I believe I have a keylogger on my computer. A few days ago I was getting warnings from Norton saying someone was trying to send me something called 'Infostealer.JiangHu', Norton was saying it was being blocked, and I ran scans after anyway and it didn't find anything so assumed I was safe. Today my account and 2 other accounts for a game I play had been hacked and taken. I've ran every anti-virus, spyware, and all that I could find and the ones you listed but I'm still paranoid not knowing if its gone or not.
Keylogger
- Thread starter CoreyH
- Start date
- Status
howard_hopkinso
Posts: 21,238 +17
Hello and welcome to Techspot.
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.
If after reading the above, you wish to clean your system, do the following.
Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.
Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.
Also, let me know the results of the AVG Antirootkit scan.
Regards Howard :wave: :wave:
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.
If after reading the above, you wish to clean your system, do the following.
Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.
Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.
Also, let me know the results of the AVG Antirootkit scan.
Regards Howard :wave: :wave:
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
D
DelJo63
the BAE.dll is a trojan!
howard_hopkinso
Posts: 21,238 +17
jobeard: The BAE.dll file is actually part of Google. See HERE.
CoreyH: Please do the following.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Go to add remove programmes in your control panel and uninstall anything to do with(if there).
SpywareBot<This is a rogue programme and needs to be removed.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
SpywareBot.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BA804F4-3030-4F73-8C35-AAD5A73FE1A4}: NameServer = 68.2.16.25,68.2.16.30<Only fix this entry, if it doesn`t belong to your ISP.
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\Program Files\SpywareBot<Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
I need you to have a file checked out.
Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\Program Files\Rupture\Rupture.exe
* Click Open
* Please let me know the results and post a fresh HJT log.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
CoreyH: Please do the following.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Go to add remove programmes in your control panel and uninstall anything to do with(if there).
SpywareBot<This is a rogue programme and needs to be removed.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
SpywareBot.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BA804F4-3030-4F73-8C35-AAD5A73FE1A4}: NameServer = 68.2.16.25,68.2.16.30<Only fix this entry, if it doesn`t belong to your ISP.
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\Program Files\SpywareBot<Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
I need you to have a file checked out.
Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\Program Files\Rupture\Rupture.exe
* Click Open
* Please let me know the results and post a fresh HJT log.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
D
DelJo63
>jobeard: The BAE.dll file is actually part of Google. See ...
Oops; guess the reference I found was wrong -- sorry for the confusion.
Oops; guess the reference I found was wrong -- sorry for the confusion.
halo71
Posts: 1,006 +1
http://vil.nai.com/vil/content/v_102355.htm
jobeard, looks like the reference I found must be wrong too!
And I also found the below info as well.....
What is BAE.dll? Is BAE.dll spyware or a virus?
Process name: BAE.dll
Product: Browser Address Error Redirector
Company: Dell Inc (www.dell.com) or Gateway Inc
File: BAE.dll
If you want a detailed security rating about your BAE.dll (and all other running background processes) download the free trial version of Security Task Manager.
Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection! Check it out!
jobeard, looks like the reference I found must be wrong too!
And I also found the below info as well.....
What is BAE.dll? Is BAE.dll spyware or a virus?
Process name: BAE.dll
Product: Browser Address Error Redirector
Company: Dell Inc (www.dell.com) or Gateway Inc
File: BAE.dll
If you want a detailed security rating about your BAE.dll (and all other running background processes) download the free trial version of Security Task Manager.
Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection! Check it out!
Alright I did it, SpywareBot wasn't in my add or remove programs list or in my program files but it was in the HGT list.
Also I'm a little confused about the BAE.dll thing, am I supposed to be deleting that or?
Oh and forgot, I uninstalled Rupture yestarday when all this happened because it was the only thing I could think of that I had downloaded recently. Do you want me to download it again and scan it at that site?
Also I'm a little confused about the BAE.dll thing, am I supposed to be deleting that or?
Oh and forgot, I uninstalled Rupture yestarday when all this happened because it was the only thing I could think of that I had downloaded recently. Do you want me to download it again and scan it at that site?
howard_hopkinso
Posts: 21,238 +17
No, don`t fix the BAE.dll file, it`s perfectly safe.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
Rupture.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O4 - Startup: Rupture.lnk = C:\Program Files\Rupture\Rupture.exe
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\Program Files\Rupture<Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Post a fresh HJT log and let us know if you`re still haveing problems.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
Rupture.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O4 - Startup: Rupture.lnk = C:\Program Files\Rupture\Rupture.exe
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\Program Files\Rupture<Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Post a fresh HJT log and let us know if you`re still haveing problems.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
howard_hopkinso
Posts: 21,238 +17
Your HJT log is now clean. Don`t worry that you couldn`t find the C:\Program Files\Rupture folder.
I can find nothing nasty on your system.
However, if you want to post an Autoruns log, I`ll be happy to take a look for you.
Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.
Attach the Autoruns log here.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
I can find nothing nasty on your system.
However, if you want to post an Autoruns log, I`ll be happy to take a look for you.
Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.
Attach the Autoruns log here.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
howard_hopkinso
Posts: 21,238 +17
No worries mate.
I can`t see anything nasty in your Autoruns log.
Your system looks clean. However, I can`t guarantee 100% you don`t have some malware hiding away somewhere.
That`s why I gave you this link earlier. The bottom line is this. If you use your computer for sensitive info, or for financial purposes, it makes sense to format rather than clean the system. Once a system has been compromised, it cannot be trusted 100% again.
If you have any further virus/spyware problems, please post in this thread.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
I can`t see anything nasty in your Autoruns log.
Your system looks clean. However, I can`t guarantee 100% you don`t have some malware hiding away somewhere.
That`s why I gave you this link earlier. The bottom line is this. If you use your computer for sensitive info, or for financial purposes, it makes sense to format rather than clean the system. Once a system has been compromised, it cannot be trusted 100% again.
If you have any further virus/spyware problems, please post in this thread.
Regards Howard
This thread is for the use of CoreyH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
- Status
Similar threads
