I’m new to the forums, and I know this question has been asked 1000 times, so please bear with me.
So recently, I had my WOW account hijacked. I figured that someone was using a keylogger, but I don’t know for sure. I noticed that I didn’t even have an antivirus program installed.
I did the boot-scan thing, and it found something in my c:\documents and settings.…\a.exe and said it was the Win32: Rootkit-gen thing. I didn’t know about the store in chest thing (since I had just downloaded avast!) so I just deleted it. I also think I selected delete all, and it deleted a few things that it found (some were from the win32 folder I think). Nonetheless, my Windows is still working, so hopefully I didn’t delete anything important.
Also, Malwarebytes deleted some stuff from my Win32 folder, which it will show at the bottom of the log.
So anyways, I am going to post my Hijack log and my Mbam log, and hopefully you guys can tell me if the rootkit is still there.
Ok, thanks for the quick reply on attaching the files.
So here are the attached logs for Hijack, Mbam, and also the avast! anti-rootkit. Before you read the logs though, I want to give you an idea of what I did when I found out my computer might have a keylogger or something on it.
1.) Downloaded avast! antivirus and did boot-scan, which deleted said files supposedly.
2.) Downloaded Malwarebytes and did a scan, which deleted more files.
3.) Downloaded and ran Spybot S&D, which removed 3 infections or something like that.
4.) Downloaded and ran the avast! anti-rootkit.**
**I wasn’t sure what I was supposed to stop running in order to NOT get false positives, so I kept my antivirus going, and didn’t disable system restore. However, I didn’t get any false positives, as it said no rootkits were found.
Have you rebooted yet? If not, do so. After you reboot, can you please run another quick scan with Malwarebytes and post back your result? I am not very good at analyzing HijackThis logs, so my help is limited. You should wait until someone with more experience comes and takes a look at your HijackThis log.
Okay, so, in response to micky77, how would I go about fixing those files? You said one is already deactivated, so does that mean I don’t have to fix that one? I don’t know if by fixing them you mean to just delete them, so I’m a little unclear on that.
I have another question about the rootkit problem too. When I initially did the first avast! boot-scan, this is the rootkit it found:
File C:\Documents and Settings\ej\Desktop\a.exe is infected by Win32:Rootkit-gen [Rtk], Deleted
Now, I have heard (in many cases on these forums) that just because avast! says it’s deleted, it doesn’t necessarily mean it’s gone. I know rootkits are hidden so that even by searching for hidden files, you can’t find them. So, I ran cmd and put in this command:
type C:\Documents and Settings\ej\Desktop\a.exe
And it said it could not find the specified file or path. Does that mean that the Win32: Rootkit is gone?
micky77 means run the HijackThis scan again, put a check mark next to the 2 entries he pointed out, and fix them.
It seems like the rootkit was found in your system restore, so I recommend that you:
Disable system restore
Restart
Enable it again
Hope this helps ;D
Also, I’m not sure, but if your WoW account got hijacked, I think you can recover it by emailing Blizzard with some proof that it’s your account.
Be sure you have a 2-way firewall (Online Armor, Zone Alarm, PC Tools, Outpost, Windows Vista Firewall).
Also, if you have Vista, be sure you have Windows Update set to automatic and all the UAC things on as well.
I can say that I have Avast!, Malwarebytes, Windows Defender (included on Windows XP SP2 or SP3 and Vista) with Windows Vista Firewall and UAC + automatic updates for Windows only, and all run fine. So if you want to wait for another reply with recommendations, it’s up to you.
No, I wouldn’t expect it to be there. However, as I said before in my OP, I’m new to avast! and this whole rootkit thing, and I’ve heard that even once avast! says it’s deleted, it may not be.