tudorbosnea

I suspect a keylogger


Hi, I suspect I am infected with some kind of keylogger. All my emails and accounts are safe, because I use authenticators and phone, but my Netflix account keeps getting "hacked". Someone changes my password. When I change it to something else, he knows what the password is. He is not resetting it, he just logs in and changes it (because crappy Netflix can't make a layered protection), so I suspect a keylogger. These are the files I was asked to attach after I scanned my PC (attached below).

 

Please help me out.

Addition.txt FRST.txt


Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

 

Please only attach all report files, etc., that I ask for as we go along.

 

Please know I help here as a volunteer, and that I am not on 24 x 7.

Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

 

Q: Do you use very strong passwords? It may be possible that someone is making good guesses on the Netflix account.

More on strong passwords later.

 

The first thing that strikes me is that there are three (3) active, resident antivirus programs. That is a bad practice & it eventually leads to deadly conflicts.

There is 360 Total Security + Avast Antivirus + ESET Security

If you have a paid license to ESET that is fantastic, in which case you should Uninstall the other 2 & then Restart Windows.

Your pc should only ever have but one installed antivirus.

So please uninstall 2 of these antivirus apps & let me know after this is done. By the way, my advice is to be sure to uninstall the 360 Total Security.

 

By the way, this pc runs Windows 10 which has the built-in Windows Defender which is (a) built in & free on Windows 10, and (b) is a fine, excellent and powerful antivirus.

Therefore, you did not need any of the 3 above. But I will say that ESET is also an excellent antivirus and a great for-pay antivirus.

 

Malwarebytes for Windows can certainly find and remove any rogue keylogger. I can guide you to installing it & doing a scan, later on.


Yeah, I used to have Avast and I uninstalled it (I just searched for it in the Control Panel uninstall section and no sign of it). I use ESET with a paid license, but only for a few days, and I suspect the keylogger is older than 3 days. And the 360 one I just installed today, looking for a specific malware remover and ending up on their page (I will uninstall it).

The so-called hacker changed my password hours ago, and I had ESET activated, so something is fishy. My last password was 7Castraveti! and the one before it was Speshul01. None of them are hakjsdh98712987!@##%@#$âI♥☼ , but they are not 123qwe either.

 

I attached the files before, because I read similar topics and they were all asked pretty much the same thing, so I tried guessing what you were going to ask me for and attached the 2 files (if this is not what you needed, I apologize and I really appreciate your volunteer work).

I went ahead and uninstalled the 360 one and restarted my PC (it was pretty fishy, I agree... asked me several times if I want to uninstall: "Are you sure", "Are you really sure? Really really sure? Try for free, visit our website, repair, install again... etc.)

I just installed Malwarebytes for Windows and I got 19 detections (I attached the file below with the results). Most of them were PUP and I know sometimes they are harmless, but I also got 2 results that were malware. And ESET did not find them, it seems.

 

Tell me what to do now, please.

results.txt


For your security, never ever post any passwords here, or anywhere out in public!!!

I am in the process of posting another reply to you. I am just shocked that you even posted your passwords here, even if they are old ones!

 


Those were passwords never used on any of my other accounts and are now changed. I'm not dumb to put my active passwords here :)


Thanks for the Malwarebytes for Windows scan report. There were several PUPs and also an Adware.Elex

 

Let's follow on with this next, different scan for adware.

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved Adwcleaner and before you start the Adwcleaner scan.

Adwcleaner detects factory Preinstalled applications too!

 

Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner

Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double-click Adwcleaner to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double-click that line & it will open in Notepad. Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time in folder C:\AdwCleaner\Logs

Thanks. Keep me advised.

 


Thanks for the reports. 

Let us do a different scan, with a special scan tool.

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own (if any).

 

Double-click RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Start Scan.

Upon completion, a browser window may open. Close this window.

Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

 


Thanks for the report. Re-run RogueKillerx64 and have it remove these 2 elements:

¤¤¤¤¤¤¤¤¤¤¤¤¤ Services 
[PUP.Slimware (Potentially Malicious)] SWDUMon (0) -- \SystemRoot\system32\DRIVERS\SWDUMon.sys -> Found

 

¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry 
>>>>>> O23 - Services
  [PUP.Slimware (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SWDUMon -- C:\WINDOWS\system32\DRIVERS\SWDUMon.sys (missing) -> Found
 

NEXT, run a scan with the ESET antivirus.

 

Next, after that, a different report.

RSIT (Random's System Information Tool)
Please download RSITx64 by random/random... save it to your desktop.

  1. Right-click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 log files... will be produced.
    The first one, "log.txt", <<will be maximized... the second one, "info.txt", <<will be minimized.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.

.

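The RogueKiller finding above is a driver service (SWDUMon) still registered under HKLM\System\...\Services while its .sys file is marked "(missing)". As an added example that is not part of the thread or of any tool it names, the following PowerShell lists every service or driver registration whose ImagePath no longer resolves to a file on disk, so such leftovers can be reviewed rather than discovered by accident. It assumes a 64-bit, elevated PowerShell session; the helper names are mine.

```powershell
# Added example: find service/driver registrations whose binary is missing on disk.
# Run from an elevated 64-bit PowerShell prompt (32-bit PowerShell would see a
# redirected System32 and report false "missing" files).

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Turn the raw ImagePath registry value into an absolute file path.
    param([string]$ImagePath)
    # Expand %SystemRoot%-style variables and strip surrounding whitespace.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        # Quoted executable: keep only the part inside the quotes.
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        # Unquoted: drop command-line arguments that follow the .exe/.sys/.dll.
        $m = [regex]::Match($p, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    # Normalise the kernel-style prefixes used by driver entries, e.g. the
    # "\SystemRoot\system32\DRIVERS\SWDUMon.sys" form shown in the report above.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    # Relative entries such as "system32\DRIVERS\x.sys" are relative to %SystemRoot%.
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DanglingServiceImages {
    # Emit one object per registration whose resolved ImagePath does not exist.
    Get-ChildItem $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.ImagePath) {
            $resolved = Resolve-ImagePath ([string]$props.ImagePath)
            if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    Start     = $props.Start   # 0=boot 1=system 2=auto 3=manual 4=disabled
                    ImagePath = $props.ImagePath
                    Resolved  = $resolved
                }
            }
        }
    }
}

Get-DanglingServiceImages | Format-Table -AutoSize
```

A dangling entry is not proof of malware: uninstallers often leave them behind, so treat the output as a review list and, as the helper advises above, let the cleanup tool rather than a hand edit remove what is confirmed unwanted.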

Thanks.

Run a new scan with Malwarebytes for Windows 4.
Start Malwarebytes from the Windows Start menu.

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.

Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Then too, repeat the scan one more time. It does not take long.

And again, be sure all detected items are removed.


Let it remove what it has detected.

 

NOTE: Regarding the Netflix account, contact Netflix support. Inquire about changing your login user account to a brand new one and also changing your password for that account.

Use STRONG passwords.

Tips on that:

The LastPass site can generate a strong one for you on demand: https://www.lastpass.com/password-generator

Also see at Microsoft: https://support.microsoft.com/en-us/help/4026406/microsoft-account-how-to-create-a-strong-password

and https://www.microsoft.com/en-us/p/strong-password-generator/9nblggh0gr9l


I did the scan with Malwarebytes and it did not find anything. I had nothing in my quarantine, so nothing to delete. I will change my Netflix username and I will create a stronger password (maybe I will create stronger passwords for all my accounts).

Do I keep Malwarebytes? (You said I should not have more than one antivirus and I already paid for ESET.)

 

Thank you again for all your help, you have been an angel :) I really appreciate your help and I will be sure to recommend this forum to anyone who needs a hand.


Cool. Thanks so much.

Yes, do keep Malwarebytes. It co-exists with ESET very well. ESET is an excellent antivirus.


You are very welcome.

To help cleanup on tools used:

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

 

If your security program alerts to Delfix, either accept the alert or turn your security off.

Please right-click on Delfix and choose Run as administrator.

Make sure the following items are checked:

  Remove disinfection tools <----- this will remove tools we may have used.



Now click on "Run" and wait patiently until the tool has completed.

Any remaining files/logs from tools we have used can be deleted.

 

# 2:

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or the Edge browser (on Windows 10), or Opera.

Scroll down to the tips section "How do I disable them".

 

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard Firefox extension:

Open this link in your Firefox browser:

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.

.

I am glad to have helped you.

 

I am going to pass on these best practices tips, and then mark this case for closure.

 

Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit, or is odd looking, or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected (out of the blue) email, no matter how enticing.
Never open attachments from the email itself. Do not double-click in the email. Always Save first and then scan with an antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Backup is your best friend. Make regular backups of each system to offline media.

+

For each Windows 10 system:

I suggest that (at your next best opportunity) you enable the F8 function key at machine boot (that way you have a means to get to the advanced startup options).

See Option One at this article:

https://www.tenforums.com/tutorials/22455-enable-disable-f8-advanced-boot-options-windows-10-a.html


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.