Password hijacked

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gomash, Jan 15, 2008.

  1. Gomash

    Gomash Private E-2

    My "World of Warcraft" game password was stolen by a hacker. I would like to remove whatever it is that lets him steal my password and make sure I am safe.

    short background:
    * my WinXP SP2 is not really up to date, I'm afraid.
    * about a week ago I bought a wireless modem and set up my computer to use that instead of connecting directly to my ADSL modem. Maybe that is related, I dunno.
    * my computer protection consists of: AVG Free antivirus, Spybot S&D and Windows Firewall. The antivirus does auto updates and auto daily scans. Spybot - I just did a full scan a week or so ago, and I had TeaTimer (which I removed after reading your instructions).
    * In today's AVG antivirus scan the following was found:
    C:\Documents and Settings\Cookie\Local Settings\Temp\t589jso.dll - Virus found Win32/NSAnti
    C:\WINDOWS\system32\amvo0.dll - Virus found Win32/PolyCrypt
    C:\Documents and Settings\Cookie\Local Settings\Temp\t589jso.dll - had Win32/NSAnti
    C:\System Volume Information\_restore{D0D0B5EE-6A5D-42C9-9D40-3B196F5D81E7}\RP674\A0120100.exe - Trojan horse PSW.OnlineGames.ABBC
    C:\System Volume Information\_restore{D0D0B5EE-6A5D-42C9-9D40-3B196F5D81E7}\RP674\A0120101.dll - Trojan horse PSW.OnlineGames.ABBC
    C:\System Volume Information\_restore{D0D0B5EE-6A5D-42C9-9D40-3B196F5D81E7}\RP674\A0122171.dll - Virus Win32/PolyCrypt

    Thanks in advance.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Make sure your router and also your PC user accounts are all password protected. Also make sure you are using wireless encryption privacy (WEP).

    You need to clean up all the garbage on your Desktop. A cluttered Desktop is an ideal hiding place for malware. Remove all unnecessary items from your Desktop now by either deleting them or saving anything you really need in a more permanent location. What are the below on your Desktop?
    Code:
    "C:\Documents and Settings\Cookie\Desktop\"
    -6BEE~1       Oct 27 2005              "‘”‰˜- ™‰ˆ…š Ž‡—˜"
    -6EF2~1       Feb 17 2007              "‘”‰˜- ‘”‘‘"
    -F3A5~1       Jan  5 2007              "‘”‰˜- ™‰ˆ…š Ž‡—˜ €‰‹…š‰…š"
    2007~1        Mar  4 2007              "‰š…‡ ™€Œ…‰ 2007"
    2007~2        Aug 15 2007              "ƒ…—ˆ…˜ˆ 2007"
    2008~1.pdf    Dec 24 2007      415770  "„†Ž„ Œ‰˜‰ƒ ‰…€˜ 2008.pdf"
    2008~2.pdf    Dec 24 2007      457950  "‡…˜š ‰˜‰ƒ „š’‘…—„ ‰…€˜ 2008.pdf"
    2405~1.doc    Oct 23 2007       25088  "’…†˜ „…˜€„.doc"
    296E~1        Oct 30 2007              "„–’š Ž‡—˜ €‰"
    3DBF~1        Jan 13 2008              "ƒ‰‘—€…—‰"
    4e35~1.doc    Dec 24 2007      134144  "Ž™˜…š ‡Ž…š Œ…‚˜‰.doc"
    5872~1        Jul 31 2007              "‚‰€ ƒ…—ˆ…˜ˆ"
    6c7c~1.pdf    Aug  8 2007       95146  "Œ…‡ ™„ ‘”‰˜ 𙑇.pdf"
    8301~1        Aug 22 2007              "”‘‰‹…Œ…‚‰„ ‡˜š‰š"
    A3447D~1      Sep 26 2005              "a3447db013325f7d7802b023"
    asd.txt       Jan 12 2008          78  "asd.txt"
    cab6cf~1      Dec 23 2005           0  "CAB6CFR9."
    cahgob~1      Dec 19 2005           0  "CAHGOBTL."
    D0A5~1        Jul 11 2007              "‡Œ… Œ€—ƒŽ‰„"
    d677~1.pdf    Sep 11 2007       63002  "މŒ‚…š Ž€‰˜…”„.pdf"
    e4f8af~1.amo  Jan 11 2008         326  "E4F8AF1.AmosP"
    lhemul~1.lnk  Oct 19 2005        1492  "LHeMule š…‹š ™‰š…“ —–‰.lnk"
    WOW           Apr  4 2006              "WoW"
    ‰‘…‰         Apr  9 2007              "‰‘…‰"
    ‰‘…‰1        Sep 19 2007              "‰‘…‰1"
    š€…„         Oct 26 2006              "š€…„"
    šŽ……š        Sep 19 2007              "šŽ……š"
    Also what are the below in My Documents?
    Code:
    "C:\Documents and Settings\Cookie\My Documents\"
    1.csv         Jan 15 2008        1120  "1.csv"
    2007~2.doc    Nov 13 2007      595968  "™‰ˆ…š Ž‡—˜ €‰‹…š‰…š ”‰˜…ˆ –‰…‰ 2007.doc"
    28aa9~1.doc   Nov 13 2007      293888  "–‰…‰ ™‰ˆ…š Ž‡—˜ €‰‹…š‰…š ™‰ 2.doc"
    813d~1.doc    Oct 21 2007       37376  "™Ž…š „Ž™šš”‰.doc"
    bae7~1.doc    Nov 21 2007      174592  "„‰ ™˜‰š.doc"
    „‰„          Jan 12 2008              "„‰„"

    Delete the below files now!
    C:\29F.tmp
    C:\d.com
    C:\juok3st.bat

    Now let's remove a left over service from Symantec.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Lic NetConnect service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste CLTNetCnService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    LiveUpdate 3.1 (Symantec Corporation)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\Cookie\taskmgr.exe
    O15 - Trusted Zone: *.bgu.ac.il

    The below may be gone already due to the uninstall above.
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    After clicking Fix, exit HJT.

    Now reboot again.

    After reboot look for the below file and delete it if found.
    C:\Documents and Settings\Cookie\taskmgr.exe

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.


    Make sure you tell me how things are working now!
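The O4 lines chaslang asks Gomash to fix share a pattern worth recognising on any HijackThis log: an autostart entry under the unusual `Policies\Explorer\Run` key, pointing at a file named like a Windows system binary (`taskmgr.exe`) but living in a user profile directory rather than under the Windows directory. The script below is an added example for this thread, not part of either post and not HijackThis code. It parses O4 lines in the format quoted above and applies three heuristics of its own (Policies\Explorer\Run usage, a system-binary name outside `C:\WINDOWS`, a binary running from a profile or Temp folder); the list of system binary names and profile path markers is this example's assumption, not an official ruleset, and the sample lines are the three O4 entries copied from the reply.

```python
"""Triage HijackThis O4 (registry autostart) lines for the red flags seen in this thread.

Added example for this thread; not part of the original posts or of HijackThis.
Heuristics and the SYSTEM_BINARIES / PROFILE_MARKERS lists are this example's
own assumptions. Only the "O4 - HKxx\..\<key>: [name] command" form is parsed;
other O4 variants (e.g. Startup folder entries) are skipped.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 lines quoted in chaslang's reply above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\Cookie\taskmgr.exe',
]

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Assumed list: binaries that belong in the Windows directory. A copy anywhere
# else is a classic masquerade, like the taskmgr.exe in the profile above.
SYSTEM_BINARIES = {
    "taskmgr.exe", "svchost.exe", "explorer.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe",
}
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\winnt\\")
# Assumed list: path fragments that mean "user profile or temp", where
# legitimate autostart programs rarely live.
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\", "\\temp\\")


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    command: str
    exe_path: str
    flags: list = field(default_factory=list)


def extract_exe_path(cmd):
    """Return the executable from a command line: the quoted path if quoted,
    otherwise the first whitespace-separated token (good enough for O4 lines)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_o4_line(line):
    """Parse one registry-style O4 line; return None for lines in another format."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return AutostartEntry(hive=m["hive"], key=m["key"], name=m["name"],
                          command=m["cmd"], exe_path=extract_exe_path(m["cmd"]))


def flag_entry(entry):
    """Attach heuristic flags to an entry; an empty flags list means nothing noteworthy."""
    path = entry.exe_path.lower()
    base = path.rsplit("\\", 1)[-1]
    if entry.key.lower() == "policies\\explorer\\run":
        # Group-policy Run key: a persistence location normal installers do not use.
        entry.flags.append("policies-run-key")
    if base in SYSTEM_BINARIES and not path.startswith(SYSTEM_ROOTS):
        # Named like a Windows component but not located in the Windows directory.
        entry.flags.append("system-binary-name-outside-windows")
    if any(marker in path for marker in PROFILE_MARKERS):
        entry.flags.append("runs-from-user-profile")
    return entry


def triage(lines):
    """Parse and flag every recognised O4 line."""
    entries = (parse_o4_line(line) for line in lines)
    return [flag_entry(e) for e in entries if e is not None]


def suspicious(lines):
    """Only the entries that raised at least one flag."""
    return [e for e in triage(lines) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        verdict = ", ".join(e.flags) if e.flags else "nothing noteworthy"
        print(f"[{e.name}] {e.exe_path} -> {verdict}")
```

Run against the three sample lines, the two Program Files entries (Java updater, QuickTime) raise no flags, while the `[Task]` entry raises all three, which is exactly why that line is on the fix list and the other two are simply startup clutter.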
     
