*Compromised accounts* Potential Trojan

(Locked)

MVP - Technical Support
100 Human Priest
15900
I always downloaded it right from the website, never have downloaded it anywhere else.


Awesome.

Some have been talking about a bad ad on wowhead pushing something as well. I know they've had a few recently, and are still attempting to track 'em down. If you get an 'update flash' popup while on wowhead, make sure to click no.
________________________________________________
WoW Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
86 Dwarf Warrior
0


Thank you.

When I get home I'll do a thorough search for it.

If I find it, before I delete it... Do you guys need any info on my computer BEFORE it's deleted? Do you want a screen shot or copy of the MSinfo?


Check the MSInfo, and if you have both, can you run an updated malwarebytes scan to see if it picks up both copies, or just the Disker64? Thank you! :)

If you do have it, and MBAM doesn't remove Disker (but did remove Disker64), come visit us in IRC, and we'll grab it from your system, and submit it to the AVs. :)
________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech


Sounds great. I get off at 7 central time, be home around 7:30 and I should have an update at around 7:45.
72 Night Elf Druid
0
01/03/2014 09:03 AM Posted by Ressie
I always downloaded it right from the website, never have downloaded it anywhere else.


Awesome.

Some have been talking about a bad ad on wowhead pushing something as well. I know they've had a few recently, and are still attempting to track 'em down. If you get an 'update flash' popup while on wowhead, make sure to click no.
________________________________________________
WoW Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech


I've gotten the update flash popup while on wowhead. I never did click yes, because I have common sense. :P

AVG also says I'm clean of all viruses.
Edited by Longshoot on 1/3/2014 9:05 AM PST
90 Night Elf Hunter
10920
I HAVE NOT downloaded anything for my WoW account other than the Curse Client, right from the website. What is the percent chance I'm infected?


Go to the first post in this thread and follow the instructions that tell you how to determine whether you're infected.
MVP - Technical Support
100 Human Priest
15900
It is also attached to a Wowmatrix download as I do not use the Curse Client/downloader


Good to know as well. Thank you!
________________________________________________
WoW Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
72 Night Elf Druid
0
I have not had any strange activity on my account since this "virus" started, and I've logged in plenty of times.
72 Night Elf Druid
0
I just looked at the startup programs part of MSinfo, and I don't have the trojan. ^_^

Exact words:

[Startup Programs]

Program Command User Name Location
CurseClientStartup curseclientstartup.ccip VALINNISLAPTOP\Dorris Startup
AVG-Secure-Search-Update_1213b c:\users\dorris\appdata\roaming\avg 1213b campaign\avg-secure-search-update-1213b.exe /prompt /mid=705b95915e8447d39dc6ed3ea0937d69-1b16dd2f627b0c467ac81abe7d6bccc5a16e83db /cmpid=1213b VALINNISLAPTOP\Dorris Startup
Edited by Longshoot on 1/3/2014 9:11 AM PST
100 Dwarf Death Knight
7815
Great job guys!
I just checked and I don't have it.

FYI I have the proper Curse Client, installed it months, if not a year ago and I ran a full addon update right around Christmas.
Logged in a few times to get Merrymaker and no issue.

I'm running Norton full scan right now just to be safe.
And on a related note, I see a lot of you mention Malwarebytes. I've never run it, but is it considered better than SuperAntiSpyware?
Support Forum Agent
I just wanted to say thanks to Blizz and the MVPs for working so hard to fix this problem. I'll keep an eye on my system too.


Our pleasure!

To summarize for those of you that haven't read the green posts:

-The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.

-At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.

-Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.

-If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).

-For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sorts of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!
Edited by Kaltonis on 1/3/2014 10:24 AM PST
100 Night Elf Priest
10555
Ressie,

I have updated and run Malwarebytes and I have both 32 and 64 versions and it has removed them both!!!!! I want to thank you for all your help you saved me hours of reformatting!

Before run
Disker rundll32.exe c:\users\jodys\appdata\local\temp\w_win.dll,dw Jodys-PC\Jodys Startup
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\Jodys Startup

After Malwarebytes
Unable to find Disker
100 Undead Mage
7075
01/03/2014 09:03 AM Posted by Ressie
I always downloaded it right from the website, never have downloaded it anywhere else.


Awesome.

Some have been talking about a bad ad on wowhead pushing something as well. I know they've had a few recently, and are still attempting to track 'em down. If you get an 'update flash' popup while on wowhead, make sure to click no.


Ressie all I have to say is that you, and the entire support team you enjoy (both from the community and from Blizzard) ROCK.

I am 99% certain I do not have this virus (no way for anyone to be 100% sure of any malware infections anymore), and really do not follow your recommendation that you gave in what I quoted. I feel much safer when a website issues an update box to kill the web browser process rather than clicking ANYTHING on the popup box. It is possible to hijack the code in a popup so that when "no" is clicked it installs the malware anyway.
What I do requires knowing the executable for the web browser I use.
Ctrl+Alt+Del, find the web browser process, "End Task".
It makes me feel much safer (I guess you could say I am extremely paranoid).
MVP - Technical Support
100 Human Priest
15900

I am 99% certain I do not have this virus (no way for anyone to be 100% sure of any malware infections anymore), and really do not follow your recommendation that you gave in what I quoted. I feel much safer when a website issues an update box to kill the web browser process rather than clicking ANYTHING on the popup box. It is possible to hijack the code in a popup so that when "no" is clicked it installs the malware anyway.
What I do requires knowing the executable for the web browser I use.
Ctrl+Alt+Del, find the web browser process, "End Task".
It makes me feel much safer (I guess you could say I am extremely paranoid).


Very very true. Wasn't thinking about that. :)
________________________________________________
WoW Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
86 Dwarf Warrior
0
Okay, I do not have it.

Thanks for the in depth guide to root it out.
100 Dwarf Warlock
10260
Just had a reply from techs at Emsisoft Anti-Malware. They had dealt with this well before I notified them of it. :)

Best $40 for software I ever spent.
Edited by Caolela on 1/3/2014 11:17 AM PST
I sent this information to Webroot, the antivirus software I use. They sent me a reply which may help others:

Hello,

We can catch all Trojans without issue. I am a little perplexed as to why they stated that no AV can catch/remove it. However, just the name of the file and its directory location is not nearly enough for us to verify that we detect it; however, it is very suspicious, and any file that meets that criteria will get detected. The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. As long as you use the regular Curse website for your addons you should be just fine.

Let us know if you have any further questions.

Thank you,
Webroot Advanced Malware Removal Team
90 Draenei Mage
11770
Since I mentioned it earlier in this thread ( http://us.battle.net/wow/en-us/forum/topic/11041384892?page=3#59 ) I thought I'd go ahead and post a bit more info that I dug up.

By switching some filters, I was finally able to locate the archived high-risk intrusion attempt I mentioned in my AV program. It occurred while browsing Wowhead on 12/23/2013 -- I'm not positive I understand the details about the attempt but, to a layman, it does indeed appear to have come from an ad.
90 Undead Mage
20375
I would like to know if I'm safe or not.

I've used the method about using the Windows Key + R and typed in Disker/Disker64 and it didn't find anything. I've run an AVG scan about 3 times now and it found zero threats. Also, I haven't downloaded anything from Curse in about 1 week now, nor have I accepted anything that would download to my computer from Wowhead. Is there anything else that I should do to protect my account? Thanks.
86 Dwarf Warrior
0
I would like to know if I'm safe or not.

I've used the method about using the Windows Key + R and typed in Disker/Disker64 and it didn't find anything. I've run an AVG scan about 3 times now and it found zero threats. Also, I haven't downloaded anything from Curse in about 1 week now, nor have I accepted anything that would download to my computer from Wowhead. Is there anything else that I should do to protect my account? Thanks.


When you do Windows + R you need to type out 'msinfo32' then click Run.

Then save it to your desktop, then Ctrl + F in that text file to search for 'disker'.
Does anyone know how recent this is? I've had Curse installed for a while now, so I don't expect to be subject to any malware related to it, but you never know how long it's been going on.
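The check above is a manual Ctrl+F through the msinfo32 text export. As an added example (not from this thread, and not from any tool named in it), the script below parses the [Startup Programs] section of such an export and flags the entries this thread reports, plus the more general pattern behind them, rundll32 loading a DLL out of a temp folder; the sample report, machine name and user name are constructed.

```python
import re

# Constructed sample of an msinfo32 .txt export. Real exports separate the
# columns with tabs; the two "Disker" lines mirror the ones posted in the thread,
# with a made-up machine and user name.
SAMPLE_MSINFO = """[Startup Programs]

Program\tCommand\tUser Name\tLocation
CurseClientStartup\tcurseclientstartup.ccip\tEXAMPLE-PC\\User\tStartup
Disker\trundll32.exe c:\\users\\user\\appdata\\local\\temp\\w_win.dll,dw\tEXAMPLE-PC\\User\tStartup
Disker64\trundll32.exe c:\\users\\user\\appdata\\local\\temp\\w_64.dll,dw\tEXAMPLE-PC\\User\tStartup

[Services]
"""

# Startup names the thread reports for the fake Curse Client trojan.
KNOWN_NAMES = ("disker",)
# rundll32 being told to load a DLL that lives under any "...\temp\" directory.
TEMP_DLL = re.compile(r"rundll32(\.exe)?\s.*\\temp\\[^\s,]+\.dll", re.I)


def startup_entries(report: str) -> list[dict]:
    """Return the rows of the [Startup Programs] section as dicts keyed by column header."""
    rows, in_section, header = [], False, None
    for line in report.splitlines():
        if line.startswith("["):                      # a new section begins
            in_section = line.strip().lower() == "[startup programs]"
            header = None
            continue
        if not in_section or not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        if header is None:                            # first row is the column header
            header = [c.lower() for c in cols]
            continue
        rows.append(dict(zip(header, cols)))
    return rows


def suspicious(entry: dict) -> list[str]:
    """Reasons an entry deserves a look; an empty list means nothing was flagged."""
    reasons = []
    if entry.get("program", "").lower().startswith(KNOWN_NAMES):
        reasons.append("startup name matches the Disker/Disker64 entries reported here")
    if TEMP_DLL.search(entry.get("command", "")):
        reasons.append("rundll32 loading a DLL from a temp directory")
    return reasons


def scan(report: str) -> dict[str, list[str]]:
    """Map each flagged startup program name to the reasons it was flagged."""
    return {e["program"]: r for e in startup_entries(report) if (r := suspicious(e))}


if __name__ == "__main__":
    for prog, why in scan(SAMPLE_MSINFO).items():
        print(f"{prog}: {'; '.join(why)}")
```

Save the export as a .txt file and pass its contents to scan() to check your own machine.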
90 Undead Mage
20375
Just did that for Disker/Disker64 and it didn't find anything :)