Pesky Keylogger

Status
Not open for further replies.
Howdy all! Kinda have a little annoyance on my hands the past four days. I play the game World of Warcraft and I have some unreplaceable time spent on the game that has recently been compromised. I logged onto my account and found my game character naked and ashamed with all my items gone. The hacker got into my account and somehow knew my password. So I changed my password in both my email and my WoW account, and waited to see what would happen. Again, this happened the next morning when I woke up. So I made a file on another computer that had my passwords written out, saved the file to the computer in question, then copied and pasted new passwords into my account and email. Went to sleep and again my account had been hacked. So now I'm guessing that the keylogger can not only track my keystrokes, but also copy text on my clipboard. I have since started playing the game on another computer with no problems, but would like to solve this problem as soon as possible. Thank you for your help and I hope you can solve this problem for me :) I have attached my RSIT log and its sister log....thanks again!
 
Hello Cruzin99


You have a Zbot keylogger ->
"Zbot "call" home at regular intervals and reports the web pages the machine has visited. This information is subtracted from the cookies and the store. It performs also keylogging on the machine"

I'll therefore suggest you proceed as follows -

Please run the steps in this guide:

8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Post attached logs from:

Malwarebytes
SUPERAntiSpyware
HijackThis


In your next reply
 
8 step process finished!

Thank you touch for the response, I did follow the 8 step process and I got the three logs that you needed...hopefully this got the keylogger off, I would tell you symptoms, but that would mean I would have to wait till I was hacked again :p Thanks again for helping!
 
It looks like Malwarebytes got rid of your keylogger ->
"C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully."

I assume you have Comodo as your antivirus program. I'll therefore suggest you remove Symantec/Norton:

Download the Norton Removal Tool (SymNRT) to your Desktop.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open Click Next
Accept the license agreement and click Next
Type in the letters/numbers that you see into the text box then click Next.
Then click Next and the tool will start running.
Once finished restart the PC and run the tool again to ensure everything has been removed.
Delete the Norton Removal Tool from your Desktop.

You also have Viewpoint running -

Viewpoint is considered foistware and is not needed on your computer.


Download and unzip to its own folder on the Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

Run ViewpointKiller.exe

Reboot.

Your logfiles show a large number of infections, so I suggest you run combofix to check whether there are any infections hiding ->

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running Combofix, if you have any.


Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
 