
10+ years of data compromised


dio_85


This is extremely frustrating for me since I'm always extremely careful with my system, yet somehow I got a keylogger/trojan.

The files in my computer are fine; sadly, I can't say the same about my email (Yahoo, Hotmail), PayPal, Facebook and eBay accounts.

Here are the logs, I've scanned my computer in safemode with:

ComboFix, DDS, Malwarebytes Anti-Malware, SmitfraudFix, Spybot Search & Destroy and Avira antivirus (every time I restart I get two messages about two missing .dll files).

I'm still unable to log in to very specific pages; moreover, some pictures appear as broken/don't load. Interestingly enough, PeerBlock shows extremely suspicious network activity while trying to load these pages/broken images (it's always Range: Baltimore Technologies, Source: 192.168.1.2.5543, Destination: 64.18.30.10). So I'm afraid that the keylogger/worm/whatever this is hasn't been completely deleted and my information is being (or is actually still being) redirected to this IP address.

Attachments: Attach.txt, DDS.txt


Oh, I forgot about this info:

I'm running Microsoft Windows 7 Home Premium; my usual browser of choice is Opera. I'm a college art student (and in finals week), so this makes the situation even more frustrating since I can't focus on my finals now. Seems like my files are fine so far; the only thing that's been compromised as of now is all the data I have online.

I also forgot to mention that Malwarebytes Anti-Malware did detect some keyloggers, which I quarantined, but I still have this issue with the broken images/websites and suspicious network activity.


  • Staff

Hi and welcome to Malwarebytes.

At this stage, I would highly suggest backing up your data, formatting your hard drive, and reinstalling Windows.

The problem with these keylogging infections is that they're often accompanied by backdoor trojans which completely compromise your computer for the future, even if we can clean any visible infections.

Here is my standard speech when I see a backdoor:

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying of critical system files, and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you have any questions, please feel free to ask.


I wish I could reinstall my OS immediately (I have an ASUS; do you think the standard factory restore tool will work? Is it possible for this infection to somehow transfer to the factory restore?), but since I'm in finals right now that's not a choice (I have to survive like this for one more week). I will back up my work files as soon as possible though.

I know this person is screwing with my email just to gain more time. I tried to contact eBay and PayPal as soon as I noticed this, but now I'm effectively locked out of my mail (which is funny because I've been changing passwords a lot of times these last two days, yet this person somehow manages to log back into my mail and modify my account info).

So not only is my online data compromised, but my actual computer files might be compromised too? That's extremely scary (again, I'm in finals). I'll start backing up work files after class (is there a chance that this infection can somehow transfer to my external while backing up? I'm a GAD student; most of my files are 3ds Max files, Maya files, pictures, textures, some UDK files, plus music).

I just skimmed through your links real quick and I noticed this entry concerning formatting:

"Install a clean version of your operating system

Anything on that system could have been modified, including the kernel, binaries, data-files, running processes, and memory.

In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network. Merely determining and fixing the vulnerability that was used to initially compromise this machine may not be enough.

We encourage you to restore your system using known clean binaries. In order to put the machine into a known state, you should re-install the operating system using the original distribution media."

What should I do in this situation? Sounds like using a factory restore might not do the trick, should I take my computer to Bestbuy after finals for assistance?

Thanks for the identity fraud link, I'll check it after class, I'm late because I've been trying to deal with this issue all night.


Oh, another small detail: these are the missing .dll messages I get after each restart:

There was a problem starting:

C:\Users\Gin\Roaming\adshck.dll

C:\Users\Gin\Roaming\gnatng.dll

Not that it matters anymore I guess... since I'm doing a clean reinstall of everything.

I still don't understand how this happened; my firewall, PeerBlock and antivirus (Avira) are always updated and running. Any tips to avoid dealing with this issue again? I'm very afraid: if this happened once, chances are that it might happen again since now I'm targeted by this person.


No more feedback concerning possible future infections? I'm only asking because this is the first time a backdoor trojan has somehow made it into my system (even though my antivirus, firewall and PeerBlock are always up), and I fear that this might happen again without me or my antivirus programs noticing.

I can't really think of anything that caused this infection, but there must be something for sure that was most likely my fault. Is there a risk of this backdoor trojan somehow infecting the files I'm backing up? This is also an important question I have, since sometimes we work in teams at college and we have to transfer a lot of files between us.

I really appreciate the assistance provided so far.


  • Staff

Hi,

My apologies for the delay.

Infections generally can't infect the restore partition since there are special permissions set there. If you are only backing up documents, videos, and photos, you should be fine. Your music and school files should also be fine (it's important to note a distinction between backdoor trojans like what you have, and file infectors like Virut which infect individual files).

Once finals are over, I suggest backing up everything and using the recovery partition.


Oh, don't worry about the delay.

I must confess that while I'm good at dealing with some minor issues, backdoor trojans are way out of my expertise. I've never caught an infection since I started using a computer (since 1999)... that's why I'm so worried right now. I seriously can't understand how I got infected by this trojan, and I'm worried that it might happen again.

My last question would be concerning that particular point: maybe the programs I use to protect my computer are no longer doing the job (I'm mainly talking about Avira... PeerBlock is doing an okay job blocking all this suspicious net activity ever since I deleted the trojans... that also means you were right and I'm not totally clean, even though Malwarebytes and other programs don't detect any more infections). Do you have any suggestions in particular?

I'm glad to hear that the restore partition can't be modified, especially since I'm done backing up all of my files and I was wondering if I could somehow infect my external HDD.


  • Staff

Hi dio_85,

I will give you my standard prevention speech below. :) Avira is a good antivirus, but no one program can catch everything.

Your external should be fine. You could always do a full scan with your antivirus (and MBAM) with the external plugged in.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Also please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
