Really Hidden Trojan, or, Not?

How do you remove malware you can't find?

We have a PC here which has been hacked by what appears to be a keylogger. So far various accounts have been hacked including warcraft, email / msn, and possibly a few other bits and bobs. The accounts were recovered then hacked again hours later which indicates to me there is a keylogger present.

We have run several advanced scans of the machine with several different anti-malware products. No signs of a trojan being present on the system. HiJackThis & Process Monitor also look clean. We then assumed this trojan / keylogger is being hidden by a rootkit. We downloaded and run GMER, AVG AntiRoot, Rootkit Revealer, Sophos AntiRoot. There was one small finding from Sophos which found a hidden tmp file in the windows temp folder. The temp file has now been removed but this doesn't help find the malware.

What is the next course of action?

 

Have you considered backing up your data then reformatting your system drive?

Also, when you try to recover your accounts and change your passwords use a different PC.

 

The passwords were changed after the accounts were hacked for the first time, shortly after they were changed they hacked again.

Reformatting is an easy quick-fix which I may have to use but right now I am looking for the educational solution. How can I be sure there is malware, and how can I find it?

 

Do change your security questions and all....If you were hacked once, there will be more possibility that somebody read all your security questions and now he's trying to use that method to hack your accounts. Even i request you to shoot some random mails and delete them from your account and do remember those ID's to whom you sent those mails, this will help you to get back your mails....

I know all this because once i hacked some email ID through social engineering, lock back and after that compromise those emails through this method.

I know this crime but i did that...

 

@Gasp

Hi,

Highly recommended and should prevent keylogging.

Zemana AntiLogger Fully functional 15-day trial http://www.zemana.com/AntiloggerOverview.aspx

You could have one of the TDL3 type rootkits, these can help.

TDL3 detectors & removers available for download http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19

As you've already used Gmer etc, here's some further suggestions for you.

Rootkit Unhooker LE 3.8.386.589 SR1 https://www.rootkit.com/blog.php?newsid=997

IceSword 1.22 (english) http://www.kernelmode.info/ARKs/IceSword122en.zip

Kernel Detective v1.3.1 http://www.at4re.com/f/showthread.php?4385-Kernel-Detective-v1.3.1-by-GamingMaster-AT4RE

Hidden Driver Detection Test, and lots more http://www.ntinternals.org/driver_detection_test.php

Hope you sort it out

 

Thanks Clone, I have tried a few of your suggestions but nothing.

One thing which was strange was when running Sysinternals Rootkit Revealer it started to list a few registry entries and files but before I had change to read them the computer blue screened. Rebooted and tried again. As soon as it started to list, it BSOD'd again.

 

have u tried hitman pro?

 

@Gasp

What OS is it ?

http://technet.microsoft.com/en-gb/sysinternals/bb897445.aspx

RKR was a nice effort at the time, but hasn't been updated for several years, and has been superceeded by other ARK's, such as those i listed.

RKR can give lots of FP's, especially if you don't shut down as many App etc as possible beforehand, and if you use the comp for ANYTHING else whilst scanning.

http://forum.sysinternals.com/forum_posts.asp?TID=2351

http://forum.sysinternals.com/forum_topics.asp?FID=15

 

have u tried hitman pro or root repeal?

 

Okay for the sake of education, try scanning your system drive in another computer (preferably, a pc with a cleanly installed OS in a newly formatted HD). Make an image of the pc before you connect your possibly infected HDD. This image shall serve as the control for the experiment. After your through with this, turn off the pc, connect the possibly infected HDD then reboot. Now, scan your HDD using Sysinternals Rootkit Revealer or any rootkit scanner. If a rootkit is detected then good. However, removing them can be a pain. That is why i recommend a full reformat.

If a BSOD appears, turn off the pc, disconnect the possibly infected HDD or just disable it in bios, then load the image you made awhile ago. Now, scan your system. If nothing comes up then good because we now know that there is an infection in your HDD cause by a worm/virus (other malwares don't replicate) and a rootkit (or many rootkits) that hides them. As for the presence of a keylogger, we don't know yet.

As for your accounts try changing all the details (as suggested by avinash and with a strong password) using a different PC and if possible an ISP. After that, immediately delete all the notifications you received regarding the account changes.

P.S. Have you received emails from noreply @ blizzard . com?