Mobile Authenticator Issue after Compromise

90 Human Priest
13310
While I can offer little in regards to the specific issue at hand, I do want to say I feel for you! I was a victim of a man-in-the-middle attack as well, and it's not fun. That being said, if you haven't, I would still change your email password; if they were able to get through your authenticator, your email (if you ever logged into it from there anyway) is absolutely not safe.

Good luck!
43 Pandaren Monk
11875
There is malware that interrupts the client and makes it appear that your authenticator is not working. Then you remove it and they are able to hack into your account. This would only apply to in-game logging in and not account management or the forums. This is probably what is happening, especially after trying two different authenticators, and after having Orlyia try to nudge the account. Sometimes it does take the game authentication system a little while to catch up to the account management when changing a password. However, I would assume here that you probably have not caught the source and cleaned your computer thoroughly to get rid of this malware/virus.
Support Forum Agent
Tibbz,

I don't know if you are still checking this thread - but I need you to check your email for some correspondence. Still trying to get this ironed out.

Thanks!
90 Tauren Paladin
6930
I've been able to log on using a laptop that I downloaded WoW on last night. So apparently there is still something on my computer.

I haven't received any additional emails from you, only a response from a GM that "answered" my ticket. So I assume my email has been compromised as well, and that's extremely troubling since I use all of Gmail's security features.

I ran Malwarebytes AND Spybot S&D... again. This time, using a technique I found on the forums, I opened WoW, typed random letters in the password/email field, THEN ran Malwarebytes, only to find 15 objects it didn't see before, three of them being "Trojan.GamesThief".

I apologize for stating this was on Blizzard's end, but at the time, after exhausting all resources I had, it seemed the case.

I am currently in the process of removing these, and then re-securing my Gmail/Battle.net.

Would posting the logs here help in any way?
100 Human Paladin
15845
Yikes. That is a serious compromise.

I really hope everything gets ironed out for you. I know how frustrating it probably is, but you seem to be handling it quite well, and I commend you for your patience and willingness to work through the issue.

Good luck!
90 Tauren Paladin
6930
Thanks, Amorachhia. Don't get me wrong, I'm frustrated, but that is no reason to take it out on the Blizzard staff. They really have been here to help, and I know that if for some reason I end up getting compromised again while in the middle of doing all this, their staff will continue to help me the best they can.

But apparently this IS all on my end.

I'm just now trying to figure out how these malicious files got onto my computer. I suspect it has to be a child in the home. Apparently my 16-digit alphanumeric passwords aren't strong enough for them.

But I'll restate the question above for anyone that can answer: would posting the Malwarebytes log help in any way?
- Technical Support
12 Human Mage
9315
It can't hurt as long as there is no personal information in it. You are not the only one compromised this way, and unfortunately people are following advice to remove the "broken" authenticator and getting compromised as a result.

Letting people know to SCAN FIRST, as well as what to look for, may help prevent people from being tricked into removing the Auth.
90 Tauren Paladin
6930
OK, I'll post the log; it's pretty technical.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.20.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
<Censored> :: <Censored> [administrator]

12/20/2012 10:18:57 AM
Malwarebytes log.txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191716
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\William\AppData\Local\Temp\1289301.txt (Trojan.GamesThief) -> No action taken.

Registry Keys Detected: 4
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Configuring (Trojan.GamesThief) -> Data: rundll32.exe C:\Users\William\AppData\Local\Temp\1289301.txt,M -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Video Library (Trojan.Agent) -> Data: C:\Windows\system32\rundll32.exe C:\Users\William\AppData\Local\Temp\Rpcqt.dll,Sets -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\Program Files\Funmoods (PUP.FunMoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22 (PUP.FunMoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\bh (PUP.FunMoods) -> No action taken.

Files Detected: 5
C:\Users\William\AppData\Local\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\William\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\William\AppData\Local\Temp\1289301.txt (Trojan.GamesThief) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\escortShld.dll (PUP.FunMoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\FavIcon.ico (PUP.FunMoods) -> No action taken.

(end)


For reference, this log was saved BEFORE I removed the malicious files, hence "No action taken".

If for some reason a search brought you here because your authenticator isn't working in game only but is fine for everything else, it's most likely you have malware on your computer. DO NOT REMOVE YOUR AUTHENTICATOR. Contact Blizzard via a ticket/customer support and they'll walk you through the steps.
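An added example, not part of the original thread and not Malwarebytes' own code, that turns the "what to look for" advice and the log above into a check a responder can run over a Malwarebytes 1.x text log. It parses the detection lines and flags autorun (Run/RunOnce) registry values whose command launches rundll32 with a module from a user-writable directory, which is exactly the shape of the two Run entries in the log (one of them loading a ".txt" file as a DLL). The sample log is constructed from the lines posted above with the account name replaced by <user>; the ten-minute "short full scan" threshold is an assumed heuristic, not a Malwarebytes rule.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log for rundll32-based autorun persistence."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines copied from the first log posted in the
# thread, with the Windows account name replaced by <user>.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.65.1.1000
Scan type: Full scan
Objects scanned: 191716
Time elapsed: 4 minute(s), 29 second(s)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Configuring (Trojan.GamesThief) -> Data: rundll32.exe C:\Users\<user>\AppData\Local\Temp\1289301.txt,M -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Video Library (Trojan.Agent) -> Data: C:\Windows\system32\rundll32.exe C:\Users\<user>\AppData\Local\Temp\Rpcqt.dll,Sets -> No action taken.

Files Detected: 2
C:\Users\<user>\AppData\Local\Temp\1289301.txt (Trojan.GamesThief) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\escortShld.dll (PUP.FunMoods) -> No action taken.
"""

# One detection line: "<item> (<name>) -> [Data: <data> -> ]<action>."
DETECTION = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
# The module argument that follows rundll32[.exe], up to the ",EntryPoint" separator.
RUNDLL32_MODULE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+)', re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\|", re.I)
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Local Settings|ProgramData)\\", re.I)


@dataclass
class Finding:
    item: str      # registry key|value or file path as Malwarebytes printed it
    name: str      # detection name, e.g. Trojan.GamesThief
    reasons: list  # why this entry was flagged


def parse_detections(log: str) -> list:
    """Return every detection line as a dict with item, name, data, action."""
    return [m.groupdict() for m in (DETECTION.match(l.strip()) for l in log.splitlines()) if m]


def triage(log: str) -> list:
    """Flag autorun values that start rundll32 with a module from a user-writable path."""
    findings = []
    for d in parse_detections(log):
        if not AUTORUN_KEY.search(d["item"]):
            continue
        mm = RUNDLL32_MODULE.search(d["data"] or "")
        if not mm:
            continue
        module = mm.group("module").strip()
        reasons = ["autorun (Run/RunOnce) registry value", "rundll32 loads " + module]
        if USER_WRITABLE.search(module):
            reasons.append("module lives in a user-writable directory")
        if not module.lower().endswith(".dll"):
            reasons.append("module does not carry a .dll extension")
        findings.append(Finding(d["item"], d["name"], reasons))
    return findings


def scan_summary(log: str) -> dict:
    """Pull scan type, object count and elapsed seconds from the log header."""
    summary = {"scan_type": None, "objects_scanned": None, "elapsed_seconds": None}
    for line in log.splitlines():
        if line.startswith("Scan type:"):
            summary["scan_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Objects scanned:"):
            summary["objects_scanned"] = int(line.split(":", 1)[1])
        elif line.startswith("Time elapsed:"):
            units = {"hour": 3600, "minute": 60, "second": 1}
            summary["elapsed_seconds"] = sum(
                int(n) * units[u] for n, u in re.findall(r"(\d+) (hour|minute|second)", line))
    return summary


def looks_like_quick_scan(summary: dict, min_seconds: int = 600) -> bool:
    """Assumed heuristic, not a Malwarebytes rule: a 'Full scan' that finished in
    under ten minutes probably was not a full scan and deserves a re-run."""
    return (summary["scan_type"] or "").startswith("Full scan") and \
        (summary["elapsed_seconds"] or 0) < min_seconds


if __name__ == "__main__":
    s = scan_summary(SAMPLE_LOG)
    note = " (suspiciously short for a full scan)" if looks_like_quick_scan(s) else ""
    print(f"{s['scan_type']}: {s['objects_scanned']} objects in {s['elapsed_seconds']}s{note}")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.item}")
        for r in f.reasons:
            print("   -", r)
```

Run it against a saved mbam-log-*.txt by reading the file into triage() and scan_summary(); on the sample it reports both Run entries and notes that the 4-minute "Full scan" is short. The Funmoods PUP entries are parsed but not flagged, since they are not autorun values launching rundll32.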
Blizzard Employee
12/20/2012 08:46 AM, posted by Tibbz:
but i'll restate the question above for anyone that can answer, would posting the "Malwarebytes" log help in any way?
It won't necessarily help customer support with finding damages on the account, but it's definitely great info to have for others to see.

I'd like to mention a few things from your log file though.

12/20/2012 09:03 AM, posted by Tibbz:
Time elapsed: 4 minute(s), 29 second(s)
Make sure you run a full scan, not just a quick scan. Full scans generally take much longer.

12/20/2012 09:03 AM, posted by Tibbz:
C:\Users\William\AppData\Local\Temp\1289301.txt (Trojan.GamesThief)
This type of trojan targets gamers specifically. If you have other games on your computer that require logging in, make sure you also secure those accounts.

12/20/2012 09:03 AM, posted by Tibbz:
PUP.Funmoods
PUP in this case stands for Potentially Unwanted Program. Funmoods is the program mentioned here. Make sure you double check your programs for Funmoods toolbar and remove it.
90 Tauren Paladin
6930
12/20/2012 09:30 AM, posted by Roraks:
Make sure you run a full scan, not just a quick scan. Full scans generally take much longer.


I'll run another scan just to be sure, Roraks.

Small update: I was able to successfully log in to WoW using my desktop and mobile authenticator.

I appreciate the support ALL of you provided. Is there any way for me to voice my appreciation to supervisors or managers? I've had outstanding interactions with 5 GM/Support Agents and feel they should be recognized in some way other than a survey.
90 Blood Elf Paladin
11675
The tickets should generate their own satisfaction surveys, and if you wish to leave feedback about the SFAs here:

Forum Feedback - To provide feedback on the performance of the community team, forum moderators, or MVPs, please email wowcmfeedback@blizzard.com. Please note that while emails sent to this address will likely not receive a response, each one will be read and handled accordingly.
90 Tauren Paladin
6930
Thanks, Taamane. I appreciate that.
90 Tauren Paladin
6930
OK, so it must have quick-scanned somehow, but it seems it found everything in the initial scan.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.20.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
<Censored> :: <Censored> [administrator]

12/20/2012 11:37:37 AM
mbam-log-2012-12-20 (11-37-37).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 364682
Time elapsed: 47 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Edited by Tibbz on 12/20/2012 10:28 AM PST