Valkyria, posted 8 November 2010 (edited)

Hello. Yesterday I became the victim of my World of Warcraft account, which I have not been on in over a year, being hacked, and I heard from friends who logged in for me (since I do not have WoW installed) that the gear and gold were gone. Just as well, really, since I never play it any more, but I had linked the WoW account to my StarCraft 2 account, so the person has been in there too and deleted everyone on my friends list. I then changed the password on the account, and today I got another e-mail from Blizzard saying the password had been changed again. Then logging in did not work, and I changed the password from another PC. So I ran an antivirus scan with AVG as well as Malwarebytes and found nothing. I had of course made the blunder of using the same password for my e-mail as for the battle.net account, so it is possible that it was via my e-mail that he got hold of the password. (I have of course changed that now.) So is there any other way to track down a keylogger when normal antivirus cannot? Hoping for answers!

Edited 8 November 2010 by Valkyria
norbat, posted 8 November 2010

Post a log from either ComboFix or DDS (see the guide).
Valkyria (thread author), posted 8 November 2010

I used DDS, and here is the log:

DDS (Ver_10-11-08.01) - NTFS_AMD64
Run by Fredrik at 19:20:48,69 on 08.11.2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.47.1044.18.6135.4022 [GMT 1:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
F:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
F:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
F:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
F:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wuauclt.exe
F:\Program Files (x86)\uTorrent.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Fredrik\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office12\GR469A~1.DLL
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "F:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [steam] "F:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [RGSC] F:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "F:\Program Files (x86)\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [LogMeIn Hamachi Ui] "F:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&ksporter til Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~2\Office12\GRA32A~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office12\GR469A~1.DLL
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
mRun-x64: [(Standard)]
mRun-x64: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
mRun-x64: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [Cm106Sound] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cm106.dll,CMICtrlWnd
mRun-x64: [CAHS1Sound] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\CAHS1.dll,CMICtrlWnd
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Fredrik\AppData\Roaming\Mozilla\Firefox\Profiles\7ll5sxfz.default\
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: F:\Program Files (x86)\Reader\browser\nppdf32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

============= SERVICES / DRIVERS ===============

R1 AvgLdx64;AVG Free AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2010-7-11 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2010-7-11 35536]
R1 AvgTdiA;AVG Free Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2010-7-11 317520]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-5-27 203264]
R2 avg9emc;AVG Free E-mail Scanner;C:\Program Files (x86)\AVG\AVG9\avgemc.exe [2010-7-11 921952]
R2 avg9wd;AVG Free WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-7-11 308136]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;F:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2010-3-30 1823112]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-5-27 6856192]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-5-27 264192]
R3 CorsairCAHS1;CA-HS1 Interface;C:\Windows\System32\drivers\CAHS164.sys [2010-10-1 1309184]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;C:\Windows\System32\drivers\CM10664.sys [2010-7-11 1306624]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-7-13 1255736]

=============== Created Last 30 ================

2010-11-07 11:41:54 -------- d-----w- C:\PROGRA~3\PC Tools
2010-11-07 11:24:10 -------- d-----w- C:\Users\Fredrik\AppData\Roaming\Malwarebytes
2010-11-07 11:24:04 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-07 11:24:03 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-07 11:24:03 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-10-22 23:37:05 -------- d-----w- C:\Windows\SysWow64\AGEIA
2010-10-22 23:37:00 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2010-10-13 16:09:02 4582912 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
2010-10-13 16:09:02 4247040 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
2010-10-13 16:09:02 2085376 ----a-w- C:\Windows\System32\ole32.dll
2010-10-13 16:09:02 148992 ----a-w- C:\Windows\System32\t2embed.dll
2010-10-13 16:09:02 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
2010-10-13 16:09:02 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll

==================== Find3M ====================

2010-10-30 13:34:23 234280 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2010-10-30 13:27:42 234280 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2010-10-10 13:47:56 75064 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2010-10-10 13:47:56 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
2010-10-05 15:52:59 2601752 ----a-w- C:\Windows\SysWow64\pbsvc_moh.exe
2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-08-27 06:14:02 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2010-08-27 05:46:48 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-08-27 03:38:04 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-08-27 03:37:48 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-08-27 03:37:26 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-08-21 06:38:47 1024512 ----a-w- C:\Windows\System32\wmpmde.dll
2010-08-21 06:36:49 340992 ----a-w- C:\Windows\System32\schannel.dll
2010-08-21 06:31:06 633856 ----a-w- C:\Windows\System32\comctl32.dll
2010-08-21 06:29:47 558592 ----a-w- C:\Windows\System32\spoolsv.exe
2010-08-21 05:36:33 738816 ----a-w- C:\Windows\SysWow64\wmpmde.dll
2010-08-21 05:36:24 224256 ----a-w- C:\Windows\SysWow64\schannel.dll
2010-08-21 05:33:24 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2010-08-18 06:04:26 8724480 ------w- C:\Windows\SysWow64\CAHS1.dll

============= FINISH: 19:21:03,16 ===============
norbat, posted 11 November 2010

I cannot see any files or processes linked to malware offhand. Still having problems with the accounts?
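norbat's reply above reads the DDS log by eye for malware-linked files and processes. The script below is an added example for this thread (not code from the DDS tool, from norbat, or from Valkyria) that does the same first pass mechanically over the "Pseudo HJT Report" lines: it parses the uRun/mRun/mRun-x64 values, the mPolicies-system entries and AppInit_DLLs, and reports what a responder checks first. Run against the log posted above it would flag the three mPolicies-system values (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), which mean UAC is switched off on that machine, and list avgrssta.dll for manual verification. The sample input embedded in the script is a constructed excerpt of that log plus one hypothetical Run value (`updater.exe` under a Temp directory) added so the path check has something to catch; the function names, the WEAK_POLICIES table and the USER_WRITABLE list are this example's own choices.

```python
"""Triage of the autorun section of a DDS log.

Added example for this thread, not code from the DDS tool or from anyone in
the thread. It parses the uRun/mRun/mRun-x64, mPolicies-system and
AppInit_DLLs lines of a DDS "Pseudo HJT Report" and returns the findings a
responder checks first: UAC policy values that weaken the machine, autoruns
that start from user-writable locations or by bare name, and any AppInit DLL.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the log posted in the thread. Every
# report line except the final uRun [updater] line is copied from that log;
# the [updater] line is hypothetical and exists only to exercise the path check.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============
mWinlogon: Userinit=userinit.exe
uRun: [steam] "F:\\Program Files (x86)\\Steam\\Steam.exe" -silent
uRun: [RGSC] F:\\Program Files (x86)\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe /silent
mRun: [AVG9_TRAY] C:\\PROGRA~2\\AVG\\AVG9\\avgtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mRun-x64: [Cm106Sound] C:\\Windows\\syswow64\\RunDll32.exe C:\\Windows\\Syswow64\\cm106.dll,CMICtrlWnd
AppInit_DLLs-X64: avgrssta.dll
uRun: [updater] C:\\Users\\Fredrik\\AppData\\Local\\Temp\\updater.exe /quiet
============= SERVICES / DRIVERS ===============
"""

AUTORUN_RE = re.compile(r'^(?P<hive>[um]Run(?:-x64)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
POLICY_RE = re.compile(r'^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)')
APPINIT_RE = re.compile(r'^AppInit_DLLs(?:-X64)?: (?P<dlls>.+)$')
# An unquoted command line is cut at the first executable extension that is
# followed by whitespace or end of line, so paths containing spaces survive.
IMAGE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js))(?=\s|$)',
                      re.IGNORECASE)

# Windows 7 defaults are EnableLUA=1, ConsentPromptBehaviorAdmin=5 and
# PromptOnSecureDesktop=1; these are the values DDS shows when UAC is off.
WEAK_POLICIES = {
    ('EnableLUA', 0): 'UAC is disabled; every process of an admin user runs fully elevated',
    ('ConsentPromptBehaviorAdmin', 0): 'administrators elevate silently, no consent prompt',
    ('PromptOnSecureDesktop', 0): 'UAC prompts appear on the normal desktop, where other software can interact with them',
}

# Directories a limited user can write to; a Run value pointing into one of
# these is the usual commodity-malware persistence pattern.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\', '\\downloads\\')


@dataclass
class Autorun:
    hive: str    # uRun = HKCU Run, mRun = HKLM Run, -x64 = native 64-bit view
    name: str    # registry value name as DDS prints it in brackets
    image: str   # file that actually executes, quotes and arguments stripped
    raw: str     # the command line exactly as DDS printed it


def image_path(cmd: str) -> str:
    """Return the file a Run value really launches.

    Handles quoted paths, unquoted paths with spaces, and rundll32 hosts, where
    the interesting file is the DLL in the first argument, not rundll32.exe.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:]
        path, rest = cmd[1:end], cmd[end + 1:]
    else:
        m = IMAGE_RE.match(cmd)
        if not m:
            return cmd.split()[0]
        path, rest = m.group('path'), cmd[m.end():]
    if path.lower().rsplit('\\', 1)[-1] == 'rundll32.exe':
        dll = rest.strip().split(',', 1)[0]
        return image_path(dll) if dll else path
    return path


def parse_hjt(text: str) -> dict:
    """Extract autoruns, mPolicies-system values and AppInit DLLs from DDS output."""
    report = {'autoruns': [], 'policies': {}, 'appinit': []}
    for line in text.splitlines():
        line = line.strip()
        if m := AUTORUN_RE.match(line):
            report['autoruns'].append(Autorun(m['hive'], m['name'], image_path(m['cmd']), m['cmd']))
        elif m := POLICY_RE.match(line):
            report['policies'][m['key']] = int(m['val'])
        elif m := APPINIT_RE.match(line):
            report['appinit'] += [d for d in re.split(r'[ ,;]+', m['dlls']) if d]
    return report


def triage(report: dict) -> list:
    """Return human-readable findings, worst first: policies, autoruns, AppInit."""
    findings = []
    for (key, val), why in WEAK_POLICIES.items():
        if report['policies'].get(key) == val:
            findings.append(f'policy {key}={val}: {why}')
    for a in report['autoruns']:
        img = a.image.lower()
        if ':\\' not in img:
            findings.append(f'{a.hive} [{a.name}] starts a bare name ({a.image}); resolved via PATH, check which file wins')
        elif any(d in img for d in USER_WRITABLE):
            findings.append(f'{a.hive} [{a.name}] starts from a user-writable path: {a.image}')
    for dll in report['appinit']:
        findings.append(f'AppInit_DLLs loads {dll} into every process that links user32; confirm the publisher signature')
    return findings


if __name__ == '__main__':
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Two caveats that apply to the thread as much as to the script: a DDS log with nothing suspicious in it is not proof that the machine is clean, since the report only covers the persistence points DDS knows about, and "UAC off" is not malware, but it does mean that anything that did run on that machine ran with full administrator rights and left the user no prompt to refuse it.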
Valkyria (thread author), posted 11 November 2010

Nope, it has settled down now after I changed the password. They probably had not done anything other than brute-force my password. But thanks for the help.