Got hacked.

July 26th, 2016

I reformatted my laptop around a month ago and since then didn't bother installing any antivirus software or any firewall.
I use Vista Ultimate and my Windows Firewall is turned on.
Two days ago, while browsing, this Word document opened up and it read “Hey i am in your computer and watching your screen and taking note of whatever you type”. I closed that Word file, opened up NetTools and opened a list of all the active connections to and from my computer; however, before this was done another Word document opened up and it read “Ok bro dont worry, i am gonna leave you alone now, the trojan is in CCLEANER.exe have fun”.
Then I removed CCleaner using Your Uninstaller and made sure all the registry keys were gone. I installed ESET Smart Security. In ESET Smart Security I saw two processes for Firefox; one process actually opens up whenever Windows starts, and whenever I clicked End Process it disappeared for a few seconds and popped back up again. The process was only sending data and not receiving it. The amount of data being sent never went over 1 MB and usually it was just a few bytes.
I got Security Task Manager and used that to uninstall the process along with the associated registry entries.
That process went away for a while but is back again now.
Image
I need help with this and fast.
Thanks

Answer #1
Looks to be a bitfrost or something.
Run HijackThis (google it) and post the log here
Answer #2
Maybe a keylogger. Back up your data, reformat and reinstall. Maybe there is an easier solution…
Answer #3
I don't know what your question is, but the only way to guarantee getting rid 100% of whatever “trojan”, keylogger, spyware, malware, etc. from your PC is to wipe the drive and do a clean install of the OS.
Answer #4
You are right, it is Bifrost.
I will run HijackThis and post.
Format is not an option, it is never an option….
Answer #5
Let's see if it helps though. Some bitfrosts (modded included) DLL-inject into Firefox; that's why you are seeing the 2 processes.
Answer #6
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:59 PM, on 8/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\Drivers\WTSRV.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\WTClient.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Faizan\Desktop\DeskSpace_v1.5.1_By_philly93\DeskSpace v1.5.1\deskspace.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\wsctnfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\CMMON32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Helper] wsctnfy.exe
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [Windows Helper] wsctnfy.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DeskSpace] C:\Users\Faizan\Desktop\DeskSpace_v1.5.1_By_philly93\DeskSpace v1.5.1\deskspace.exe
O4 - HKCU\..\Run: [Windows Helper] wsctnfy.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC8D31C-3307-46B8-B76E-297E9360BABD}: NameServer = 10.101.10.5 10.101.10.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: WindowsService - Unknown owner - C:\Windows\b0.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\Windows\System32\Drivers\WTSRV.EXE
--
End of file - 9134 bytes
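An added Python triage script (my example, not code from the thread or from HijackThis) that automates the checks a reviewer of this log makes by hand: autoruns registered by a bare filename with no path, the legacy RunServices key, the same value name planted under several Run keys, and unknown-owner services whose binary is missing. The sample lines are copied from the log above; the regexes assume the HijackThis 2.0.2 line format shown there.

```python
import re
from collections import defaultdict

# Constructed sample: a few O4/O23 lines copied from the posted log, plus benign entries.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint\\Apoint.exe
O4 - HKLM\\..\\Run: [Windows Helper] wsctnfy.exe
O4 - HKLM\\..\\Run: [WTClient] WTClient.exe
O4 - HKLM\\..\\Run: [Zune Launcher] "C:\\Program Files\\Zune\\ZuneLauncher.exe"
O4 - HKLM\\..\\RunServices: [Windows Helper] wsctnfy.exe
O4 - HKCU\\..\\Run: [Windows Helper] wsctnfy.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET Smart Security\\ekrn.exe
O23 - Service: WindowsService - Unknown owner - C:\\Windows\\b0.exe (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$')

def first_token(cmd):
    """Executable part of a Run-key command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ', 1)[0]

def triage(log_text):
    """Return (reason, detail) findings for the autorun and service sections."""
    findings = []
    keys_by_name = defaultdict(list)  # autorun value name -> [(hive, key)]
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = first_token(m['cmd'])
            # No drive or directory: resolved via the search path at logon, which installers rarely rely on.
            if '\\' not in exe:
                findings.append(('bare-filename autorun', line))
            # RunServices is a Win9x-era key; on Vista it is a red flag.
            if m['key'] == 'RunServices':
                findings.append(('RunServices autorun', line))
            keys_by_name[m['name']].append((m['hive'], m['key']))
            continue
        m = O23_RE.match(line)
        if m and m['owner'] == 'Unknown owner' and m['path'].endswith('(file missing)'):
            findings.append(('unknown-owner service, binary missing', line))
    # The same value name planted under several keys is a persistence pattern.
    for name, keys in keys_by_name.items():
        if len(keys) > 1:
            findings.append(('autorun name in %d keys' % len(keys), name))
    return findings
```

Run `triage(SAMPLE_LOG)` (or pass the full log text) and review each finding against what is actually installed; a hit is a lead to check, not proof of infection.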

Answer #7
Format is not an option, it is never an option....
Yet it’s the best option…
Answer #8
It is indeed the easy option.
Any other suggestions guys?
Answer #9
You should seriously reformat; if he has you keylogged and it's hidden in there, there is no way you can find it. Also, why haven't you installed an antivirus, are you crazy?!? Why would you be without one? lol Get Kaspersky or McAfee antivirus and scan in safe mode. BTW I don't know what this is
Unknown
C:\Windows\system32\wsctnfy.exe
Unknown
C:\Windows\System32\WTClient.exe
and you don't need this
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
Answer #10
Try to change the mode of your firewall to “Interactive Mode”. In this mode,
you manually accept or deny internet connection to any program / service on your computer.
This way, you can block all the programs that look suspicious to you.
I believe that currently your firewall is set to automatic detection, and this detection can sometimes be wrong.
Answer #11
Alright, thanks for all your advice,
Yes I was EXTREMELY foolish and lazy to not have installed Antivirus+Firewall Protection.
I don't know what wscntfy.exe is and I removed it from startup via msconfig until I can find out more about it.
I am going to remove the Bifrose registry entries, then get rid of the files as well and see if that fixes anything, and I will reformat if it comes down to it.
Is there really no way to find out if I am being keylogged? Is a reformat really the only option?
I can detect all the incoming and outgoing connections via Eset Smart Security firewall, surely when the keylogger sends data it will show up…
Answer #12
When the keylogger boots, it sends out a DNS query, then connects to the resolved IP and a port.
Since it's done automatically, you can see if it's gone or not. The reason it uses your internet browser is because those are always allowed through a firewall.
Answer #13
Deleted Bifrose.
Answer #14
Just thought I should let you guys know.
wsctnfy.exe is a variant of the RBOT backdoor.
I removed it now.
Everything seems to be working perfectly and no unknown connections/process seem to exist.
Thanks Lithium for suggesting that it was Bifrose, it really helped me narrow down my removal options.
Please don't double post and use the edit button instead. Members are allowed to double or triple post only if their previous post has exceeded the maximum characters limit.
~ hecos ~

Answer #15
Looks to be a bitfrost or something.
Run HijackThis (google it) and post the log here

Threw me there, bitfrost instead of bifrose, but all's well that ends well.
Answer #16
Sounds like you had a backdoor; it might still be there, you never know.
Answer #17
No, I am sure it is gone.
I am using two connection monitors, one that is built into ESET Smart Security and another that comes with NetTools.
They both are excellent and list every connection, the remote IPs and the ports being used.
I have been keeping an eye on them and it all seems to be normal activity.
Answer #18
I got hacked again
Answer #19
Alright, thanks for all your advice,
Yes I was EXTREMELY foolish and lazy to not have installed Antivirus+Firewall Protection.
...

If that is the case, FORMAT; reinstall your OS.
Answer #20
And please remember not to install from the same ISO you installed from before. Maybe the person who created the ISO slipped in a backdoor/keylogger.
Answer #21
I got hacked again
FORMAT
For God's sake, format!
