Possible Keylogger, Hijack This Log



FinalXevv
16-08-2011, 03:17 AM
So I've been getting hacked left and right for about a month and no matter how much anti-virus/spyware scanning I run, how many times I change email and password, I always get hacked, so I ran HijackThis and was wondering if anyone can tell me of anything suspicious.

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\ProgramData\TVersity\Media Server\berkelium.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\ProgramData\TVersity\Media Server\web\admin\TVersity.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\Downloads\HijackThis.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2645238
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1694525646-4071683024-747703073-1002\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - Global Startup: LOLRecorder.lnk = C:\Program Files\LOLReplay\LOLRecorder.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TVersity Media Server (TVersityMediaServer) - Unknown owner - C:\ProgramData\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
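Added example, not part of the thread: a small Python triage script for HijackThis-style O4 (autostart) and O23 (service) lines like those in the log above. It flags the entries a responder would verify first (autostarts launched from user-writable folders, services with no publisher name); a flag is a prompt to check the file's origin and signature, not a verdict, since legitimate items such as PunkBuster's PnkBstrA trip it too. The sample lines are a constructed excerpt in the log's format.

```python
import re
# Constructed sample in the HijackThis format of the log above (a handful of its
# entry types, not the whole log), so the parser runs stand-alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Google Update] "C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: LOLRecorder.lnk = C:\Program Files\LOLReplay\LOLRecorder.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: TVersity Media Server (TVersityMediaServer) - Unknown owner - C:\ProgramData\TVersity\Media Server\MediaServer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Heuristic, not a verdict: autostarts in user-writable folders deserve a second look,
# because something dropped by a user-level process (not an installer) usually lands there.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Downloads|Temp)\\", re.IGNORECASE)

def exe_from_command(cmd):
    """Strip the arguments from a Run-key command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_entries(log):
    """Turn O4 (autostart) and O23 (service) lines into dicts; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        if m := RUN_RE.match(line):
            entries.append({"kind": "run", "name": m["name"], "owner": None,
                            "path": exe_from_command(m["cmd"])})
        elif m := STARTUP_RE.match(line):
            entries.append({"kind": "startup", "name": m["name"], "owner": None, "path": m["cmd"]})
        elif m := SERVICE_RE.match(line):
            entries.append({"kind": "service", "name": m["name"], "owner": m["owner"], "path": m["path"]})
    return entries

def triage(log):
    """Map each entry worth checking to the reasons it was flagged (empty dict: nothing flagged)."""
    flagged = {}
    for e in parse_entries(log):
        reasons = []
        if USER_WRITABLE.search(e["path"]):
            reasons.append("runs from a user-writable folder")
        if e["owner"] == "Unknown owner":  # HijackThis prints this when the file names no company
            reasons.append("service has no publisher")
        if reasons:
            flagged[e["name"]] = reasons
    return flagged
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the same kind of shortlist for a real report.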

Speedy Gonzales
16-08-2011, 09:04 AM
Uninstall Spybot. Use Malwarebytes instead. (http://www.malwarebytes.org)

Using uTorrent won't help.

You can tick these in startup. Disable system restore.

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"

O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

Make sure there's only one version of Java installed (the latest). And make sure there's only one version of Flash installed (the latest).

If this is 32-bit, use Trojan Remover (http://www.simplysup.com). Update it, then click on scan. Then select all options under the utils menu.

dugimodo
16-08-2011, 10:22 AM
Speedy's the expert at this stuff so I won't disagree, but I would point out that if you like Spybot you don't need to uninstall it, just disable the SD helper, TeaTimer, etc. It's an OK scanner, but its memory-resident functions are not well regarded and can cause issues.

I've tried scanning with Ad-Aware, Malwarebytes, and Spybot one after the other. Whichever you run first always seems to get rid of all the tracking cookies etc., leaving the others with nothing to find unless you have some actual malicious software. Malwarebytes seems to be the current weapon of choice among the free scanners.

Keyloggers can be difficult to find/remove though. What specifically is being hacked, if you don't mind my asking? Internet account, game login, something more serious? Some things have other security measures you can take.

For example, I use a free authenticator app on my smartphone to secure my Battle.net account. I had the keyring version but I gave it to my flatmate after his account got hacked and Malwarebytes flagged up a bunch of dodgy stuff. He's been fine since using the authenticator.

pctek
16-08-2011, 11:06 AM
Speedy's the expert at this stuff so I won't disagree, but I would point out that if you like Spybot you don't need to uninstall it, just disable the SD helper, TeaTimer, etc.


Well, I will disagree.
Don't run the resident stuff, sure, but not use it? No, I always run at least 2 antispywares, Spybot being one of them.

It works.

Agent_24
16-08-2011, 01:42 PM
Spybot is quite useful in my opinion... and you get some preventative protection without having to pay for it like Malwarebytes.

Using uTorrent (or any bittorrent client) is not a problem unless you download something with a virus in it. By itself uTorrent will not give you a virus.

Remember bittorrent is just a method of distributing data and can be used for perfectly legitimate software distribution.


To FinalXevv: I would scan the PC with something like the BitDefender Rescue CD, which ensures no virus is active during scanning. Most good keyloggers will come with rootkits, and these can be very difficult to detect while Windows is booted, hence an 'offline' scan with something else is a good idea.