Thread: Account Hacked--Help?

  1. #1
    RIDE ARMOR
    Join Date
    Sep 2006
    Posts
    17
    BG Level
    1
    WoW Realm
    Anetheron

    Account Hacked--Help?

    My WoW Account was recently hacked and completely cleaned out.

    In response to this, I scanned my computer with Malware Bytes, AVG, Avast! (after uninstalling AVG), Spybot SnD, and used ATFcleaner to get rid of possibly anything on my computer.

    What's bothering me is that none of the programs found anything. This, in conjunction with the fact that I already practice very safe browsing (Firefox only-noscript/adblock/flashblock updated and used; IE disabled) and this computer is pretty much used for nothing but WoW (and was reformatted 2 months ago and pretty much only HAS WoW and iTunes on it) confuses and worries me.

    I have access to the completely stripped account back but I feel like I should have found something malicious on my system to explain why it happened. Authenticator has been ordered, but until then I still feel uneasy.

    Any thoughts or suggestions?

  2. #2
    BG's most likeable Québécois
    Pens win! Pens Win!!! PENS WIN!!!!!

    Join Date
    Sep 2007
    Posts
    37,887
    BG Level
    10

    Can you do a post and HijackThis log please?

  3. #3
    The Mizzle Fizzle of Nikkei's Haremizzle

    Join Date
    Feb 2006
    Posts
    22,049
    BG Level
    10
    FFXI Server
    Bismarck

    Originally posted by Ratatapa:
    "Can you do a post and HijackThis log please?"

    Yep, post the logs and let's have a look.

  4. #4
    RIDE ARMOR

    Need 10 posts to post urls so...here I go

  5. #5
    RIDE ARMOR

    Again...

  6. #6
    RIDE ARMOR

    And again.

  7. #7
    RIDE ARMOR

    OK, logs here. Thanks guys for taking a look.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:46:01 AM, on 10/27/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Alwil Software\Avast4\setup\avast.setup
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Java\jre6\bin\jqsnotify.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN Canada - The all-new MSN Canada, home of world-class services such as Hotmail, Windows Live Messenger, and News, Sports, Financial and Entertainment services
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN Canada - The all-new MSN Canada, home of world-class services such as Hotmail, Windows Live Messenger, and News, Sports, Financial and Entertainment services
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7471 bytes
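
Added example, not part of the thread or of HijackThis: a small Python triage pass over a log in the format posted above, which counts entries per section and surfaces entries worth a manual look (targets marked "(file missing)", unresolved startup shortcuts, processes running outside expected install roots). The function name `triage`, the `EXPECTED_ROOTS` list and the `Temp\upd.exe` sample line are assumptions made for illustration.

```python
import re

# Lines in the HijackThis v2.0.2 layout of the log posted above. The Temp\upd.exe
# process is constructed for illustration; the other lines follow the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\user\Local Settings\Temp\upd.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: [...] ..."
# Assumption: install roots treated as expected. A path under them is not proof
# that a file is benign; this only narrows what a reviewer reads first.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

def triage(log_text):
    """Return (entries per section code, list of (code, reason, text) findings)."""
    counts, findings, in_procs = {}, [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False          # registry/startup sections follow the process list
            code, body = m.groups()
            counts[code] = counts.get(code, 0) + 1
            if "(file missing)" in body:
                findings.append((code, "entry points at a missing file", body))
            elif body.endswith("= ?"):
                findings.append((code, "startup shortcut target unresolved", body))
        elif in_procs and line and not line.lower().startswith(EXPECTED_ROOTS):
            findings.append(("PROC", "process outside expected install roots", line))
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    print(counts)
    for code, reason, text in findings:
        print(f"[{code}] {reason}: {text}")
```

A clean result from these checks only means nothing stood out in the places HijackThis lists; it does not cover credentials captured on another machine or site.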

  8. #8
    Pandemonium
    Join Date
    Oct 2005
    Posts
    7,839
    BG Level
    8
    WoW Realm
    Cho'gall

    There's really nothing there. Have you ever shared your account info with anyone? Ever signed in on a computer that wasn't your own? Entered your info on a site somewhere?

  9. #9
    RIDE ARMOR

    Never used another person's computer. Never entered my info anywhere.

    No one has my account info. I'm completely stumped.

  10. #10
    Pun
    Sea Torques
    Join Date
    Jun 2007
    Posts
    724
    BG Level
    5
    FFXI Server
    Ifrit

    Originally posted by Cephius:
    "There's really nothing there. Have you ever shared your account info with anyone? Ever signed in on a computer that wasn't your own? Entered your info on a site somewhere?"

    Was just about to ask that. Also, you said this computer is only used for WoW, which makes it seem like you have another computer you use for different tasks. If so, are these computers on the same network - if yes, did you scan any other computers on the network for something that could have been spread?

  11. #11
    Pandemonium

    I'm not trying to call you out or anything, or act like you know nothing about account security. But I find in these cases that 99 times out of 100, it's something simply careless like letting your info get out once. Your PC sure doesn't seem like it's infected with anything.

  12. #12
    RIDE ARMOR

    I have a Powerbook that I use for school. Is it possible for an Apple laptop to have spread something to my Windows PC?

  13. #13
    RIDE ARMOR

    Originally posted by Cephius:
    "I'm not trying to call you out or anything, or act like you know nothing about account security. But I find in these cases that 99 times out of 100, it's something simply careless like letting your info get out once. Your PC sure doesn't seem like it's infected with anything."

    I wasn't implying that you were in any way lol >< I was just answering your questions and hoping you'd come up with more to maybe help me understand what happened.

  14. #14
    Pandemonium

    Yeah, not sure, but it doesn't seem to be anything related to your PC. I'd just rack your brain to think of anything fishy that happened in the last few weeks. A guild member send you a link or PM that seemed shady? Let your little brother use your PC? etc

  15. #15
    RIDE ARMOR

    The only thing that I did that was even remotely out of character for me was look at a wow gear score site online (wow heroes or something) on the same computer. NoScript was on, as was everything else I have installed for protection, and since my whole server seems obsessed with gear scores I figured the site wasn't going to hack and rape my character.

    Thanks btw, for looking at the log and telling me nothing was wrong, I feel a little bit better -_-

  16. #16
    YOU ARE SEARED
    Dungeon Master of the House of Weave

    Join Date
    May 2007
    Posts
    4,453
    BG Level
    7
    WoW Realm
    Kilrogg

    If nothing is on your computer it had to be captured somewhere else. Anywhere that you may have logged on to forums.worldofwarcraft.com or wowarmory or ANYTHING that may have used the same credentials as wow -- or even possibly if you use the same username/password on some other website -- any of those things could lead to someone getting access to your account.

    Edit: This also isn't meant to be accusatory, just a reminder of being mindful where and how you use various usernames and passwords.

  17. #17
    BG's most likeable Québécois
    Pens win! Pens Win!!! PENS WIN!!!!!


    Or it's just bad luck: you used the credential on WoW and for something else (for example, a credit card) and hackers just tried it on WoW and it worked.

    (farfetched but you never know lol)

  18. #18
    :3
    Join Date
    Nov 2006
    Posts
    653
    BG Level
    5

    Wow, my friend's account got hacked too recently. Did the hacker tie your account to a battle.net account? My friend's WoW account had this happen to him Saturday. He doesn't give his account info to anyone or anything stupid like that, so I was really surprised. Is there some kind of exploit during this battle.net merging?

  19. #19
    TIME OUT MOTHERFUCKER

    Join Date
    Jun 2007
    Posts
    4,972
    BG Level
    7

    I had my account info stolen as well, about 8 months ago.

    Couldn't figure out how it happened for the longest time. Turned out to be a tracking cookie that managed to keylog wow.com login. Probably from gold seller's ads on a different page; I suspected curse.com

  20. #20
    RIDE ARMOR

    Wow guartz, really? Cause the SOLE thing that came up, out of every single scan, was 1 tracking cookie via Spybot SnD. 1. I didn't really think it was a big deal... wow.

    My boyfriend's computer (who also plays WoW) had like 15 of them earlier. Thank god I told him to scan and got rid of all of them ><

    I wonder if that one little cookie could have been it!

    And no, my account was not merged to battlenet, but I did that as soon as I regained access to it, as I ordered an authenticator.
