I have had McAfee running for almost a year and the stolen password probably took place just recently, as the fraudulent account activity occured last week. Where should I go from here??? Any help would be greatly appreciated. Thanks.

 

Thank you for your reply.

I attached the Spwyare Doctor results in a Word file. How serious are these infections?

After reading the links towards the bottom of your post, particularly the first one, I don't know that I would have peace of mind unless I had a professional come to my home and assist me in reformatting and reinstalling my computer. I am not tech savvy and very regularly access personal bank, brokerage and retirement accounts on my computer.

My plan this morning is to again call each financial institution and see if there has been any fraudulant activity. For those that have not been hacked, is it safe to just change my passwords via the public library? If not hacked would you still recommend that I have the insitutions change my account numbers?

If a reformat and reinstall is best, whom would you recommend I call, and what type of service and cost should I expect?

Thank you again for your help.

 

Hello again Chaslang,

I decided to clean my computer and not reformat/reinstall. I am on the step that say to be sure that MSConfig is not being used to control Startups. How do I determine this?

You asked: Did your PC come with a factory restore type option (either a disk or a built-in partition)?
I do not know how to determine this either.

FYI - when I checked the 'bad' programs list I found three and removed them:
Viewpoint Manager (Remove Only)
Viewpoint Toolbar
Weather Services

Thanks,
Jeff

 

I tried to run the CCleaner a few times and the process would never complete. I clicked on the link for the download and then hit "run". I let it run for up to 45 minutes (and I have a cable modem ) and it just kept running. The header said:
"Verifying CCsetup2007_slim.exe from files6.MajorGeeks.com"
Even though it would say that the estimated time left was 1 sec left it would run for dozen(s) of minutes thereafter.
Does it make a difference if I save the program to my computer, then double click on it from there to run it?

Thank you.

 

O.K. I got to the part where I need to download some tools. I tried to download the first one, SUPERantispware, and it looked like it was going to be a very quick download. When I clicked on it to begin, the download quickly counted down the seconds remaining until it got to the last second. Then the process seemed to just stop; it stopped with one second left; and nothing else would happen. It wouldn't finish. What would cause this? What do I do?

 

Not sure what created the problem I described on my last post, but I have since tried again and everything worked. I understand now that I need to download, install and then run. Thanks for clarifying that. I was able to do that with CCleaner and then also with SUPERSpyware, which is the last step I have taken. I have attached the SAS log for review. Waiting for your reply before I go on to the next steps. Thanks so much for your help.

 

For ComboFix, the instrucions say to "shutdown/stop all of your protection software to the best of your ability". I have McAfee and wasn't sure what I needed to do, so I didn't do anything and just tried to run ComboFix to see if it would work. I immediately received an alarming message from McAfee that a trojan was just installed, or something to that nature. I responded by chosing the option that says to remove the Trojan, it said it could not be removed. I then began to look at McAfee in more detail to try to determine what "shutdown/stop" might mean. One screen listed three different areas of protection like this:
1) Computer & Files
Protected
2) Internet & Network
Protected
3) E-mail & IM
Protected
There are various protections under each that I can disable through reconfiguring them. To my knowledge these protections are my main safegaurds against major problems. Am I to disable all services under each of the three areas while my computer is still connected to the internet? Since this seems dangerous, I wanted to double check with you that this is what I should actually be doing before running ComboFix.
Also, Spybot gave me an alarming message as well. Unfortunatley, I accidentally closed that window before I could get any details.
The alarming messages from McAfee and Spybot S&D both came immediately after I tried to run Combo-Fix, so am I safe in assuming that whatever these programs found is actually harmless and whatever "Trojan" that is now on my computer, according to McAfee, does not need any attention?
Thanks for your help.

 

I attached the SuperAntiSpyware log in a previous post, so with this post's attachments, I believe I have attached all required logs.

Looking forward to hearing from you about the number and nature of problems on my computer. Was a backdoor used?

You found a trojan in my SuperAntiSpyware log and provided a couple links so I could get additional information (thanks). The trojan was password stealing, but was categorized as low risk. How could a password stealing trojan be low risk? Hoping this can be successfully removed, and that if you don't find any others you would consider my situation to be low threat (not too vulnerable to having additional passwords stolen).

Thanks for all your help!

 

Chaslang....I've been very busy!

I removed J2SE Runtime Environment 5.0 Update 6.

I ran, rebooted and ran again Norton Removal Tool (SymNRT).

I do not recall installing / setting up these items...

O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O24 - Desktop Component 0: (no name) - http://www.usna.usda.gov/graphics/us...ne/zones77.jpg

I probably don't need them and would like to get rid of them.


I double-clicked C:\MGtools\analyse.exe and expected to see scan options so I could do a system scan only, but it never presented scan options. If I remember right, it didn't the first time I ran this tool. Also, when it finished running, it just let me know that it was finished and that it created a zip file. I was expecting a long list of lines to select from which would include those you referenced below:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Search - ?p=ZS

What did I do wrong?

I stopped following instructions here as I figured that additonal steps are probably supposed to be done only as each current step is successfully completed.

I did get the following message via a window popup while MGtools was running...

C:\WINDOWS\system32/cmd.exe
C:\PROGRA~\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed Dll initialization. Chosse 'Close' to terminate the application.

It gave me Close and Ignore as options. I clicked Close. The message popped up almost immediately thereafter. I clicked Ignore the second time.

Question unrelated to this particular post: I have read that you can get virus', malware, etc. on your computer by opening emails. Does this mean opening attachments to emails or just by merely opening the email itself? It the later is true: When you have a split pane email screen and you click on an email once in the pane that lists emails so that it is viewable in the other pane, but you don't double click on the email, which would enlarge it in the viewing pane, does that constitue opening the email?

Finally, was I supposed to send a log from SpyBot - Search & Destroy?

Thank you.

 

I added these to the HijackThis fix

O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O24 - Desktop Component 0: (no name) - http://www.usna.usda.gov/graphics/us...ne/zones77.jpg

Hopefully the Service was fixed.

The solution to the MGTools error I posted previously said that sometimes if you just select "ignore" that things will run o.k. This seemed to have been the case.

I followed all the steps under combo fix to the point of putting the notepad file on Combo-Fix.exe and was prompted to run Combo-Fix, so I did. You said to "follow the prompts", but I did not receive any prompts that asked me to do anything after running. Did I do something wrong, again. Towards the end of the combofix run, or just after finishing, I received a Windows message saying that it could not open the file: pv.cfexe and that to open it, it needed to know what program created it. At about the same time I also received a messagee from McAfee saying it was trying to block something. I was going to put Allow, but first wanted to write down the exact message thinking that it may be useful in determing why I received the message above. After I went to get some paper to write it down, the message was gone! Do I need to do something differently and redo this whole step?
I tried to close the window that said it cannot open the file: pv.cfexeit and it just kept popping up. I ended up outmuscling it, clicking on it a good twenty times over about 20 minutes. It finally gave up...:strong

I attached the combofix log thinking it may be helpful for you to decide if I need to redo this step.

Sorry to be pushing your patience Chaslang, remember it is not intentional!