
Thread: Has your account been hacked? Read here.

  1. #1
    Shadowlander
    Join Date
    Jan 2011
    Posts
    38

    Has your account been hacked? Read here.

    I've found a trojan on my system that I believe is related to the accounts being stolen in Rift. I'm going to give you a step-by-step guide on how to get rid of this, and similar, garbage. Read and print out these instructions before attempting to do anything. If you aren't sure what you're doing, don't do anything. I accept no responsibility if you **** something up. This is do-at-your-own-risk.

    First things first, I suggest you download these:
    Malwarebyte's Anti-Malware: http://www.malwarebytes.org/
    Dr. Web CureIt: http://www.freedrweb.com/cureit/?lng=en
    Dr. Web Live CD: http://www.freedrweb.com/livecd/?lng=en (optional)
    UnHackMe: http://www.greatis.com/unhackme/download.htm
    MSE: http://www.microsoft.com/security/pc-security/mse.aspx

    You may be asking, "Why do I need so many things? Shouldn't any anti-virus software work!?" No! These programs all provide a very different service, and should be used as they are designed to. Additionally, no anti-virus software will detect every virus (even if you keep up to date). Instead, we're going to work at the root of the problem and prevent the malware from running to begin with.

    Now, about the trojan itself. The trojan will actually be hidden from you and difficult to remove. This is because you probably have a rootkit installed. A rootkit subverts the kernel (the Windows OS core, in this case -- I doubt any of you are playing under Linux yet) and may actually prevent the OS itself from seeing files or performing certain actions. Many trojans rely on rootkits to hide themselves and allow them to perform successfully. This particular trojan works as a backdoor, allowing the attacker to install additional malware onto your system without your knowledge. Among them is another piece of malware which is responsible for logging information (i.e. your email/password). After some time, a new process is launched that will actually upload the logged information to (one of) the attacker's server(s).

    The first thing you should do is install UnHackMe. Once installed, open it up and click 'Check Me Now!' It will state that there is no trojan found; this is fine. Very rarely will it actually find anything at this stage. You should now see a window that gives you three options. Choose 'Scan for Malware...' Now, you'll have an additional 3 options. Select 'Scan Windows Startup...', and when it asks you to reboot your system, do so using the button in the bottom left of the window.

    Once you have restarted and logged in, a subset of UnHackMe will scan your startup programs and report any unknown software as well as known malware. Do not be alarmed if something is found! It will give many false positives. You should select "Get It Out!" for anything that resides in the 'Windows' folder (including 'system32', 'SysWOW64', etc.) and the 'User' folder ('C:/Documents and Settings/Username/' [which is aliased to 'C:/Users/...' in Vista and 7] and similar) unless you are absolutely certain that it is legitimate. You might also have entries from 'Program Files' and 'Program Files (x86)'. You can be a bit more relaxed with those, as viruses typically don't make use of those paths (but expect a lot of malware from 'ProgramData'); however, you should still "Get It Out!" on anything suspicious, especially something with a very strange name such as "x8sdf900.exe". After you've gone through everything, you'll be asked to restart again to delete anything suspicious. Do so.
    In this step, I found 2 hidden drivers (.sys files) in the 'SysWOW64' directory, as well as some other arbitrary garbage. The names of these files will most likely be random, so I cannot tell you what to expect.

    Now, hopefully, you're back at your desktop. Go ahead and run Dr. Web's CureIt! It'll run in a protected environment that prevents you from doing anything in the background, so you'll have to find something else to do while waiting. First, do the essential scan (or whatever it is called), and then the complete scan (even if the basic scan finds nothing). Move anything that it finds that you aren't absolutely certain is legitimate.
    In this step, I found one infected file: C:\Documents and Settings\USERNAMEHERE\AppData\Local\instschedule.exe
    It was a 'normal' executable with the infection concatenated to the file.
    You may also see mention of 'KMS.exe', 'KMS Schedule.exe', or similar variants.

    You may again be asked to restart your computer. Do so.


    Hopefully, by this point, you've removed or at least hindered the underlying rootkit. You should now boot into safe mode with networking (press F8 while Windows is starting; but do so after your BIOS or it may ask you to select a boot device). Install Malwarebyte's Anti-Malware and update it. Now, perform a complete scan. Now that the rootkit isn't hiding the trojans, you'll probably actually find something. Allow it to remove anything that you are not certain is legitimate. Restart again (this time into normal mode).

    Install Microsoft's Security Essentials. Now, very rarely will you actually see me promoting a Microsoft product, but I actually have to give credit to MS for this one. It actually does something without being a resource hog, intrusive, and annoying to use. Go ahead and let it run a complete scan, as well.

    If you decided to download the Dr. Web Live CD, go ahead and burn it to a disk now and pop it in. Restart your computer and allow it to run from the disc. Dr. Web's Live CD is a minimalist Linux-based environment that provides virus scanning. Why are we doing this? Because you are potentially infected with a Windows-based virus and we may want to avoid scanning for viruses within an infected Windows environment where said infection could prevent us from removing it. Simple as that. This is recommended for advanced users only. It's ridiculously easy to use (provided you're not a complete idiot), so I won't give further instructions here.

    Now, boot into your normal Windows setup again. Open the registry editor (Start->Run, type regedit [Windows XP and older], or just click the Start button and type regedit under Vista and 7).
    Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    Delete EVERYTHING inside here. Yes. Everything. They are not necessary and will only slow your computer down. {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (if you have this) will make mention of 'WormRadar' but do not be alarmed; this is actually part of AVG's link scanner.

    Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Delete everything that you aren't certain is legitimate. Yes, this includes things in the Windows directory. Everything inside this registry location can be deleted safely. It only controls which programs start up with Windows. Do the same for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    Look for a key named 'explorer.exe' If it exists, delete it!

    You can now close the registry editor. Now, open Explorer (Start->Computer, My Computer, whatever you want to do). Go to C, then Windows. At this point, change your folder view options to display extensions (if you haven't already). To do this, go to Tools->Folder Options (Under Windows 7, you need to press the ALT key to display this menu at the top of the window). Click the 'View' tab and look below to find the 'Show hidden files, folders, and drives' and make sure it is checked. Look for 'Hide extensions for known file types' and make sure it is unchecked. Click OK, and you'll be back in the Windows directory. Look for 'explorer.exe' (Just select any file/folder and begin typing 'expl'; it should automatically bring you down to the correct file). If you see any mention of 'explorer.bat' or 'explorer.lnk', DELETE THEM! There should only be 'explorer.exe'.

    I would go ahead and do one last boot scan with UnHackMe to make sure you got everything at this point.

    You should, hopefully, now be all clean. You can now uninstall UnHackMe, but you are recommended to keep the other installed software. You should, of course, now change your Rift password. If you have any questions or concerns, let me know.
    Last edited by Anajansi; 03-09-2011 at 02:53 AM.
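Added example, not part of the original post and not code from any of the tools it links: a read-only PowerShell audit of the same autorun locations the guide has you clean by hand in regedit and Explorer (the HKLM and HKCU Run keys, the Browser Helper Objects key, the Image File Execution Options key for explorer.exe, and any explorer.bat/explorer.lnk sitting next to explorer.exe). It resolves each entry to a file, checks whether the file exists and carries a valid Authenticode signature, and flags targets under the profile, ProgramData and Windows trees, mirroring the post's "Get It Out!" advice. The list of risky roots and the random-looking-name heuristic are this example's own choices, not something the post or UnHackMe defines. Nothing is deleted; you read the table and decide.

```powershell
# Added example (not from the original post or the tools it links).
# Read-only audit of the autorun locations the guide has you clean by hand.
# Run from an elevated PowerShell prompt; written for PowerShell 2.0+ so it
# works on the XP/Vista/7 systems the thread is about.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit entries on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$BhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'

# Directories the post treats as high-risk for startup entries. This list is
# the example's own choice (assumption), mirroring the post's advice.
$RiskyRoots = @( @($env:USERPROFILE, $env:ProgramData, $env:SystemRoot,
                   'C:\Documents and Settings', 'C:\Users') |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() } )

# Pull the program path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /tray    or    C:\Windows\x8sdf900.exe -s
function Get-TargetPath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|dll|bat|cmd|scr|pif|vbs|js))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function New-AutorunRecord([string]$Location, [string]$Name, [string]$Command) {
    $target = Get-TargetPath $Command
    if (-not $target) {
        return New-Object PSObject -Property @{ Location = $Location; Name = $Name; Target = '';
                                               Flags = 'no target path (empty value or unregistered CLSID)' }
    }
    $flags = @()
    $sig   = 'n/a'
    if (-not (Test-Path -LiteralPath $target)) {
        $flags += 'target file missing'
    } else {
        # Unsigned or tampered binaries in a startup location deserve a close look.
        $sig = (Get-AuthenticodeSignature -FilePath $target).Status
        if ($sig -ne 'Valid') { $flags += "signature: $sig" }
    }
    $lower = $target.ToLower()
    foreach ($root in $RiskyRoots) {
        if ($lower.StartsWith("$root\")) { $flags += 'lives under a profile/ProgramData/Windows path'; break }
    }
    # Heuristic (assumption) for names like x8sdf900.exe: letters and digits mixed, not validly signed.
    $leaf = Split-Path -Path $target -Leaf
    if ($sig -ne 'Valid' -and $leaf -match '^[a-z0-9]{6,}\.' -and $leaf -match '\d' -and $leaf -match '[a-z]') {
        $flags += 'random-looking file name'
    }
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; Target = $target;
                                    Flags = ($flags -join '; ') }
}

function Get-AutorunAudit {
    $records = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $records += New-AutorunRecord $key $p.Name ([string]$p.Value)
        }
    }
    # Each BHO subkey is a CLSID; the DLL it loads is HKCR\CLSID\{clsid}\InprocServer32.
    if (Test-Path $BhoKey) {
        foreach ($sub in Get-ChildItem -Path $BhoKey) {
            $clsid = $sub.PSChildName
            $dll = ''
            foreach ($hive in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
                $srv = "Registry::$hive\$clsid\InprocServer32"
                if (Test-Path $srv) { $dll = [string](Get-ItemProperty -Path $srv).'(default)'; break }
            }
            $records += New-AutorunRecord 'BHO' $clsid $dll
        }
    }
    # The shell binary itself, plus any explorer.bat / explorer.lnk sitting next to it.
    $records += New-AutorunRecord 'Shell' 'explorer.exe' (Join-Path $env:SystemRoot 'explorer.exe')
    foreach ($f in Get-ChildItem -Path (Join-Path $env:SystemRoot 'explorer.*') -Force) {
        if ($f.Extension -ne '.exe') { $records += New-AutorunRecord 'Shell look-alike' $f.Name $f.FullName }
    }
    # An IFEO "Debugger" value for explorer.exe redirects every shell launch to another binary.
    if (Test-Path $IfeoKey) {
        $dbg = [string](Get-ItemProperty -Path $IfeoKey).Debugger
        $records += New-Object PSObject -Property @{ Location = 'IFEO'; Name = 'explorer.exe';
                                                    Target = $dbg; Flags = 'Debugger hijack key present' }
    }
    $records
}

Get-AutorunAudit | Sort-Object Flags -Descending | Format-Table Location, Name, Flags, Target -AutoSize -Wrap
```

Entries with an empty Flags column are signed, present, and outside the risky roots; everything else is what the post tells you to weigh before deleting. Pipe the output through `Where-Object { $_.Flags }` to see only the flagged rows, and remember that a valid signature is a point in favour of an entry, not proof of innocence.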

  2. #2
    Soulwalker Kazed
    Join Date
    Dec 2010
    Posts
    11


    /signed, informative thread.

    And since I have heard of quite a few getting hacked, they should check this out, though I don't get how stupid people are online nowadays, always clicking way too much **** online.

  3. #3
    Plane Touched infinity
    Join Date
    Jan 2011
    Posts
    226


    Thanks OP for this post, it looks extremely helpful for people being hacked, which is worrying me: how many people are being hacked at the moment? Hopefully it's not as widespread as it seems.

  4. #4
    Shield of Telara
    Join Date
    Jan 2011
    Location
    Canada
    Posts
    685


    Hah, go figure.
    Tried this on my laptop that I use for sinister things and nothing on it.

    Do it on my gaming computer.
    "MALWARE HAS DETECTED 1 BAD FILE SO FAR"
    30 seconds later
    "MICROSOFT SECURITY ESSENTIALS WASN'T PERFORMING A SCAN, BUT WE FOUND A BAD FILE. JUST SO YOU KNOW"

    >.> Srsly...fricken security essentials lol guess it only finds bad files when running other virus software that finds it -.-

    Thanks for the thread mate and /bump.

  5. #5
    Shadowlander
    Join Date
    Jan 2011
    Posts
    38


    Quote Originally Posted by scfs123 View Post
    Do it on my gaming computer.
    "MALWARE HAS DETECTED 1 BAD FILE SO FAR"
    30 seconds later
    "MICROSOFT SECURITY ESSENTIALS WASN'T PERFORMING A SCAN, BUT WE FOUND A BAD FILE. JUST SO YOU KNOW"
    MSE provides a background scanner that checks things on-access as well as slowly creeping through potential hotspots. What you are describing is pretty common, actually. Had you already done a complete scan with MSE? If so, then it's quite possible that it was a new file (probably either freshly downloaded or extracted from an already-infected executable).

  6. #6
    Shield of Telara
    Join Date
    Jan 2011
    Location
    Canada
    Posts
    685


    Quote Originally Posted by Anajansi View Post
    MSE provides a background scanner that checks things on-access as well as slowly creeping through potential hotspots. What you are describing is pretty common, actually. Had you already done a complete scan with MSE? If so, then it's quite possible that it was a new file (probably either freshly downloaded or extracted from an already-infected executable).
    Nah, I hadn't done a full scan in a while. Just found it cute that it popped up when the malware scanner found it heh.
    Used the scans you listed here since my Hotmail got busted and spammed people, was very helpful^^

  7. #7
    Champion Linfang
    Join Date
    Jan 2011
    Location
    Toledo, OH
    Posts
    485


    Nice post, should help people out greatly.
    Online since 1994. MajorMud, UO, EQ 1/2, AC 1/2 DAOC, Earth and Beyond, Anarchy Online, Horizons, SWG, Lineage 2, WoW, LOTR, Pirates of the Burning Sea, Star Trek Online, RIFT!

  8. #8
    Rift Disciple
    Join Date
    Feb 2011
    Location
    Nebraska
    Posts
    162


    Quote Originally Posted by Linfang View Post
    Nice post, should help people out greatly.
    You would think so wouldn't you.

    As someone who frequently has to "fix" friends' computers, I can tell you people do not read things that are helpful to them. They will read that 50-page QQ about what class is OP, but internet security? Hell no, that's for nerds.

  9. #9
    Rift Chaser Elite Seraph
    Join Date
    Feb 2011
    Posts
    335


    /bump for great justice.

    Really, people need to start taking responsibility for their own computers and actions.

    It's a pain in the *** to prevent yourself from being hacked. But it's a hell of a lot less of a pain than actually being hacked.

    Oh, and further /bump for MORE justice because of this quote:

    I accept no responsibility if you **** something up. This is do-at-your-own-risk.
    Last edited by Elite Seraph; 03-09-2011 at 05:47 AM.

  10. #10
    Rift Disciple
    Join Date
    Jan 2011
    Posts
    90


    I haven't been hacked and don't anticipate that happening (knock on wood) but this is a very good guide for people who have been hacked or just want to be proactive about their computer security but don't know where to start. Five stars for you.

    P.S. It may be worth mentioning that the Dr. Web LiveCD is thorough but extremely slow (you probably want to let it run overnight. And sleep in). It's a fantastic product, but I normally try the Kaspersky rescue disk first and break out the big guns if that doesn't find anything.

  11. #11
    Ascendant Cascadesbiker
    Join Date
    Jan 2011
    Location
    Edmonds, WA
    Posts
    1,990


    I scanned my system a while back and I found that I got some sort of malware from Curse and their installer


  12. #12
    Telaran
    Join Date
    Dec 2010
    Posts
    95


    Quote Originally Posted by Cascadesbiker View Post
    I scanned my system a while back and I found that I got some sort of malware from Curse and their installer

    The issue back then wasn't the Curse installer, it was the Flash ads, since there was a Flash exploit and one of the ads was infected. There was just a release to update Adobe Flash to 10.2 a week or two ago, in fact, to address the exact same security issue that caused the hackings with Curse last year.

    So, to sum it up: make sure your Adobe Flash Player is up to date with 10.2, update Firefox also if you use that, and run Adblock Plus.

  13. #13
    Rift Disciple Chaddada
    Join Date
    Jan 2011
    Posts
    136


    Good post man. There are lots of people out there who don't know how to protect themselves online.
    {Emberlord}{Defiant} < Pheonix > - Savage, the warrior.

  14. #14
    Plane Touched
    Join Date
    Jan 2011
    Posts
    233


    I shall investigate the details here IF I can bring myself to not play for a few hours. Tough call =/
    Bloodiron EU PvP
    ==========
    Kink - 50 Warrior
    Gg - 3X Rogue
    Duke - Mage

  15. #15
    Shadowlander Emberfly
    Join Date
    Feb 2011
    Location
    Texas USA
    Posts
    44


    Thanks for the informative post

    My account hasn't been compromised, but I'll run the scans anyway just to be on the safe side. Sad the game has only been out a week, and already so many have had their accounts hacked. I know people have to take responsibility for the safety of their account and not visit suspicious gaming sites, download third-party addons, blah blah... still, it seems Trion must have left quite a few gaps in their security.
    Last edited by Emberfly; 03-09-2011 at 09:50 AM.
    "Time is the fire in which we burn." ~ Gene Roddenberry
