Danqx

Hacked WoW account

8 posts in this topic

Hi there, thanks in advance for your help. My WoW account got hacked 3 times in the last month, and I have scanned my system with Avast, SUPERAntiSpyware, Spybot S&D and Malwarebytes Anti-Malware, but to no avail. This is my HijackThis log; I hope you guys can help me identify the issue.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10.44.16, on 05/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe

C:\Programmi\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Programmi\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe

C:\Programmi\iTunes\iTunesHelper.exe

C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe

C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programmi\Logitech\GamePanel Software\LgDevAgt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\Messenger\msmsgs.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe

C:\Programmi\MSN Messenger\MsnMsgr.Exe

C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programmi\Skype\Phone\Skype.exe

C:\Programmi\Logitech\SetPoint\SetPoint.exe

C:\Programmi\VIA\RAID\raid_tool.exe

C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe

C:\Programmi\Alwil Software\Avast4\ashWebSv.exe

C:\Programmi\iPod\bin\iPodService.exe

C:\Programmi\File comuni\Logishrd\KHAL2\KHALMNPR.EXE

C:\Programmi\Skype\Plugin Manager\skypePM.exe

C:\DOCUME~1\Daniel\IMPOST~1\Temp\Rar$EX00.640\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Programmi\Logitech\GamePanel Software\LgDevAgt.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programmi\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programmi\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [MS_MASTER] RUNDLL32.EXE C:\WINDOWS\System32\xml_inc.dll,i

O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice

O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Programmi\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ccleaner] "C:\Programmi\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [skype] "C:\Programmi\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {BD0D1F18-5561-11DC-A0D9-692F56D89593} - http://cav.t.youprog.info/code/2029.exe

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll \\?\c:\windows\system32\com4.ici

O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\Logishrd\Bluetooth\LBTServ.exe

 

--

End of file - 8432 bytes


Hi Danqx, and Welcome to SWI

 

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

 

Why have you never updated your Windows XP installation to Service Pack 3 (SP3)? Until you do, your system is needlessly vulnerable. Do NOT update to SP3 yet though; we need to clean the system first, as installing a Service Pack on an infected system can create a mess.

 

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

 

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Please don't forget this step to disable TeaTimer.

 

 

I have scanned my system with Avast, SUPERantispyware, SpybotS&D and Malwarebytes Anti-Malware but to no avail.

Please post the log from MBAM in your next reply so I can see what (if anything) it detected.

I do see a file in your HijackThis log that's identified by Kaspersky as Trojan-GameThief.Win32.WOW.ikz, which we will delete.

 

 

Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click the Delete button.
    - For IE 7:
    • In the window that opens, click the Delete all button.
    • When prompted, place a check in: "Also delete files and settings stored by add-ons.", click Yes.

    - For IE8:

    • In the window that opens place a checkmark in all options.
    • Click the Delete and OK buttons.

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options > Privacy.
  • Click "clear your recent history".
  • Go to the Advanced tab, and click the Clear Now button
  • Click OK to close the Options window

Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

 

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [MS_MASTER] RUNDLL32.EXE C:\WINDOWS\System32\xml_inc.dll,i

O16 - DPF: {BD0D1F18-5561-11DC-A0D9-692F56D89593} - http://cav.t.youprog...o/code/2029.exe

 

You can optionally check the following entry. This is a reminder to register your Creative Labs SoundBlaster Live! card, and it is not necessary for running your system:

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

 

You can optionally check the following entry. This is part of Microsoft Office located in your Startup folder, but it's not needed, and it's a resource hog:

O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE

 

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

 

 

Using Windows Explorer, locate the following file, and delete it (if still there):

C:\WINDOWS\System32\xml_inc.dll

 

 

Please do a scan with Kaspersky Online Scanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.


  1.  
  2. Tick the box next to YES, I accept the Terms of Use.
  3. Click Start
  4. When asked, allow the ActiveX control to install
  5. Click Start
  6. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  7. Click Scan
    Wait for the scan to finish
  8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  9. Copy and paste that log as a reply to this topic

 

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java SE Runtime Environment (JRE), JRE 6 Update 17".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, and check the "agree" box and click "Continue".
    - Note: If you are running an x64 (64-bit) version of Windows, you need to install both the Windows (x32) and Windows x64 version.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version (the x64 version is jre-6u17-windows-x64.exe).

    - Note: If you are running Vista, you may need to right-click on the installation file and select Run as Administrator.

 

Download Security Check by screen317 from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

You're running Agnitum Outpost, which is an excellent firewall, and should have stopped the trojan from sending your account information outside your system. Do you turn off the firewall when you play WoW? If you do, that's what allowed the trojan to steal your account information.

 

For your WoW account, you may want to consider adding an Authenticator to your accounts and converting your account to a battle.net account. The former is an RSA hard token that works with WoW; it generates a new six-digit key every 30 seconds (Blizzard Authenticator FAQ). The latter ties an account permanently to an e-mail address (What is the Battle.net Account?). If you have an iPhone or iPod touch, Blizzard has released the Battle.net Mobile Authenticator application that you can download for free:

http://news.softpedia.com/news/Free-Battle-net-Mobile-Authenticator-App-Released-for-iPhone-108547.shtml (the Battle.net Mobile Authenticator requires an Airtime or Wi-Fi connection).

 

 

Please post a new HijackThis log, the log from ESET's online scanner, the log from Security check, the log from when you ran MBAM, and note any errors encountered.
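The entries the helper picked out of the log above share a few recognisable shapes. The script below is an added example (not part of this thread and not HijackThis code) that parses HijackThis-format lines and flags those three shapes; the sample lines are constructed from the logs posted in this thread, and the result is a review list, not a verdict.

```python
"""Triage heuristics for HijackThis v2.0.2 log lines.

Added example; not part of the original thread and not HijackThis code.
It encodes the three signals used above to pick the entries to fix:
an O2 BHO whose DLL is missing, an O4 Run entry that uses RUNDLL32 to
load a DLL, and an O16 DPF entry that downloads a bare .exe instead of
a .cab. Run it on a saved hijackthis.log to get a short review list.
"""
import re
import sys

# Constructed sample in the format HijackThis uses; entries copied from
# the logs posted in this thread (three suspicious, three benign).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MS_MASTER] RUNDLL32.EXE C:\WINDOWS\System32\xml_inc.dll,i
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD0D1F18-5561-11DC-A0D9-692F56D89593} - http://cav.t.youprog.info/code/2029.exe
""".strip()

# Every HijackThis entry starts with a section tag (R0-R3, O1-O24) and " - ".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A Run command that starts with rundll32 and names a .dll to load.
RUNDLL = re.compile(r"(?i)^rundll32(\.exe)?\s+.*\.dll")


def parse_line(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(line):
    """Return a reason if the entry deserves a closer look, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if section == "O2" and body.endswith("(no file)"):
        # A BHO CLSID still registered after its DLL went away: harmless on
        # its own, but a leftover of whatever installed it.
        return "O2: BHO registered with no DLL on disk (orphaned entry)"
    if section == "O4":
        # Body is 'HKLM\..\Run: [Name] command'; keep the command part.
        command = body.split("] ", 1)[-1]
        if RUNDLL.match(command):
            # RUNDLL32 plus a DLL dropped in System32 is how the MS_MASTER
            # entry loaded the game-credential stealer in this thread.
            return "O4: Run entry loads a DLL via RUNDLL32; verify the DLL"
    if section == "O16":
        # Body is '{CLSID} (Description) - URL'; the URL is the last field.
        url = body.rsplit(" - ", 1)[-1]
        if url.lower().endswith(".exe"):
            # DPF entries normally point at a signed .cab, not a bare .exe.
            return "O16: ActiveX download points at a bare .exe, not a .cab"
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged entry in a whole log."""
    hits = []
    for line in text.splitlines():
        reason = triage(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LOG
    for entry, reason in triage_log(source):
        print(f"{reason}\n    {entry}")
```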


Hi, thanks for the reply; I hope I haven't missed anything. Oh, unfortunately (?) I updated my system to Service Pack 3. Here are the logs you asked for; let me know if I missed something. As for the firewall, I only installed it the other day; I didn't have it running when my account got hacked.

 

MBAM:

 

Malwarebytes' Anti-Malware 1.42

Versione del database: 3289

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

06/12/2009 22.52.09

mbam-log-2009-12-06 (22-52-09).txt

 

Tipo di scansione: Scansione rapida

Elementi scansionati: 116630

Tempo trascorso: 6 minute(s), 5 second(s)

 

Processi delle memoria infetti: 0

Moduli della memoria infetti: 0

Chiavi di registro infette: 0

Valori di registro infetti: 0

Elementi dato del registro infetti: 0

Cartelle infette: 0

File infetti: 0

 

Processi delle memoria infetti:

(Nessun elemento malevolo rilevato)

 

Moduli della memoria infetti:

(Nessun elemento malevolo rilevato)

 

Chiavi di registro infette:

(Nessun elemento malevolo rilevato)

 

Valori di registro infetti:

(Nessun elemento malevolo rilevato)

 

Elementi dato del registro infetti:

(Nessun elemento malevolo rilevato)

 

Cartelle infette:

(Nessun elemento malevolo rilevato)

 

File infetti:

(Nessun elemento malevolo rilevato)

 

 

ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

 

 

 

security check log:

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

avast! Antivirus

ESET Online Scanner v3

Outpost Firewall 2009

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

SpywareBlaster 4.1

Yahoo! Anti-Spy

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 17

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.0.9 - Italiano

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe

Alwil Software Avast4 ashServ.exe

Alwil Software Avast4 ashDisp.exe

Alwil Software Avast4 ashMaiSv.exe

Alwil Software Avast4 ashWebSv.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

`````````End of Log```````````

 

 

 

 

New Hijackthis log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 0.05.02, on 07/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe

C:\Programmi\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Programmi\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe

C:\Programmi\iTunes\iTunesHelper.exe

C:\Programmi\QuickTime\qttask.exe

C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programmi\Logitech\GamePanel Software\LgDevAgt.exe

C:\Programmi\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

C:\Programmi\Logitech\GamePanel Software\G-series Software\LGDCore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Programmi\Messenger\msmsgs.exe

C:\Programmi\Logitech\GamePanel Software\Applets\LCDCountdown.exe

C:\Programmi\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe

C:\Programmi\Logitech\GamePanel Software\Applets\LCDMedia.exe

C:\Programmi\Logitech\GamePanel Software\Applets\LCDPop3.exe

C:\Programmi\Logitech\GamePanel Software\Applets\LCDRSS.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programmi\MSN Messenger\MsnMsgr.Exe

C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programmi\Skype\Phone\Skype.exe

C:\Programmi\Logitech\SetPoint\SetPoint.exe

C:\Programmi\VIA\RAID\raid_tool.exe

C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe

C:\Programmi\File comuni\Logishrd\KHAL2\KHALMNPR.EXE

C:\Programmi\Alwil Software\Avast4\ashWebSv.exe

C:\Programmi\iPod\bin\iPodService.exe

C:\Programmi\Skype\Plugin Manager\skypePM.exe

C:\Programmi\Java\jre6\bin\jusched.exe

C:\Programmi\Java\jre6\bin\jqs.exe

C:\Programmi\Mozilla Firefox\firefox.exe

C:\DOCUME~1\Daniel\IMPOST~1\Temp\Rar$EX00.938\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Programmi\Logitech\GamePanel Software\LgDevAgt.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programmi\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programmi\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice

O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Programmi\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ccleaner] "C:\Programmi\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [skype] "C:\Programmi\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll \\?\c:\windows\system32\com4.ici

O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\Logishrd\Bluetooth\LBTServ.exe

 

--

End of file - 9389 bytes


When Java updates itself now, it will uninstall previous versions. It didn't always do that, so the outdated versions need to be uninstalled. Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:

Java™ SE Runtime Environment 6 Update 1

Java™ 6 Update 2

 

Your version of Adobe Acrobat Reader is outdated and vulnerable. Go to Start > Control Panel > Add or Remove Programs and remove the following program:

Adobe Reader

Then go to http://www.adobe.com and download and install the current version. When you install it, be careful to UNcheck any optional toolbar installation unless you really want the toolbar.

 

Create a Restore Point

  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close

Run Disk Cleanup

  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK

  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).

To help keep malware off your system:

  • Keep Windows updated at Windows Update or Microsoft Update.
  • Keep your other applications updated; there are vulnerabilities that rely on exploits through other programs like Java, Microsoft Office, Adobe Reader, Flash, and others.
  • Run a program like Secunia Software Inspector Scan to see what programs need to be updated.
  • Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.
  • Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.
  • Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
  • Don't click on links received in instant message programs.
  • In place of Internet Explorer, browse with Firefox with the NoScript and AdBlock Plus add-ons.
  • A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at http://www.mvps.org/winhelp2002/hosts.htm.
  • A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacoolsoftware.com/products.html.
  • I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://www.spywareinfoforum.com/index.php?showtopic=60955

Does your problem appear resolved?


Some things to consider:

  • Did you purchase an authenticator for your account? I'd call it money well spent at this point.
  • Change your WoW password, but NOT from this system. If you change your password from an infected system, your new password is at risk. Be sure you change your password from a clean, uninfected system.
  • Don't play WoW on this system until it's been cleaned again.

 

You had TeaTimer installed, so be sure you have it turned off:

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

 

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Please don't forget this step to disable TeaTimer.

 

Please also turn off any other anti-spyware program that you may have installed.

 

Please Run Malwarebytes' Anti-Malware.

  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

 

Please do a scan with Kaspersky Online Scanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post a new HijackThis log, the log from MBAM, the log from Kaspersky's online scanner, and note any errors encountered.


It seems I definitely might have to consider buying a Blizzard authenticator. Anyhow, if there is nothing on the MBAM and Kaspersky's logs, does that mean my pc is clean atm?

Here are the MBAM quick scan and a complete scan which I did yesterday and the Kaspersky's log.

 

Malwarebytes' Anti-Malware 1.42

Versione del database: 3308

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

08/12/2009 11.08.00

mbam-log-2009-12-08 (11-08-00).txt

 

Tipo di scansione: Scansione rapida

Elementi scansionati: 119557

Tempo trascorso: 8 minute(s), 51 second(s)

 

Processi delle memoria infetti: 0

Moduli della memoria infetti: 0

Chiavi di registro infette: 0

Valori di registro infetti: 0

Elementi dato del registro infetti: 0

Cartelle infette: 0

File infetti: 0

 

Processi delle memoria infetti:

(Nessun elemento malevolo rilevato)

 

Moduli della memoria infetti:

(Nessun elemento malevolo rilevato)

 

Chiavi di registro infette:

(Nessun elemento malevolo rilevato)

 

Valori di registro infetti:

(Nessun elemento malevolo rilevato)

 

Elementi dato del registro infetti:

(Nessun elemento malevolo rilevato)

 

Cartelle infette:

(Nessun elemento malevolo rilevato)

 

File infetti:

(Nessun elemento malevolo rilevato)

Malwarebytes' Anti-Malware 1.42

Versione del database: 3308

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

07/12/2009 14.54.02

mbam-log-2009-12-07 (14-54-02).txt

 

Tipo di scansione: Scansione completa (C:\|)

Elementi scansionati: 186776

Tempo trascorso: 1 hour(s), 30 minute(s), 16 second(s)

 

Processi delle memoria infetti: 0

Moduli della memoria infetti: 0

Chiavi di registro infette: 0

Valori di registro infetti: 0

Elementi dato del registro infetti: 0

Cartelle infette: 0

File infetti: 0

 

Processi delle memoria infetti:

(Nessun elemento malevolo rilevato)

 

Moduli della memoria infetti:

(Nessun elemento malevolo rilevato)

 

Chiavi di registro infette:

(Nessun elemento malevolo rilevato)

 

Valori di registro infetti:

(Nessun elemento malevolo rilevato)

 

Elementi dato del registro infetti:

(Nessun elemento malevolo rilevato)

 

Cartelle infette:

(Nessun elemento malevolo rilevato)

 

File infetti:

(Nessun elemento malevolo rilevato)

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, December 8, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, December 08, 2009 05:57:55

Records in database: 3341874

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

 

Scan statistics:

Objects scanned: 67686

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 02:07:33

 

No threats found. Scanned area is clean.

 

Selected area has been scanned.
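As an added helper for reading posted scan logs (not part of the original thread or of either product): a small Python parser that pulls the summary counters out of an MBAM log, including the Italian-localized labels shown above, and out of a Kaspersky Online Scanner report, and says whether anything was detected. The excerpts below are constructed in the same layout as the posted logs; the non-zero MBAM counts are made up to exercise the detection path.

```python
import re

# Constructed excerpt in the layout of the MBAM 1.42 log above (Italian locale),
# with two counters set non-zero on purpose.
MBAM_SAMPLE = """Malwarebytes' Anti-Malware 1.42
Versione del database: 3308
Tipo di scansione: Scansione rapida
Elementi scansionati: 119557
Tempo trascorso: 8 minute(s), 51 second(s)
Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 2
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 1
"""

# Constructed excerpt in the layout of the Kaspersky Online Scanner 7.0 report above.
KAV_SAMPLE = """KASPERSKY ONLINE SCANNER 7.0: scan report
Records in database: 3341874
Objects scanned: 67686
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:07:33
"""

# A summary line is "label: integer" and nothing else (so timestamps and durations are skipped).
COUNT_LINE = re.compile(r"^\s*([^:]+?):\s*(\d+)\s*$")
# Substrings that mark a counter as a detection counter: Italian "infetti/infette",
# English "infected", and the Kaspersky "Threats found"/"Suspicious objects found" lines.
DETECTION_MARKERS = ("infet", "infected", "threats found", "suspicious")

def parse_counts(log_text):
    """Return {label: int} for every 'label: number' summary line in the log."""
    counts = {}
    for line in log_text.splitlines():
        m = COUNT_LINE.match(line)
        if m:
            counts[m.group(1).strip()] = int(m.group(2))
    return counts

def detections(log_text):
    """Return only the detection counters whose value is non-zero."""
    return {k: v for k, v in parse_counts(log_text).items()
            if v and any(mark in k.lower() for mark in DETECTION_MARKERS)}

def is_clean(log_text):
    """True when every detection counter is zero; raises if the text has none (wrong log)."""
    labels = [k.lower() for k in parse_counts(log_text)]
    if not any(mark in k for k in labels for mark in DETECTION_MARKERS):
        raise ValueError("no detection counters found: not a recognised scan log")
    return not detections(log_text)
```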

It seems I definitely might have to consider buying a Blizzard authenticator.

I certainly would after having your account broken into, especially after the second time.

 

It seems I definitely might have to consider buying a Blizzard authenticator. Anyhow, if there is nothing on the MBAM and Kaspersky's logs, does that mean my pc is clean atm?

No scanner detects everything, but that's one of the best scanners, so you are most likely clean right now.

 

Does your problem appear resolved?
