My Testing Logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by tferrari, Sep 27, 2010.

  1. tferrari

    tferrari Private E-2

    Background Information

    I believe I may have been infected with a keylogger as my world of warcraft account was recently compromised on two occasions, in addition to the associated e-mail account.


    I've since solved the problem by changing passwords and e-mails on a computer known to be unaffected.

    Find attached a copy of the most recent version of my logs.

    I completed the SAS and Malwarebytes testing a couple of days ago, so I hope I have located the correct log files.

    Let me know if you require any additional information.

    Other Info

    The first time I ran ComboFix, it indicated that a rootkit had been detected, and subsequent tests after a regular Windows reboot would result in a BSOD. The log attached is from a complete ComboFix scan that was performed in safe mode, which completed without any issues.
     

  2. tferrari

    tferrari Private E-2

    Here is the last file.
     

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Take a look at this sticky regarding hacked WOW accounts

    WoW Account Hacked?

    What are the contents of these two directories?
    • C:\ASK Video
    • C:\Program Files\Common Files\Tmp

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
     
  4. tferrari

    tferrari Private E-2

    Kestrel13,

    Thank you for your prompt reply.

    To answer your questions:

    C:\ASK Video contains one folder titled 'Cubase 5', and within that is one file without an extension titled CUB5L1-Reg. Cubase 5 is an audio program that I use.

    C:\Program Files\Common Files\Tmp has no contents (no hidden files even). I recently wiped all my temp stuff using a tool I found on this website.

    To give more background info regarding how I may have been hacked:

    I highly doubt that I was phished, but it is entirely possible that some type of malware had infected my computer a couple of months ago (when this first compromise occurred) because I wasn't running a firewall, or malware protection, OR any anti-virus software.

    I have heard that a program associated with WoW addons called 'Curse Gaming Client' has had some issues with security and may have been a gateway for certain people to infect others. I was using this client, at the time when my account was compromised.

    As a side-note, I was not using out-of-the-ordinary addons for WoW that may have directly caused this compromise (based on my best judgment).

    ---

    I have deleted all of the files in the two 'temp' directories, but there wasn't much 'old' stuff in there as I recently used that tool to clear my temp files.

    ---


    Let me know if you require any additional information to make your diagnosis/assessment of my computer's current status (is it infected??).

    -Tyler
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete this then:

    No, I am not seeing any malware in your logs.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START, then RUN, enter the below into the run box and then click OK. Note that the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
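The steps in the reply above can be scripted. The following PowerShell is an added example for this page, not a script from the thread or from MajorGeeks: it applies the "delete everything except today's files" rule to temp folders, runs the same ComboFix uninstall command the reply gives, and reads back the UAC setting. The temp folder list is an assumption (the thread does not reproduce the bold folder list), as is the file name combofix.exe on the Desktop.

```powershell
# Added example (not from the thread). Assumptions: ComboFix was saved to the
# Desktop as combofix.exe, and the temp folders below stand in for the
# folders the reply listed in bold, which this page does not show.
param(
    [string[]]$TempFolders = @("$env:TEMP", "C:\Program Files\Common Files\Tmp"),
    [switch]$WhatIf
)

# Step A: delete files in each temp folder except those written today.
# (The reply notes Windows refuses to delete the current day's files anyway.)
function Remove-OldTempFiles {
    param([string[]]$Folders, [switch]$WhatIf)
    $today = (Get-Date).Date
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) {
            Write-Warning "Folder not present, skipping: $folder"
            continue
        }
        Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime.Date -lt $today } |
            ForEach-Object {
                if ($WhatIf) { Write-Host "Would delete $($_.FullName)" }
                else { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue }
            }
    }
}

# Step B: the reply's run-box command, "%userprofile%\Desktop\combofix" /uninstall.
function Uninstall-ComboFix {
    $exe = Join-Path ([Environment]::GetFolderPath('Desktop')) 'combofix.exe'   # assumed name
    if (Test-Path -LiteralPath $exe) {
        Start-Process -FilePath $exe -ArgumentList '/uninstall' -Wait
    } else {
        Write-Warning "ComboFix not found at $exe; uninstall skipped"
    }
}

# Step C: confirm UAC is turned back on. EnableLUA = 1 is the Windows setting
# that enableUAC.reg restores; the value only takes effect after a reboot.
function Test-UacEnabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($value -eq 1)
}

Remove-OldTempFiles -Folders $TempFolders -WhatIf:$WhatIf
Uninstall-ComboFix
if (-not (Test-UacEnabled)) {
    Write-Warning 'UAC is still disabled; run C:\MGtools\enableUAC.reg and reboot'
}
```

Run it from an elevated PowerShell prompt; pass -WhatIf first to list what the temp cleanup would remove before deleting anything. Test-UacEnabled reads the registry value rather than the live state, so a machine where enableUAC.reg was just imported reports UAC on even though the change is not active until the next reboot.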
  6. tferrari

    tferrari Private E-2

    Thank you for your assistance - it is much appreciated.

    To ensure all of my bases are covered in the future, will an anti-virus program, firewall, SAS and Malwarebytes be a suitable collection of programs to use, or are there other things I should be doing?
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. And you can discuss protection software choices in the software forum. :) But yes, antivirus, a firewall, and SAS and MBAM should be good enough ;)
     
