DonFreeman

asked on

Keylogger Problem? DSO Exploit

I am playing an on-line game out of Germany called Tibia.  There is another thread about it here.  There are a lot of hackers playing this game and visiting any of the fan-sites is likely to lead to some kind of infection.  I don't go to them.

I have two accounts.  I logged into the Tibia home site on account 1 using Mozilla Firefox and was doing some account maintenance when a pop-up window appeared and invited me to change my password for account 2.  This appeared several times.   I logged out and ran Spybot and found DSO Exploit and removed it.  My operating system is Windows 2000 Personal Edition.  I am pretty sure it is at the correct patch level.

I don't know that the IE exploit DSO is anyhow related to my experience using Firefox but I have some evidence that there is a problem.  I also have Norton Firewall, Norton Anti-Virus, Adaware, and Hijack This on this machine but haven't run scans with these latter yet.  

What's going on?  Where do I start?  I am not looking for an exhaustive list of all possible removal tools but analyze the problem if you can, provide a solution or further troubleshooting steps.
ASKER CERTIFIED SOLUTION
knoxj81

This solution is only available to members.

The DSO exploits flagged by Spybot S&D are caused by a bug in its current release.

This will be sorted in the next release.

Latest news on this:

>>Please note the current beta release of the application (v 1.3.1b) corrects the DSO bug. If you are not comfortable with installing the beta ignore the DSO items until the final is released. Again, please note it is an application update and not an includes update that fixes this bug<<

From:

http://forums.net-integration.net/index.php?showtopic=17159

Zee

DonFreeman

ASKER

What I want to do is figure out what is happening in the case.  I have been reviewing the products listed by knoxj81 and see some stuff I am going to install.  However, I want to know what is on my machine now.   It seems to know when I log into the Tibia home site and then spoof the password change interface.  How does it do that?  I want to see what's in the process list when it happens.  What should I be looking for?  

Spybot didn't find it and I want to run the other programs when I get off of work.  Obviously, if nothing finds it then I need to work with Adaware or Spybot support to figure out what it is.

knoxj81

It's not going to be in your processes. Most likely it's just a popup from the website. If in fact it is a program running on your PC, all you have to do is run an Adaware scan and an updated virus scan, and anything of that nature would be removed. I would install the programs I listed, then I would update them all.

Also: If you are using Mozilla, I would recommend uninstalling your current version and updating to their latest release, to patch for the found exploits.
http://www.majorgeeks.com/download2248.html - This version of Mozilla Firefox was released yesterday.

Let me know if you have any further concerns,

Jorden

I wonder if that pop-up isn't Firefox save password feature, because as you probably know Firefox can store several auto logon passwords for the same site.

Try this:

Tools > Options > Privacy > Saved Passwords

Click the "Clear" button to delete all stored passwords.

When logging on to the Tibia site, and asked to save, click "Never for this site" (or similar wording). I suspect this will end the pop-ups, but you will need to retype the name and password every time you want to log on to that site.

Interesting will be Process Explorer:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Download, install and run.

This will show you all processes running and their details.

Maybe you can find something suspicious there...??

Post back if you have any doubts.

Good luck,

Zee

knoxj81, when I get home I'll try what you are suggesting. I did run Adaware last night and it didn't find anything significant either. I logged onto the site again this morning and it very reliably invites me to change the password for my second account. I can't imagine that this thing is a feature of the Tibia Cipsoft home. The dialog box isn't inviting me to SAVE the password, it's inviting me to CHANGE the password. I figure once I do that and put in my old password I'm toast. I'm too chicken to select yes and see what comes next.

I agree with your "chicken" decision, but that is also the wise decision.

Maybe worth a try:

Logon with your second account and change password from within the Tibia interface.

Save and check if the problem persists.

That popup could also be, and there are some sites that do that, a reminder for old passwords that should be periodically changed, as a safety precaution.

But, I'm only guessing, of course.

Zee

Regardless of whether it's locally or remotely. If you have the right tools, this doesn't have to be a concern.

If it was a keylogger, you wouldn't have to be asked to enter your password. They would see you login and that would be that.

Either way: You need to run the best security tools, fully updated.

Good Luck,

Jorden