My PC may be infected by malware due to phishing [Solved]

#1 ThatRandomGuy (Member, 42 posts)
Hey guys, this is gonna be a long post, but I'm in serious distress here.

So I play this MMORPG by the name of RuneScape. I heard of some giveaway that required me to post on the forums. Like an idiot, I clicked on a disguised hyperlink. It brought me to the forum login page and I logged in, typing in my username and password. However, this is likely a false page that tricked me into typing my information. Then I received a message that the forum post that I was trying to go to "didn't exist". That could have installed some malware on my computer. I used to think only idiots would become phishing victims by writing their password on some form. I guess I must be an idiot too.

So, on with the story. That happened about 12 hours ago and I found that I was unable to log in because my account was being accessed from elsewhere. I thought it was just a bug and went to bed. In the morning, I tried to log in and found my account had been locked. Upon resetting my password and re-entering the game, all my gold was gone. Which was quite a lot for me. :( Then, I found that I had been muted. Upon checking the evidence for this mute, I found that my account was used to advertise for this same "giveaway" that I was scammed by.

So, I immediately ceased logging in to any accounts, though I think I may have logged in to my Yahoo Mail and Battle.net accounts. *gulp* I suspect a keylogger has been installed in my system. After all, the fact that the criminal accessed my account means he has the password. It is likely that he got the password from the false page and there is in fact no malware on my PC. However, I want to be really sure so that the rest of my accounts are safe. How do I do this? I've been to GeeksToGo before and I know you guys are trustworthy and smart.

Sigh. I really didn't think I would fall for this sort of BS. I guess I was tired at night or something. I installed Malwarebytes Free and scanned my system. I quarantined a bunch of the junk files, though I'm not sure if they were malware. I also have some Trend Micro software on disc that I haven't installed. Should I install and use it? I have used it before and I liked it.

PS: I'm typing this on my iPad just to be safe.
#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi, in all probability there was no keylogger installed; they just stole the login data from that fake page. However, if you use that login/password combination anywhere else, then change it immediately.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click to run as administrator (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Select Additions at the bottom.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.


#3 ThatRandomGuy (Topic Starter, Member, 42 posts)

Thanks for replying. :) Here are the logs, attached as requested. What does FRST do?

EDIT: I also completed a scan with Trend Micro Titanium. It removed a Mal_Hifrm "malware". Not sure what that is, but could it be malicious? The logs are from after the scan and removal, FYI.

Edited by ThatRandomGuy, 20 July 2014 - 07:06 AM.


#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
FRST looks at the system and shows me the results based on where we know that malware lurks :)

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:

HKU\S-1-5-21-228239459-1228040494-1754010821-1001\...\Run: [BackgroundContainerV2] => "C:\windows\SysWOW64\Rundll32.exe" "C:\Users\Hubert.ASUS-PC\AppData\Local\Tbccint\BackgroundContaine (the data entry has 34 more characters).
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {23784F92-94AE-4757-BE78-381361A7DF86} URL = http://trovi.com/Res...9912625371&UM=1
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
Toolbar: HKCU - No Name - {3385E2D6-567B-4FC6-8F0F-D7A8C6E6118C} - No File
Toolbar: HKCU - No Name - {A8864317-E18B-4292-99D9-E6E65AB905D3} - No File
C:\ProgramData\hash.dat
C:\Users\Hubert\jagex_cl_loginapplet_LIVE.dat
C:\Users\Hubert\jagex_cl_runescape_LIVE.dat
C:\Users\Hubert\jagex_cl_runescape_LIVE1.dat
C:\Users\Hubert\jagex_cl_runescape_LIVE_BETA.dat
C:\Users\Hubert\jagex_cl_speccollect_LIVE.dat
C:\Users\Hubert\random.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_loginapplet_LIVE.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_runescape_LIVE.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_runescape_LIVE1.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_runescape_LIVE_BETA.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_speccollect_LIVE.dat
C:\Users\Hubert.ASUS-PC\random.dat
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:


Save this as fixlist.txt in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

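Before pressing Fix, the recipient of a fixlist like the one above may want to see what it actually touches. The following Python script is an added example (not FRST's own code and not from this thread): it classifies each line of a fixlist.txt and flags the CMD lines that delete recursively so they can be reviewed first. The line categories are inferred from the fixlist posted in this thread and are an assumption, not FRST's documented grammar.

```python
"""Triage an FRST fixlist before pressing Fix.

Added example, not FRST's own code and not from the thread: it classifies
each line of a fixlist.txt like the one posted above and flags CMD lines
that delete recursively. Categories are inferred from that fixlist
(an assumption about FRST's line formats, not its documented grammar).
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the fixlist in this thread.
SAMPLE_FIXLIST = r"""
HKU\S-1-5-21-228239459-1228040494-1754010821-1001\...\Run: [BackgroundContainerV2] => "C:\windows\SysWOW64\Rundll32.exe"
SearchScopes: HKCU - {23784F92-94AE-4757-BE78-381361A7DF86} URL = http://trovi.com/Res...9912625371&UM=1
Toolbar: HKCU - No Name - {3385E2D6-567B-4FC6-8F0F-D7A8C6E6118C} - No File
C:\ProgramData\hash.dat
C:\Users\Hubert\random.dat
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
"""

# Order matters: the first matching rule wins. Inferred from the posted fixlist.
RULES = [
    ("autorun", re.compile(r"^HK(LM|CU|U)\\.*\\Run: \[")),  # persistence entry
    ("searchscope", re.compile(r"^SearchScopes: ")),        # browser search hijack
    ("toolbar", re.compile(r"^Toolbar: ")),                 # browser toolbar remnant
    ("command", re.compile(r"^CMD: ")),                     # shell command FRST runs
    ("reboot", re.compile(r"^REBOOT:")),
    ("file", re.compile(r"^[A-Za-z]:\\")),                  # file or folder to delete
]
# Forced or recursive deletes deserve a second look before the fix is run.
DESTRUCTIVE = re.compile(r"\b(DEL|RD|RMDIR)\b.*/(S|Q|F)\b", re.I)


def classify(line):
    """Return the category of one fixlist line, or 'unknown'."""
    for kind, pattern in RULES:
        if pattern.search(line):
            return kind
    return "unknown"


def triage(text):
    """Return (category counts, list of flagged destructive CMD lines)."""
    counts, flagged = Counter(), []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        kind = classify(line)
        counts[kind] += 1
        if kind == "command" and DESTRUCTIVE.search(line):
            flagged.append(line)
    return dict(counts), flagged
```

Running `triage(SAMPLE_FIXLIST)` on the constructed sample reports one autorun, one search scope, one toolbar, two files, three commands and a reboot, and flags the two DEL/RD lines for review.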

#5 ThatRandomGuy (Topic Starter, Member, 42 posts)

Ok, I did as requested. Does this further step mean that I do have malware/spyware?

EDIT: Glad it helped delete a lot of junk, though.

Edited by ThatRandomGuy, 20 July 2014 - 08:33 AM.


#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Not really, there was just a bit of adware stuff that needed removing :)

How is the computer behaving, any problems?



#7 ThatRandomGuy (Topic Starter, Member, 42 posts)

Nope. It's doing fine. Can I safely assume no keylogger? That means no more using virtual keyboards to type in stuff and finally the ability to log in to my mail and Facebook and games, haha.

EDIT: To clarify, PC is functioning as per normal. No problems whatsoever aside from sadness stemming from my game gold stolen.


Edited by ThatRandomGuy, 20 July 2014 - 09:25 AM.


#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Once again I must reiterate that any passwords that are similar to the stolen one must be changed.
It is always a reasonable policy to use the virtual keyboard whenever you are going to banking sites, a sort of belt and braces approach :)

Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix


Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run some important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

#9 ThatRandomGuy (Topic Starter, Member, 42 posts)

Wow, loads of advice. I will definitely heed a lot of them. Thanks a lot, Essexboy. :)



#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
My pleasure, if you have any questions then do not hesitate to ask :)

#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.