WoW got hacked and I suspect keylogger

TheLostSwede Trondheim, Norway Icrontian
edited October 2009 in Spyware & Virus Removal
Hi all,
Long time no see. I hope you all are OK. For the first time, I have had security issues, and yesterday my WoW account got hacked and pretty much emptied. Been searching everywhere. I have used Kaspersky up until now (subscription ended, and before I get a chance to buy a new license, AVG would do, I thought).

I ran Malwarebytes Antimalware and it didn't show anything, and then I ran Bazooka scanner and it gave 2 objects: SystemDir.Explorer and SystemDir.Regedit.

From the looks of it, the only application that finds these files is Bazooka, which makes me feel it is intended to be found by it, but it's pretty vague. Here is the log from it.

Bazooka Scanner v1.13.03
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
support@kephyr.com
Log created 00:40:35.
OS: Windows NT 6.1
Database version: 2.730000
Database format version: 1.020000
Database date: 20050314
Current date: 2009-09-29 00:40


****************************************
Result when scanning:

SystemDir.explorer 545.505.000 %SystemDir%\explorer.exe
C:\Windows\system32\\explorer.exe
http://www.kephyr.com/spywarescanner/library/systemdir.explorer/index.phtml

SystemDir.regedit 544.500.000 %SystemDir%\regedit.exe
C:\Windows\system32\\regedit.exe
http://www.kephyr.com/spywarescanner/library/systemdir.regedit/index.phtml

****************************************
Auto start entries:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Mackanz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Mackanz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Go here to analyse the startup entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************
Run entries:
StartCCC "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\StartCCC

Malwarebytes Anti-Malware (reboot) "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Anti-Malware (reboot)

PlayNC Launcher
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PlayNC Launcher


Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************
Browser helper objects:

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} WormRadar.com IESiteBlocker.NavFilter C:\Program Files (x86)\AVG\AVG8\avgssie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

{9030D464-4C02-4ABF-8ECC-5164760863C6} not set C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}


****************************************
Toolbars:

ITBar7Layout Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\ITBar7Layout\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout

ITBar7Height Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\ITBar7Height\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height

ITBar7Layout Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\ITBar7Layout\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout


****************************************
All processes:

[System Process]
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
services.exe
lsass.exe
lsm.exe
svchost.exe
winlogon.exe
svchost.exe
atiesrxx.exe
svchost.exe
svchost.exe
svchost.exe
audiodg.exe
svchost.exe
svchost.exe
atieclxx.exe
spoolsv.exe
svchost.exe
avgwdsvc.exe
IAANTmon.exe
avgrsa.exe
avgnsa.exe
taskhost.exe
dwm.exe
explorer.exe
MOM.exe
CCC.exe
SearchIndexer.exe
wmpnetwk.exe
svchost.exe
iexplore.exe
iexplore.exe
iexplore.exe
iexplore.exe
iexplore.exe
svchost.exe
msnmsgr.exe
wlcomm.exe
spywarescanner.exe
iexplore.exe
SearchProtocolHost.exe

Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php

****************************************
Internet Explorer Settings:

Default_Page_URL http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Local Page C:\Windows\SysWOW64\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

Search Page http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

Local Page C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

Search Page http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://deliverance-wow.com/forum.php
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Thank you in advance.

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2009
    Thrax says:

    "Yes, you got a keylogger, no virus scanners can't pick it up, yes format"

    (He's in the room with me)

    :D