
Thread: Don't be stupid.

  1. #41
    E. Body
    Join Date
    Jan 2005
    Posts
    2,152
    BG Level
    7

    So they randomly downloaded some file from a random topic on this forum claiming to be hacks and got keylogged? Retards >_>

  2. #42

    Quote Originally Posted by Zigma
    Quote Originally Posted by Taj
    Quote Originally Posted by Zigma
    Wow, I never actually got the chance to download the parser/keylogger (not that I even wanted to since the risk isn't worth it) but I'm sure if he wrote it poorly, you could easily disassemble it.
    If I had a copy I could make something to scan for it/get rid of it. <_<
    I thought of that too but if he compiles a version of it every time he is about to write one of these threads and changes only a few things then a simple crc check would pretty much be useless.

    You could however find a tag of some sort that rarely changes since it's a main component of the program and scan for that specific tag in memory?
    I thought of several more reliable methods, but I'd rather not discuss them here, seeing as he's probably reading this thread.
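
The trade-off discussed in the quoted exchange above, as an added example that is not part of any post in this thread: a checksum blocklist misses a rebuilt variant, while a byte signature with a wildcard over the changing byte still matches. Both "builds", the marker bytes and the signature are constructed for illustration and are not taken from the real program.

```python
import zlib

# Constructed stand-ins, not real samples: two builds of one program that
# differ only in a build-stamp digit and one operand byte.
TAIL = b"\xe8\x00logger-core"          # hypothetical stable marker bytes

def make_build(stamp_digit: bytes, operand: bytes) -> bytes:
    return (b"hdr" + b"build-000" + stamp_digit + b"\x55\x8b" + operand
            + TAIL + b"\x00" * 8)

BUILD_A = make_build(b"1", b"\x10")    # the copy an analyst already has
BUILD_B = make_build(b"2", b"\x7f")    # rebuilt variant, never seen before
CLEAN = b"hdr" + b"build-0001" + b"\x90" * 24   # unrelated file

# Checksum blocklist built from the one known copy.
KNOWN_CRCS = {zlib.crc32(BUILD_A)}

# Byte signature: fixed bytes, with None as a one-byte wildcard covering the
# operand that changes between builds.
SIGNATURE = [0x55, 0x8B, None] + list(TAIL)

def crc_hit(data: bytes) -> bool:
    """True if the whole-file CRC32 is on the blocklist."""
    return zlib.crc32(data) in KNOWN_CRCS

def find_signature(data: bytes, pattern=SIGNATURE) -> int:
    """Return the first offset where pattern matches data, or -1."""
    for off in range(len(data) - len(pattern) + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1

if __name__ == "__main__":
    for name, blob in (("A", BUILD_A), ("B", BUILD_B), ("clean", CLEAN)):
        print(name, "crc:", crc_hit(blob), "sig offset:", find_signature(blob))
```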

  3. #43

    Can't wait to see how this ends up. I wanna see pictures of the dude crying in court or something. YOU MUST PLEASE THE MOB!

  4. #44

    Quote Originally Posted by Kiro
    Can't wait to see how this ends up. I wanna see pictures of the dude crying in court or something. YOU MUST PLEASE THE MOB!
    Let's find his address and lynch him.

  5. #45

    Quote Originally Posted by Taj
    Quote Originally Posted by Kiro
    Can't wait to see how this ends up. I wanna see pictures of the dude crying in court or something. YOU MUST PLEASE THE MOB!
    Let's find his address and lynch him.
    Tar and feather first.

  6. #46
    Nidhogg
    Join Date
    Oct 2005
    Posts
    3,616
    BG Level
    7
    FFXIV Character
    Glick Wick
    FFXIV Server
    Ultros
    FFXI Server
    Bahamut

    He's probably some 15 year old kid, and is currently shitting his pants.

  7. #47
    Banned.

    Join Date
    Dec 2005
    Posts
    15,022
    BG Level
    9

    Quote Originally Posted by Kiro
    Quote Originally Posted by Taj
    Quote Originally Posted by Kiro
    Can't wait to see how this ends up. I wanna see pictures of the dude crying in court or something. YOU MUST PLEASE THE MOB!
    Let's find his address and lynch him.
    Tar and feather first.
    I will wear his most left toenail around my neck in a beautiful golden chain.

  8. #48

    Quote Originally Posted by Kiro
    Quote Originally Posted by Taj
    Quote Originally Posted by Kiro
    Can't wait to see how this ends up. I wanna see pictures of the dude crying in court or something. YOU MUST PLEASE THE MOB!
    Let's find his address and lynch him.
    Tar and feather first.
    Lol, as soon as you mentioned that, I thought of Monkey Island... Such a great game! :D

  9. #49
    Smells like Onions
    Join Date
    Mar 2006
    Posts
    6
    BG Level
    0

    Quote Originally Posted by MisterBob
    He's probably some 15 year old kid, and is currently shitting his pants.
    or he's an 80 year old pedophile rapist

  10. #50

    this thread makes me hot irl.

  11. #51

    I took care of the FTP Server. Shouldn't be a problem anymore.

  12. #52

    lol go dezz

  13. #53

    To find out if you're infected:
    Start -> Search -> All or Part of File Name: "bpk"

    If you find any of the following files:
    bpk.dat (C:\WINDOWS\System32\)
    bpkch.dat (C:\WINDOWS\System32\)

    You are infected.

    Start -> Run -> regedit -> HKEY_LOCAL_MACHINE

    If there is a folder called:
    "TKD Data Systems"

    You are infected.

    Start -> Run -> regedit -> HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

    If there is an entry called:
    "DamageProc", or "FAOF"

    You are infected.


    As of right now, I haven't found a way to completely remove the Keylogger, as it includes both "Blazing Tools Perfect Keylogger", and some proprietary software to take screenshots of the Main PlayOnline menu (Your POL ID.) If you find out that you are infected, I would recommend you reformat, if that is an option. If not, get a good Firewall and completely block Port 21.

  14. #54

  15. #55
    Black Belt
    Join Date
    Jul 2004
    Posts
    5,745
    BG Level
    8
    FFXI Server
    Bahamut

    I found the exe and disassembled it. It's pretty creative the way he wrote it but also pretty stupid. I tried logging on to the ftp but it was down, anyway...

    As soon as you open the program, it puts a webserver that comes with it into your Windows directory and names itself webservicex.exe

    It launches that program in the background and calls home to (finalfantasyxi2.no-ip.info, better yet resolved to 8.4.112.108 better yet resolved to

    3047 E. Warm Springs Rd.
    Suite #400
    Las Vegas
    NV
    89120
    US
    1-702-459-8444)


    This might not be his real address but this is where the server is at when you do a simple trace route to the IP.

    webservicex.exe grabs the file login_w.bin located in PlayOnline\SquareEnix\PlayOnlineViewer\usr\all which contains your POL ID (I'm not sure if this also contains your password because it is encrypted).

    It also writes a few keys into your registry like what taj put and makes itself run automatically when you restart your computer. Removing it isn't very hard.

    You can follow the steps that taj posted or you can scan your computer to see if you have the file called webservicex in your windows directory.

    Delete those keys, delete webservicex.exe and delete whatever you downloaded. The best thing however is to pretty much format your computer because the server can be named something else.



    Now, having his IP is very good because the server is still up. It does not matter if he takes it down, IP changes or anything because ISPs keep logs and the FBI has the ability to trace everything back via this. If he's not running this from his house (prob was because of the slow transfer rate like diz said), they can still catch him by viewing the logs from that server, finding out who he is etc.

    I didn't run the program itself on my computer but I will do it tomorrow at school (those pc's make good test benches :D ) From there I'll be able to learn more.
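
The checks listed in posts #53 and #55 above, combined into one sweep over an offline host snapshot, as an added example that is not code from either poster. The snapshot format, the location of the "TKD Data Systems" key under SOFTWARE and the Run value data are assumptions made for the constructed samples.

```python
import ntpath

# Indicators as given in posts #53 and #55 of this thread.
FILE_NAMES = {"bpk.dat", "bpkch.dat", "webservicex.exe"}
RUN_VALUES = {"damageproc", "faof"}
KEY_NAME = "tkd data systems"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def sweep(snapshot):
    """Return sorted (kind, detail) findings for one host snapshot.

    snapshot is a dict with 'files' (paths), 'reg_keys' (key paths) and
    'reg_values' ((key, value name, data) tuples). Windows paths and
    registry names are case-insensitive, so everything is compared lowered.
    """
    findings = set()
    for path in snapshot["files"]:
        if ntpath.basename(path).lower() in FILE_NAMES:
            findings.add(("file", path))
    for key in snapshot["reg_keys"]:
        parts = key.lower().strip("\\").split("\\")
        if parts[0] == "hkey_local_machine" and KEY_NAME in parts[1:]:
            findings.add(("regkey", key))
    for key, name, data in snapshot["reg_values"]:
        if key.lower().strip("\\") == RUN_KEY.lower() and name.lower() in RUN_VALUES:
            findings.add(("run", f"{name} = {data}"))
    return sorted(findings)

# Constructed snapshots. The location of the "TKD Data Systems" key under
# SOFTWARE and the data of the Run value are assumptions for the sample.
INFECTED = {
    "files": [r"C:\WINDOWS\System32\bpk.dat", r"C:\WINDOWS\System32\BPKCH.DAT",
              r"C:\WINDOWS\webservicex.exe", r"C:\WINDOWS\System32\notepad.exe"],
    "reg_keys": [r"HKEY_LOCAL_MACHINE\SOFTWARE\TKD Data Systems",
                 r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"],
    "reg_values": [(RUN_KEY, "DamageProc", r"C:\WINDOWS\webservicex.exe"),
                   (RUN_KEY, "ctfmon", r"C:\WINDOWS\System32\ctfmon.exe")],
}
CLEAN_HOST = {
    "files": [r"C:\WINDOWS\System32\notepad.exe", r"C:\Games\bpk.dat.txt"],
    "reg_keys": [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"],
    "reg_values": [(RUN_KEY, "ctfmon", r"C:\WINDOWS\System32\ctfmon.exe")],
}

if __name__ == "__main__":
    for kind, detail in sweep(INFECTED):
        print(kind, detail)
```

A clean result only rules out these names; as post #55 notes, the dropped server can be named something else.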

  16. #56
    HABS SUCK!!!!!
    Sepukku is my Hero
    Therrien's Cum Dumpster

    Join Date
    Mar 2005
    Posts
    37,942
    BG Level
    10
    FFXI Server
    Gilgamesh

    Quote Originally Posted by Zigma
    I didn't run the program itself on my computer but I will do it tomorrow at school (those pc's make good test benches :D ) From there I'll be able to learn more.
    lol

  17. #57
    Banned.

    Join Date
    Dec 2005
    Posts
    15,022
    BG Level
    9

    BG's Cyber Police. (BRB FBI)

  18. #58
    Sea Torques
    Join Date
    Mar 2005
    Posts
    610
    BG Level
    5

    It's cool to get rid of people trying to steal accounts this way, but I am bothered by how many people use or try to use fleetool these days...
    And the number of accounts you say you found on his FTP site is another indication of this problem.

    I called a GM on 2 random lvl 30ish whm and bst /anon people I saw running at way faster than flee speed near Windurst toward low lvl NM areas.
    As usual I got a "we'll look into it" msg from a GM that couldn't really speak English, nothing was done to them. I can't walk anywhere without seeing someone fleehacking, it's depressing

  19. #59

    So have the FBI changed their 'policy' of only giving a shit about internet crime where over $30k USD of 'damage' has been done?

    Admittedly it's been a while since I was in a position where I cared about internet law, but they really never used to give a fuck about 'petty' incidents like this. Maybe things have changed with the recent climate of identity theft?

  20. #60
    Relic Shield
    Join Date
    Nov 2004
    Posts
    1,553
    BG Level
    6
    FFXI Server
    Bahamut

    When it involves an account linked to credit card information, I'm pretty sure you don't need a dollar amount set as far as damage done.
