#1 Puppetmaster (Hanayaka), Fenrir

    Viruses that compromise accounts

    I recently had my second mule account stolen from me within the span of one month. The reason I am making this thread is to inquire about the types of viruses RMT are using to compromise accounts.

    I've run multiple virus scans, I keep a virus protection running at all times, and I change my passwords on the accounts regularly. I changed the password on the account 2 weeks ago.

    The only viruses that I have had on my machine are Conficker.A and Conficker.D, which I promptly removed, then proceeded to perform a Windows Update to patch the problem.

    My question is, are RMT actively using Conficker worms to compromise accounts? If not, what kind of viruses/keyloggers should I be looking for?

    Note: the account was virtually worthless, with almost 0 gil/items and minimal level 75 jobs - which makes me think it is more likely to be RMT than an inside job.

#2 Demosthenes11 (Guest)

Stop using IE, use an updated ad-block / NoScript, don't visit sketchy websites, don't type in your password. Oh, don't give out your info either.

Problem solved.

#3 Puppetmaster (Hanayaka), Fenrir

    Quote Originally Posted by Demosthenes11 View Post
Stop using IE, use an updated ad-block / NoScript, don't visit sketchy websites, don't type in your password. Oh, don't give out your info either.

Problem solved.
    I use firefox, don't visit sketchy sites, etc. This thread is more about me finding out which viruses are being used, so I can specifically look for them.

    I have other people who use this network that play FFXI, it is entirely possible that one of them has the virus and it has propagated through the network.

#4 New Spam Forum, Quetzalcoatl

    Quote Originally Posted by Hanayaka View Post
    which makes me think it is more likely to be RMT than an inside job.
    So you have given this account info out?

#5 Puppetmaster (Hanayaka), Fenrir

To my roommate, who lives about 15 feet away from me, yes.

    Again, this isn't about me whining that I lost my account - It is about me finding out WHICH viruses are being used to compromise them.

    Please don't respond to the thread unless you can comment on the question I've asked, I really don't want this to get cluttered with "Firefox/Noscript/DontShareInfo". I've read it one million times, I'm not interested in that.

#6 Sea Torques (Kriz), Valefor

    Are you sure you are catching the viruses?

    What AV software are you using? Are you augmenting it with MalwareBytes and ComboFix?

    Are you sure you yourself haven't legitimately installed a program that is doing it (and is running on boot?)

    So many ways you can get hit.

    Also, don't discount the ways the info can get out so quickly

#7 Puppetmaster (Hanayaka), Fenrir

    Quote Originally Posted by Kriz View Post
    Are you sure you are catching the viruses?

    What AV software are you using? Are you augmenting it with MalwareBytes and ComboFix?

    Are you sure you yourself haven't legitimately installed a program that is doing it (and is running on boot?)

    So many ways you can get hit.

    Also, don't discount the ways the info can get out so quickly
    I use McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.5.0i, and always keep it up to date. I don't augment it with MalwareBytes and ComboFix, I will look into those immediately.

    The only third party tool I use is Windower (obtained from the official site), with a few downloaded plugins (blinkmenot), so I don't think this is the problem. I don't use any other third party programs on my accounts as I hold the linkshell bank, and won't risk it being banned.

    As for the account info getting out other ways, it is possible but unlikely. I won't discredit it, but I'm more interested in rooting out any possible viruses I may have and discovering what they are before anything else is compromised. I appreciate your post, going to go look into MalwareBytes and ComboFix.

    Do you happen to have any idea what kind of trojans/worms RMT are actively using?

#8 I Have The Clap Again (Titanss)

    Quote Originally Posted by Kriz View Post
    Are you sure you are catching the viruses?

    What AV software are you using? Are you augmenting it with MalwareBytes and ComboFix?

    Are you sure you yourself haven't legitimately installed a program that is doing it (and is running on boot?)

    So many ways you can get hit.

    Also, don't discount the ways the info can get out so quickly
Hate to derail this, but why does MalwareBytes, after you download it, lead you to random links when you click on a link after you google it, and then continue to perform a bogus scan? I got this to get rid of that Security Tool program and it wants to give me more damn problems. Everyone praises this but I think it's bullshit.

#9 Very Sexy Nerd, Carbuncle

    Wasn't there a "virus" or something, a while back, that would basically steal your password, and then put in a fake one so it doesn't let you connect, or something like that?

    Does anyone know/remember anything about it? :/

#10 Bagel, Valefor

    Quote Originally Posted by Titanss View Post
Hate to derail this, but why does MalwareBytes, after you download it, lead you to random links when you click on a link after you google it, and then continue to perform a bogus scan? I got this to get rid of that Security Tool program and it wants to give me more damn problems. Everyone praises this but I think it's bullshit.
Some viruses are specifically designed to screw up your Malwarebytes installation and make it look like it's helping when in fact it has become your virus's pawn.

    Under most circumstances though MWB is amazing.

#11 ▲▲ (Pikarya), FFXIV character Pikarya Saisei, Excalibur

    Quote Originally Posted by Titanss View Post
    why does MalwareBytes after you dl it lead you to random links when you go to click on a link after you google it? and then will continue to perform a bogus scan?
    http://i33.tinypic.com/acadqd.jpg

If you're clicking anything on this page besides what is in red, you deserve to be infected.

#12 BG Content, Lakshmi

    Quote Originally Posted by Pikarya View Post
If you're clicking anything on this page besides what is in red, you deserve to be infected.
    lol@ you obviously clicking two links on that page

#13 Relic Weapons

    Lol at the fact that they are the same goddamned URL

#14 Sea Torques (Kriz), Valefor

    Quote Originally Posted by Hanayaka View Post
    I use McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.5.0i, and always keep it up to date. I don't augment it with MalwareBytes and ComboFix, I will look into those immediately.

    Do you happen to have any idea what kind of trojans/worms RMT are actively using?
    Quote Originally Posted by Titanss View Post
Hate to derail this, but why does MalwareBytes, after you download it, lead you to random links when you click on a link after you google it, and then continue to perform a bogus scan? I got this to get rid of that Security Tool program and it wants to give me more damn problems. Everyone praises this but I think it's bullshit.
    McAfee Enterprise latest version is 8.7, I'd try to snag the upgrade to that. Also make sure that it scans every now and again, at my office they have it set to only scan On-access and so things sneak by.

    I don't know what the RMT use, but I'd bet the anti-virus software would flag it under generic names like GameStealer-a or something dull.

As for why MalwareBytes would redirect after googling... well, that's a very bad sign. Some viruses hijack your search results. In fact, I'd recommend downloading MalwareBytes and ComboFix from a known clean machine and putting them on a flash drive, then running/installing from there. If it is a really bad infection, you'd end up having to rename the main MBAM exe, as well as ComboFix.

    We've covered a lot of this over in tech in http://www.bluegartr.com/forum/78291...s-malware.html it may be worth your time to look.

    Also, Security token if you are the bank.
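Added example, not part of the thread or of any tool it names: one concrete, checkable mechanism behind the "search results redirect" and "the scan is bogus" symptoms Kriz and Titanss describe is a tampered hosts file, which malware uses to pin AV-vendor and search-engine names to loopback (so updates and downloads silently fail) or to an attacker-chosen address (so the page you land on is not the one you typed). The script below parses a hosts file and flags such entries. The sample hosts content and the watched-domain list are constructed for the example; the thread does not establish that this was the OP's infection vector, and hijacks done through DNS settings, a proxy, or a browser add-on are outside what this check can see.

```python
"""Audit a hosts file for entries that block or redirect security-vendor or
search-engine domains. Added example with constructed data, not thread code."""
import ipaddress
import sys
from pathlib import Path

# Constructed sample hosts file for offline use; not from the original thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries of the kind a search hijacker / AV blocker adds (constructed)
127.0.0.1   www.malwarebytes.org malwarebytes.org
127.0.0.1   www.symantec.com
192.0.2.10  www.google.com google.com
"""

# Assumed watch list: the AV vendors and search engine mentioned in the thread.
WATCHED_DOMAINS = ("google.com", "malwarebytes.org", "symantec.com", "mcafee.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, ignore it
        for host in fields[1:]:
            yield ip, host.lower().rstrip(".")


def _in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip, 'blocked'|'redirected')] for suspicious mappings.

    'blocked': the name is pinned to a loopback address, so the browser or
    updater can never reach the real site. 'redirected': it is pinned to any
    other address, so traffic for that name goes somewhere else entirely.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if any(_in_domain(host, d) for d in watched):
            kind = "blocked" if ip.is_loopback else "redirected"
            findings.append((host, str(ip), kind))
    return findings


def audit_file(path):
    """Read a real hosts file chosen by the caller and audit it."""
    return find_hijacks(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # With no argument, audit the constructed sample; pass a path to audit a
    # real file, e.g. C:\Windows\System32\drivers\etc\hosts on Windows.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_hijacks(SAMPLE_HOSTS)
    for host, ip, kind in results:
        print(f"{kind:10s} {host:30s} -> {ip}")
    if not results:
        print("no suspicious hosts entries")
```

Run it from the flash drive Kriz suggests, against the suspect machine's hosts file, before trusting anything that machine downloads; a clean file maps only localhost, so every hit is something to explain.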

#15 Fishing Guru

    You said you use firefox but did not clarify if you use noscript and ad block correctly configured. Btw if your roommate has your info saved on his pc and has a virus that may be why you're getting hit. May have nothing to do with your pc at all.

#16 Puppetmaster, Bahamut

    My 3 accounts (mine/wife/nephew's) got hacked some months back. I found my PC was infected with "Infostealer.Gamepass" in a recent scan.

I can't post URLs, but do a google search for "virus Infostealer.Gamepass"; the first item should be the virus definition on Symantec/Norton's site:

www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99

    Hope this helps.

#17 Cerberus (Neoscrilla), Siren (WoW realm Hydraxis)

    wow it only took till post 16 for someone to actually try to answer the OP's question. The rest is just everyone's knowledge on how to prevent them, not what they were, which was what the poor bastard was trying to ask. Way to go BG Tech Geeks. I see a job working for SE Customer Service in your futures.

#18 New Spam Forum, Phoenix

    Realistically, unless you're an extremely technical person no form of "cleaning" out a virus will be enough. You should just reinstall Windows.

    If you are certain that you adopted a stricter policy with respect to browsing the web and you still had your account info stolen then you either somehow contracted a virus again or you really never removed it.

    Naming the virus isn't going to help. Is knowing the name really going to change what it did to you or make you say "Oh, that virus is ok, let's just leave it alone" when it pops up in your virus scanner? >_>a

#19 Sea Torques (Kriz), Valefor

    Quote Originally Posted by Neoscrilla View Post
    wow it only took till post 16 for someone to actually try to answer the OP's question. The rest is just everyone's knowledge on how to prevent them, not what they were, which was what the poor bastard was trying to ask. Way to go BG Tech Geeks. I see a job working for SE Customer Service in your futures.
    Right, cool.

First of all, every vendor is going to call this stuff something different. Would telling him about PWS-Onlinegames.exe be any more useful? Not every piece of malware comes with a name that is instantly recognizable like Conficker.

    Who specifically looks for a certain vendor's named instance of a virus? In fact, who hand cleans systems? IMO, it's too much to just tweak by hand a system you feel is compromised. In fact, that's why I always suggest MBAM and ComboFix to cover what both automated programs miss.

    Maybe one of the problems the OP has is that they look only for certain malware to remove- leaving the rest or traces of the original for reinfection. It's not like malware is just a small exe you uninstall and are done with, that stuff comes in bunches.

    And yes, as GMy as it sounds, a token is a solid suggestion.

#20
I have been looking into these things myself ever since some Japanese friends who don't own a computer and only use PS2 were hacked. One of these hacked accounts was even caught blatantly warp hacking in front of a GM and they only received a 72 day ban. Setting up a clean installation of Windows XP/7/Vista that can prevent you from being hacked isn't difficult. After watching hacked accounts get away with anything but murder I would say there is more to this than use NoScript/Javablock/whatever the fuck.

The accounts on Fenrir are used to farm certain camps 24/7. They are primarily retired EU/JP accounts that were more than likely hacked after the player retired and/or sold to the RMT themselves.

    The names on Fenrir throughout the last month have been:

    Mamikou
    Indignation
    Ardneth
    Evot
    Himurakennzi
    Ogirl
    Kyuubigirl
    Warriors
    Baga
    Akimaximum
    Faustine

They never seem to run out of accounts; within days of being banned/sold they have already set up another toon to keep up the work. Whoever is controlling them is going balls to the wall with hacks, with no concern of being banned. No, not as in they always win claim (they don't). They can place themselves anywhere in zone, run up walls and over locked doors, and have flee on constantly. This leads me to believe these are not people who sell characters and turn a small profit while they are waiting to sell them; you wouldn't be running around getting all of your toons banned when you could just make more money selling them. These guys have a hustle going and it's cute to see people's arrogance protecting it.

    So, I would like to ask the OPs question again, personally I would like to see how these things work so I can convince myself that SE employees aren't selling/leaking retired account information.

    I find it hard to believe that these hackers on Fenrir are just getting lucky and only hacking accounts that are retired and need to have ID reactivated. Crime is often just a result of opportunity.
