Discussion in 'malware problems & news' started by Whisper, May 29, 2005.

  Whisper

    Whisper Registered Member

    May 29, 2005
    When I connect to the net (seems always to happen at same time of day roughly), I get pictures popping up of different stuff, some linked to a Simpsons website. I right-click the pictures, go to properties and they have actually been put on my hard drive (I haven't downloaded them, they just appear and pop up).
    In the middle of the pictures is a little box with my passwords, or something I have typed in to Google. I don't know how it's bringing up my passwords though, because it happens within a few minutes of me connecting to the web, and I haven't actually typed my pass in during that time. The only place my passwords are stored on my PC is via Outlook Express - when it happened yesterday I went online, changed all my passwords, but then today again I got these pictures popping up with the new passwords right in the middle!
    I deleted all offline content in IE and all cookies.
    I am running ZoneAlarm Firewall Pro (fully updated and blocking all advert blocking, cookie control, 'program control' and 'internet zone security' all on high).
    I have run McAfee AntiVirus Pro 2005 (fully updated) and that produces nothing.
    I have run Lavasoft Adaware latest version (fully updated) and that produces nothing.
    I have also run Spybot search and destroy latest version (fully updated), removed the things that brought up, and still I'm getting this problem.
    I ran the PestPatrol online scan and that brings up Look2Me homepage hijacker, Rapidblaster adware, Com.com tracking cookie, ISTbar hijacker. I can't afford to buy PestPatrol but I don't know where these things would be installed on my computer, or if they would produce such a problem as I have described. My other software I mentioned above doesn't pick them up.

    An example of the picture name would be simpsonz or homerned1280.lllll, but have had other pictures too linking to porn sites and others... the usual fare.
    The picture is downloaded to my hard drive, and an internet shortcut link to it appears as well - or at least it did last time - but the shortcut just directs you to the file on my hard drive.

    I have been completely unsuccessful in finding any program responsible for this! I'm not sure if someone is watching me or if something is logging my keystrokes, also I don't know if it would be possible to automatically generate an image with someone's password in the middle of it, or if someone would have to be doing this themselves... in which case it might suggest they are watching me!

    Thank you very much for your help in advance :)

    (Sorry for my previous post with a Hijack this log - I scanned the general guidelines but missed that :))
  Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi there, welcome to the forum!
    You did all the main steps from the general cleansing instructions, I mean the scanners you used.
    Did you close all the other scanners including their default protection when using another one to give it free access to all files? Some can hide files for others and block all access!
    Make sure all hidden files and extensions are showing.
    Did you also try scanners like TDS, which detects worms, trojans, rats, keyloggers, spyware, adware and lots more?
    After install (with all scanners closed) reboot, get the latest radius update from the site and do a full system scan.
    You can repeat that in safe mode.
    Did PestPatrol tell which files were identified as infected and does your TDS scan say anything about them?
    You can upload them to the online scanner at www.kaspersky.com/remoteviruschk for instance for a second opinion or to the TDS lab (see my sig).

    Another thing to look at, among others, is your HOSTS file. Is that still clean?
    In your browser, in View > Taskbars, are there any strange bars like Istbar or others you might not have installed yourself? MSN toolbar for instance?
    You cleansed a lot, but did you also disable system restore - reboot - enable system restore and make a new restore point to get rid permanently of whatever you deleted?

    Looks like adware placed on your system by some program, like a downloader, FTP program, unwanted content from a searchbar / toolbar, anyway some unwanted additional "service".

    In your ZAPro did you also block the webbugs on the cookie control page?
  Whisper^

    Whisper^ Guest

    Hi m8,
    Thanks for your reply.
    When I ran each scanner, all the other ones were disabled / not running. All hidden and system files were showing.
    I downloaded TDS and ran it, that turns up nothing.
    PestPatrol did not say which files were infected, it was only the online scan and sadly the link to the evaluation version is not working at the moment.

    I'm quite worried about the hosts file, how do I check that it is clean and recover it if it isn't? The one in system32/drivers/etc/hosts? I'm not too sure what this file does or what I should do with it.

    View > Toolbars shows nothing unusual.

    Unfortunately I don't have any system restore points and it was already disabled, I had a problem a while ago which needed me to mess around with this and I must have forgotten to re-enable it :(

    ZAPro - webbugs were disabled in cookies area.

    Thanks for your suggestions - I am worried about the hosts file though. How do I clean this? Are there any other things I should try?
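One way to check the HOSTS file asked about above, as an added example that is not part of the original thread: the script classifies every mapping so that anything other than the stock `localhost` entry stands out. The sample content, domains and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample (not from the thread): one stock entry plus entries of
# the kinds a hijacker might add. Domains and addresses are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.25    search.example.com www.search.example.com  # diverted
127.0.0.1       updates.av-vendor.example   # update site sinkholed
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Classify every name mapping as (line_no, category, ip, hostname).

    default  - localhost on a loopback address (expected on a clean system)
    blocked  - another name pointed at loopback or 0.0.0.0 (site unreachable)
    redirect - a name pointed at any other address (traffic diverted)
    invalid  - first field is not an IP address
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # comments run to end of line
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, "invalid", ip_text, " ".join(names)))
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in (n.lower() for n in names):
            if not local:
                category = "redirect"
            elif name == "localhost":
                category = "default"
            else:
                category = "blocked"
            findings.append((line_no, category, ip_text, name))
    return findings

def suspicious(text):
    """Everything that is not a stock localhost entry."""
    return [f for f in audit_hosts(text) if f[1] != "default"]

if __name__ == "__main__":
    for line_no, category, ip, name in suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {category:8} {ip:15} {name}")
```

To audit a real system, pass the text of the hosts file under system32/drivers/etc to `suspicious()`; an empty result means only the stock entry is present.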
  Whisper^

    Whisper^ Guest

    Not key logging. I went on the net, did not type my password in, and one of these pictures appeared with my NEW password of yesterday. The file was called 'greg' too (my first name).
    I even tried going to websites like yahoo which require a password and putting in a fake one to check if it's key logging. The other thing I've noticed is that my mouse responds strangely during these attacks, and again they are at the same time of day :(

    Any ideas?
  Whisper^

    Whisper^ Guest

    I made sure the only place on my hd that my pass is stored is in a single Word file, and I didn't type it in, I just copied and pasted to my accounts in Outlook Express. So it was really in the Word file and OE.
  Chef

    Chef Guest

    Interesting problem, I'll get right on it.
  Whisper^

    Whisper^ Guest

    Something else last night as well. I was on MSN, and something started typing stuff in for me, I couldn't believe it. Just sat there watchin the letters appear, really scarin me heh
    Also, when I disconnected from the net, there was still network activity going on - ZoneAlarm was showing traffic :O
  Whisper^

    Whisper^ Guest

    Thanks for any help you can give me though, I am really at a loss for how to stop it.
