Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Account Compromised


  • Please log in to reply
1 reply to this topic

#1 JD56

JD56

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 27 May 2010 - 09:15 PM

Hi,

I recently had a gaming account compromised. I got the account returned to me and the password reset. I just would like to make sure the breach/keylogger/etc wasn't from my end. I may have logged in on a separate unsecured computer of a friend and picked it up that way.

Anyway, the DDS file is attached.

The GMER program gave me an error. Here is a screenshot of it too

Attached Files


Edited by JD56, 27 May 2010 - 09:18 PM.


BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:41 PM

Posted 30 May 2010 - 06:51 AM

hi JD56,

Gmer isnt supported on Windows7. Log looks ok as far as malware goes. Perhaps you lost the password some other way. Some guide lines for passwords:

At least fifteen (15) characters in length.
Does not contain your user name, real name, organization name, family member's names or names of your pets.
Does not contain your birth date.
Does not contain a complete dictionary word.
Is significantly different from your previous password.


Should contain three (3) of the following character types.

Lowercase Alphabetical (a, b, c, etc.)
Uppercase Alphabetical (A, B, C, etc.)
Numerics (0, 1, 2, etc.)
Special Characters (@, %, !, etc.)



I posted in the DDS log;

DDS (Ver_10-03-17.01) - NTFSX64
Run by Jay at 20:43:37.96 on Thu 05/27/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4091.2219 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\AVG\AVG9\avgam.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Users\Jay\AppData\Local\Apps\2.0\QR50VB63.WLR\5CHWWPXB.BZ0\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\PROGRA~2\Java\jre6\bin\jp2launcher.exe
C:\Program Files (x86)\Java\jre6\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jay\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
uRun: [Sidebar] c:\program files (x86)\windows sidebar\sidebar.exe /autoRun
uRun: [Steam] "c:\program files (x86)\steam\Steam.exe" -silent
uRun: [Pando Media Booster] c:\program files (x86)\pando networks\media booster\PMB.exe
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files (x86)\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
StartupFolder: c:\users\jay\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\users\jay\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files (x86)\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jay\appdata\roaming\mozilla\firefox\profiles\gtme3mok.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files (x86)\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\jay\appdata\roaming\mozilla\firefox\profiles\gtme3mok.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AvgRkx64;avgrkx64.sys;c:\windows\system32\drivers\avgrkx64.sys [2009-11-21 56008]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-23 69152]
R1 AvgLdx64;AVG AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2009-11-21 269320]
R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2009-11-21 35464]
R1 AvgTdiA;AVG Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2009-11-21 317520]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 173984]
R2 avg9emc;AVG E-mail Scanner;c:\program files (x86)\avg\avg9\avgemc.exe [2010-3-5 916760]
R2 avg9wd;AVG WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-3-5 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-5-7 125328]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 40832]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-10 5434368]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-5-24 1153368]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1255736]

=============== Created Last 30 ================

2010-05-26 14:42:23 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-26 14:42:23 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 21:29:26 0 d-----w- c:\users\jay\appdata\roaming\Malwarebytes
2010-05-24 21:29:17 0 d-----w- c:\programdata\Malwarebytes
2010-05-24 21:29:16 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 21:29:16 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-05-24 15:44:31 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-24 15:44:31 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-05-23 22:10:44 0 d-----w- c:\program files (x86)\Microsoft Antimalware
2010-05-23 22:10:40 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 17:52:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-23 17:45:05 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-23 17:45:01 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-23 17:41:21 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-23 17:41:11 0 d-----w- c:\programdata\Lavasoft
2010-05-23 17:41:11 0 d-----w- c:\program files (x86)\Lavasoft
2010-05-20 04:32:22 0 d-----w- c:\users\jay\.worldoflogs
2010-05-12 07:57:53 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 07:57:52 740864 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-05-07 07:04:20 65536 --sha-w- c:\users\jay\ntuser.dat{eb7191c6-595c-11df-a651-0090f58f13e1}.TM.blf
2010-05-07 07:04:20 524288 --sha-w- c:\users\jay\ntuser.dat{eb7191c6-595c-11df-a651-0090f58f13e1}.TMContainer00000000000000000002.regtrans-ms
2010-05-07 07:04:20 524288 --sha-w- c:\users\jay\ntuser.dat{eb7191c6-595c-11df-a651-0090f58f13e1}.TMContainer00000000000000000001.regtrans-ms
2010-04-28 14:25:29 223448 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 14:25:26 12867072 ----a-w- c:\windows\syswow64\shell32.dll
2010-04-28 14:25:25 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-04-28 14:25:25 22016 ----a-w- c:\windows\syswow64\secur32.dll
2010-04-28 14:25:25 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 14:25:25 1446912 ----a-w- c:\windows\system32\lsasrv.dll

==================== Find3M ====================

2010-05-12 15:21:16 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-04-20 12:43:55 317520 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2010-03-08 21:59:59 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 21:33:56 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-03-05 15:44:53 12976 ----a-w- c:\windows\system32\avgrssta.dll
2010-02-27 15:17:00 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-27 12:07:48 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-02-27 12:07:48 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 19:44:45 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-22 19:44:45 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-22 19:44:45 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-22 19:44:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-02 08:45:10 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:44:14.88 ===============

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users