CastleCops, Internet Crime Fighters
Onlinegames keyloggers and fake Software for Worldofwarcraft
KaKii
Cadet
Joined: Oct 07, 2007
Posts: 2
Location: UK

PostPosted: Sun Oct 07, 2007 11:44 pm

Hi, I was just browsing through Google when I came across your site.

Earlier this evening, my younger brother was browsing through WoW-Europe forums when he clicked a keylogger link...

I'm using Firefox, by the way, if it makes any difference; the keylogger post can be found here:

http://forums.wow-europe.com/thread.html?topicId=1152956003&sid=1

********DON'T CLICK ANY OF THE LINKS FOUND WITHIN THE POST*******

According to my brother the site in question did not load fully, but I guess loading it for 0.5 secs is enough really. Anyway, I've been on another computer and changed my WoW account password etc. for safety and have been running various anti-virus programs, Kaspersky, Spybot S&D, and nothing of any great relevance has been discovered by them. I'll continue to run them overnight.

PS. Here is the HijackThis logfile; I'm just looking for some information telling me whether my computer seems infected with this crap, or hopefully not.

This is taken from the WoW account screen, when I guess the process would be running...

Thanks greatly for any help in this matter.

tetak
MIRT Team Lead
Premium Member
Joined: Jan 19, 2007
Posts: 5864
MIRT Premium

PostPosted: Mon Oct 08, 2007 12:28 am

Thanks for posting the links.

Code:
lluzq.cn

is currently offline.


_________________
Got Windows XP? Help protect your PC from malware with Microsofts anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
Astair
Guest
IP: 99.251.*.*

PostPosted: Wed Nov 21, 2007 4:49 am

I know, this thread is old and the last post was a while ago, but it seemed the most relevant place to post.

Browsing the WoW forums while half-asleep, I didn't notice the ".cn" in the domain and stupidly followed this link -

www.ocaiq.cn/albums/y287/ShadowedFate/WoWScrnShot_101207_194709.jpg

I visited using Firefox. Does that site use exploits/security holes in IE to inject its malware/trojan? I've done a full scan with AVG already, registry startup folders are clean and the task manager's process list doesn't list anything out of the norm, but I'm still unsure. Any help would be greatly appreciated.

tetak
MIRT Team Lead
Premium Member
Joined: Jan 19, 2007
Posts: 5864
MIRT Premium

PostPosted: Wed Nov 21, 2007 5:05 am

Code:
ocaiq.cn

is currently offline.

From what I can remember I think it takes advantage of an exploit in Windows.

Visit www.windowsupdate.com and scan your PC for updates. If you already have all the updates installed you are probably ok.

If you are still concerned you could always post a log in the Hijack This forum.


Astair
Guest
IP: 99.251.*.*

PostPosted: Wed Nov 21, 2007 12:51 pm

tetak wrote:
Code:
ocaiq.cn

is currently offline.

From what I can remember I think it takes advantage of an exploit in Windows.

Visit www.windowsupdate.com and scan your PC for updates. If you already have all the updates installed you are probably ok.

If you are still concerned you could always post a log in the Hijack This forum.

the ocaiq.cn address just opened up a page with 2 frames - one with a blog and an "invisible" frame leading to http://world0fwarcraft.net/lese1.htm

Heading over to windows update now!

bobby_
MIRT Hunter
Joined: Nov 04, 2006
Posts: 237
Location: Austria
MIRT

PostPosted: Wed Nov 21, 2007 8:52 pm

hxxp://world0fwarcraft.net/lese.exe


_________________
ASAP member
Sugarlady
Guest
IP: 69.42.*.*

PostPosted: Sun Dec 16, 2007 1:01 pm

Already lost my WoW account, but I can't find the keylogger. Everything I scan with comes up negative, including those listed previously as being able to find it.

The file kbass1p.dll (filesize 15872 bytes) exists on my machine under C:\Windows\system32, and is now causing explorer.exe to crash while using iexplore.exe. I looked it up in Process Explorer, and it's literally hooked into everything. I would remove it using the Windows Recovery Console, but I'm thousands of miles from home where the Windows CD is. The memory strings are more than a bit suspicious: "accountName" "password" "FsecretQuestionAnswer". I don't have lese*.exe on my machine however, and no individual running process is something I don't recognize.

Here's the HJT:

HJT log removed by moderator. Please do not post HJT logs anywhere on CastleCops except in our HJT forum. You must also join as a member to post in that forum.

Is this dll the likely problem? And how do I go about deleting it?

Sugarlady
Guest
IP: 69.42.*.*

PostPosted: Sun Dec 16, 2007 1:23 pm
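The "memory strings" check described in the post above (looking inside a suspect DLL for words like "accountName" and "password") is the kind of triage that can be scripted rather than eyeballed in Process Explorer. The following is an added example written for this page, not code from the thread or from CastleCops; it imitates what a strings tool does (printable ASCII runs plus UTF-16LE runs, which Windows binaries use heavily) and flags runs that mention credentials. The byte sample is constructed to resemble a PE file carrying the strings the post mentions; it is not the real kbass1p.dll.

```python
import re

# Strings the thread reports seeing in kbass1p.dll's memory; compared
# case-insensitively against every run the extractor finds.
CREDENTIAL_KEYWORDS = ("accountname", "password", "secretquestionanswer")


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len
    characters, roughly as a 'strings' tool would list them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text is a printable ASCII byte followed by a NUL, repeated.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_credential_strings(data: bytes, min_len: int = 6) -> list:
    """Strings that mention account names, passwords or secret answers."""
    hits = []
    for s in extract_strings(data, min_len):
        low = s.lower()
        if any(k in low for k in CREDENTIAL_KEYWORDS):
            hits.append(s)
    return hits


def triage_file(path: str) -> list:
    """Run the check over a file on disk, e.g. a copy kept for analysis."""
    with open(path, "rb") as fh:
        return find_credential_strings(fh.read())


# Constructed sample: NOT the real kbass1p.dll, just bytes that imitate a PE
# file carrying the strings the thread mentions, one of them as UTF-16LE.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00\x01" * 16
    + b"This program cannot be run in DOS mode\x00\x00"
    + "accountName".encode("utf-16le") + b"\x00\x00"
    + b"password\x00"
    + b"FsecretQuestionAnswer\x00"
    + b"\xff\xfe\x00\x01"
)

if __name__ == "__main__":
    for s in find_credential_strings(SAMPLE_DLL):
        print("suspicious string:", s)
```

A genuine system DLL can legitimately contain the word "password" (credential UI code does), so a hit is a reason to submit the file for analysis, as the thread goes on to suggest, not proof by itself; the UTF-16LE pass matters because a plain ASCII-only search misses most strings in Windows binaries.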

Good news! I managed to delete it by terminating every process that was using it with Process Explorer (including Process Explorer itself) while keeping a command prompt up. The repeatable crashes and errors have stopped. I kept a copy of the file in case it was something necessary to re-register. Can I submit this file somewhere to people who would know what to do with it so it might not infect other people?

Sugarlady
Guest
IP: 69.42.*.*

PostPosted: Sun Dec 16, 2007 1:26 pm

Err... I should have mentioned: I got this by clicking a link on my realm forums for a "jpg" that had a frameset with a hidden frame which opened a url that ran a script. Was running IE.

tetak
MIRT Team Lead
Premium Member
Joined: Jan 19, 2007
Posts: 5864
MIRT Premium

PostPosted: Mon Dec 17, 2007 12:58 am

Please add the file (and any others you think may be malware) to a .zip file and upload them to this post.

If you know the URL you clicked on please post the url as well but replace http with hxxp so other users don't click on it by mistake.


sula_nebouxi
Cadet
Joined: Dec 06, 2007
Posts: 5
Location: USA

PostPosted: Mon Dec 24, 2007 5:44 am

My guard was down and I clicked one of these links. I realized my mistake and haven't logged on to WoW. The page didn't load long enough to show anything so I'm hoping I'm fine. I'm running some checks with avg to be sure though and I was using Firefox.

It seems the same story is being passed around the forums with the whole druid look.

The following links are being used (don't copy-paste!).

Here's the original thread, http changed to hxxp:

hxxp://forums.worldofwarcraft.com/thread.html?topicId=3547801357&sid=1

And here are the offending links:

hxxp://www.48304.cn/albums/x1/seymourseesmore/currentbearformsize.jpg
hxxp://www.48304.cn/albums/x1/seymourseesmore/proposalbearformlevel10size.jpg
hxxp://www.48304.cn/albums/x1/seymourseesmore/proposalbearformlevel70size.jpg
hxxp://www.48304.cn/albums/x1/seymourseesmore/shoulderarmor.jpg
hxxp://www.48304.cn/albums/x1/seymourseesmore/kittymalevs.female.jpg
hxxp://www.48304.cn/albums/x1/seymourseesmore/loldruid.jpg
hxxp://www.48304.cn/albums/x1/seymourseesmore/?action=view&current=superxxtrollshuntz.jpg
hxxp://www.48304.cn/albums/x1/seymourseesmore/?action=view&current=dyani.jpg

Are these redirects or are they piggybacking on the jpg itself? I'm trying to understand how these actually plant keyloggers onto your system and where they usually reside on the comp.

brewt
SIRT Handler
Premium Member
Joined: May 29, 2007
Posts: 792
Location: USA
MIRT Premium

PostPosted: Mon Dec 24, 2007 6:17 am
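To the question above of whether these are redirects or something in the jpg itself: the earlier posts in this thread describe the mechanism, a URL that ends in ".jpg" but actually returns an HTML page with a frameset, one frame showing a blog and a second, invisible frame pulling a page from another host that runs the script. That pattern can be checked mechanically. The following is an added example for this page, not code from the thread or from CastleCops: it parses a fetched page with the Python standard library, flags frames or iframes that are hidden (zero-size row/column in the frameset, zero width/height, or display:none) and that load content from a host other than the one the link pointed to, and separately flags an image URL that came back as text/html. The hostnames lure-host.example and payload-host.example and the sample HTML are constructed for the demonstration; fetching is left to the caller so the check runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")


def _is_zero(value):
    """True for size values such as "0", "0px" or "0%"; False for "*" or None."""
    if value is None:
        return False
    value = value.strip().lower().rstrip("px%")
    try:
        return float(value) <= 1
    except ValueError:
        return False


class FrameCollector(HTMLParser):
    """Collect every <frame>/<iframe> with a 'hidden' verdict for each."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self._framesets = []  # stack of {"spec": [sizes], "count": frames seen}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            if self._framesets:          # a nested frameset occupies a slot too
                self._framesets[-1]["count"] += 1
            # rows="*,0" or cols="100%,0": one size per child; a grid frameset
            # (rows and cols) is simplified here to its rows.
            spec = (a.get("rows") or a.get("cols") or "").split(",")
            self._framesets.append({"spec": [s.strip() for s in spec], "count": 0})
        elif tag in ("frame", "iframe"):
            slot = None
            if self._framesets:
                parent = self._framesets[-1]
                if parent["count"] < len(parent["spec"]):
                    slot = parent["spec"][parent["count"]]
                parent["count"] += 1
            self.frames.append({"tag": tag, "src": a.get("src") or "",
                                "hidden": self._hidden(a, slot)})

    def handle_endtag(self, tag):
        if tag == "frameset" and self._framesets:
            self._framesets.pop()

    @staticmethod
    def _hidden(a, slot):
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            return True
        return _is_zero(slot)  # zero-size row/column in the parent frameset


def analyze_lure(lure_url, content_type, html):
    """Return human-readable findings for a page fetched from lure_url."""
    findings = []
    parsed = urlparse(lure_url)
    mime = content_type.split(";")[0].strip().lower()
    if parsed.path.lower().endswith(IMAGE_EXTS) and mime == "text/html":
        findings.append("image URL returned HTML, not an image")
    collector = FrameCollector()
    collector.feed(html)
    for f in collector.frames:
        if not f["hidden"]:
            continue
        host = urlparse(f["src"]).hostname
        if host and host != parsed.hostname:
            findings.append("hidden %s loads off-site content from %s" % (f["tag"], f["src"]))
        else:
            findings.append("hidden %s loads %s" % (f["tag"], f["src"] or "(no src)"))
    return findings


# Constructed sample modelled on the thread's description: a ".jpg" link that
# serves a frameset with a visible blog frame and a zero-height frame from
# another host. Domains are placeholders, not real infrastructure.
SAMPLE_LURE_URL = "http://lure-host.example/albums/x1/user/screenshot.jpg"
SAMPLE_CONTENT_TYPE = "text/html; charset=gb2312"
SAMPLE_HTML = """<html><frameset rows="*,0" border="0">
<frame src="http://lure-host.example/blog.html" name="visible">
<frame src="http://payload-host.example/lese1.htm" name="hidden" noresize>
</frameset></html>"""

if __name__ == "__main__":
    for line in analyze_lure(SAMPLE_LURE_URL, SAMPLE_CONTENT_TYPE, SAMPLE_HTML):
        print(line)
```

So in the case the thread describes the answer is "redirect-like framing, not the jpg": the image file never exists, the URL serves HTML, and the hidden frame is what fetches the page that carries the exploit. The same two findings (wrong content type for an image URL, hidden off-site frame) are what a forum link filter or a proxy log review would key on; the page must be fetched in an isolated environment, not in a user's browser.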

[edit] removed potentially dangerous links.
submitting to mirt.

brewt
SIRT Handler
Premium Member
Joined: May 29, 2007
Posts: 792
Location: USA
MIRT Premium

PostPosted: Mon Dec 24, 2007 6:51 am

http://www.siteadvisor.com/sites/48304.cn
http://www.siteadvisor.com/sites/94564.cn
http://www.siteadvisor.com/sites/766598.com
http://www.siteadvisor.com/sites/cvcvdede.cn
I've already submitted a malicious file for SiteAdvisor evaluation for cvcvdede.cn using the following link

Quote:
hxxp://www.siteadvisor.com/sites/scarddlg.com/writeCommentsPre?flag=suggestedDownload&domain=domain.com&section=suggestedDownload&user=UNKNOWN&comments=

tetak
MIRT Team Lead
Premium Member
Joined: Jan 19, 2007
Posts: 5864
MIRT Premium

PostPosted: Mon Dec 24, 2007 2:37 pm

48304.cn seems to be offline now.


karthu
Cadet
Joined: Dec 28, 2007
Posts: 6
Location: USA

PostPosted: Fri Dec 28, 2007 9:25 am

I clicked on the same links as sula_nebouxi. I was wondering what course of action I should take...I've scanned using Norton, Spybot, and Ad-Aware. Ad-Aware was the only program to return anything, which I quarantined. I downloaded Windows Defender and ran that also, to no avail. I was using Firefox when the links were clicked. Just hoping for a response as to what I should do now to make sure I'm safe. Thanks in advance.

Page 3 of 4

 