*Compromised accounts* Potential Trojan

Technical Support
So here is an update.

I ran the MSinfo and found the Disker on it.

From Curse client, recent addons are Postal and Auctionator.

The only recent download is the Flash Player from Wowhead.

From my first post, Webroot and AVG did not show anything.
What's being done for those who are hacked?
You can see all the antiviruses which detect it already here:
https://www.virustotal.com/en/file/850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344/analysis/1388723212/

This includes Ad-aware, BitDefender, F-Secure, Ikarus, Mcafee, Panda, Symantec/Norton, TrendMicro-HouseCall & VIPRE.

These don't pick it up yet, but I've submitted the trojan to them:
AVG, Avast, ClamAV, Comodo, DrWeb, ESET/NOD32, F-Pro, Kaspersky, Malwarebytes, MSE, Norman, SuperAntiSpyware, Sophos, TrendMicro, nProtect.
________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech


Ressie, could you submit your info to Emsisoft please?

http://www.emsisoft.com/en/

How does McAfee update and track/find/identify a thing like this faster than Malwarebytes, SuperAntiSpyware, AVG AND Avast?
This is why I don't have Java enabled on a web browser and have removed my CC from Blizzard yet again; this is the 2nd time this month I have had to cancel my sub just to remove my details from their system. (Just in case is better than I should have been more careful.)

I don't have the trojan but will reformat over the weekend anyway.
Ressie,

I was able to follow all your manual deletion steps for the Disker file. Currently I am no longer finding any rundll32.exe file that says Disker when I hover over it in Process Explorer. When I started, my msinfo32 had 2 lines; now they are down to one. Has the Disker been resolved on my PC, or should I continue to wait for Kaspersky to remove the last line? I cannot get the last line removed.

Before your steps:
Disker rundll32.exe c:\users\jodys\appdata\local\temp\w_win.dll,dw Jodys-PC\Jodys Startup
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\Jodys Startup

After your steps:
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\JodysStartup
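The two startup entries quoted here share one tell: rundll32.exe is being used to load a DLL that lives in the user's temp folder, a location no legitimately installed startup program should load code from. The Python script below is an added example (not code from this thread, from Blizzard, or from any antivirus vendor) that scans a text dump in the shape of msinfo32's "Startup Programs" list and reports rundll32 entries whose DLL path sits in a temp directory. The sample entries are constructed for the example: the two Disker lines mirror the ones quoted above, and the other two are benign placeholders; the script assumes each line starts with the program name followed by its command line, and it only checks the path, so a match is a reason to investigate, not proof of infection on its own.

```python
import re

# Constructed sample in the shape of msinfo32's "Startup Programs" section
# (Program, Command, User, Location). The two Disker lines mirror the entries
# quoted in the thread; the last two are benign placeholder entries made up
# for contrast and do not come from any real machine.
SAMPLE_STARTUP = r"""
Disker rundll32.exe c:\users\jodys\appdata\local\temp\w_win.dll,dw Jodys-PC\Jodys Startup
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\Jodys Startup
ExampleTray "c:\program files\example\tray.exe" /minimized Jodys-PC\Jodys HKU\S-1-5-21-...\Run
ExampleCpl rundll32.exe c:\windows\system32\example.dll,OpenSettings Public HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""

# Matches "rundll32[.exe] <dll path>[,<export>]", with or without quotes
# around the path. Group 1 or 2 holds the DLL path, group 3 the export name.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"([^"]+?\.dll)"|([^",\s]+?\.dll))(?:,(\w+))?',
    re.IGNORECASE,
)


def is_temp_path(path: str) -> bool:
    """True when the path points into a temp directory (case-insensitive)."""
    p = path.lower().replace("/", "\\")
    return "\\temp\\" in p or "\\tmp\\" in p or "%temp%\\" in p


def parse_startup_lines(text: str):
    """Split each non-empty line into the program name and the rest of the row.

    Assumption: the program name is the first whitespace-delimited token,
    as in the sample above; names containing spaces would need a tab-aware
    parser instead.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        program, _, rest = line.partition(" ")
        entries.append({"program": program, "rest": rest})
    return entries


def find_suspicious_rundll32(text: str):
    """Return rundll32 startup entries whose DLL is loaded from a temp folder."""
    hits = []
    for entry in parse_startup_lines(text):
        m = RUNDLL_RE.search(entry["rest"])
        if not m:
            continue  # not a rundll32 launch at all
        dll = m.group(1) or m.group(2)
        export = m.group(3)
        if is_temp_path(dll):
            hits.append({"program": entry["program"], "dll": dll, "export": export})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rundll32(SAMPLE_STARTUP):
        print(f"SUSPICIOUS: {hit['program']} loads {hit['dll']} (export {hit['export']})")
```

Run against the sample, it reports both Disker entries and stays quiet on the two benign placeholders, because `example.dll` lives under `system32` rather than a temp folder. On a real machine you would paste in the exported "Startup Programs" list; anything the script flags is a reason to look at the DLL with an up-to-date scanner and to check the Startup folder and Run keys it came from, not a verdict by itself.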


I know you asked Ressie, but Ressie may have gone to bed by now, and I thought you should have an answer. Hopefully Ressie will confirm later and provide more info, but until then:

I suggest you do not assume your system is safe while that line is still on your pc.

Uhm, the trojan hasn't actually breached their systems... it just sits on YOUR COMPUTER AND replaces their client with a fake version that swipes your login info. Your CC number is stored on a separate database. Correct me if I'm wrong. Either that, or it swipes it in a 60 second time frame and uses it to log in while disconnecting you. I might be getting the trojan and the MITM attack mixed up.


I don't really know what to think with the topics about someone taking down Battle.net, and today getting disconnected like it was maintenance day with no warning, and now the topic on GM that directed me here.
This also sounds like they figured out the way around the authentication, and that Blizzard needs to revamp their approach to the algorithm used to generate numbers.

What will Blizzard be doing about the authentication being cracked?
They didn't crack anything. If they did, there would be a much larger problem than just WoW accounts getting hacked.


The authentication numbers are "randomly generated" only... now all the hackers seem to need to get in is one of the numbers from your authenticator, and they somehow can then get in. The numbers expire quickly. So how is it they are getting in after the number has expired?
Can I be affected if I haven't played for 2-3 days??

Do we need to be connected for our account to be infected??
Yikes, I just downloaded some addons a couple of days ago. I checked the "startup programs" section in the MSinfo file and luckily no Disker or Disker64 was found on both of my computers.

Hope this gets resolved soon, sounds nasty.
A nicer explanation is actually here -> http://en.wikipedia.org/wiki/Man-in-the-middle_attack
01/03/2014 04:30 AM Posted by Banshih
The authentication numbers are "randomly generated" only... now all the hackers seem to need to get in is one of the numbers from your authenticator, and they somehow can then get in. The numbers expire quickly. So how is it they are getting in after the number has expired?


The attack appears to work by swiping the login credentials (authenticator included) right as they're entered, then immediately using that information to log you in elsewhere. Basically, the information you're typing in isn't sent to Blizzard's servers; your login info is going to wherever the attacker has decided it will go.
[quote]

Before your steps:
Disker rundll32.exe c:\users\jodys\appdata\local\temp\w_win.dll,dw Jodys-PC\Jodys Startup
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\Jodys Startup

After your steps:
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\JodysStartup [/quote]

I suggest you do not assume your system is safe while that line is still on your pc.


Sorry guys, I took off to bed last night; I was wiped.
Jody, you do still have 1 of the 2 files, so you're still affected. Can you retry the steps for the 2nd file, making sure to do the delete with SuperAntiSpyware for w_64.dll?
I've removed a trojan before, for those of you who don't know how. Once you notice it popping up (it's quite obvious when it does), restart your computer and run it in safe mode. Once you've done this, turn on Task Manager and look for something with Win32 on it (could be the other file they've stated here). Do not end the process; instead go to the file's containing folder and remove all the files and permanently delete them.

This should fix your problem with the trojan. If you still have problems, try locating the other item that the blues have stated.


This is stupid and highly dangerous. There are multiple legit files and folders in a Windows installation that have "Win32" in their name and deleting such files could harm your system. The person I am quoting is either ignorant or a troll.
Perfect example of why you should never trust anyone to automatically install anything on your computer, including Curse (or someone possibly posing as Curse). If you don't understand the technical details, the added convenience isn't worth the hassle. Always get your addons from a reputable location and update them manually, so you know what's going on in your own computer system.
