[ThatRandomGuy]

Hey guys, this is gonna be a long post but I'm in serious distress here.

So I play this MMORPG by the name of RuneScape. I heard of some giveaway that required me to post on the forums. Like an idiot, I clicked on a disguised hyperlink. It brought me to the forum login page and I logged in, typing In my username and password. However, this is likely a false page that tricked me into typing my information. Then I received a message that the forum post that I was trying to go to " didn't exist". That could have installed some malware on my computer. I used to think only idiots would become phishing victims by writing their password on some form. I guess I must be an idiot too.

So, on with the story. That happened about 12 hours ago and I found that I was unable to log in because my account was being accessed from elsewhere. I thought it was just a bug and went to bed. In the morning, I tried to log in and found my account had been locked. Upon resetting my password and re-entering the game, all my gold was gone. Which was quite a lot for me. Then, I found that I had been muted. Upon checking the evidence for this mute, I found that my account was used to advertise for this same "giveaway" that I was scammed by.

So, I immediately ceased logging in to any accounts, though I think I may have logged in to my Yahoo Mail and Battle.net accounts. *gulp* I suspect a key logger has been installed in my system. After all the fact that the criminal accessed my account means he has the password. It is likely that he got the password from the false page and there is in fact no malware on my PC. However, I want to be really sure so that the rest of my accounts are safe. How do I do this? I've been to GeeksToGo before and it know you guys are trustworthy and smart.

Sigh. I really didn't think I would fall for this sort of BS. I guess I was tired at night or something. I installed malwarebytes Free and scanned my system. I quarantined a bunch of the junk files though I'm not sure if they were malware. I also have a Trend Micro software on disc that I haven't installed. Should I install and use it? I have used it before and I liked it.

PS: I'm typing this on my iPad just to be safe.

[Advertisements]

HI, in all probability there was no keylogger installed they just stole the login data from that fake page. However, if you use that login/password combination anywhere else then change it immediately

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach both logs generated.

[Essexboy]

HI, in all probability there was no keylogger installed they just stole the login data from that fake page. However, if you use that login/password combination anywhere else then change it immediately

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach both logs generated.

[ThatRandomGuy]

Thanks for replying. Here are the logs, attached as requested. What does FRST do?

 

EDIT: I also completed a scan with Trend Micro Titanium. It removed a Mal_Hifrm "malware". Not sure what that is but could it be malicious? The logs are from after the scan and removal, FYI.

Attached Files

•  Addition.txt   42.11KB   94 downloads
•  FRST.txt   59.69KB   137 downloads

Edited by ThatRandomGuy, 20 July 2014 - 07:06 AM.

[Essexboy]

FRST looks at the system and shows me the results based on where we know that malware lurks

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

HKU\S-1-5-21-228239459-1228040494-1754010821-1001\...\Run: [BackgroundContainerV2] => "C:\windows\SysWOW64\Rundll32.exe" "C:\Users\Hubert.ASUS-PC\AppData\Local\Tbccint\BackgroundContaine (the data entry has 34 more characters).
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {23784F92-94AE-4757-BE78-381361A7DF86} URL = http://trovi.com/Res...9912625371&UM=1
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
Toolbar: HKCU - No Name - {3385E2D6-567B-4FC6-8F0F-D7A8C6E6118C} - No File
Toolbar: HKCU - No Name - {A8864317-E18B-4292-99D9-E6E65AB905D3} - No File
C:\ProgramData\hash.dat
C:\Users\Hubert\jagex_cl_loginapplet_LIVE.dat
C:\Users\Hubert\jagex_cl_runescape_LIVE.dat
C:\Users\Hubert\jagex_cl_runescape_LIVE1.dat
C:\Users\Hubert\jagex_cl_runescape_LIVE_BETA.dat
C:\Users\Hubert\jagex_cl_speccollect_LIVE.dat
C:\Users\Hubert\random.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_loginapplet_LIVE.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_runescape_LIVE.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_runescape_LIVE1.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_runescape_LIVE_BETA.dat
C:\Users\Hubert.ASUS-PC\jagex_cl_speccollect_LIVE.dat
C:\Users\Hubert.ASUS-PC\random.dat
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

[ThatRandomGuy]

Ok, I did as requested. Does this further step mean that I do have malware/spyware?

 

EDIT: Glad it helped delete a lot of junk, though.

Attached Files

•  Fixlog.txt   229.6KB   271 downloads
•  AdwCleanerS1.txt   3.81KB   208 downloads

Edited by ThatRandomGuy, 20 July 2014 - 08:33 AM.

[Essexboy]

Not really, there was just a bit of adware stuff that needed removing

 

How is the computer behaving, any problems  

[ThatRandomGuy]

Nope. It's doing fine. Can I safely assume no keylogger? That means no more using virtual keyboards to type in stuff and finally the ability to log in to my mail and Facebook and games, haha.

 

EDIT: To clarify, PC is functioning as per normal. No problems whatsoever aside from sadness stemming from my game gold stolen.

Edited by ThatRandomGuy, 20 July 2014 - 09:25 AM.

[Essexboy]

Once again I must iterate that any password that are the similar to the stolen one must be changed.
It is always a reasonable policy to use the virtual keyboard whenever you are going to banking sites, a sort of belt and braces approach

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix




: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware



Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

[ThatRandomGuy]

Wow, loads of advice. I will definitely heed a lot of them. Thanks a lot, Essexboy.

[Essexboy]

My pleasure, if you have any questions then do not hesitate to ask

[Essexboy]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.