Keylogger(s) residing within my PC?

[JustTryToFindMe]

Alrighty good people, I ask you to ease my paranoia a lil bit. I have good reason to suspect that I have at least one person trying to get/already is inside my computer and he/she/they enjoy harassing me. Not sure why anybody would be able to enjoy doing stuff like this.

Here's some background info on my current situation.

Until recently, I was an absolute idiot(still am technically) and had a very crappy firewall. Now I use Norton and I'm pretty comfortable with it. However before I replaced my crappy firewall with Norton, there were a couple of serious Trojans and keyloggers that had been installed on my computer. Some of it was so bad that the conspirators set passwords on my computer so I was unable to get in. Rebooted my computer from scratch, but that actually didn't fix my problems. So after all of that I got Norton Pro. Scanned my computer and it removed everything that my last firewall couldn't find. Thing is, for the past few months I just can't shake the feeling I have one or two keyloggers that have remained in the shadows. Often when I shut down my computer I get a popup message that stays on the screen only for 2 seconds or so saying something along the lines of win*insert series of numbers and letters here*.dll is shutting down. With that said, I've scanned my hard drive to death with both Norton and anti rootkit software to no avail. Another thing that makes me uncomfortable is that the PC I use now isn't new in the least, I've had it since 2001. Would the age of my computer make a difference with the security capabilities even if I have a respected firewall like Norton running in the background. I've considered getting a new computer since this hacking experience, but I wanted to ask you guys first if there's anything I can do.

[evilfantasy]

It is important to know that hijacktjis only shows some forms of malware. You can not tell if you are infected judging from a Hijackthis log.

This infection - O23 - Service: FFI - Unknown owner - C:\WINDOWS\System32\svchost.exe:exm.exe (file missing) is an Alternate Data Stream file attached to the legitimate C:\Windows\System32\svchost.exe folder. Do not delete the C:\Windows\System32\svchost.exe file as Windows will not operate correctly without it. To delete the Alternate Data Stream you should read this tutorial.

Although first you may want to go to this thread and read the instructions and then post the required logs so we can have a better look at what is going on.

[JustTryToFindMe]

It is important to know that hijacktjis only shows some forms of malware. You can not tell if you are infected judging from a Hijackthis log.

This infection - O23 - Service: FFI - Unknown owner - C:\WINDOWS\System32\svchost.exe:exm.exe (file missing) is an Alternate Data Stream file attached to the legitimate C:\Windows\System32\svchost.exe folder. Do not delete the C:\Windows\System32\svchost.exe file as Windows will not operate correctly without it. To delete the Alternate Data Stream you should read this tutorial.

Although first you may want to go to this thread and read the instructions and then post the required logs so we can have a better look at what is going on.

Okay, first things first. Checked my Add or Remove programs and nothing out of the ordinary there. Just downloaded ADS and was prompted with 2 alternate data streams. I DO remove them, correct?

Note:I am not a very tech savvy individual so my apologies if I make some of the staff here want to choke me through their computer screens thanks to my down-syndrome like understanding of computers. I appreciate what you guys do.

[evilfantasy]

Let's do this.


• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Select Open ADS Spy...
• Click Scan
• Click Save log
• post the log back here

[JustTryToFindMe]

Let's do this.


• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Select Open ADS Spy...
• Click Scan
• Click Save log
• post the log back here

Full scan or quick and ignore safe system info or no?[/list]

[evilfantasy]

Like this.



[recovering space - attachment deleted by admin]

[JustTryToFindMe]

Odd. I scanned it and got no results.   

[evilfantasy]

Try running through the scans in the removal thread. It would be best to ensure there is no other malware to deal with first.

Post the logs back here when complete.

[patio]

The user name is an interesting choice...

[evilfantasy]

I have good reason to suspect that I have at least one person trying to get/already is inside my computer and he/she/they enjoy harassing me.

The user name is an interesting choice...

Kind of telling no?

[patio]

 

[JustTryToFindMe]

Ban me if you please, don't know why my username has any bearing on helping me.

[evilfantasy]

Guilty conscience? Were just having fun, don't take it too personal.....

Why did you not have MBAM either Quarantine or delete what it found?

Don't worry about it right now, it's just one file. Do this instead and we will re-run it later.

Download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

.
If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly.

----------

Post the combofix log in the next reply.

[JustTryToFindMe]

Guilty conscience? Were just having fun, don't take it too personal.....

Honestly, no guilty conscience, but I wouldn't put it past anybody to say something like "oh haha nice name", and it being more than just "fun". My username is a reference to how with hackers there's nowhere I can really go online without being bothered. *censored*, I've heard stories of how certain hackers steal people's identities, etc. Not something one would enjoy while online.

I'll get back to you in a few hours. Thanks.

[evilfantasy]

My username is a reference to how with hackers.....

And we caught on to that. You are asking for help with a keylogger.....

Do you see the same parallel we did? Sort of looks like someone did find you.

Again please don't take it personally, were just having fun, things from my side can be just as frustrating as they are for you. I'm not just looking at the logs, I'm looking for very subtle clues to what might be there. Sometimes it is simply a difference in this and th is. There is a lot of text there so....just blowing off steam