*Compromised accounts* Potential Trojan

Technical Support
Thanks, I edited my original post about me finding a similar rundll32.exe but it's under a different name. Thoughts?

The dll you mentioned isn't one known to be an issue. It's normal to have dll files on a Windows system. You have many of them.
If it's using auth data you input, you might want to suggest that people wait till the very last second before it changes before they enter the last couple of numbers and hit enter.

Ever since I downloaded the mobile auth app on my devices, I always wait till the bar is literally all the way at the end before I type in the last four numbers, then hit enter.

Now, I wasn't doing this for fear of a virus/trojan/malware, lol; it just so happened I always liked to beat the clock and was too lazy to wait for a new auth code to pop up, especially if I had already entered some of the numbers.

Since the auth code is unique (hopefully not RSA-based, lol), I don't care how fast this thing is; it wouldn't be possible for the info to be used by another system to log in if, in the meantime, people log in like that.
Thanks, I edited my original post about me finding a similar rundll32.exe but it's under a different name. Thoughts?

Rundll32.exe is used by a lot of programs, since it's a common program to tap into your little DLL files for your games and stuff.
Just find "disker" in your MSInfo - if it doesn't pop up, then you're good! I just did that.
Thanks, I edited my original post about me finding a similar rundll32.exe but it's under a different name. Thoughts?

That's safe. It's a Creative-related file, aka sound-related.
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
So rundll is a trojan too? I'm confused.

No. It's a normal Windows file.
If I 'Ctrl F' and typed in Disker, would it show up in the MSInfo? 'Cause I have a hard time finding it in this huge long text file.

I found the .exe program but it's under a different name. Is it still the Trojan?

THXCfg64 c:\windows\system32\rundll32.exe c:\windows\system32\thxcfg64.dll,rundllentry thxcfg64 Public HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I tried, and [CTRL] F does work within the saved msinfo.txt file (or at least mine reported not being able to find the search term); however, I had to search for "disker " (a space after the "r"). When I searched with "disker", it stopped on the term "diskerror", which shares the spelling.

So, am I to understand that if the "startup programs" area does NOT contain "Disker" or "Disker64", the Trojan is not present on the PC? I don't want to sound paranoid, but I lost my whole system two years ago (including my external drives) to a nasty, horrible virus. I can't afford to lose that kind of data or hardware again....
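A scripted version of the search described above, added here as an example and not taken from the thread or from Blizzard: it reads the [Startup Programs] table out of a saved msinfo32 export, matches the program name as a whole token (so "diskerror" does not trip it, the way Ctrl+F did above), and additionally flags any rundll32 entry whose DLL lives outside the Windows directory, which is the usual question behind "is this rundll32 line safe?". The msinfo text is constructed: the THXCfg64 row is the benign entry posted earlier in the thread, while the "DiskErrorMonitor" and "Disker" rows are invented test data, not real indicators of the malware being discussed. The section layout, the UTF-16 encoding of real exports and the trusted-directory list are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the tab-separated layout that msinfo32's "File > Export"
# writes to a .txt file. A real export is UTF-16 on most systems, so read it with
# open(path, encoding="utf-16") (assumption about the export format).
# The THXCfg64 row is the benign entry quoted in the thread; the DiskErrorMonitor
# and Disker rows are INVENTED test data, not indicators of the malware discussed.
MSINFO_TXT = """\
[System Summary]

Item\tValue
OS Name\tMicrosoft Windows 7 Professional

[Startup Programs]

Program\tCommand\tUser Name\tLocation
THXCfg64\tc:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\thxcfg64.dll,rundllentry thxcfg64\tPublic\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
DiskErrorMonitor\tc:\\program files\\example\\diskerrormon.exe\tPublic\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Disker\tc:\\windows\\system32\\rundll32.exe c:\\users\\alice\\appdata\\roaming\\disker64.dll,Entry\tALICE-PC\\alice\tHKU\\S-1-5-21-0-0-0-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

[Services]

Display Name\tName\tState
"""

# Startup-program names the thread says to look for.
NEEDLES = ("disker", "disker64")
# Directory prefixes under which a rundll32-loaded DLL is treated as expected
# (constructed allowlist; tighten it for your own environment).
TRUSTED_DLL_DIRS = ("c:\\windows\\",)

# First argument after rundll32.exe, up to the ",EntryPoint" separator.
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+?\.dll)', re.IGNORECASE)


def parse_startup_programs(text: str) -> List[Dict[str, str]]:
    """Return the rows of the [Startup Programs] section as dicts keyed by column name."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.strip() == "[Startup Programs]")
    except StopIteration:
        return []
    rows: List[Dict[str, str]] = []
    header: Optional[List[str]] = None
    for line in lines[start + 1:]:
        if line.startswith("["):      # reached the next section
            break
        if not line.strip():
            continue
        cells = line.split("\t")
        if header is None:            # first non-blank line is the column header
            header = cells
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def name_matches(program: str, needle: str) -> bool:
    """Whole-name, case-insensitive match: 'disker' hits 'Disker' but not 'DiskErrorMonitor'."""
    return re.fullmatch(re.escape(needle), program, re.IGNORECASE) is not None


def rundll32_dll_path(command: str) -> Optional[str]:
    """Lower-cased path of the DLL a rundll32 command line loads, or None if not rundll32."""
    match = RUNDLL_RE.search(command)
    return match.group(1).strip().lower() if match else None


def is_suspicious(entry: Dict[str, str]) -> bool:
    """Flag the names the thread names, plus rundll32 entries loading DLLs from odd places."""
    name = entry.get("Program", "")
    if any(name_matches(name, needle) for needle in NEEDLES):
        return True
    dll = rundll32_dll_path(entry.get("Command", ""))
    return dll is not None and not dll.startswith(TRUSTED_DLL_DIRS)


def find_suspicious(text: str) -> List[str]:
    """Program names of startup entries worth a second look."""
    return [entry["Program"] for entry in parse_startup_programs(text) if is_suspicious(entry)]


if __name__ == "__main__":
    for entry in parse_startup_programs(MSINFO_TXT):
        flag = "SUSPECT" if is_suspicious(entry) else "ok"
        print(f"{flag:7} {entry['Program']:18} {entry['Command']}")
```

Run it against a real export by replacing MSINFO_TXT with the decoded file contents; the THXCfg64 line comes out clean because its DLL sits under c:\windows\, while the constructed Disker line is caught both by name and by its DLL path.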

I lost my whole system two years ago (including my external drives) to a nasty, horrible virus. I can't afford to lose that kind of data or hardware again....

Regardless of any potential trojan or other threat, it's ALWAYS advisable to back up your system. You never know when there will be a hard drive failure or any other sorts of system failures that can cause loss of data. Use one of your external drives to do regular backups and don't leave it plugged in when not backing up.

We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.

Authenticator passcodes change every 30-60 seconds, so unless they have hacked the authenticator algorithm so that they can reverse-engineer the serial number, they would only have access to the legitimate number for a short period of time. (If I understand how the process works.)

Is there an issue with the malware throwing (turning on) the "Remember This PC" flag and spoofing the PC's identification information as well so that authenticator info is not asked for at the next (and illegitimate) log-in? If this turns out to be the case, should this feature (the flag) be temporarily disabled?

Just some thoughts.....
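The two timing arguments above (typing the code in its last second, and the code only being valid for a short window) both come down to how a time-based one-time password is verified. The block below is an added example, not code from the thread, from Blizzard or from the authenticator itself: it implements RFC 4226 HOTP and RFC 6238 TOTP with the RFC defaults (SHA-1, 30-second step, 6 digits), which are assumptions since the thread never states the Battle.net authenticator's parameters, and then replays two situations against a small server-side verifier. The shared secret and the timestamps are constructed.

```python
import hashlib
import hmac
import struct
from typing import Set, Tuple

# RFC 6238 defaults, assumed for the demonstration (the Battle.net authenticator's
# real period, digit count and hash are not stated in the thread).
STEP = 30
DIGITS = 6
SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed shared secret

# 29 seconds into a 30-second step: the user has "waited until the bar runs out".
VICTIM_TIME = 1388678399


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class Server:
    """Server-side verifier.

    window: how many adjacent steps are accepted on either side (clock-skew tolerance).
    track_used: remember consumed counters so the same code cannot be accepted twice.
    """

    def __init__(self, secret: bytes, window: int = 1, track_used: bool = True) -> None:
        self.secret = secret
        self.window = window
        self.track_used = track_used
        self.used: Set[int] = set()

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.track_used:
                    if counter in self.used:
                        return False  # replay of an already-consumed code
                    self.used.add(counter)
                return True
        return False


def replay_scenario(window: int, track_used: bool) -> Tuple[bool, bool]:
    """The victim logs in at second 29 of the step; a trojan that captured the code
    replays it 3 seconds later, after the authenticator has rolled over.
    Returns (victim_accepted, attacker_accepted)."""
    server = Server(SECRET, window=window, track_used=track_used)
    code = totp(SECRET, VICTIM_TIME)
    victim_ok = server.verify(code, VICTIM_TIME)
    attacker_ok = server.verify(code, VICTIM_TIME + 3)
    return victim_ok, attacker_ok


def realtime_scenario() -> Tuple[bool, bool]:
    """The trojan relays the code the instant it is typed and reaches the server first.
    Returns (victim_accepted, attacker_accepted)."""
    server = Server(SECRET, window=1, track_used=True)
    code = totp(SECRET, VICTIM_TIME)
    attacker_ok = server.verify(code, VICTIM_TIME)
    victim_ok = server.verify(code, VICTIM_TIME)
    return victim_ok, attacker_ok


if __name__ == "__main__":
    print("skew window 1, no replay tracking:", replay_scenario(1, False))
    print("skew window 0, no replay tracking:", replay_scenario(0, False))
    print("skew window 1, replay tracking:   ", replay_scenario(1, True))
    print("real-time relay, attacker first:  ", realtime_scenario())
```

Two things fall out of running it. Typing the code in its last second does not shrink the attacker's window on its own: a server that tolerates one step of clock skew still accepts the code 3 seconds later, after the display has rolled over, and only a server that refuses to accept a consumed counter twice closes that replay. And once the server does that, a trojan that relays the code in real time still wins if its login reaches the server before the victim's, which is the "acts in real time" behaviour the blue post describes; the victim then sees their own login rejected.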

I've removed a trojan before, for those of you who don't know how. Once you notice it popping up (it's quite obvious when it does), restart your computer and run it in safe mode. Once you've done this, turn on Task Manager and look for something with Win32 on it (could be the other file they've stated here). Do not end the process; instead, go to the file's containing folder and remove all the files and permanently delete them.

This should fix your problem with the trojan; if you still have problems, try locating the other item that the blues have stated.
Should I turn my authenticator off, or have it set up so I have to input the authenticator code every time I log onto WoW?

Just now, when I logged onto this battle.net website, it took a longer than usual time to verify my authenticator code. I also can't get into my "account" tab ATM.
01/02/2014 03:59 PM Posted by Kaltonis
Does this affect people who don't use addons, or only people that do? I am a bit confused because I use my authenticator.

While this is not conclusive, every occurrence I've examined has been a new or recently reformatted system that was hit shortly after downloading addons. There have been no other hardware or software commonalities that can be seen in an MSInfo. Due to these observations, something related to addons or the acquiring of addons leads our suspect list. Again, though, not conclusive.

Also, I just received a report that an updated Malwarebytes might have removed the infection, but this is unconfirmed. We're trying to get removal logs from the player to examine.

This, IMHO, does not affect the Authenticator App. This Trojan is a variant of the old Trojan:Win32/Bamital.E, found in 2010/11; Dr. Web had listed it as Trojan.Siggen.64331, while other AV producers had it listed as a Zapchast Gen.
Quote:"What is Trojan.Agent/Gen-Siggen

Trojan.Agent/Gen-Siggen is a tricky trojan risk that will enable full access for remote attackers to control the victimized system. You may get infected with Trojan.Agent/Gen-Siggen via free file or program downloads or corrupted sites that are embedded with hidden virus code. Trojan.Agent/Gen-Siggen has multiple characteristics and uses sophisticated techniques to steal your confidential information once inside. The removal of Trojan.Agent/Gen-Siggen is never easy, for its infections are concealed with randomly generated files. And extra virus registry entries will be added to allow it to run automatically when you start Windows. Critical system components, files or programs could be ruined and result in basic functional disabilities. What is more, the computer performance is really poor and sluggish. And Trojan.Agent/Gen-Siggen has a habit of coming packed with other viruses to worsen the infections. Domain Name Server settings may be modified to mess up the Internet connection, and it is not surprising at all if your search results are hijacked to random sites."
Source: http://www.yac.mx/en/guides/removal-tips/how-to-remove-trojan-agentgen-siggen-virus-removal-hep.html

Curse and the Curse client offer a notable attack vector, if you use it to log in directly to your account, for example. Generally speaking, clients like these can help me perform an MITM and other funny things on a targeted system.

However, there are a plethora of other possibilities to spread this malware.
To mention an example: the above-mentioned Siggen Trojan used the mIRC scripting language [mSL]. Addons are made using the programming language Lua; you can perfectly well embed malware in a Lua script.
Just checked my sysInfo; I'm in the clear. The addons I use are Bartender, Xperl, Bagnon, and Deadly Boss Mods. All were downloaded directly from curse.com, without the client.

Using the BNet client, so login is automatic on my machine. Will run a v-scan this weekend (avast!).
Been reading the posts about this Potential Trojan, and I have just tried to log on to my account using the authenticator. It does seem to take a little bit longer than normal to log on, but it takes longer to look at the Curse site, and I think that most of the posts are right in saying that it has something to do with addons. Remove them from your computer, or if the Potential Trojan is on your PC, do a format and make sure you have a backup that does not include the addons or any WoW-type software or hacked keygens or anything that you may think will cause problems for your PC, old or new.
At the same time, put all Blizzard emails in the spam folder, and if you get any in the future, remove them ASAP.
Keep your PC up to date, and change the settings on your antivirus software to delete the problem as soon as it appears.
Do a scan after every game session, or even when using the internet to surf the web.
That's all I can really think of, but do keep those posts up, as I am keen to find out what's going on with this Potential Trojan.
Potential Trojan.

It's not a "potential" trojan. It's a real threat that's hitting people.
Ran MSInfo and I appear to be clean of Disker. However, on the off-chance this may be even the least bit helpful...

At some time during the last 4-6 weeks my AV program reported prevention of a high-risk intrusion attempt while viewing a Wowhead page. I looked to see if I could dig up details on this but apparently this particular AV program (which I'm reluctant to name publicly) doesn't store data that long. On 12/31, I did find a disturbing record of 41 separate medium-risk blocked attempts for unauthorized access, almost all of them consecutive. From my recollection, these occurred during a time when I was playing WoW.

The only addons I've been running since 12/23 are: Altoholic (with DataStore) and TitanPanel, both downloaded and installed using Curse client.

Do you have any details on the Wowhead blocked intrusions?

I currently run BitDefender. I've been on Wowhead several times every day for the past few weeks with no notifications of any sort of blocks. It may be because I also actively run NoScript and Adblocker, so most of the malware drops that come through contaminated ads don't ever show up.

I also found one more notable hit while researching this malware:


That was uploaded on December 23rd. It's not quite as informative as the prior links, although the malware did appear to be detected.

This malware isn't heavily detected at this point. If anyone has any further information, please share it so that this can be properly identified and cured by more anti-malware software.

Sorry, but I can't see any connection between this link and the Disker malware...
