
Trojan: hacked account in online game

Discussion in 'Virus & Other Malware Removal' started by andrecfj, Oct 12, 2008.

Thread Status:
Not open for further replies.
    andrecfj (Thread Starter; joined Oct 12, 2008; messages: 1)
    Yesterday I received an email from Blizzard (related to the game World of Warcraft) telling me my account was accessed by someone...
    Finally, today I entered my account and changed my password. However, my problem is that my antivirus is detecting a trojan PSW.WOW.NER and I can't delete it.

    This trojan is using the process svchost.exe... I used Process Explorer (from Microsoft), and it shows me that this process is trying to obtain access to my WoW data.

    Every 40 minutes, NOD32 shows a warning about a site called i216.photopuckat.com/8.exe. After this, a file systemX.exe (where X is a number) is created in Windows\system32.

    If anyone has an idea, please answer. I tried the virus database in the support area of the Blizzard website, but PSW.WOW.NER isn't there. Here is a HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 10:44:09, on 12/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\GbPlugin\GbpSv.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Arquivos de programas\Eset\nod32krn.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Arquivos de programas\Eset\nod32kui.exe
    C:\WINDOWS\system32\LXSUPMON.EXE
    C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Arquivos de programas\DAEMON Tools\daemon.exe
    C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    F:\Install\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.folha.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.redecasd.ita.br:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 216.107.242.199 l2authd.lineage2.com
    O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Arquivos de programas\Shareaza\Plugins\RazaWebHook.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MI69DF~1\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ISUSPM] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Arquivos de programas\Download Manager\DLM.exe /windowsstart /startifwork
    O8 - Extra context menu item: Append to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Baixar com o FDM - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Baixar tudo com o FDM - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Download selecionado pelo FDM - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with &Shareaza - res://C:\Arquivos de programas\Shareaza\Plugins\RazaWebHook.dll/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MI69DF~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MI69DF~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MI69DF~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/mcinsctl/pt-br/4,0,0,83/mcinsctl.cab
    O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://200.212.184.212/g_bin/eng/boards_2_0_0_34.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191117172296
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://wcam01.ele.ita.br/activex/AMC.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MI69DF~1\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: __GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
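A triage check over a log like the one above, added here as an example and not code from the poster or the forum: it reads HijackThis "Running processes" and O4 Run lines and flags core Windows binaries (svchost.exe, smss.exe and the like) that run from anywhere other than their expected System32 directory, plus file names matching the systemX.exe pattern the poster describes. The sample lines are constructed from entries in the log; system12.exe is a made-up name standing in for that pattern.

```python
import re
from pathlib import PureWindowsPath

# Core Windows XP binaries and the only directory each legitimately runs from.
# A file with the same name anywhere else is a classic masquerading sign.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# The dropped-file naming the poster reports: systemX.exe, with X a number.
DROPPED_NAME = re.compile(r"^system\d+\.exe$", re.IGNORECASE)

# First drive-letter path ending in .exe on a line; quoted or not, spaces allowed.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.exe)\b", re.IGNORECASE)


def check_entry(line: str):
    """Return a finding for one HijackThis process or O4 line, or None if clean."""
    m = PATH_RE.search(line)
    if not m:
        return None  # no executable path on this line (e.g. RUNDLL32 + .dll)
    path = PureWindowsPath(m.group(1))
    name, parent = path.name.lower(), str(path.parent).lower()
    if DROPPED_NAME.match(name):
        return f"{path}: matches the systemX.exe drop pattern"
    expected = EXPECTED_DIRS.get(name)
    if expected and parent != expected:
        return f"{path}: {name} running outside {expected}"
    return None


def triage(log: str):
    """Run check_entry over every line and collect the findings in order."""
    return [f for f in (check_entry(ln.strip()) for ln in log.splitlines()) if f]


# Constructed sample: lines taken from the log above plus a made-up system12.exe.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Eset\nod32krn.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\system12.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The path table only covers the XP layout seen in this log; on another Windows version the expected directories would need adjusting.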
     
Short URL to this thread: https://techguy.org/758393