A friend of mine had his WoW account Compromised...

SilthDraeth

Platinum Member
Oct 28, 2003
2,635
0
71
Anyone who helps I am throwing out a big Thank you ahead of time.

Basically, the guy has been running XP home, and using Windows Firewall, AVG free edition, Spybot, and Adaware.

Says he never gave account info to anyone. States he only goes to a handful of sites (probably more), but one of which is the official World of Warcraft forums, which are a hive nest of keyloggers.

Anyways. He came home from work, couldn't get on his account, so he immediately reset the password, logged on his 70 and half his gear was missing. And several characters deleted.

SOOO.

I had him download the Kaspersky Internet Security suite trial, RootkitRevealer from Sysinternals, and HijackThis from Trend Micro.

He states AVG found 1 piece of spyware (of course he doesn't remember what it was).

So he ran a full scan of Kaspersky, it is still running as I post this. Found at least 1 trojan.
Ran HijackThis, and I will be posting his log soon.
Is running RootkitRevealer and I will post its log again soon.

Any other recommendations?
 

CalvinHobbes

Diamond Member
Feb 27, 2004
3,524
0
0
Have him contact Blizzard, they should be able to restore his account after they do an investigation.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
That sounds like a good start, and if he can handle using a non-Admin user account, that would probably be about a +9 Deterrent against it happening again :D There's some other tips in that link as well that may help in the future.

It could be helpful for him to give you the exact names of whatever malware is found by the scans, so see if he can save that info.
 

SilthDraeth

Thank you Mech, and Calvin

Yes he contacted Blizzard first thing to get his account restored. I told him, he will need to probably change his password again shortly. And perhaps a phone call to lock his account may be in order until he can unlock it using the CD key.

Mech, I asked for the malware that was found so far, but he had deleted it/cleaned it, and didn't think to record the information.

Kaspersky should have a log of past scans/infections though. I can look on mine and see if I can get him to give that info.

I spoke to him about the limited user account over Ventrilo. I told him it is in his best interest to do that, as a WoW theft is small time crime compared to identity theft.

As soon as I receive the log files I will throw them up on here.
 

SilthDraeth

Well, there will be no incoming logs. The friend said his computer kept locking up, and RootkitRevealer was telling him he had a corrupted drive or something (this is what he posted on my guild forum), and he couldn't save the file. Kaspersky found a total of 3 trojans, but kept freezing his system, causing him to do hard shutdowns.

So he is going to format the whole hard drive.
 

Fokks

Senior member
Oct 31, 1999
371
0
0
A reformat is basically the best solution at that point anyway.

Like you mentioned, I hope he didn't do any online banking or anything like that on there. I recommend using a Linux live CD for those types of things in the future.
 

degibson

Golden Member
Mar 21, 2008
1,389
0
0
A compromised WoW account is not proof of a compromised machine -- he may have simply had a weak password (and usernames aren't hard to guess from WoW characters and forums). Your friend should be careful, of course (and a reformat is a good option), and change all the passwords that happen to match the cracked one.
 

SilthDraeth

Originally posted by: degibson
A compromised WoW account is not proof of a compromised machine -- he may have simply had a weak password (and usernames aren't hard to guess from WoW characters and forums). Your friend should be careful, of course (and a reformat is a good option), and change all the passwords that happen to match the cracked one.

Obviously. But the fact is, his system was compromised.