
WoW account hacked due to keylogger

delliron (Newbie Poster)

Ok, so, short version: my WoW account was hacked yesterday and all my stuff was deleted. I uninstalled WoW, ran the AVG virus scanner and an Advanced System Care scan, then I came here and ran the scans on the site. Malwarebytes came up with 2, the rest negative. I just want to make sure that I'm completely free of keyloggers and other nasties; here are the results of the scans.
Malwarebytes' Anti-Malware 1.42
Database version: 3421
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/24/2009 3:20:30 AM
mbam-log-2009-12-24 (03-20-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153071
Time elapsed: 34 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET came up negative, I wasn't sure how to post the log from there.

C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Users\Brady\Desktop\windows-kb890830-v3.2.exe
c:\24d2fd2a5cd1f27068bc8210c6\mrtstub.exe
C:\Windows\system32\MRT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Windows\system32\conhost.exe
C:\Users\Brady\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SansaDispatch] c:\users\brady\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\brady\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\users\brady\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\logitech webcam software\eReg.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2009-12-8 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-8 161800]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-12-8 24856]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-8 360584]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-8 333192]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-8 28424]
S2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-8 906520]
S2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-8 285392]
S2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-8 2303680]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-8 5832712]
S3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2009-12-8 122376]
S3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2009-12-8 30216]
S3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2009-12-8 21208]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2009-12-24 15:51:20 0 d-----w- c:\program files\ESET
2009-12-24 15:22:39 0 d-----w- C:\24d2fd2a5cd1f27068bc8210c6
2009-12-24 04:16:41 0 d-----w- C:\World of Warcraft
2009-12-24 03:36:32 0 d-----w- c:\users\brady\appdata\roaming\Malwarebytes
2009-12-24 03:36:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 03:36:25 0 d-----w- c:\programdata\Malwarebytes
2009-12-24 03:36:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 03:36:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 07:28:42 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-21 07:28:42 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-20 03:41:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-18 03:08:41 0 d-----w- c:\programdata\Hewlett-Packard
2009-12-15 06:37:48 0 d-----w- c:\program files\Ventrilo
2009-12-15 06:37:44 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-12-15 06:37:09 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-13 22:58:25 0 d-----w- c:\users\brady\appdata\roaming\SanDisk
2009-12-13 22:49:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-13 22:10:21 0 d-----w- c:\program files\Screen Movie Studio
2009-12-10 06:51:58 0 d-----w- c:\programdata\ATI
2009-12-10 06:48:23 0 d-----w- c:\program files\ATI Technologies
2009-12-10 06:48:21 0 d-----w- c:\program files\ATI
2009-12-10 06:46:37 0 d-----w- C:\ATI
2009-12-10 04:26:42 0 d-----w- c:\users\brady\appdata\roaming\TERMINAL Studio
2009-12-10 04:26:38 92216 ----a-w- c:\windows\system32\bass.dll
2009-12-10 04:26:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-12-10 04:26:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-10 04:26:38 0 d-----w- c:\program files\Free Fireplace 3D Screensaver
2009-12-10 04:26:17 0 d--h--w- C:\temp
2009-12-09 03:18:43 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-08 23:00:14 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-08 22:59:48 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-08 22:59:28 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-08 22:55:34 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-12-08 22:55:12 0 d-----w- c:\windows\system32\wbem\Performance
2009-12-08 22:45:42 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-08 22:45:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-08 22:42:50 0 d-----w- c:\windows\Panther
2009-12-08 22:42:37 8192 --sha-r- C:\BOOTSECT.BAK
2009-12-08 22:42:36 383562 --sha-r- C:\bootmgr
2009-12-08 22:42:35 0 d-sh--w- C:\Boot
2009-12-08 22:13:21 0 d-----w- c:\users\brady\appdata\roaming\IObit
2009-12-08 22:13:20 0 d-----w- c:\program files\IObit
2009-12-08 21:52:14 0 d-----w- c:\programdata\Blizzard
2009-12-08 21:51:31 0 d--h--w- C:\$AVG
2009-12-08 21:51:30 25608 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2009-12-08 21:51:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-08 21:51:29 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-08 21:51:28 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-08 21:51:23 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-08 21:51:21 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-08 21:50:51 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-12-08 21:50:51 0 d-----w- c:\program files\AVG
2009-12-08 21:50:45 0 d-----w- c:\programdata\avg9
2009-12-08 21:46:21 0 d-----w- c:\users\brady\Tracing
2009-12-08 21:43:37 0 d-----w- c:\program files\Microsoft
2009-12-08 21:43:19 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-08 21:42:30 0 d-----w- c:\windows\PCHEALTH
2009-12-08 21:38:08 0 d-----w- c:\program files\common files\Windows Live
2009-12-08 20:16:34 0 d-----w- c:\program files\common files\Blizzard Entertainment
2009-12-08 20:07:22 0 d-----w- c:\programdata\LogiShrd
2009-12-08 20:06:42 0 d-sh--w- c:\windows\Installer

==================== Find3M ====================

2009-09-30 03:58:10 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-09-30 03:56:14 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2009-09-30 03:55:56 348160 ----a-w- c:\windows\system32\atipdlxx.dll
2009-09-30 03:55:42 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2009-09-30 03:55:34 12288 ----a-w- c:\windows\system32\atimuixx.dll
2009-09-30 03:55:26 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-09-30 03:55:14 278528 ----a-w- c:\windows\system32\Ati2evxx.dll
2009-09-30 03:54:10 733184 ----a-w- c:\windows\system32\Ati2evxx.exe
2009-09-30 03:42:48 3839488 ----a-w- c:\windows\system32\atiumdag.dll
2009-09-30 03:26:12 4946432 ----a-w- c:\windows\system32\atiumdva.dll
2009-09-30 03:14:36 51712 ----a-w- c:\windows\system32\amdpcom32.dll
2009-09-30 03:14:04 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2009-09-30 02:51:38 11513856 ----a-w- c:\windows\system32\atioglxx.dll
2009-09-30 02:11:06 53248 ----a-w- c:\windows\system32\aticalrt.dll
2009-09-30 02:10:52 53248 ----a-w- c:\windows\system32\aticalcl.dll
2009-09-30 02:09:46 3235840 ----a-w- c:\windows\system32\aticaldd.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 9:59:55.60 ===============

Hopefully that'll do, anything else lemme know, thanks a bunch!

Attachments Attach.txt (3.9KB)
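The "Pseudo HJT Report" section of the log above is where a keylogger usually shows itself: a Run value or startup item pointing at a user-writable directory, an AppInit_DLLs entry (loaded into every process that pulls in user32.dll), or a hosts-file line that quietly redirects a login page. The following is an added example written for this thread; it is not part of DDS, HijackThis or any tool from the site. It parses lines in that shape and reports the ones a human should look at. The sample input is constructed: five lines are copied from the posted report, and the last `Hosts:` line is made up for the example so that a non-loopback redirect is present to be flagged.

```python
"""Triage the persistence section of a DDS / HijackThis-style log.

Added example for this thread; it is not part of DDS, HijackThis or any
DaniWeb tool.  It reads lines in the shape of the "Pseudo HJT Report" and
flags the entries a keylogger would typically use to survive a reboot or
to redirect a login page.
"""
import re

# Constructed sample.  The first five lines are copied from the report
# posted in the thread; the final "Hosts:" line is invented for this example
# so that a non-loopback redirect is present to be flagged.
SAMPLE_LOG = r'''
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SansaDispatch] c:\users\brady\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 10.0.0.5 login.example.com
'''

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
EXT_RE = re.compile(r"\.(exe|scr|com|bat|cmd|vbs|js|dll)\b", re.IGNORECASE)

# Directories an unprivileged user (and so malware running as that user) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def exe_path(rest: str) -> str:
    """Pull the program path out of a Run value, quoted or not, dropping arguments."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    m = EXT_RE.search(rest)
    return rest[: m.end()] if m else rest.split()[0]


def triage(log_text: str) -> list:
    """Return (category, item, detail) tuples for each line worth a human's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = exe_path(m["rest"])
            if any(d in path.lower() for d in USER_WRITABLE):
                findings.append(("autostart-user-writable", m["name"], path))
        elif m := HOSTS_RE.match(line):
            # Loopback entries usually come from immunisation tools (Spybot etc.);
            # anything else silently redirects a hostname and deserves scrutiny.
            kind = "hosts-block" if m["ip"] in LOOPBACK else "hosts-redirect"
            findings.append((kind, m["host"], m["ip"]))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs are injected into every process that loads user32.dll,
            # which is exactly where a keylogger wants to sit.
            for dll in m["dlls"].split(","):
                findings.append(("appinit-dll", dll.strip(), "injected into every user32 process"))
    return findings


if __name__ == "__main__":
    for category, item, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {item:22} {detail}")
```

On the posted log this raises two questions rather than verdicts: the `SansaDispatch` entry runs from `appdata\roaming`, and `avgrsstx.dll` is an AppInit DLL. The paths say SanDisk and AVG respectively, and the "Created Last 30" section shows the DLL appearing at the same minute as the AVG drivers, so both are plausibly benign; confirming that (signature, hash, install date) is the analyst's job, the script only narrows the list.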
PhilliePhan (Central Scrutinizer, Team Colleague)

At quick glance (and I mean very quick), those logs look OK.

If you want to double-check, you could try a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me - unless it's clean, of course.

If you like, there are also some rootkit scans you could try, but Kaspersky is pretty thorough....

Cheers :)
PP

delliron (Newbie Poster)

Heya Phillie, thanks for the reply! I did the scan last night after the ESET one; both came up clean. I did have 3 lines that included something along the lines of wormrader etc. etc.; I removed them already, so hopefully this will keep me free, lol. Thanks again, Merry Xmas!


PhilliePhan (Central Scrutinizer, Team Colleague)

I did have 3 lines that included along the lines of wormrader etc etc....

Happy XMas to you as well :)

Everything seems to be rootkitted these days, so you need to be extra vigilant. Looks to me like you're doing a good job.

Cheers,
PP

delliron (Newbie Poster)

Thank you again for your help. Just one last question: what combo of free virus scanners/spyware scanners would you suggest? Right now I have AVG and Malwarebytes installed, along with Advanced System Care from IObit.


PhilliePhan (Central Scrutinizer, Team Colleague)

Happy to help :)

-- That's a very subjective question these days. There are a number of good tools out there and each has its legion of fans.

I think keeping MBAM on hand for "on demand" scanning is obviously a good idea.
Also, the Kaspersky Online Scan is good to use if you feel you need a "second opinion" to AVG.

There are many in the anti-malware community upset with IObit for their alleged recent theft of Malwarebytes' database, and they would recommend removing IObit. Personally, I have not looked too closely at IObit to know how effective it is.....


I do like the "real-time" protection afforded by WinPatrol
Likewise, I think SpywareBlaster is a good tool.

I like the tools from a-squared as well, but seem to be in the minority there. I believe they offer solid protection, but the detractors cite a number of false positives generated by their real-time protection heuristics.
Frankly, MBAM has done much worse in FPs the last few months - so, like I say, recommendations can be subjective.

Best thing you can do is keep all your protective measures up to date with builds and definitions. Keep your Java and other vulnerable items up to date as well.

Keeping Windows and everything else up to date with patches and staying vigilant are the keys to staying secure.

Cheers :)
PP

Falkons (Newbie Poster)

This could help. It is no easy task getting rid of Trojans or keyloggers. This is one of the best guides I have found about this.
http://cognitiveanomalies.com/simple-ways-in-detecting-key-loggers/

jbennet (Moderator)

You should get one of those WoW encryption dongles, which generate a one-time password.

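The dongle jbennet mentions is a one-time-password token, and the reason it beats a keylogger is worth seeing in code: the code it displays is derived from a shared secret and the current time, so a captured code is useless once the victim has logged in with it and expires within a time step anyway. The following is an added example written for this thread, not code from the thread or from Blizzard; it implements the public RFC 4226 HOTP and RFC 6238 TOTP algorithms, not the Authenticator's own token format, which is not reproduced here. The secret is the RFC test key, and the 30-second step, 6-digit code and one-step drift window are assumptions for the example.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, with a server-side verifier that
redeems each time step only once.

Added example for this thread.  It is generic RFC code, not Blizzard's
Authenticator; the secret is the RFC test key, and the 30-second step,
6 digits and one-step drift window are assumptions.
"""
import hashlib
import hmac
import struct
import time

# The test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side of the dongle scheme.

    Accepts the code for the current step or one neighbouring step (clock
    drift), and never accepts a step at or below the last one redeemed.  That
    second rule is what defeats a keylogger: the code it captured is dead the
    moment the victim's own login used it, and it expires within `step` s anyway.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_step = -1  # highest counter value already redeemed

    def verify(self, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_step:
                continue  # replay of a redeemed code, or older than one
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    t = 1234567890
    server = OtpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, t)
    print("code", code, "first use:", server.verify(code, now=t))
    print("keylogged replay 5 s later:", server.verify(code, now=t + 5))
```

The static password a keylogger steals works until it is changed; the OTP it steals works at most until the victim's own login consumes it. The replay guard (`last_step`) is as important as the time step: without it an attacker watching the keystrokes in real time could race the victim within the same 30-second window.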