    #1
  1. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2010
    Posts
    8
    Rep Power
    0

    Virus keeps giving someone my personal info/game accounts


    Hello all, I hope you can help me as I have nowhere else to turn at this point. I do not know how I got this virus; so far it has stolen my WoW account 3 times, and I am unable to get that back. It has also enabled someone to get into my Direct2Drive account and steal around $250 of video games via that account.

    The first thing I did when I noticed my accounts being stolen was run a Malwarebytes scan, a SUPERAntiSpyware scan, and an Avira scan. Thinking I was safe, I used account recovery and did not save logs.

    Around 1 day later all accounts had been re-hijacked, and I am at a loss as to where they could have been.

    I have done all the steps in the sticky to do before posting and will now post my logs here.

    Malwarebytes Log:

    Database version: 3985

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    4/13/2010 7:28:08 PM
    mbam-log-2010-04-13 (19-28-08).txt

    Scan type: Quick scan
    Objects scanned: 107402
    Time elapsed: 3 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    SUPERAntiSpyware Log:


    Generated 04/13/2010 at 07:50 PM

    Application Version : 4.35.1002

    Core Rules Database Version : 4803
    Trace Rules Database Version: 2615

    Scan type : Complete Scan
    Total Scan Time : 00:12:48

    Memory items scanned : 454
    Memory threats detected : 0
    Registry items scanned : 4196
    Registry threats detected : 0
    File items scanned : 13426
    File threats detected : 1

    Adware.Tracking Cookie
    C:\Documents and Settings\OWNER-PC\Cookies\owner-pc@atdmt[2].txt


    And finally,

    HijackThis Log:


    Scan saved at 8:02:13 PM, on 4/13/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\System32\PRISMSVC.EXE
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    I took out a ton of URL-looking items here; I do not know what http is exactly, I think it was this stuff.

    I wasn't sure if I did all of this right or not. I tried to follow your instructions as well as possible; if anything is wrong please let me know and I'll try to rectify the situation.

    Thank you for your time and effort. I will check back on this as much as I can.
  2. #2
  3. They're coming to take me away

    Join Date
    Jan 2005
    Location
    Florida
    Posts
    5,103
    Rep Power
    5049
    For the HijackThis log, post the entire contents. You do need to remove the URLs, but you can just change those up a little so they don't look like a URL... (Ex: change http://www.microsoft.com/ to www dot microsoft dot com)

    Are you sure that your accounts being hacked is a result of an infection on your machine?

    Comments on this post

    • Saltiney agrees
    "I don't need to get a life. I'm a gamer. I have lots of lives!"
  4. #3
  5. <?PHP user_title("gimp"); ?>
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jan 2005
    Location
    Internet
    Posts
    7,652
    Rep Power
    6084
    Check for keyloggers and old "friends" who have your password.

    Comments on this post

    • hiker agrees
    • Saltiney agrees
    Chat Server Project & Tutorial | WiFi-remote-control sailboat (building) | Joke Thread
    “Rational thinkers deplore the excesses of democracy; it abuses the individual and elevates the mob. The death of Socrates was its finest fruit.”
    Use XXX in a comment to flag something that is bogus but works. Use FIXME to flag something that is bogus and broken. Use TODO to leave yourself reminders. Calling a program finished before all these points are checked off is lazy.
    -Partial Credit: Sun

    If I ask you to redescribe your problem, it's because when you describe issues in detail, you often get a *click* and you suddenly know the solutions.
    Ches Koblents
  6. #4
  7. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2010
    Posts
    8
    Rep Power
    0
    Can you suggest a good program that can check for keyloggers? I highly suspect it is one, but have not been able to find one.
  8. #5
  9. Stumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,409
    Rep Power
    4538
    If it were my machine I would back up important stuff, security-erase the disk and reinstall a fresh copy of Windows. Malware is very sophisticated these days and none of the detection programs can guarantee your Windows a clean bill of health.

    Comments on this post

    • Saltiney agrees : Thank you Doug
    ======
    Doug G
    ======
    It is a truism of American politics that no man who can win an election deserves to. --Trevanian, from the novel Shibumi
  10. #6
  11. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2010
    Posts
    8
    Rep Power
    0
    Thanks for the advice guys, I guess I'll upgrade my Windows to 7 this weekend. Is there any chance this is still a virus? I feel like it's definitely a keylogger; if so I'll post the completed HijackThis log. I did try to post it twice, not sure why it didn't make it through.

    (I'm at work right now or I would do it)
  12. #7
  13. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2010
    Posts
    8
    Rep Power
    0
    I think I will also buy a new hard drive, being that mine is very old, but if I cannot afford that as well, what is a good program to completely erase my hard disk?
  14. #8
  15. They're coming to take me away

    Join Date
    Jan 2005
    Location
    Florida
    Posts
    5,103
    Rep Power
    5049
    Originally Posted by Saltiney
    Thanks for the advice guys, I guess I'll upgrade my Windows to 7 this weekend. Is there any chance this is still a virus? I feel like it's definitely a keylogger; if so I'll post the completed HijackThis log. I did try to post it twice, not sure why it didn't make it through.

    (I'm at work right now or I would do it)
    For HijackThis logs, you need to edit out the URLs... change them from http://www.domain.com to www dot domain dot com (or something similar). You can't post URLs until either your 5th or 10th post.
    "I don't need to get a life. I'm a gamer. I have lots of lives!"
  16. #9
  17. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2010
    Posts
    8
    Rep Power
    0
    I'll try to get it up when I get home from work; it's looking like I'm going to go the new hard drive and Windows 7 route though.
  18. #10
  19. They're coming to take me away

    Join Date
    Jan 2005
    Location
    Florida
    Posts
    5,103
    Rep Power
    5049
    Originally Posted by Saltiney
    I'll try to get it up when I get home from work; it's looking like I'm going to go the new hard drive and Windows 7 route though.
    That would be your safest bet. If it's something you're considering anyway, then just do that... but if you're unsure or finances are a problem, then post back the HJT log and we'll take a look to see if anything looks abnormal. Also, you could try Spybot if you haven't already. I know Spybot detects a lot of keyloggers and such.

    Comments on this post

    • Saltiney agrees : Hiker helped me out a bunch.
    "I don't need to get a life. I'm a gamer. I have lots of lives!"
  20. #11
  19. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2010
    Posts
    8
    Rep Power
    0
    Great, thanks. I'm downloading Spybot now; here is the log, I think I got them all.

    This is the best anti-virus forum I have seen, very professional. Thanks a lot for the help so far, I appreciate it.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:55:38 PM, on 4/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\PRISMSVC.EXE
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Dell Wireless\PRISMCFG.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www dot daemon-search dot com/startpage
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\DOCUME~1\OWNER-PC\LOCALS~1\Temp\4565sys.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

    --
    End of file - 5430 bytes
  22. #12
  23. They're coming to take me away

    Join Date
    Jan 2005
    Location
    Florida
    Posts
    5,103
    Rep Power
    5049
    The only one that looks abnormal to me is 4565sys.dll ... Other than that, I don't see much else that looks out of place.

    As gimp mentioned earlier, it could very well be "friends" that have your password... or a password that is simple to hack by someone that knows you...

    But to be safe, reinstalling would definitely be a good idea if you're unsure of how your accounts are being accessed; especially if you're already considering a new hard drive.

    Comments on this post

    • jzd agrees
    "I don't need to get a life. I'm a gamer. I have lots of lives!"
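A small triage script for the log format above, added here as an example (it is not from the thread or from HijackThis): it flags O20 AppInit_DLLs entries that load from a temp or profile directory, the pattern behind the 4565sys.dll call-out above, and O2 BHO entries with no backing file. The sample lines are copied from the posted log; the path heuristic itself is an assumption of this example, not a rule the thread states.

```python
import re
from typing import List, Tuple

# Constructed sample: four lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll
O20 - AppInit_DLLs: C:\\DOCUME~1\\OWNER-PC\\LOCALS~1\\Temp\\4565sys.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
"""

# Directories a legitimately installed, system-wide DLL should not live in:
# per-user temp and profile folders, in both long and 8.3 short-name form.
# (Heuristic assumed for this example.)
TEMP_PATH_RE = re.compile(r"\\(temp|tmp|locals~1|local settings|appdata|docume~1)\\", re.I)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries that merit a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # O20 AppInit_DLLs are loaded into every process that maps user32.dll,
        # so a DLL in a temp folder there is a classic persistence/keylogger spot.
        if line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            for dll in (d.strip() for d in value.split(",")):
                if dll and TEMP_PATH_RE.search(dll):
                    findings.append(("AppInit_DLLs entry loads from a temp/profile dir", line))
        # O2 BHO with "(no file)": the registration outlived its DLL. Usually an
        # uninstall leftover, but an orphaned entry is still worth cleaning up.
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("BHO registration with no backing file", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```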
  24. #13
  25. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2010
    Posts
    8
    Rep Power
    0
    Ahh, problem solved. Spybot did the trick, found 3 "Sckeyloggers" and 3 "superkeylogger"; man, I need to remember all these programs I got from going on this site.

    Thanks a lot for your guys' help; is there any way to, like, report to the site that this was very helpful?
  26. #14
  27. They're coming to take me away

    Join Date
    Jan 2005
    Location
    Florida
    Posts
    5,103
    Rep Power
    5049
    Originally Posted by Saltiney
    Ahh, problem solved. Spybot did the trick, found 3 "Sckeyloggers" and 3 "superkeylogger"; man, I need to remember all these programs I got from going on this site.

    Thanks a lot for your guys' help; is there any way to, like, report to the site that this was very helpful?
    There's a little scale icon next to the post numbers... you can click those for any post(s) you found helpful and click agree with (and type a comment if you so choose).

    Glad you found the problems.
    "I don't need to get a life. I'm a gamer. I have lots of lives!"
  28. #15
  29. Stumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,409
    Rep Power
    4538
    For erasing a hard drive I use a Linux live CD and usually the shred program. There are lots; I believe Spybot includes a disk wiping program, check the advanced mode in Spybot.
    ======
    Doug G
    ======
    It is a truism of American politics that no man who can win an election deserves to. --Trevanian, from the novel Shibumi