
Email and wow account gets compromised repeatedly

Posted 6/3/2010 5:44 PM
#86412
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
OK, first we will do another rootkit scan.
Download Radix:
https://www.usec.at/rootkit.html
Unpack it, click radixgui.exe and check everything under "one-click check".
Disconnect from the internet and turn off all programs, as you did for the GMER scan.
Start the scan. Please use the attachment manager and attach the log.
Posted 6/4/2010 11:41 AM
#86437
Splaffer Valued member

Date Joined Nov 2016
Total Posts: 20
first of all, sorry for the late reply. I must have been tired or something last night; I missed the part where we proceeded to page 2, so kept refreshing page 1 for your reply :/. oh well, I got some reading done.

about the Radix scan:
I installed the program, disabled all other programs and the internet connection, and checked all the boxes under the "1-check-click".
I then clicked "check" and it starts scanning.
When it reaches the "hidden processes" part the program stalls/hangs. The rest of the computer is fine, but Radix doesn't respond. I tried it 3 times. Each time it freezes in the same part of the scan. The longest I've waited for it to become responsive again is 30+ minutes.

So I've got no log for you.

EDIT:

Not quite true - I looked in the Radix folder and there's a logfile. Apparently it has created a log up to the point where it freezes. I've tried attaching it but I get this error message:
"* You cannot upload files that use MIME type : text/plain."

I looked in the log itself - it looks like 3 identical passages corresponding to the 3 scans. If you want I can copy either the first third of the log or the whole thing into a reply instead of attaching the file.
Posted 6/4/2010 2:28 PM
#86438
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
Sorry, it was a long day today. Can you uncheck "hidden files" and scan again?
Please try to upload it at
www.file-upload.net
Click "durchsuchen", search for the log and click "datei hochladen" to upload.
Posted 6/4/2010 4:57 PM
#86447
Splaffer Valued member

Date Joined Nov 2016
Total Posts: 20
OK, so here's what happened:

I ran the scan with "hidden files" unchecked (as the only one). It froze at "hidden processes" again.
I ran the scan with "hidden processes" unchecked (as the only one). It froze at "object routines".
I ran the scan with "hidden processes" + "object routines" unchecked. It froze at "IRP hooks".
I ran the scan with "hidden processes" + "object routines" + "IRP hooks" unchecked. It froze at "patched modules".

At this point I figured the log wouldn't be very useful with all these things unchecked. I uploaded it anyway. It contains data from all the failed attempts, so it's kinda large and kinda repetitive.

https://www.file-upload.net/download-2573845/log.txt.html
Posted 6/4/2010 5:02 PM
#86448
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
I need time to check it.
Posted 6/4/2010 5:12 PM
#86449
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
This is not the full log...
Use ATF Cleaner:
https://majorgeeks.com/ATF_Cleaner_d4949.html
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
Deactivate and reactivate System Restore:
https://windows.microsoft.com/en-US/windows-vista/Turn-System-Restore-on-or-off
Perhaps the scan can now run faster.
Activate all the checks again and wait one hour or so. The scan ends at a different point every time, so I do not think it hangs. But first, delete the logfile.
Posted 6/4/2010 6:42 PM
#86452
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
Is this program known to you?
c:\programmer\gyldendal\sde\sde.exe
Are you using the same passwords for WoW and Gmail?
Posted 6/4/2010 7:47 PM
#86453
Splaffer Valued member

Date Joined Nov 2016
Total Posts: 20
sde = Store Danske Encyklopædi

It's an encyclopedia I used extensively a couple of years ago, before I met Wikipedia, my new best friend.
So yes, I know what sde is, but uninstalling it won't be a problem if you think that helps.

Regarding the WoW/Gmail passwords - I use different passwords. Both are made up of random letter/number sequences which aren't stored on the computer but typed in from memory every time. That was also the case before I got hacked (or the password got stolen by a keylogger or whatever the right term is) the first time.

EDIT:

The scan, btw, is still "running". Meaning it's reached the aforementioned state where I would normally consider it frozen. I'll leave it like that for a couple of hours to see if it recovers.
Posted 6/4/2010 7:49 PM
#86454
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
No, you do not need to uninstall it. I will be back tomorrow.
Posted 6/5/2010 6:20 AM
#86476
Splaffer Valued member

Date Joined Nov 2016
Total Posts: 20
I left the computer on during the night to see if Radix would finish the scan. This morning it still looked very much frozen. Here's the log.
Scan length approximately 12 hours.

https://www.file-upload.net/download-2575056/log.txt.html
Posted 6/6/2010 1:20 PM
#86511
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
Sorry, I'm back :-)
Download and install Dr.Web CureIt:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.

Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".

It will first make a quick scan of your system. Let it clean what it finds, and when it says "done":

Click on the green screwdriver.

Actions tab - Adware-Dialers-Riskware-Hacktools: use the dropdown menu and select "delete".

Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click File and choose "save report list".

Save the report to your desktop. The report will be called DrWeb.csv.

Close Dr.Web CureIt.

Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.

After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.
If the log is too large, upload it to file-upload and post the download link.
Posted 6/10/2010 3:30 PM
#86582
Splaffer Valued member

Date Joined Nov 2016
Total Posts: 20
OK, I'm back - I defended my bachelor project at the university yesterday, that's why I'd fallen off the grid.

I tried to do what you asked.
I did not succeed in the following:

"Click on the green screwdriver-

Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -delete"

I did not see any green screwdriver, nor did I manage to find the hacktools in any other way. I did however run a scan (both the initial express one and a complete one). I'm not sure, however, that the log I saved is really the kind of log you were looking for. It's very short:

Process.exe C:\Documents and Settings\Anders\Skrivebord\wow\lag, latency og computer cleaning\account theft\SmitfraudFix Tool.Killproc.3
restart.exe C:\Documents and Settings\Anders\Skrivebord\wow\lag, latency og computer cleaning\account theft\SmitfraudFix Tool.ShutDown.14
SmitfraudFix_v2.423.exe\SmitfraudFix\Process.exe C:\Documents and Settings\Anders\Skrivebord\wow\lag, latency og computer cleaning\account theft\SmitfraudFix\SmitfraudFix_v2.42 Tool.Killproc.3
SmitfraudFix_v2.423.exe\SmitfraudFix\restart.exe C:\Documents and Settings\Anders\Skrivebord\wow\lag, latency og computer cleaning\account theft\SmitfraudFix\SmitfraudFix_v2.42 Tool.ShutDown.14
SmitfraudFix_v2.423.exe C:\Documents and Settings\Anders\Skrivebord\wow\lag, latency og computer cleaning\account theft\SmitfraudFix Archive contains infected objects Moved.
Process.exe C:\Programmer\Mozilla Firefox\SmitfraudFix Tool.Killproc.3
restart.exe C:\Programmer\Mozilla Firefox\SmitfraudFix Tool.ShutDown.14
Process.exe.vir C:\Qoobox\Quarantine\C\WINDOWS\system32 Tool.Killproc.3
A0074630.exe\SmitfraudFix\Process.exe C:\System Volume Information\_restore{E31D5F97-6B8D-4206-BD61-1A9CEF42E578}\RP264\A0074630.exe Tool.Killproc.3
A0074630.exe\SmitfraudFix\restart.exe C:\System Volume Information\_restore{E31D5F97-6B8D-4206-BD61-1A9CEF42E578}\RP264\A0074630.exe Tool.ShutDown.14
A0074630.exe C:\System Volume Information\_restore{E31D5F97-6B8D-4206-BD61-1A9CEF42E578}\RP264 Archive contains infected objects Moved.

If this is wrong, please try to explain one more time :/
Posted 6/22/2010 8:36 AM
#86706
Splaffer Valued member

Date Joined Nov 2016
Total Posts: 20
Hi there,
I know bumping is rude, seeing as you're helping out for free and in your spare time. It has however been 12 days since my last post.
Am I to conclude that my computer is clean now?
Or is it more a case of "nothing more can be done"?
I really appreciate your help so far :)
Posted 6/22/2010 3:00 PM
#86709
markusg Advanced member

Date Joined Nov 2016
Total Posts: 406
No, this is OK, but I cannot see any malware on your PC.
Perhaps the best thing is to reformat. After this everything should work, I think.
Posted 6/22/2010 6:09 PM
#86711
Splaffer Valued member

Date Joined Nov 2016
Total Posts: 20
Thanks for the help :)
Hopefully I won't be needing your services again ;)
Take care