Security problems - Three accounts have been hacked

My thread on GD has been closed. Basically my Steam, Hotmail and Gmail accounts have been hijacked (the first two twice in recent weeks).

I am 99% sure I haven't been phished, as a long term user of OcUK my internet security is effective enough.

My PC is a Vista 64bit with Spybot, NOD32 and Vista Firewall control running. It runs on our home wireless network (which has a security key). Both my mum and my computer run off the network; SSID is on but I am not comfortable logging on to the router in case a key logger is on.

Can anyone suggest what on earth is going on? How do I check if it is a key logger? What methods could they be using?
 
It definitely sounds as if you've got a trojan or spyware on your system. Have you scanned your system in Safe Mode? I'd update everything and give it a try, I'd also download HijackThis and get someone from their forums to have a look over reg keys etc.

As for your router, I tend to only allow local connections; perhaps you should consider disabling remote logons too.

Change your passwords regularly and don't use the same one for multiple sites. I have one for my Hotmail, another for my Gmail and another for my online banking. I tend to use the same one for forums though - too many to remember :)
 
HijackThis scan - I am not going to even pretend to know what this means......


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:56, on 03/08/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files (x86)\ESET\nod32kui.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Windows\SysWOW64\CTHELPER.EXE
C:\Program Files (x86)\FlashGet\flashget.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWow64\rundll32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
F:\Steam\Steam.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files (x86)\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files (x86)\FlashGet\getflash.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files (x86)\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Flashget] "C:\Program Files (x86)\FlashGet\flashget.exe" /min
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files (x86)\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files (x86)\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files (x86)\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Unknown owner - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files (x86)\Eset\nod32krn.exe
O23 - Service: O&O Defrag - Unknown owner - C:\Windows\system32\oodag.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VistaFirewallService - Sphinx Software - C:\Program Files\VistaFirewallControl\VistaFirewallService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~2\COMMON~1\X10\Common\x10nets.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 8934 bytes
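As an added example (not code from the thread, and not part of HijackThis itself), here is a small triage script for the log format posted above. It parses the O2 (BHO), O4 (autorun) and O23 (service) line types and tags the entries a reviewer would look at twice; the tags and heuristics are my own, and a few lines copied from the log above serve as the input. One caveat it encodes: the "(file missing)" marks on System32 services are a known artefact of running 32-bit HijackThis on 64-bit Windows, where WoW64 file system redirection hides the real System32 from the scanner.

```python
import re

# HijackThis line shapes this parser understands; everything else is ignored.
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

def _exe_from_cmd(cmd: str) -> str:
    """Quoted command line -> the quoted path; otherwise its first token."""
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (tag, reviewer note, original line) for entries worth a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := _O2.match(line):
            if m["path"] == "(no file)":
                findings.append(("orphan-bho", "registered BHO whose DLL is gone; stale, remove it", line))
        elif m := _O4.match(line):
            exe = _exe_from_cmd(m["cmd"])
            if "\\" not in exe and "%" not in exe:   # no directory: resolved via PATH search
                findings.append(("bare-autorun", f"{exe} found via PATH search; confirm which file loads", line))
        elif m := _O23.match(line):
            owner, path = m["owner"], m["path"]
            if path.endswith("(file missing)") and re.match(r"C:\\Windows\\", path, re.I):
                # 32-bit HijackThis on 64-bit Windows cannot see the real System32
                # (WoW64 redirection), so every built-in service looks "missing".
                findings.append(("wow64-false-positive", "expected on x64; verify with a 64-bit tool", line))
            elif owner == "Unknown owner":
                findings.append(("unknown-owner", "no publisher recorded; check signature and location", line))
    return findings

# A handful of lines copied from the log posted above, used here as constructed test input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Flashget] "C:\Program Files (x86)\FlashGet\flashget.exe" /min
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files (x86)\Eset\nod32krn.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
"""

if __name__ == "__main__":
    for tag, note, line in triage(SAMPLE_LOG):
        print(f"[{tag}] {note}\n    {line}")
```

Note that the Spybot BHO path contains " - " inside it, which is why the regexes anchor on the CLSID and split the service line non-greedily instead of splitting on the separator.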
 
Google are morons! Why don't they have an additional info box like hotmail. I haven't got a clue what month or year I got my gmail account. I could bloody tell them the contents of recent emails but there isn't anywhere to enter that!
 
After a quick glance nothing jumps out at me as majorly suspicious. As has been suggested do a full scan in Safe Mode with SpyBot and MBAM (I think that's what it was called - it managed to clean Virtumonde off my friend's stepdad's PC).

You can also do a more in-depth scan with HijackThis, once you've done that post the results.

As for Gmail I think the questions they ask change each time you try, so if your memory fails on one set try again...
 
I have got my Hotmail and Gmail back, just waiting for my Steam account (the hijacker successfully requested a password change with Steam via my Hotmail).
 
Anyone know how I can get my Steam account back? The first time it got hijacked I emailed them with my bank/card details. I bought Steam over the internet years ago with my Barclays account (different card as it has since expired). Sent them my last 4 digits, card type etc and they responded and acknowledged it was the correct information.

However they are not this time. They claim it does not match. I have asked why they did it the first time when this time I am providing them with more information. I don't know what to do.
 
Can't help with Steam, but have you ever logged into your gmail/hotmail account on a public computer? e.g. internet cafe or even a friend's computer? Your machine might not be the problem.

edit - also, regarding your secret question, it might be hard for a human to guess your favourite teacher but if it is an actual name it is quite susceptible to a dictionary attack.

I don't like secret questions - they are a massive risk to Joe Average. If I ever have to choose one I just stick in another password e.g. Q: Favourite colour? A: dfg9tyh113. If you put in "red", "blue", "green" etc. imagine how easy it would be to guess.

One of my friends, the biggest red I know, got his hotmail account hijacked by someone he knew. Secret question: "Favourite football team?"

He won't be making that mistake again.
 
No I can't think of any instances. Only computers I have used in the last month or so are my girlfriend's, my mum's netbook and my own PC. I think it is over (I have Hotmail and Gmail back). It just frustrates me that Steam gave me my account back a couple of weeks ago and with the same information are refusing to now.
 
It could easily be your mum or your girlfriend's computer. It would be worth finding out where the leak is so it doesn't happen again.
 
Doubt it was either to be honest. I never used Steam on either of their computers; Hotmail is the only one I have logged on to on all 3 computers. Also my GF's dad has made her laptop very secure, prob more secure than mine.
 
Steam is linked to your hotmail account, correct? I don't know how Steam works but I assume you can request a password reset to be sent to your hotmail address, which is how that got owned without you ever going near Steam on those computers.
 
Yes it was, but if it was her computer surely the hacker/trojan would have gone for everything they could have got. I am 99% sure the breach was on my computer. There is no evidence of password requests (fair enough, the hacker may have deleted emails, but they didn't the other time).

EDIT - Scans before my format came up with a couple of unwanted nasties.
 
Well that is it, they still won't believe me. I have lost my account - Steam IMO are dreadful! I have done nothing wrong and am being treated like crap :(
 
Can't you contact the bank or even go through old statements to get the actual card number you paid with?
 