TechSpot

Passwords stolen, 8 steps completed with logs attached

By DrNowt
Apr 14, 2010
  1. My World of Warcraft account (embarrassed smile) and Facebook have been hacked into. Facebook has been accessed by a 'mobile device in America' according to Facebook tech. I don't use applications on Facebook, and my hard drive has been recently wiped and had Windows reinstalled. I also don't excessively use P2P software either. I emailed WoW support, who told me that it was likely I had a key-logger on my system, so I have downloaded and run the software in the 8 steps.
    When I run a full scan on Superspyware, my computer freezes at the same point,
    C:\System Volume Information\_restore{xxx-xxxx-xxx}RP106\A0026453.exe
    so I attached a quick scan result which finishes fine.
    Any help would be greatly appreciated!
    Thanks

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Dr. Now. I'll help with the malware. Please allow me to point out a couple of things first:
    This is like saying you don't stick your hand in the flame on a stove often. But when you do, you will get burned!
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall any P2P programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    System Volume Information is where the restore points are kept. This particular one contains a Trojan Downloader. It presents no danger to the system if it is only in the restore point, unless you do a system restore and happen to choose this particular one.

    I am going to check the logs now and will return with instructions. Hopefully I don't need to remind you to change all your passwords and monitor any online financial transactions.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The HijackThis log does not appear to be complete. It is possible that malware is suppressing some of the entries, so we will work on that. I notice that you're running a very old version of the Adobe Reader, v5. Considering that the current version is v9.xx and that any older versions are a vulnerability for the system, I suggest you update that now:

    Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the Combofix report and Eset scan log in your next reply.

    Please do not run any other cleaning or scanning programs while I'm helping you. Do not use a Registry cleaner or make any changes in the Registry.
  4. DrNowt

    DrNowt TS Rookie Topic Starter

    Thanks for all that. I ran the programs; however, I can't seem to find the log files. I even went as far as searching my computer for log(.txt) and combofix(.txt). The Eset scanned the computer and found no threats, and the Combofix seemed to run without a hitch. Apologies for the lack of attachments!
    Thank you again for looking at this for me
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Instructions for Combofix are: rename it to Combo-Fix(.exe)

    The fact that you ran these programs with no problem does not mean any/all malware has been found and removed. If you do not wish to continue, I will close the thread.

    You should be able to find the Combofix report if you search for the correct name, and the .exe file should be on the desktop.
  6. DrNowt

    DrNowt TS Rookie Topic Starter

    The original .exe file I downloaded is on the desktop; there is another one that has been created that is in C:\ but just displays the same thing as when I click on 'My Computer'. I renamed it when I downloaded it to combo-fix(.exe), but it took the brackets out because they aren't alphanumeric (I thought that it might happen but was unsure if it was a safety precaution for the forum). I ran the program again and still can't find the log file anywhere. Another unusual thing is that the search is looping around and finding the same files repeatedly until I press the stop button.

    I'm unsure where to go from here!
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Try starting over:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Remember to enable the security when finished. See if this gets the log.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Due to inactivity, this thread is being closed. If you need to have it reopened, please send a PM to your helper.
Topic Status:
Not open for further replies.
