WoW got hacked and i suspect keylogger
TheLostSwede
Trondheim, Norway Icrontian
Hi all,
Long time no see. I hope you are all ok. For the first time, I have had security issues and yesterday my WoW account got hacked and pretty much emptied. Been searching everywhere. I have used Kaspersky up until now (subscription ended and before I get a chance to buy a new license, AVG would do, I thought).
I ran Malwarebytes Anti-Malware and it didn't show anything, and then I ran Bazooka scanner and it gave 2 objects: SystemDir.Explorer and SystemDir.Regedit.
From the looks of it, the only application that finds these files is Bazooka, which makes me feel it is intended to be found by it, but it's pretty vague. Here is the log from it.
Bazooka Scanner v1.13.03
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
support@kephyr.com
Log created 00:40:35.
OS: Windows NT 6.1
Database version: 2.730000
Database format version: 1.020000
Database date: 20050314
Current date: 2009-09-29 00:40
****************************************
Result when scanning:
SystemDir.explorer 545.505.000 %SystemDir%\explorer.exe
C:\Windows\system32\\explorer.exe
http://www.kephyr.com/spywarescanner/library/systemdir.explorer/index.phtml
SystemDir.regedit 544.500.000 %SystemDir%\regedit.exe
C:\Windows\system32\\regedit.exe
http://www.kephyr.com/spywarescanner/library/systemdir.regedit/index.phtml
****************************************
Auto start entries:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Mackanz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Mackanz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Go here to analyse the startup entries and the associated files:
http://www.kephyr.com/filedb/index.php
****************************************
Run entries:
StartCCC "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\StartCCC
Malwarebytes Anti-Malware (reboot) "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Anti-Malware (reboot)
PlayNC Launcher
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PlayNC Launcher
Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php
****************************************
Browser helper objects:
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} WormRadar.com IESiteBlocker.NavFilter C:\Program Files (x86)\AVG\AVG8\avgssie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
{9030D464-4C02-4ABF-8ECC-5164760863C6} not set C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
****************************************
Toolbars:
ITBar7Layout Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\ITBar7Layout\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout
ITBar7Height Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\ITBar7Height\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height
ITBar7Layout Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\ITBar7Layout\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout
****************************************
All processes:
[System Process]
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
services.exe
lsass.exe
lsm.exe
svchost.exe
winlogon.exe
svchost.exe
atiesrxx.exe
svchost.exe
svchost.exe
svchost.exe
audiodg.exe
svchost.exe
svchost.exe
atieclxx.exe
spoolsv.exe
svchost.exe
avgwdsvc.exe
IAANTmon.exe
avgrsa.exe
avgnsa.exe
taskhost.exe
dwm.exe
explorer.exe
MOM.exe
CCC.exe
SearchIndexer.exe
wmpnetwk.exe
svchost.exe
iexplore.exe
iexplore.exe
iexplore.exe
iexplore.exe
iexplore.exe
svchost.exe
msnmsgr.exe
wlcomm.exe
spywarescanner.exe
iexplore.exe
SearchProtocolHost.exe
Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php
****************************************
Internet Explorer Settings:
Default_Page_URL http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
Default_Search_URL http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
Local Page C:\Windows\SysWOW64\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
Search Page http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
Start Page http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\
www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www
Local Page C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
Search Page http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
Start Page http://deliverance-wow.com/forum.php
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Thank you in advance.
Comments
"Yes, you got a keylogger, no virus scanners can't pick it up, yes format"
(He's in the room with me)