Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WoW Hacked, Can't Find Any Infection


  • Please log in to reply
7 replies to this topic

#1 Fuss Pot

Fuss Pot

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 10 April 2009 - 06:48 PM

My World of Warcraft account has recently been hacked, and since I don't give my info to anyone, I can only suspect that my computer has been somehow infected, because there's no other way these guys could get my information more than once.

I'm running Windows XP Professional, SP3. Comodo serves as both my virus scanner and firewall. Now, when I run Spybot, it doesn't turn anything up. I don't find anything when I run a virus scan through Comodo either, but the firewall has been blocking a very large number (1000+ per day) of intrusion attempts, so I know there has to be something going on. It's bad enough that's affecting my gaming, but I don't want any more of my information getting out where it doesn't belong.

I should probably add that I was using Chrome up until today, when I discovered that I'd been hacked again. I got rid of it and went back to strictly using Firefox for fear that it might have been part of the problem.

I'm wondering what the next step might be, if anyone is able to assist me in this matter? It's starting to make me a little nuts. :thumbsup:

Thanks for reading.

Edited by Fuss Pot, 10 April 2009 - 06:55 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 10 April 2009 - 09:18 PM

but the firewall has been blocking a very large number (1000+ per day) of intrusion attempts

A firewall serves two basics purposes: Prevent incoming communications that you did not request from entering your computer and to monitor what programs on your computer are allowed to communicate out. It does this by enforcing an access control policy to permit or block (allow or deny) inbound and outbound traffice. Thus, the firewall acts as a central gateway for such traffic by denying illegitimate transfers and facilitatint access which is deemed legitimate. The goal of the firewall is to prevent remote computers from accessing yours and provide notification of any unrequested traffic that was blocked along with the IP address.

If your firewall provides an alert that indicates it has blocked access to a port but does not necessarily mean your system has been compromised. Firewall alert messages are a response to unrequested traffic from remote computers. The alert means that your firewall has blocked an attempt from an external host to access a port on your computer that is commonly used by a trojan. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it. These alerts are often classified by the network port they arrive on and allow you to see the activity of what is happening on your firewall. The alerts allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer.

It is not unusal for a firewall to provide numerous alerts regarding such attempted access. Botnets and Zombie computers scour the net and will randomly scan a block of IP addresses. These infected computers are searching for "vulnerable ports" and make repeated attempts to access them. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there.

To check whether or not the port in question is open on your system you can use netstat from a command prompt to obtain Local/Foreign Addresses, PID and listening state.

Go to Start > Run and in the open box, type: cmd
Press Ok.
At the command prompt, type: netstat -an
Press Enter.

You can also use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity or various Internet Traffic Monitoring Tools for troubleshooting and malware investigation.

You can investigate IP addresses and gather additional information at:You need to be using more anti-malware tools than Spybot. Please download Malwarebytes Anti-Malware and save it to your desktop.
Print out and follow these Instructions for scanning with Malwarebytes Anti-Malware and perform a Quick Scan in normal mode.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Fuss Pot

Fuss Pot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 10 April 2009 - 09:48 PM

Thanks for clearing up my confusion about the intrusion alerts. I'll be sure to use the tips you gave me to keep an eye on things.

For the time being, here's my MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 1964
Windows 5.1.2600 Service Pack 3

4/10/2009 9:38:25 PM
mbam-log-2009-04-10 (21-38-25).txt

Scan type: Quick Scan
Objects scanned: 71627
Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Apparently it hasn't found anything. Should I try a full scan?

Thank you, again.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 10 April 2009 - 10:03 PM

MBAM is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan which takes much longer to complete. Both do full heuristics, memory, load points and multiple other malware checks. The Quick Scan looks at the most prevalent places for active malware so scanning every single file on the drive isn't always necessary. The Full Scan only has the ability to catch more traces in rare circumstances.

Please perform an online scan with Kaspersky WebScanner.
(Requires free Java Runtime Environment (JRE) be installed before scanning for malware as ActiveX is no longer being used.)
  • Click on the Posted Image ...button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press... the Posted Image ...button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image ...button, if you made any changes.
  • Now under the Scan section on the left:Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Fuss Pot

Fuss Pot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 12 April 2009 - 04:59 PM

I'm sorry it took me so long to respond again. I've been away from my computer for the last couple of days.

Anyway, I used Kapersky as you told me, and it also turned up nothing. This was the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 12, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, April 11, 2009 19:15:08
Records in database: 2034884
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 101694
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 04:08:26

No malware has been detected. The scan area is clean.

The selected area was scanned.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 13 April 2009 - 08:03 AM

I don't see any evidence of malware infection with the scans I asked you to do and your scans found no evidence either so it appears your machine is clean.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Fuss Pot

Fuss Pot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 13 April 2009 - 08:43 AM

Alright. I've changed a bunch of my passwords, so hopefully wherever they have gotten in, they can't get into anymore.

Thanks for your help. :thumbsup:

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 13 April 2009 - 08:45 AM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:Many security experts recommend disabling this feature as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users