Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How can I be sure I'm clean? Online gaming account hacked twice...


  • This topic is locked This topic is locked
4 replies to this topic

#1 ashamednerdygirl

ashamednerdygirl

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:28 AM

Posted 13 December 2011 - 02:11 AM

Well, this is embarrassing. I play World of Warcraft (I know...) and someone reset my password without my permission and went into my account. I went through password recovery, scanned my computer with Avast without finding anything, changed my WoW and email password and then the next day I got hacked again. So today I scanned with Spybot which only found tracking cookies and Malware Bytes that found what to me looked like maybe false positives. I also scanned with SUPERantiSpyware. I didn't even bother with Avast again. I installed all outstanding Windows Updates. How can I be sure my computer is clean? (This assumes there is a keylogger on my system. Frankly, I don't trust WoW's servers all that much. When my password reset was requested by the hacker, the email to verify hadn't been read that I can tell. I wonder if they do this in a way that doesn't involve physical typing in my passwords. I don't know. I also haven't shared my account info with anyone. I'm embarrassed even just telling strangers I play WoW.)

FYI I have Windows XP. I can't recall any shady websites or downloads that would've exposed me to a keylogger. I do use torrents. I can post logs and whatever else may be useful. I will get a WoW authenticator which has a digital code every 15 seconds to log into my account, but this still makes me uncomfortable, even though my online banking and other email accounts seem totally fine...

Thanks in advance so much!

Edited by ashamednerdygirl, 13 December 2011 - 02:12 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:28 AM

Posted 13 December 2011 - 08:26 AM

How can I be sure my computer is clean?

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans, Botnets, IRCBots and rootkits that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces of it will be removed as they may not find all the remnants.


I play World of Warcraft...I don't trust WoW's servers all that much

I would not trust them either. In many cases gaming sites are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. They can lead to other sites containing malware which you can inadvertently download without knowledge. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. For these reasons gaming sites can put you at risk to fraud, phishing and theft of personal data. Even if the gaming site is a clean site, there is always the potential of some type of malware making its way there and then onto your system. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

...Microsoft Security has issued a research report where it notifies that virus creators are continuously assaulting online video game players...a malicious family of software programs are seeking out popular online computer games such as World of Warcraft, Maple Story, Lineage and several others. According to Microsoft’s seventh Security Intelligence Report, cybercrooks use computer worm parasites for stealing confidential personal information from local computer users through online games, unsecured file sharing and removable disk drives...The most dangerous and prevalent malware involve Taterf and Conficker worms which have infected millions of computer systems worldwide...

Malware Makers Target Online Games to Spread Worms

Microsoft warned video game developers...that their PC games are now a target for criminals...Popular massively multiplayer online games, such as World of Warcraft, have created a market for valuable game identities...Using malware or software designed to infiltrate a computer system, hackers steal account information...

Microsoft warns game developers of cyber thieves

...Gaming sites are becoming a growth area for malware and other security threats. The newer threats are sophisticated and are designed to draw in unsuspecting users...

Game Sites Next Big Malware Target?

The design of online game architecture creates an open door for hackers...hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....

MMO Security: Are Players Getting Played?

...Moral of the story?
1. Do not allow online games
2. Block ports used by online games
3. Block sites related to these online games
4. Educate your users...

online game + online trade = Trojan Spy

Security researchers...poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection...Some Trojan Web sites have done what they can do to collect gamers' authentication information so they can loot their characters (and) accounts.

Real Flaws in Virtual Worlds: Exploiting Online Games

...a very significant release for Gamers everywhere with the addition of a variety of password stealers directly targeting Online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online just to name a few), but World of Warcraft and Valve’s Steam client are high on the hit-list too...

Taterf – all your drives are belong to me!

Using gaming sites is almost a guaranteed way to get yourself infected!!


I do use torrents

Using any torrent, peer-to-peer (P2P) file sharing program (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare, Azureus/Vuze) or visiting such sites is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. As such, it is not uncommon for some anti-virus/anti-malware disinfection tools to detect torrent related files and programs as a threat and attempt to remove them.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help!. In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications and torrent web sites.Since the nature of P2P programs is counter productive to restoring your computer to a healthy state, I strongly recommend that you remove all such programs to reduce the risk of infection and keep your system clean.

Using such programs or browsing torrent sites is almost a guaranteed way to get yourself infected!!


With that said, try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow the download/installation of any require files.
  • Under scan settings, check Posted Image and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 ashamednerdygirl

ashamednerdygirl
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:28 AM

Posted 13 December 2011 - 01:53 PM

Here you go. I'm no expert but these just look like unwanted programs and false positives to me, not any keyloggers.

C:\Documents and Settings\Katie\My Documents\Applications\cnet2_rt60ln90_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Katie\My Documents\Applications\cnet_OutpostProInstall_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Katie\My Documents\Applications\InternationalPrimoPDF.exe Win32/OpenCandy application
C:\Documents and Settings\Katie\My Documents\Applications\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application
C:\Documents and Settings\Katie\My Documents\Applications\winamp558_full_emusic-7plus_en-us.exe Win32/OpenCandy application

Just FYI, since Avast didn't find anything and Spybot and Superantispyware just found a bunch of cookies, here is what MalwareBytes found when I scanned, just in case this is useful:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8363

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2011 1:48:39 AM
mbam-log-2011-12-13 (01-48-39).txt

Scan type: Full scan (C:\|M:\|)
Objects scanned: 361447
Time elapsed: 1 hour(s), 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{8B498502-1218-11CF-ADC4-00A0D100041B} (Malware.Packer.Gen) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Katie\my documents\applications\autoi.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\t5rdv.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ecesq.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8365

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/13/2011 11:13:50 AM
mbam-log-2011-12-13 (11-13-50).txt

Scan type: Full scan (C:\|M:\|)
Objects scanned: 361160
Time elapsed: 1 hour(s), 11 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{dfdfc41d-61cc-4b49-9084-429b5c01b2bb}\RP145\A0085198.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{dfdfc41d-61cc-4b49-9084-429b5c01b2bb}\RP145\A0085199.dll (Malware.Packer.Gen) -> Quarantined

Those also just look like unwanted crap, not virus/keyloggers, etc. What should I do now? Thanks again for the help.

Edited by ashamednerdygirl, 13 December 2011 - 01:54 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:28 AM

Posted 13 December 2011 - 02:28 PM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your Malwarebytes scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after 'RP' represents a sequential number automatically assigned by the operating system. The ***** after 'A00' also represents a sequential number where the original file(s) (shown in the first log) were backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. If your anti-virus or anti-malware tool is able to move (quarantine) the file(s) let it do so. When an anti-virus or security program quarantines a file and moves it into a virus vault (chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through security routines which may copy, rename, encrypt and password protect the file the file before moving. Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer. When the quarantined file is known to be malicious, you can delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete.


I'm no expert but these just look like unwanted programs and false positives to me, not any keyloggers.

If you recognize any of the detections as legitimate programs, then you can leave them alonge. Eset's detection rate is high and can include files which it considers MAY be a risk, suspicious or a potential threat..that's why I asked you to have the scanning engine not to remove found threats.

For example, OpenCandy is an advertising application distributed by the OpenCandy Software Network which displays ads in other programs. The use of advertisement is a way to promote software packages and recover development costs. OpenCandy is not installed on a computer, does not collect personally identifiable information and in most cases allows the user to choose whether or not to install advertised software recommended by the vendor. Although no personal information is collected, the software does collect anonymous statistics about events and other data during installation. See What information does OpenCandy collect?

The OpenCanday network has partnered with various popular and trusted software developers who bundle their product as part of the program's software installation package. A list of such developers can be found here. Some vendors will clearly advise the use of OpenCandy before downloading their software, while others may provide confusing or no information at all. An example would be SIW (System Information for Windows) which clearly indicates on their website the use of OpenCandy.

What is OpenCandy?
OpenCandy is similar to Google AdSense, except it displays advertisements in installation program instead of websites. These advertisements promote another software packages. The advertisements are selected by providers of software being installed. When user installing a software (SIW) chooses to install promoted package, revenue is generated and shared between OpenCandy and software providers (SIW developers).

SIW Home Edition is bundled with OpenCandy

This is what OpenCandy has to say about their product.

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development. The installer uses the OpenCandy plug-in to present a software recommendation...during installation. You have complete control to accept the software recommendation by selecting either the “Install” or “Do not install” options on the software recommendation screen.

What is OpenCandy?

OpenCandy is not a virus or malware. However, since it is responsible for displaying advertisements, it may be detected (and sometimes removed) by various anti-virus and other security scanning tools as Adware, a classification that broadly defines the term as any software package which automatically displays advertisements in any form in order to generate revenue. For example, the Microsoft Malware Protection Center (MMPC) detects the program as Adware:Win32/OpenCandy, a low level threat and so does McAfee.

In response to this detection, OpenCandy has provided the following information:Of course OpenCandy is in business to make money so they are going to defend their product and portray it in a positive light. For another opinion, you may want to read: OpenCandy: A New Kind of Adware/Spyware.

IMO, removal of OpenCandy detections is an optional choice. I have provided the information so you can make an informed decision as whether to remove it or not.

If you're not sure or want a second opinion, submit the file(s) to one of the following online services that analyzes suspicious files:In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:28 AM

Posted 13 December 2011 - 03:13 PM

I have moved (split away) your log(s) to the Virus, Trojan, Spyware, and Malware Removal Logs forum as they are not permitted in this forum.

Please go here, click on the Options button in the upper right corner of that thread and choose Track this topic. Subscribe to that topic to ensure you are notified when a helper replies.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worst which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable. If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users