
I was told to repost the topic here with logs, so here goes:

I was kicked out of World of Warcraft while playing, and realized quickly that I was being hacked by someone else logging in with my account and pword (my account was automatically temporarily disabled). What I realized is that my Hotmail and Wow account pwords are the same--my other email account, which is actually the acct keyed to my World of Warcraft account, wasn't hacked into, but because my hotmail and WoW account had the same password at the time, I'm guessing the hackers got in that way. This is the 2nd time I've been hacked--the first time I had no antivirus or spyware stuff, this time I had Online Armor, Malwarebytes, NoScript, and Spybot S and D, which I updated regularly and checked regularly (I used the free versions if that helps). Online Armor had both the Program Guard and Keyloggers detector checked as active at the time.

After I was hacked, I ran scans on MBM and Spybot S and D. Scans showed no keyloggers. What I suspect might have happened is that I clicked on a phishing link via my Hotmail at some point (it said it was a Blizzard address--and this was before I reactivated my WoW account and before Hotmail wised up and spotted these emails seemingly sent from Blizzard as fakes).

How can I find and root out the likely keylogger presence on my desktop, and if I can't do that, what would you recommend I do? I have changed my Hotmail password, and deactivated my WoW account temporarily while I wait for my authenticator to get here and while I prepare the account recovery form I need to send to Blizzard (basically it asks for proof I'm me).

I run a Windows 7 desktop, if that helps. I could post the MBM log here but it literally just says "0" threats were detected, so I don't think it'll be of much value. Still, if you'd like logs posted, please let me know.

Any help would be much appreciated. Thanks!

Malwarebytes log:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5259

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/7/2010 3:36:08 PM
mbam-log-2010-12-07 (15-36-08).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 378581
Time elapsed: 11 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log:

Showed up as blank when saved as .txt (said "no system modifications were found"). I had checked Services, Registry and Files (with C drive).


I don't mean to push, but....I'm afraid that as the thread was on page 5 as of today, this won't be spotted by anyone until I bump it...so here it is. I'm quite afraid my computer is not secure. If it helps, I think I clicked on one of the phishing emails in my Hotmail, and though the page didn't load, it must have logged my current password or some such? Or did it install a keylogger that is still active on my computer? None of my scans are showing anything, including Lavasoft's Ad-aware.


Hi,

Please download DDS and save it to your desktop.

  • Disable any script blocking protection.
  • Double click dds.com to run the tool.
  • When done, DDS will open two logs (DDS.txt and Attach.txt).
  • Save both reports to your desktop.

Please include the contents of DDS.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


How would I disable Noscript? I'm using a Korean desktop so I can't really understand all the stuff it's saying--and how would I reenable it after disabling it?

Would simply not opening Firefox work to allow Noscript to not interfere with DDS, even though the internet connection would be active?

Thanks for the reply! I'll get the logs to you as soon as I know how I can get Noscript safely disabled and then reenabled.


Hi,

Please skip the DDS instructions and do this instead:

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
