Suspected Keylogger, battling over Aim/yahoo/Myspace passwords.

[JRPuja]

Hello all,

I have been in a password battle war for the past few days. I finally got the impression that they were doing so to get at my Myspace password, after a reset was requested. I canceled my Yahoo, as well as my Myspace. Since my Myspace has been canceled I have received no other other password resets. I am pretty sure I know who is doing this, but I have no way to prove it without an ip adress from who was changing the passwords other than me.

I am suspicious that it would be a keylogger, considering the rapid speed at which the passwords would change back and forth. I ran Avira, Malwarebytes, and a-squared, but this was NOT in safemode. I have hijack this, which I am sure will be requested.

Any help would be more than appreciated. Thanks so much.

 

[Osiris]

run malwarebytes and post its log

 

[Antec-User]

I'm running a key scrambler on my browser.. Peerguardian used to have it for the web browsers too.

 

[JRPuja]

Here is the Safemode log (ran it last night) of Malwarebytes. I also ran a safemode 30 day trial of Zone Alarm Extreme Security. (Can't get AVG 9 to connect to the net. My friend is having the same problem with that)

Malwarebytes' Anti-Malware 1.36
Database version: 2031
Windows 5.1.2600 Service Pack 3

10/28/2009 9:19:41 AM
mbam-log-2009-10-28 (09-19-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 263017
Time elapsed: 1 hour(s), 13 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Antec- That is something I need to look into after all other steps have been taken. Thank you so much for the suggestion

 

[Osiris]

Run combofix as well

 

[Ste]

Might as well use spywareblaster and spybot search and destroy.

And regularly delete broswer private information combined with CCleaner.

Couldn't hurt.

 

[JRPuja]

\I also found a txt I made of an infected file that could not be repaired or quarantined that I made awhile ago, being lazy I did nothing about it. It is: C:\Documents and Settings\*name hidden*\Local Settings\Temporary Internet Files\Content.IE5\M0BDT6L9\PortalServe[1].

Right before the running of Combofix I received an error it said something along the lines of: Error Registry2 (it flashed somewhat fast so I could not get the full name).

Do you want the log? My only problem with posting it publicly is that my first and last name is in documents users folders.

I will run more anti-malwares that were mentioned tonight, but I thought I heard the Search and Destroy was filled with spyware itself...maybe I heard wrong.I have a few friends who are comp tech, and a prof coder brother and sometimes I get conflicting reports. None are in the area right now and they are super busy. I Didn't want to bother them, and am very happy to be finding such helpful responses here.

Edit- Did run CCleaner in the past 3 days.

 

[JRPuja]

I have a question about this running on startup. It is 'potentially dangerous' in the Security Task Manager.
It is 'runservice.exe'. I read that it is harmless, unless in the windows folders themselves.

It is 1.5 MB in the C:\\WINDOWS\runservice.exe.
The text in the file is:
This program cannot be run in DOS mode.
Service failed.
LoadLibrary failed.
Service Pack 3
----------------
Service
LicCtrlService
s error d
RegisterEventSourceA
ReportEventA
DeregisterEventSource
wsprintfA
GetVersionExA
LoadLibraryA
SGetProcAddress
GetLastError
.data
.rdata
.text
Rich

Is this something to be concerned about? Also The anti-keylogger program, how does that effect computer performance?

Thank you in advance.

 

[Osiris]

Yes remove it ASAP

It could be part of a E-Licensing program as well

 

[JRPuja]

Thank you so much! It is deleted.