
Surveillance software



lizzy9
2009-03-31, 09:09
I have reason to believe someone I know, who is apparently an expert in IT security/hacking, entered my gmail accounts. He had access to my laptop for some time, so one possible way he may have got in is by putting a key logger or some other surveillance program(s) on my computer. I have run a few AV and anti-rootkit programs. I found cm0(dot)com, which can apparently be a rootkit, on my USB, but I don't know if that is related to this problem. Also found kernel32, but I don't think that's used in spyware (not sure though). Using Rootkit Unhooker, lots came up under 'Code Hooks' but I don't know if any of it is significant.

Given his skill level, I imagine if there is anything on my machine it is very well hidden, but perhaps you guys can help. I am prepared to re-install my OS (XP), but would like to find some evidence first.

Below is the log of HJT. I can put up the results of RKU too if you like, but it's really long.

Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:27, on 31/3/2552
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\akl_svc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Anti-keylogger\Anti-keylogger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CNAP2RPK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CNAB8SWK.EXE
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\ThreatFire\TFGui.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CNAP2 Launcher] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AntiLogger] "C:\Program Files\AntiLogger\AntiLogger.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Anti-keylogger] C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O19 - User stylesheet: C:\AlphaZawgyi\ie.css
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: 39F0791E - Unknown owner - C:\WINDOWS\system32\39F0791E.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Anti-keylogger Service (akl_svc) - Unknown owner - C:\WINDOWS\system32\akl_svc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 9276 bytes

shelf life
2009-04-03, 00:44
Most commercial antimalware will flag surveillance software. Legit software can also "hook" system calls and functions. We will stop a service for now:
go to Start > Run and type in cmd, then click OK or press Enter
at the prompt >_
copy/paste what's in the box below
press Enter and close the window;


sc stop 39F0791E

Or to check its status you can do this:
Start > Run and type in:
services.msc
click OK or press Enter
Windows Services will open:

in the list of services that comes up look, under the Name column, for: 39F0791E

right click on it and select Properties.
under the General tab:
the path to the .exe should be: C:\WINDOWS\system32\39F0791E.exe
make sure that the service status is: Stopped; if not, click the Stop button
and the Startup type is: Disabled; if not, change it to Disabled
click Apply, then OK


see if you can spot these two in the system32 dir:
C:\WINDOWS\system32\olhrwef.exe
C:\WINDOWS\system32\39F0791E.exe

if so, you can upload them at the web site below. You can copy/paste the results in your reply.

http://www.virustotal.com/
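As an added example that is not part of the thread, the triage shelf life is doing by eye (an O23 service with "Unknown owner" and a bare hex name in system32, an O4 Run entry pointing at an unfamiliar file in system32, an AppInit_DLLs entry) can be scripted over a HijackThis log. The entries in SAMPLE_LOG are copied from the log posted above; the allow-list of system32 autoruns and the heuristics are assumptions made for this example, not HijackThis's own rules.

```python
import re

# Excerpt of the HijackThis log posted in this thread (entries copied from the page).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: 39F0791E - Unknown owner - C:\WINDOWS\system32\39F0791E.exe
O23 - Service: Anti-keylogger Service (akl_svc) - Unknown owner - C:\WINDOWS\system32\akl_svc.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Small allow-list of system32 binaries that legitimately appear as Run entries on XP.
# Assumption for this example; a real triage would use a much larger reference list.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# First drive-letter path ending in .exe/.dll inside a Run command line (quoted or not).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
HEXNAME_RE = re.compile(r"^[0-9A-F]{8}$")


def _in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return [(log line, [reasons])] for entries that deserve a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.search(m["cmd"])
            path = pm.group(0) if pm else ""
            base = path.rsplit("\\", 1)[-1].lower()
            if _in_system32(path) and base not in KNOWN_SYSTEM32_AUTORUNS:
                reasons.append("autorun from system32 with unfamiliar file name")
        m = O23_RE.match(line)
        if m:
            if m["owner"] == "Unknown owner" and _in_system32(m["path"]):
                reasons.append("service with no vendor, binary in system32")
            if HEXNAME_RE.match(m["name"]):
                reasons.append("service name is a bare 8-hex-digit string")
        if O20_RE.match(line):
            reasons.append("AppInit_DLLs loads a DLL into every GUI process; confirm the publisher")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Note that the anti-keylogger's own service (akl_svc) trips the same "no vendor, binary in system32" rule as 39F0791E. The output is a list of leads to hash and look up on VirusTotal, as shelf life suggests, not a verdict.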

lizzy9
2009-04-03, 14:07
Thanks.

Typing in the code in cmd led to:

[SC] ControlService FAILED 1062:

The service has not been started.

(I typed it because I have taken the possibly infected computer offline.)

The service status was already stopped, but was set on Manual so I disabled it.

I couldn't find C:\WINDOWS\system32\olhrwef.exe.

I uploaded C:\WINDOWS\system32\39F0791E.exe:


File 4CAFDAC7.exe received on 04.03.2009 10:58:09 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.03 Trojan-Spy.Agent.NJP!IK
AhnLab-V3 5.0.0.2 2009.04.03 Win-Trojan/Agent.6656.FJ
AntiVir 7.9.0.129 2009.04.03 -
Antiy-AVL 2.0.3.1 2009.04.03 Trojan/Win32.OnLineGames
Authentium 5.1.2.4 2009.04.03 -
Avast 4.8.1335.0 2009.04.02 -
AVG 8.5.0.285 2009.04.02 -
BitDefender 7.2 2009.04.03 -
CAT-QuickHeal 10.00 2009.04.03 Trojan.Agent.IRC
ClamAV 0.94.1 2009.04.03 Trojan.Spy-44942
Comodo 1096 2009.04.02 TrojWare.Win32.Agent.~GAJ
DrWeb 4.44.0.09170 2009.04.03 -
eSafe 7.0.17.0 2009.04.02 -
eTrust-Vet 31.6.6434 2009.04.03 Win32/PcClient.FW
F-Prot 4.4.4.56 2009.04.02 -
F-Secure 8.0.14470.0 2009.04.03 Trojan:W32/Agent.IKS
Fortinet 3.117.0.0 2009.04.03 W32/Agent.1EA9!tr
GData 19 2009.04.03 -
Ikarus T3.1.1.49.0 2009.04.03 Trojan-Spy.Agent.NJP
K7AntiVirus 7.10.690 2009.04.01 Trojan-Spy.Win32.Agent.NJP
Kaspersky 7.0.0.125 2009.04.03 -
McAfee 5572 2009.04.02 Generic PWS.y
McAfee+Artemis 5572 2009.04.02 Generic PWS.y
McAfee-GW-Edition 6.7.6 2009.04.03 BlockReason.0
Microsoft 1.4502 2009.04.03 -
NOD32 3984 2009.04.02 -
Norman 6.00.06 2009.04.02 -
nProtect 2009.1.8.0 2009.04.03 Trojan-Spy/W32.Agent.6656.C
Panda 10.0.0.14 2009.04.02 Trj/Agent.LKW
PCTools 4.4.2.0 2009.04.02 -
Prevx1 V2 2009.04.03 -
Rising 21.23.41.00 2009.04.03 -
Sophos 4.40.0 2009.04.03 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.04.03 Trojan-Spy.Agent.NJP
Symantec 1.4.4.12 2009.04.03 Trojan Horse
TheHacker 6.3.4.0.300 2009.04.03 Trojan/Agent.gen
TrendMicro 8.700.0.1004 2009.04.03 -
VBA32 3.12.10.2 2009.04.02 -
ViRobot 2009.4.3.1675 2009.04.03 -
VirusBuster 4.6.5.0 2009.04.02 -
Additional information
File size: 6656 bytes
MD5...: 2d2cfd52b636a3acdd036b74e55b9a7a
SHA1..: df8b83e169053cf8f806a02ef35b9d19b6cf3ba9
SHA256: 61c4b83ca42cd72e90ac46557547994c1aa4a49412e7b1190c610d1837ef8819
SHA512: b99ca60a8f80810084d4f888fb57efaa4dfdd1f83568a8c9a7b28abbd01410f87c4df395f0abbf6b89e7a296721de03c548c2a0a667394c83ab3b17cd63c5aee
ssdeep: 48:OEPDnVTXagwDAk70wmXAp4byWHgs8SHpG89HWBFdLTmtcQ9wkIZMHBYnO3O7E1J:nPDnFXApTsL889aFhicCPGO3Og1
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1c1d
timedatestamp.....: 0x4649d618 (Tue May 15 15:47:36 2007)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0xc2c 0xe00 5.70 3dd073383b20c611a463431861c16973
DATA 0x2000 0x8 0x200 0.04 532dd4aa9cd9b1a3dad1f0b610d1d6cc
BSS 0x3000 0xa22f5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xa6000 0x2d8 0x400 3.57 1ca6e665e111aa0d5ca04c130721765d
.reloc 0xa7000 0x10c 0x200 3.99 ce7e4bf50b046fae2ca28edba741b101
( 4 imports )
> kernel32.dll: VirtualProtectEx, Sleep, SetErrorMode, OutputDebugStringW, LocalUnlock, LocalReAlloc, LocalLock, LocalFree, LocalAlloc, HeapFree, HeapAlloc, GetVolumeInformationW, GetProcessHeap, GetCurrentProcess, GetCommandLineW, FindFirstFileExW, FindClose, ExitProcess
> ntdll.dll: ZwQueryInformationFile, ZwCreateFile, ZwClose, RtlInitUnicodeString
> advapi32.dll: StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerW
> kernel32.dll: FindNextFileW
( 0 exports )
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=2d2cfd52b636a3acdd036b74e55b9a7a
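As an added example (not code from the thread or from VirusTotal), the vendor table in the text report above can be parsed to answer the two questions a responder asks first: how many engines flagged the file, and did the engines actually installed on the machine catch it. VT_REPORT is copied from the report lizzy9 pasted; INSTALLED_ENGINES is taken from the HJT log (Avira AntiVir and ESET NOD32); the "spy"/"PWS" label count is a heuristic chosen for this example.

```python
import re
from collections import Counter

# Vendor table from the VirusTotal report posted above (copied from the page);
# the header line is kept on purpose so the parser has to skip it.
VT_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.03 Trojan-Spy.Agent.NJP!IK
AhnLab-V3 5.0.0.2 2009.04.03 Win-Trojan/Agent.6656.FJ
AntiVir 7.9.0.129 2009.04.03 -
Antiy-AVL 2.0.3.1 2009.04.03 Trojan/Win32.OnLineGames
Authentium 5.1.2.4 2009.04.03 -
Avast 4.8.1335.0 2009.04.02 -
AVG 8.5.0.285 2009.04.02 -
BitDefender 7.2 2009.04.03 -
CAT-QuickHeal 10.00 2009.04.03 Trojan.Agent.IRC
ClamAV 0.94.1 2009.04.03 Trojan.Spy-44942
Comodo 1096 2009.04.02 TrojWare.Win32.Agent.~GAJ
DrWeb 4.44.0.09170 2009.04.03 -
eSafe 7.0.17.0 2009.04.02 -
eTrust-Vet 31.6.6434 2009.04.03 Win32/PcClient.FW
F-Prot 4.4.4.56 2009.04.02 -
F-Secure 8.0.14470.0 2009.04.03 Trojan:W32/Agent.IKS
Fortinet 3.117.0.0 2009.04.03 W32/Agent.1EA9!tr
GData 19 2009.04.03 -
Ikarus T3.1.1.49.0 2009.04.03 Trojan-Spy.Agent.NJP
K7AntiVirus 7.10.690 2009.04.01 Trojan-Spy.Win32.Agent.NJP
Kaspersky 7.0.0.125 2009.04.03 -
McAfee 5572 2009.04.02 Generic PWS.y
McAfee+Artemis 5572 2009.04.02 Generic PWS.y
McAfee-GW-Edition 6.7.6 2009.04.03 BlockReason.0
Microsoft 1.4502 2009.04.03 -
NOD32 3984 2009.04.02 -
Norman 6.00.06 2009.04.02 -
nProtect 2009.1.8.0 2009.04.03 Trojan-Spy/W32.Agent.6656.C
Panda 10.0.0.14 2009.04.02 Trj/Agent.LKW
PCTools 4.4.2.0 2009.04.02 -
Prevx1 V2 2009.04.03 -
Rising 21.23.41.00 2009.04.03 -
Sophos 4.40.0 2009.04.03 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.04.03 Trojan-Spy.Agent.NJP
Symantec 1.4.4.12 2009.04.03 Trojan Horse
TheHacker 6.3.4.0.300 2009.04.03 Trojan/Agent.gen
TrendMicro 8.700.0.1004 2009.04.03 -
VBA32 3.12.10.2 2009.04.02 -
ViRobot 2009.4.3.1675 2009.04.03 -
VirusBuster 4.6.5.0 2009.04.02 -
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")

# Engines running on the affected machine according to the HJT log.
INSTALLED_ENGINES = ("AntiVir", "NOD32")


def parse_report(text):
    """Parse 'vendor version date result' lines; a result of '-' means no detection."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        # Vendor, version and date never contain spaces; the label may ("Trojan Horse").
        if len(parts) < 4 or not DATE_RE.match(parts[2]):
            continue
        rows.append({"vendor": parts[0], "version": parts[1],
                     "date": parts[2], "result": " ".join(parts[3:])})
    return rows


def summarise(text, installed=INSTALLED_ENGINES):
    rows = parse_report(text)
    hits = [r for r in rows if r["result"] != "-"]
    # Vendor naming differs, so only count labels that hint at credential theft.
    spy_hits = sum(1 for r in hits
                   if "spy" in r["result"].lower() or "pws" in r["result"].lower())
    missed = [v for v in installed
              if any(r["vendor"] == v and r["result"] == "-" for r in rows)]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "ratio": f"{len(hits)}/{len(rows)}",
        "spy_or_pws_labels": spy_hits,
        "installed_engines_that_missed": missed,
        "top_labels": Counter(r["result"] for r in hits).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarise(VT_REPORT).items():
        print(f"{key}: {value}")
```

On this report the summary comes out at 20 of 40 engines, with both installed engines (AntiVir and NOD32) among the misses, which is the practical reason for a multi-engine second opinion. The "Trojan-Spy" and "PWS" labels, read together with the service-control and file-enumeration imports in the PEInfo block, are consistent with a small information-stealing service, but a detection label is a name, not a behaviour report.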

lizzy9
2009-04-03, 14:26
A couple more things:

Once I noticed a process called HDbg9c.ocx running at the top of the task manager when the gmail website was taking a long time to load. It only lasted for a few seconds before disappearing. I Googled it but it didn't come up with anything; however, 9c.ocx is apparently related to Flash Player in some way, and that has been known to contain spyware, or make systems vulnerable to hacking. (It is possible that I wrote it down wrong and the process actually had a slightly different name.)

On my friend's computer (which I am using now) I found TR/CRYPT.XPACK.GEN. According to one or two sites (e.g. http://www.scanforfree.com/06/tr.crypt.xpack.gen-removal.html), this can be very malicious and even record keystrokes, though others imply it is not a serious infection. My software (either Avira or Ad-Aware, I forget which I used) quarantined it, and after restarting I rescanned but didn't find anything. The same software did not find the same trojan on my computer (the 'problem' one).

Thanks.

shelf life
2009-04-03, 23:32
Ok, you can delete the 39F0791E.exe from the system32 dir if you haven't already.
Older versions of Flash Player do contain a vulnerability that could be exploited. You should update to the latest version, which will "patch" it.

http://www.adobe.com/support/security/bulletins/apsb09-01.html

If your software quarantined TR/CRYPT.XPACK.GEN then I wouldn't worry about it. It's harmless in quarantine.


start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

Looks like you have two AV, AntiVir and ESET. Only one is needed on a machine. Two isn't better than one in this case.

lizzy9
2009-04-04, 12:17
Thanks for your help.

Do you know how dangerous that olhrwef.exe or 39F0791E.exe were, or what exactly they might have been doing? Likewise the HDbg.ocx and TR/CRYPT.XPACK.GEN.

I have quite a lot of sensitive information stored on my computer and in my email accounts. It is very important for me to know what, if anything, has been compromised so I can take appropriate steps. Are you able to give me an assessment of this? For example, could they have had access to all documents on my machine, or recorded keystrokes, or recorded all online activities, or accessed email accounts?

I had Flash Player 9.0.45.0 installed at the time of the possible attack.

The behaviour of my gmail accounts has also made me suspicious. It may not be within your remit, but I would be grateful if you could tell me if there are possible explanations for the following other than someone gaining unauthorised access.

1. One time I was using chat and the person I was chatting with mentioned our concerns about the person who I suspect of getting into my account. Not wanting her to say any more about him in case he could read it, I quickly closed the chat window and logged out. I also logged out of my other gmail account which was open in a different browser (Firefox). When I logged back in about 5-10 minutes later, the acct in Firefox opened directly onto the Acct Settings page, which I had not used that day. The other acct, which I had been chatting in, opened straight to the saved chat message about that guy. Again, I had not even been on that page before I logged out.

The possible attacker was on the same wireless network as me at that time. It was the same day that I noticed the odd HDbg9c.ocx running. But at the bottom of the page, it said nobody else was logged onto the account; nor did it show anyone else in the history of account activity.

2. Several times the following has happened: I change my password, and save the changes. I switch to another browser and do unrelated work. The first browser suddenly becomes active (i.e. comes to the front of all the other windows) and the page reloads. Sometimes it has said, just for a few seconds, at the bottom of the page that one other user was logged onto the account, but at the same IP address. This has happened even after changing the password (and security question) on a 'clean' computer (a friend's, or in a cafe). This did not happen to my friend's account when she changed her pswd.

3. There were a few other occasions where the display was unusual: (a) The 'Invisible' option disappeared from chat for at least a few days around the time I think I was attacked.
(b) For a few days there was a blank space around the size and shape of a name+status line in the list of contacts, just below my name and status. Nothing happened if I clicked on it.
(c) Once when I was chatting, I minimised the chat window, but then it popped up again. This was repeated a few times before stabilising. The only other time I've noticed this behaviour was when sharing another account with someone else: when one user minimised the window, that minimised it on the other user's account too.

At no time have I seen anyone online from a different ISP, or noticed in the record that my account had been accessed at a time when I was sure I was not in it myself. I have signed out other users. There are no unrequested filters.

As I say, it is extremely important for me to know whether my accounts/machine were compromised, to what extent, and whether they are still vulnerable (e.g. if they could have set up some kind of backdoor in my accounts to gain continued access). Even better would be to get some evidence of who put it on there, when and how. I really appreciate any help you can give me in this regard.

Thanks.

shelf life
2009-04-04, 21:39
hi,

In answer to your question: first, I have seen much worse logs than yours as far as malware goes. There is really nothing in the log that points to a specific malware that you could say what it was doing or what it had the potential to do, like steal passwords, upload information, remote access etc. Nothing points to it being part of a keylogger or anything. Loads of malware might install and run as a Windows Service.
I am not familiar with gmail. I couldn't tell you if those events you describe would be part of a hacked account or not. I would suggest you download Malwarebytes as an antimalware app for your computer.

http://www.malwarebytes.org/mbam.php