Keylogger Found with Spysweeper PLEASE HELP

Status
Not open for further replies.
Just yesterday (the 24th) my AOL Instant Messenger (AIM) was hacked into, and I received a 'Your AIM has been signed in on two locations' message from AOLSystemMsg, but disregarded it because I often am signed in on my computer and my mobile phone. I left the house for about an hour, and when I came back I had a couple of instant messages from people that I had never initiated conversations with. I've known this to happen when I IM someone on my cell phone: their response for the entire conversation not only shows up on my Mobile IM but on my computer as well (when both AIMs are running). Plus I talked to the people that Mystery Hacker IMed, and they said that the person was saying things and they were pretty sure it wasn't me because it didn't sound like me. So this really got me worried. I changed ALL of my passwords, and turned off my internet for the night and ran SpySweeper and Norton AntiVirus and AdAware. Well, when I got back to my computer today I saw that SpySweeper had found two System Monitors, Perfect Keylogger and Stealth Webpage Recorder. I'm assuming that this is how our Mystery Hacker got into my AIM to IM people I know. I used the Search option on my computer and found that the Zip files for the keylogger and the webpage recorder originated in Ares (the downloading agent). Could someone have installed it through that way? A p2p network if they were good with computers? I know that Ares has a lot of files already in the Shared Folder when the program is initially installed. In the Ares shared folder it's a ZipFile, so I don't know if SpySweeper would pick up on it if it hadn't been unzipped and running on the computer... and to my knowledge, I've never seen it in my SpySweeper log before. Does anybody know anything about this? Am I freaking out over nothing? Could SpySweeper have picked up on it as a ZipFile and the AIM thing is just a huge coincidence?

Now normally this wouldn't be a big deal, if it was just my AIM and I didn't really do anything important on my computer. But I shop online all of the time, do my banking online, and I work from my home computer doing medical billing. Now I work off of a secure website, but SpySweeper is telling me that this Stealth Webpage Recorder can access secure websites. This is a HUGE problem for me because with doing the billing, I have access to people's social security numbers, date of birth... everything that an identity thief would need. The thing is that I'm pretty sure that I know who did it because nothing more severe than my AIM has happened---yet. But I definitely want to deal with this before something serious happens with my work or anything. Should I just remove this with SpySweeper and not worry about it? If it's not just a file that comes with Ares and is tracking something from my computer, I'm interested in finding out if it is who I believe it to be.

Thanks for your help in advance.
Jessica
 
Hello and welcome to Techspot.

Let's see if we can get your system cleaned up.

Go HERE and follow the instructions exactly.

Then, post a fresh HJT log as a .txt attachment into this thread.

Regards Howard :wave: :wave:
 
I'm sorry too. I forgot to actually post the link (done now).

Only post a fresh HJT log after you've followed the instructions. Thanks.

Regards Howard :)
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.


Boot into safe mode, under your normal user name. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

Keylogger Stopper

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end process for (if there):

ksstop.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Jessica\LOCALS~1\Temp\acsRollback.exe"

O4 - HKLM\..\RunOnce: [2] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Jessica\LOCALS~1\Temp\AcsRollbackRes.dll"

O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /S

O4 - Startup: Keylogger Stopper.lnk = C:\Program Files\Keylogger Stopper\ksstop.exe

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O20 - Winlogon Notify: ssqpn - C:\WINDOWS\system32\ssqpn.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\Program Files\Keylogger Stopper

Reboot into normal mode and turn system restore back on.


Regards Howard :)
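Howard's fix list is the kind of HijackThis log a helper reads by hand, entry by entry. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that parses the O-lines quoted above, pulls out the file paths, CLSIDs and URLs, and flags the mechanical signals a reviewer checks first: entries whose target is already gone, Winlogon Notify DLLs, ActiveX downloads, RunOnce self-delete commands, executables under a Temp directory, and file names on a watch-list. The section meanings and the watch-list (ksstop.exe and ssqpn.dll, taken from the fix instructions) are assumptions made for illustration, and the sample log is copied from the entries in this thread. A clean flag list does not mean an entry is harmless, as the LimeWire startup shortcut (which Howard also removes) shows.

```python
import re
from dataclasses import dataclass, field

# HijackThis (HJT) entries copied from the fix list quoted in this thread;
# a real log would be read from the .txt attachment instead.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Jessica\LOCALS~1\Temp\acsRollback.exe"
O4 - Startup: Keylogger Stopper.lnk = C:\Program Files\Keylogger Stopper\ksstop.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O20 - Winlogon Notify: ssqpn - C:\WINDOWS\system32\ssqpn.dll (file missing)
"""

# Watch-list constructed from the file names the fix instructions tell the poster to remove.
SUSPECT_NAMES = {"ksstop.exe", "ssqpn.dll"}

# Meaning of each HJT section (assumption: the standard HJT section definitions).
SECTION_NOTES = {
    "O4": "autostart entry (Run/RunOnce key or Startup folder)",
    "O8": "Internet Explorer context-menu item",
    "O9": "Internet Explorer button or Tools-menu item",
    "O16": "ActiveX control downloaded from the web (Downloaded Program Files)",
    "O20": "Winlogon Notify DLL loaded at every logon",
}

ENTRY_RE = re.compile(r"^\s*(O\d+)\s*-\s*(.*?)\s*$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|lnk|cab|html)\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class HjtEntry:
    section: str                 # "O4", "O20", ...
    body: str                    # everything after "O4 - "
    paths: list = field(default_factory=list)
    clsids: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    file_missing: bool = False
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Turn the O-lines of an HJT log into HjtEntry objects; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        entries.append(HjtEntry(
            section=section,
            body=body,
            paths=PATH_RE.findall(body),
            clsids=CLSID_RE.findall(body),
            urls=URL_RE.findall(body),
            file_missing="(file missing)" in body,
        ))
    return entries


def triage(entries):
    """Attach heuristic flags to each entry and return only the flagged ones.

    The rules are the mechanical signals a helper checks first; an entry with
    no flags (for example a plain Startup shortcut) still needs a human look.
    """
    flagged = []
    for e in entries:
        e.flags = []
        if e.file_missing:
            e.flags.append("points at a file that no longer exists (orphan entry, safe to fix)")
        if e.section == "O20":
            e.flags.append("Winlogon Notify hook: a persistence slot spyware favours, review closely")
        if e.section == "O16":
            e.flags.append("ActiveX download: confirm the URL belongs to a publisher you trust")
        if re.search(r"cmd\.exe\s+/c\s+erase", e.body, re.IGNORECASE):
            e.flags.append("RunOnce that deletes a file on next boot (self-cleanup command)")
        for p in e.paths:
            name = p.rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_NAMES:
                e.flags.append(f"file name on the watch-list: {name}")
            if re.search(r"\\temp\\", p, re.IGNORECASE):
                e.flags.append(f"executable under a Temp directory: {p}")
        if e.flags:
            flagged.append(e)
    return flagged


def report(text):
    """Human-readable triage of a whole log, returned as lines rather than printed."""
    lines = []
    for e in triage(parse_hjt(text)):
        note = SECTION_NOTES.get(e.section, "unknown section")
        lines.append(f"{e.section} ({note}): {e.body}")
        for f in e.flags:
            lines.append(f"    - {f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it on a saved HJT log by passing the file's contents to report(); the watch-list and the per-section rules are the parts to extend as a case develops.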
 
I'm really interested in not only removing it, but finding out who put it there... is there any way to find out that info? Or at least find out where the keylogs and the screen shots are being sent?

Thanks
 
Is the problem now gone?

As to how it got there, that's anyone's guess.

It is possible someone may have put it on your machine, on the other hand it may have been automatically installed by visiting a dodgy website.

I wouldn't bother trying to find out where the keylogger is sending its info. This would require the keylogger to be present on your computer and that's not a good idea. Even if it was present on your computer it may be very difficult to find out exactly where it's sending the info.

Regards Howard :)
 
Do you think that the Keylogger could've gotten there by Ares or another downloading agent?

The only reason that I'm concerned is because whoever put it there used it to get my AIM password, and all my other passwords, and I have a pretty good idea of who put it there because of how they used this information. And it's not the first time that said person (who spends 99.5% of his free time working with computers doing stuff like this, and all his friends do the same thing) has done something to screw up my computer.

I just recently got in contact with this person again (he initiated it) and this is the first time I've ever had this kind of problem with my NEW computer. I'm just trying to find out who it was because if it was this person..I talked to my neighbor who works for the police, and he gave me the name of the guy who's head of the Computer Crime lab for our area. But I wanted to check here first and see if it's possible that this was installed on my computer through Ares before I did anything serious. The fact that I work off of my computer and have access to all of this information is a problem too, because I'd lose my job if anybody got a hold of that information. So it's pretty serious to me.
 
I believe you should contact the police as the neighbour you spoke to has suggested.

Cybercrime is just like any other crime and needs to be dealt with.

It is perfectly possible for the keylogger to have been deliberately installed via the person you speak of. However, it is also possible for some spyware/adware etc to have installed it as well. You will have a better idea than me on this.

Obviously proving it could be difficult.

I take it you have now changed all your passwords?

I think it's a good idea for you to go HERE and follow all the instructions exactly. This will help to ensure you have no undetected spyware etc on your system.


Regards Howard :)
 
And in terms of Net safety, in the case of an accidental download via the net, a good line of defence (hardware/software firewall, AV etc) and also common sense in surfing and pc usage habits (what's this thing do? friend or foe?) should suffice in future prevention of this sort of thing.
 