So it said that my login schedule has changed

So I go to log in and what a surprise! My account was locked. So then I change my password and everything is cool until I get in game. I am missing 1kg out of my bag. So please, I need some help!

Open an in game ticket.

You may also wish to scan your system for malware.
It sounds as if your account may have been compromised.

You can start the recovery process here:
http://us.battle.net/wow/en/forum/topic/932784008

And you should start trying to figure out how the compromise happened, because if you don't they will certainly try to come back and do it again.
________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com
To everyone wondering, I have an authenticator. O.O; How can they get through it? I already got my account back and Norton is up :S


There is a very specific trojan (emcor.dll and variants) that can bypass an Authenticator.

And Norton is not designed to (and certainly will not) find it, let alone remove it.

________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com

Anything you can recommend? I mean, it's that the only thing I'm missing is 1kg. I remember logging off and having 4kg because I was thinking of purchasing Master flight.

Anyone in your house have access to your comp/authenticator?

I've never heard of a hacker taking only 1000g, and leaving everything else. Gold farm hackers are very efficient, and generally leave you naked with empty pockets and an empty bank within minutes of compromising your account. The only exception is when they get caught in the process, and end up getting kicked off before they're done.

Of course, had this happened, you'd have been suspended, and wouldn't have been able to log in.

Sure you didn't spend that 1000g on an AH binge last night? Maybe you were buying stacks of frostweave, and stumbled upon that one idiot who tries to scam people with a 1000g stack of frostweave.

1: I didn't log on last night.
2: My account was locked and I had to change my password.
3: I logged on and found out I was missing gold.

Malwarebytes is a good start. Get the free version, download it, install it, update it. Then fire up the WoW client, type gibberish (like "123") into the password field, and run the full (not quick) scan.

Most variants of emcor.dll "decloak" at that point, and you should get some results (probably randomly-named files in your temp folder).

Check back with your results (a full scan may take a couple of hours, so be patient) and we'll see what it finds. Depending on the results, there may be some other programs we can recommend.

________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com
If you didn't log in last night, then there's no way the malware could've bypassed your authenticator. The only way to do so is if they log into your account the moment you try to log in. Authenticator codes are only good for one log in, and only valid for a few seconds, so they have to log into your account the moment you type the key on screen. Otherwise, they couldn't have.

With only 1000g missing, there has to be another explanation. Hackers don't just grab a thousand and go. Ticket a GM, and have them review your recent transactions. They'll tell you what happened to that money.

There are other ways of acquiring an Authenticator code. Some phishing websites will "borrow" one. And of course, there's the possibility of somebody closer to home.

Let's start with a malware scan anyways, just to help eliminate that as a source.
________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com
Thanks for the help guys. I am scanning right now :)
So there were indeed a couple trojans on my system. What now?


Depends. Were any of them of the game-stealing type?

________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com

My sister just closed out of it after she just clicked remove :( I have no clue. There were 4 of them though.


Malwarebytes should have saved a log somewhere. See if you can find it.

It does matter.

________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/18/2010 10:39:21 PM
mbam-log-2010-11-18 (22-39-21).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 328032
Time elapsed: 1 hour(s), 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\Cheat Engine\Systemcallretriever.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll (Trojan.BHO) -> Quarantined and deleted successfully.

That is the whole thing.
All right. Well, there's good news and bad news.

The good news is that none of those are capable of stealing your WoW account. And that it's very unlikely that you have the emcor.dll trojan or any variant on your computer.

The bad news is that means that your Authenticator was probably bypassed in some other method.

Either you entered the code on a malicious webpage, or somebody who has physical access to the device was responsible for this.

You'll need to figure out which one.

________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com
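
One way to answer "which detections were there?" from a saved Malwarebytes log, as an added example that is not part of the original thread: it parses the text format of the log posted above (the embedded sample is an excerpt of that log), tallies detection names, and flags sections where the summary count and the listed items disagree. `parse_mbam_log` and `triage` are this example's own names.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes 1.46 log posted above (summary + detections).
SAMPLE_LOG = r"""Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files (x86)\Cheat Engine\Systemcallretriever.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll (Trojan.BHO) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Greedy .* so a path containing "(x86)" still ends at the last "(Name) ->".
ITEM = re.compile(r"^(?P<object>.*) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (summary counts, list of detections) from an mbam text log."""
    counts, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return counts, detections

def triage(text):
    """Detection names with counts, plus sections whose items don't add up."""
    counts, detections = parse_mbam_log(text)
    listed = Counter(d["section"] for d in detections)
    mismatched = sorted(s for s, n in counts.items() if listed[s] != n)
    return Counter(d["name"] for d in detections), mismatched

if __name__ == "__main__":
    names, mismatched = triage(SAMPLE_LOG)
    print(dict(names), "incomplete sections:", mismatched)
```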

I only have access to my phone and no one in my house plays. Plus I know exactly how to spot a phishing site. I mean, how legit do these websites sound, like Safe.Battl3.net? (That is not a real one.) So this is weird. :S

I feel silly :S I just logged on the PTR and I realize that I have the same amount of gold as I do on live. I thought that I had like 4k but I guess I spent it on gems :S I'm sorry guys. But I do find it weird my account was locked O.O; could it be I was tethering from my phone?
