
Hacked WoW Account



#1 Igrac

Posted 24 December 2010 - 03:42 PM

I can't seem to find the keylogger on my computer. I have run Trend Micro's HouseCall and KL-Detector and can't seem to find the problem.
Here are a few logs. I am running Malwarebytes at the moment.

TCP
[System Process] 0 TCP 192.168.0.101 2226 74.125.224.28 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2252 208.43.87.4 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2254 216.34.207.177 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2250 216.34.207.177 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2225 74.125.224.28 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2235 24.143.207.10 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2227 74.125.224.28 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2228 74.125.224.28 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2239 24.143.207.112 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2240 24.143.207.112 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2237 24.143.207.112 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2241 24.143.207.112 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.101 2238 24.143.207.112 80 TIME_WAIT
alg.exe 1280 TCP 127.0.0.1 1046 0.0.0.0 0 LISTENING
DivXUpdate.exe 1812 UDP 127.0.0.1 1036 * *
firefox.exe 2884 TCP 127.0.0.1 2038 127.0.0.1 2037 ESTABLISHED 10 10
firefox.exe 2884 TCP 127.0.0.1 2039 127.0.0.1 2040 ESTABLISHED
firefox.exe 2884 TCP 127.0.0.1 2040 127.0.0.1 2039 ESTABLISHED
firefox.exe 2884 TCP 127.0.0.1 2037 127.0.0.1 2038 ESTABLISHED 10 10
firefox.exe 2884 TCP 192.168.0.101 2246 74.125.19.148 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2248 216.34.207.176 80 CLOSE_WAIT
firefox.exe 2884 TCP 192.168.0.101 2200 184.51.104.74 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2219 74.125.224.25 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2202 208.89.13.133 80 ESTABLISHED 2 1,598 4 1,260
firefox.exe 2884 TCP 192.168.0.101 2224 74.125.224.28 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2249 24.143.207.17 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2255 207.46.140.150 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2197 74.125.224.45 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2221 74.125.224.25 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2209 74.125.224.25 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2247 216.34.207.176 80 CLOSE_WAIT
lsass.exe 724 UDP 0.0.0.0 500 * *
lsass.exe 724 UDP 0.0.0.0 4500 * *
svchost.exe 988 TCP 0.0.0.0 135 0.0.0.0 0 LISTENING
svchost.exe 1124 UDP 0.0.0.0 1527 * * 19 839 19 1,478
svchost.exe 1124 UDP 0.0.0.0 1063 * *
svchost.exe 1080 UDP 127.0.0.1 123 * *
svchost.exe 1080 UDP 192.168.0.101 123 * *
svchost.exe 1124 UDP 0.0.0.0 1064 * *
svchost.exe 1124 UDP 0.0.0.0 1037 * *
svchost.exe 1124 UDP 0.0.0.0 1076 * *
svchost.exe 1124 UDP 0.0.0.0 1150 * *
svchost.exe 1228 UDP 127.0.0.1 1900 * *
svchost.exe 1228 UDP 192.168.0.101 1900 * *
System 4 TCP 0.0.0.0 445 0.0.0.0 0 LISTENING
System 4 TCP 192.168.0.101 139 0.0.0.0 0 LISTENING
System 4 UDP 192.168.0.101 137 * * 27 1,350
System 4 UDP 192.168.0.101 138 * *
System 4 UDP 0.0.0.0 445 * *


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:32:58 PM, on 12/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 4845 bytes

Thanks for any help.

#2 Igrac (Topic Starter)

Posted 24 December 2010 - 03:53 PM

Sorry for posting in here; I did see the notice that said don't put logs, but I thought I was in the hacked topic. If a moderator could move it, that would be appreciated.
I did a KL log and got this:

KL-Detector has found some suspicious files:
C:\Program Files\World of Warcraft\Logs\Downloader.log
C:\Program Files\World of Warcraft\Logs\Sound.log
C:\Program Files\World of Warcraft\Logs\connection.log

Please check; someone might have installed a keylogger on your computer!


You MAY want to take a look at:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Blizzard Installer Temporary Data - 8fbc8c9c\
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
C:\Program Files\World of Warcraft\Logs\
C:\Documents and Settings\Administrator\
C:\WINDOWS\system32\config\
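Neither log in this thread contains a keylogger signature: HijackThis lists load points, not every module in memory, and the socket snapshot shows only browser traffic to port 80 plus the stock XP listeners (135, 139, 445 and the UDP services, bound to every interface). What a responder would actually pull out of the first post is (a) UltraVNC registered both as an HKLM Run entry and as a service, that is, a complete remote-control server that must be confirmed as intentionally installed; (b) the Conduit, vShare and Vuze Remote toolbars, which are widely classified as adware/PUPs; and (c) that the day-to-day account is Administrator and the browser is a beta build. The KL-Detector hits in the second post are World of Warcraft's own log directory; that tool flags files written while you type, so a running game's logs are an expected hit and say nothing either way. The script below is an added example for this thread, not code from the original post or from BleepingComputer. It runs those checks over lines copied from the logs above, plus one constructed outbound connection (labelled in the code) that is not in the post, to exercise the last check. The keyword lists, browser list and severity labels are assumptions to adapt, not a signature set.

```python
"""Triage a HijackThis log and a TCPView/netstat dump for the indicators a
responder checks first: remote-control software in autoruns or services,
adware-class browser add-ons, services with no readable publisher, sockets
reachable from the LAN, and outbound connections from non-browser processes.

Added example for this thread; the keyword lists are heuristic assumptions.
"""
import re

# Heuristic keyword lists (assumptions; extend for your environment).
REMOTE_CONTROL = ("winvnc", "ultravnc", "tightvnc", "realvnc", "teamviewer", "radmin", "logmein")
PUP_ADDONS = ("conduit", "vshare", "toolbar")
BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe", "opera.exe", "plugin-container.exe"}

HJT_LINE = re.compile(r"^(?P<type>[RO]\d+) - (?P<rest>.*)$")
# process, PID, proto, local addr/port, remote addr/port, optional state;
# trailing TCPView packet/byte counters (present in the post) are ignored.
NET_LINE = re.compile(
    r"^(?P<proc>\[System Process\]|\S+) (?P<pid>\d+) (?P<proto>TCP|UDP) "
    r"(?P<laddr>[\d.]+) (?P<lport>\d+) (?P<raddr>[\d.*]+) (?P<rport>[\d*]+)"
    r"(?: (?P<state>[A-Z_]+))?"
)

# Lines copied from the HijackThis log in the first post.
HJT_SAMPLE = r"""
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

# Lines copied from the connection dump in the first post ...
NET_SAMPLE = """\
[System Process] 0 TCP 192.168.0.101 2226 74.125.224.28 80 TIME_WAIT
alg.exe 1280 TCP 127.0.0.1 1046 0.0.0.0 0 LISTENING
firefox.exe 2884 TCP 192.168.0.101 2246 74.125.19.148 80 ESTABLISHED
firefox.exe 2884 TCP 192.168.0.101 2202 208.89.13.133 80 ESTABLISHED 2 1,598 4 1,260
svchost.exe 1080 UDP 127.0.0.1 123 * *
svchost.exe 1124 UDP 0.0.0.0 1527 * * 19 839 19 1,478
svchost.exe 988 TCP 0.0.0.0 135 0.0.0.0 0 LISTENING
System 4 TCP 0.0.0.0 445 0.0.0.0 0 LISTENING
System 4 TCP 192.168.0.101 139 0.0.0.0 0 LISTENING
"""
# ... plus one CONSTRUCTED line (not in the post) so the outbound check fires.
NET_SAMPLE += "svchost.exe 1124 TCP 192.168.0.101 2300 203.0.113.5 6667 ESTABLISHED\n"


def is_local(addr):
    """Loopback or RFC 1918 address; anything else is treated as Internet."""
    if addr.startswith(("127.", "10.", "192.168.")):
        return True
    if addr.startswith("172."):
        return 16 <= int(addr.split(".")[1]) <= 31
    return False


def triage_hjt(text):
    findings = []
    for line in text.splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        typ, rest = m.group("type"), m.group("rest")
        low = rest.lower()
        if typ in ("O4", "O23") and any(k in low for k in REMOTE_CONTROL):
            # A VNC server that is both autostarted and a service is a full
            # remote-control channel; confirm the user installed it on purpose.
            findings.append(("high", "remote-control", rest))
        elif typ in ("R3", "O2", "O3") and any(k in low for k in PUP_ADDONS):
            findings.append(("medium", "pup-addon", rest))
        elif typ == "O23" and "unknown owner" in low:
            # HJT could not read a company name from the binary's version info.
            findings.append(("low", "unverified-service", rest))
    return findings


def triage_net(text):
    findings = []
    for line in text.splitlines():
        m = NET_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        where = f'{d["proc"]} pid {d["pid"]} {d["proto"]} {d["laddr"]}:{d["lport"]}'
        # A UDP socket has no state; any bind off loopback is LAN-reachable.
        listening = d["state"] == "LISTENING" or d["proto"] == "UDP"
        if listening and not d["laddr"].startswith("127."):
            findings.append(("info", "lan-reachable-listener", where))
        elif (d["state"] == "ESTABLISHED" and not is_local(d["raddr"])
              and d["proc"].lower() not in BROWSERS):
            findings.append(("medium", "non-browser-outbound",
                             f'{where} -> {d["raddr"]}:{d["rport"]}'))
    return findings


def triage(hjt_text, net_text):
    """All findings, highest severity first (sort is stable within a level)."""
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(triage_hjt(hjt_text) + triage_net(net_text), key=lambda f: rank[f[0]])


def counts(findings):
    out = {}
    for _sev, cat, _detail in findings:
        out[cat] = out.get(cat, 0) + 1
    return out


if __name__ == "__main__":
    for sev, cat, detail in triage(HJT_SAMPLE, NET_SAMPLE):
        print(f"[{sev:6}] {cat:24} {detail}")
```

Run it as-is to see the eleven findings from the sample; to triage a real case, paste the full HijackThis log and connection dump into the two strings. The "lan-reachable-listener" entries for 135/139/445 are the XP defaults and are informational unless the machine sits on an untrusted network; the two "remote-control" hits are the ones to resolve first, since a VNC server the owner did not install makes the question of a keylogger secondary.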



