Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Do I have a keylogger?

Do I have a keylogger?

post #1 of 9
Thread Starter 
Hey guys, my WoW account was hacked today and for the life of me I can't figure out how on earth they got my account information.

I didn't have an authenticator (but I do now!!), so hopefully that will tighten up my security for now, but I still worry I might have something on my PC.

I ran MSE and Malwarebytes, which came back with nothing.

I never type in my WoW password. I always copy and paste it in. It's also a somewhat complicated password, because I use a program called KeePass and randomly generate a password made up of letters and numbers.

Is there a way to tell that i may have a keylogger on my PC?
post #2 of 9
Have you logged into the WoW forums from any other PCs lately? Are there any other PCs on your network? Have you answered any e-mails or other promotions from Blizzard? Does SUPERAntiSpyware turn up anything?
post #3 of 9
Try a scan with HijackThis:

http://free.antivirus.com/hijackthis/

Paste whatever you get into this analyzer, or go to the forum for other people to help you analyze it:

http://www.hijackthis.de/

My friend got his account brute-forced by some hackers. They only need to know your email and then bam... all gone. But if you want your stuff back, just call Blizzard and they should help you out. His account got hacked twice and he got all his stuff back twice. He's a computer science major, so I've no idea how he could let his computer get infected. Thus, the only other option would be that someone brute-forced his password.
post #4 of 9
Thread Starter 
Nope, I haven't logged into the forums or accessed anything WoW-related from another computer.

There are currently 3 other PCs on my network.

I have not answered any e-mails that seem fishy from Blizzard.

SUPERAntiSpyware turned up 21 tracking cookies.

Also, I don't know if this is relevant or I'm just paranoid, but I've noticed random spikes in my upload traffic for no reason. Could this mean anything?

Edit: Did a quick HijackThis analysis and it seems like everything is in order.

I should also mention that I did get all my stuff back (or a good percentage of it). I'm just baffled that I got hacked when I thought I was invincible! lol
Edited by Cheesezilla - 7/22/11 at 6:46pm
post #5 of 9
Post the log here.
post #6 of 9
Thread Starter 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:30:52 PM, on 7/22/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Users\Dylan\AppData\Local\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Users\Dylan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dylan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dylan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dylan\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HPUsageTrackingLEDM] "C:\Program Files (x86)\HP\HP UT LEDM\bin\hppusg.exe" "C:\Program Files (x86)\HP\HP UT LEDM\"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dylan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "G:\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'Default user')
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: Xfire.lnk = C:\Program Files (x86)\Xfire\Xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - G:\Dragon Age Origins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: HP LaserJet Service - HP - C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
O23 - Service: HP SI Service (HPSIService) - Unknown owner - C:\Windows\system32\HPSIsvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9341 bytes
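Reading a HijackThis log by eye means knowing which sections matter: autoruns (O4) and running processes launched from user-writable directories, services (O23) with no publisher information whose binary is actually present, Winsock LSPs (O10) that are not on a known-good list, and browser start/search pages (R0/R1) that are not stock defaults. The script below is an added example for this thread, not code from the original post or from HijackThis. It applies those checks to a plain-text log and returns the lines to look at first. It assumes Python 3.9+; the KNOWN_LSP allowlist is an assumption for the demo, SAMPLE_LOG is an excerpt of the log posted above with the extraction debris removed, and the three lines in CONSTRUCTED_EXTRA are constructed (hypothetical hostname and file names) purely to show what a hit looks like.

```python
"""Triage a HijackThis log: list the entries worth a second look.

Added example for this thread, not code from the original post or from
HijackThis.  A finding means "verify this", never "this is malware".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Directories a standard user can write to.  Per-user malware persists here, but so do
# legitimate per-user installs (Chrome, Google Update): a hit means "check the signature".
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Desktop)\\", re.I)
# Winsock providers expected on a stock Windows 7 box (assumed allowlist for the demo).
KNOWN_LSP = {"wlidnsp.dll", "mswsock.dll", "nlaapi.dll", "napinsp.dll", "pnrpnsp.dll"}
# Browser start/search values that are Microsoft or Google defaults, or the local blank page.
SAFE_PAGE_RE = re.compile(r"^(https?://(go\.microsoft\.com|www\.google\.[a-z.]+)/.*|.*\\blank\.htm)$", re.I)
PAGE_KEYS = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL",
             "Local Page", "SearchAssistant", "CustomizeSearch"}
BINARY_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|com|scr|bat|cmd|vbs|js))\b', re.I)
RUN_RE = re.compile(r"^O4 - \S+\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<item>.+?)(?: = (?P<target>.+))?$")
PAGE_RE = re.compile(r"^R[01] - [^,]+,(?P<key>.*?) = ?(?P<val>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def _first_binary(cmd: str) -> str:
    """Executable named by an autorun command line, quotes and arguments removed."""
    m = BINARY_RE.search(cmd)
    return m.group(1) if m else cmd.strip().strip('"')


def _location_issue(path: str) -> Optional[str]:
    if "\\" not in path and "%" not in path:
        return "bare filename resolved through the loader search path; confirm which file actually runs"
    if USER_WRITABLE_RE.search(path):
        return "runs from a user-writable directory; confirm the file's publisher signature"
    return None


def triage(log_text: str) -> list:
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            why = _location_issue(line)
            if why:
                findings.append(Finding("process", line, why))
            continue
        in_processes = False
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1"):
            m = PAGE_RE.match(line)
            if m and m["key"] in PAGE_KEYS and m["val"] and not SAFE_PAGE_RE.match(m["val"]):
                findings.append(Finding(tag, line, "browser start/search page is not a stock default"))
        elif tag == "O4":
            m = RUN_RE.match(line)
            if m:
                why = _location_issue(_first_binary(m["cmd"]))
            else:
                m = STARTUP_RE.match(line)
                if not m:
                    continue
                why = (_location_issue(_first_binary(m["target"])) if m["target"]
                       else "startup-folder item with no resolved target; inspect the file itself")
            if why:
                findings.append(Finding(tag, line, why))
        elif tag == "O10":
            dll = line.split(": ", 1)[1].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_LSP:
                findings.append(Finding(tag, line, "Winsock LSP not on the allowlist; an LSP sees every socket's traffic"))
        elif tag == "O23":
            # name / owner / path, split from the right because service names contain ' - '.
            # '(file missing)' on Windows' own services is an artifact of the 32-bit tool being
            # redirected away from the 64-bit System32, so it is deliberately not flagged.
            parts = line.split("O23 - Service: ", 1)[1].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner" and "(file missing)" not in parts[2]:
                findings.append(Finding(tag, line, "service has no publisher info and its binary is present; check hash and signature"))
    return findings


# Excerpt of the log posted in this thread (extraction debris removed).
SAMPLE_LOG = r"""Running processes:
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Users\Dylan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dylan\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dylan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: Xfire.lnk = C:\Program Files (x86)\Xfire\Xfire.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - G:\Dragon Age Origins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# Constructed lines (hypothetical names, not from the posted log) showing what real hits look like.
CONSTRUCTED_EXTRA = r"""O4 - HKCU\..\Run: [svchosts] C:\Users\Dylan\AppData\Roaming\svchosts.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example-toolbar.test/
O10 - Unknown file in Winsock LSP: c:\users\dylan\appdata\roaming\nethelper.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG + CONSTRUCTED_EXTRA):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the excerpt of the posted log the only hits are per-user Google/Chrome binaries, the tool itself sitting in Downloads, the two bare-name Creative autoruns, the Curse startup item and the PnkBstrA service; none of those is a verdict, each is a file whose signature or hash should be checked. Also worth remembering when reading the original post: a clipboard-pasted password defeats a pure keystroke logger, but a stealer that hooks the clipboard or dumps the KeePass process reads it just the same, so a clean autorun list narrows the search without closing it.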
post #7 of 9
You may have a boot-sector/MBR rootkit that's invisible to any AV run from your system, even in safe mode.

Boot directly off MS Standalone System Sweeper and scan your boot drive offline. Make sure to get the right 32-bit/64-bit version depending on your OS.

http://connect.microsoft.com/systemsweeper
post #8 of 9
Quote:
Originally Posted by Cheesezilla
I'm just baffled that I got hacked when I thought I was invincible! lol
Yup. That was what my friend thought too... He didn't think so anymore after the second time getting hacked.
post #9 of 9
Looks OK; just remove older versions of Java and Adobe and update them if you haven't done so.

Then, you know, this
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe

and this
C:\Windows\system32\PnkBstrA.exe

don't play nice together.