So they randomly downloaded some file from a random topic on this forum claiming to be hacks and got keylogged? Retards >_>
I thought of several more reliable methods, but I'd rather not discuss them here, seeing as he's probably reading this thread.
Originally Posted by Zigma
Can't wait to see how this ends up. I wanna see pictures of the dude crying in court or something. YOU MUST PLEASE THE MOB!
Let's find his address and lynch him.
Originally Posted by Kiro
Tar and feather first.
Originally Posted by Taj
He's probably some 15 year old kid, and is currently shitting his pants.
I will wear his most left toenail around my neck in a beautiful golden chain.
Originally Posted by Kiro
Lol, as soon as you mentioned that, I thought of Monkey Island... Such a great game! :D
Originally Posted by Kiro
or he's an 80 year old pedophile rapist
Originally Posted by MisterBob
this thread makes me hot irl.
I took care of the FTP Server. Shouldn't be a problem anymore.
lol go dezz
To find out if you're infected:
Start -> Search -> All or Part of File Name: "bpk"
If you find any of the following files:
bpk.dat (C:\WINDOWS\System32\)
bpkch.dat (C:\WINDOWS\System32\)
You are infected.
Start -> Run -> regedit -> HKEY_LOCAL_MACHINE
If there is a folder called:
"TKD Data Systems"
You are infected.
Start -> Run -> regedit -> HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
If there is an entry called:
"DamageProc", or "FAOF"
You are infected.
As of right now, I haven't found a way to completely remove the Keylogger, as it includes both "Blazing Tools Perfect Keylogger", and some proprietary software to take screenshots of the Main PlayOnline menu (Your POL ID.) If you find out that you are infected, I would recommend you reformat, if that is an option. If not, get a good Firewall and completely block Port 21.
I found the exe and disassembled it. It's pretty creative the way he wrote it but also pretty stupid. I tried logging on to the ftp but it was down, anyway...
As soon as you open the program, it puts a webserver that comes with it into your Windows directory and names itself webservicex.exe.
It launches that program in the background and calls home to finalfantasyxi2.no-ip.info, which resolved to 8.4.112.108, which in turn resolved to:
3047 E. Warm Springs Rd., Suite #400, Las Vegas, NV 89120, US (1-702-459-8444)
This might not be his real address but this is where the server is at when you do a simple trace route to the IP.
webservicex.exe grabs the file login_w.bin located in PlayOnline\SquareEnix\PlayOnlineViewer\usr\all which contains your pol id (i'm not sure if this also contains your password because it is encrypted).
It also writes a few keys into your registry like what taj put and makes itself run automatically when you restart your computer. Removing it isn't very hard.
You can follow the steps that taj posted or you can scan your computer to see if you have the file called webservicex in your windows directory.
Delete those keys, delete webservicex.exe and delete whatever you downloaded. The best thing however is to pretty much format your computer because the server can be named something else.
Now, having his IP is very good because the server is still up. It does not matter if he takes it down, the IP changes or anything, because ISPs keep logs and the FBI has the ability to trace everything back via this. If he's not running this from his house (prob was, because of the slow transfer rate like diz said), they can still catch him by viewing the logs from that server, finding out who he is, etc.
I didn't run the program itself on my computer but I will do it tomorrow at school (those pc's make good test benches :D ) From there I'll be able to learn more.
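As an added example that is not part of the thread or anyone's post, here is a read-only PowerShell check for the indicators Taj and the poster above list (the bpk.dat/bpkch.dat files, the "TKD Data Systems" key, the DamageProc/FAOF Run entries, and webservicex.exe). The exact registry locations checked under SOFTWARE are an assumption, since the posts only name HKEY_LOCAL_MACHINE.

```powershell
# Added example, not from the thread. Reports indicators only; removes nothing.
# Run from an elevated PowerShell prompt on the machine you want to check.
$findings = @()

# Files the posts say the keylogger drops (webservicex.exe location per the post above)
$filePaths = @(
    "$env:SystemRoot\System32\bpk.dat",
    "$env:SystemRoot\System32\bpkch.dat",
    "$env:SystemRoot\webservicex.exe"
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# "TKD Data Systems" key. Assumption: it lives under SOFTWARE (the post only says HKLM).
$keyPaths = @(
    'HKLM:\SOFTWARE\TKD Data Systems',
    'HKLM:\SOFTWARE\WOW6432Node\TKD Data Systems'
)
foreach ($k in $keyPaths) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Autostart entries named in Taj's post
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
foreach ($name in 'DamageProc', 'FAOF') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "Run entry '$name' -> $($run.$name)"
    }
}

# Is the bundled webserver currently running?
if (Get-Process -Name 'webservicex' -ErrorAction SilentlyContinue) {
    $findings += 'Process running: webservicex.exe'
}

if ($findings.Count -eq 0) {
    'No indicators from this thread were found.'
} else {
    'Indicators found (the thread recommends reformatting if you can):'
    $findings | ForEach-Object { " - $_" }
}
```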
lol
Originally Posted by Zigma
BG's Cyber Police. (BRB FBI)
It's cool to get rid of people trying to steal accounts this way, but i am bothered by how many people use or try to use fleetool these days...
And the number of accounts you say you found on his FTP site is another indication of this problem.
I called a GM on 2 random lvl 30ish whm and bst /anon people i saw running at way faster than flee speed near windurst toward low lvl NM areas.
As usual I got a "we'll look into it" msg from a GM that couldn't really speak English, nothing was done to them. I can't walk anywhere without seeing someone fleehacking, it's depressing.
So have the FBI changed their 'policy' of only giving a shit about internet crime where over $30k USD of 'damage' has been done?
Admittedly it's been a while since I was in a position where I cared about internet law, but they really never used to give a fuck about 'petty' incidents like this. Maybe things have changed with the recent climate of identity theft?
When it involves an account linked to credit card information, I'm pretty sure you don't need a dollar amount set as far as damage done.