Thread: Hacked ;(

  #21 CoP Dynamis (Join Date: Sep 2009, Posts: 251, BG Level: 4)

    Honestly man I don't want to blame her. So if you didn't find anything on either computer you might have to go for a full format or something. Perhaps others could chime in on this post for you and suggest something. But if you've tried CCleaner, Ad-Aware and a virus checker and it didn't find something, then I'm not exactly sure how safe you're going to be able to use your computer to play FFXI. When a company has a security vulnerability it's usually best to see HOW and WHY it was able to get in. In your case, if those programs didn't catch anything then a format seems in order. I can't suggest anything else.

    Sucks you didn't find a virus or something. Did you run all those programs? They're all easily available from download.com

  #22 Fake Numbers (Join Date: Sep 2007, Posts: 90, BG Level: 2)

    Tried CCleaner, Malwarebytes and SpyBot. Didn't try Ad-aware but will if you reckon there's a chance it could find something the others didn't?

  #23 CoP Dynamis (Join Date: Sep 2009, Posts: 251, BG Level: 4)

    No those 3 are fine. And you scanned with a virus scanner and didn't get anything either. I don't know what to say though. Either it's something that's still on your computer and you need to reboot, or no one has your account information except your girlfriend. It's hard to say what is to blame. I'm going to give your gf the benefit of the doubt. You can basically get Windows 7 free and whatnot, so perhaps it's time to upgrade both computers to the new OS. Her computer might still be infected.

    But you have to admit the fact that your account was taken and then the mules were made on X server. It's quite suspect to me so I don't know. Maybe they didn't worry about locking you out and just wanted to send the stuff asap. Almost like they know what your play schedule is and did it when they knew you weren't around. You could try HijackThis and post the log here. I and others could point something out right away.

    If that still doesn't show anything, just reformat. I know I wouldn't be able to feel safe without doing that if malware programs or antivirus didn't pick something up lol. Do a HijackThis log and post it here first though. We'll go from there.

  #24 Fake Numbers (Join Date: Sep 2007, Posts: 90, BG Level: 2)

    Yeah virus scan was with AVG, not sure if that is good enough or not.

    I'll try and get the HijackThis one tomorrow. Cheers for the help.

  #25 Fake Numbers (Join Date: Sep 2007, Posts: 90, BG Level: 2)

    Here's the log for GF laptop in spoiler tags, no idea what any of it means so hopefully someone does. ^_^;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:21:26 AM, on 10/30/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\OEM02Mon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\libusbd-nt.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mieke\Desktop\avg_free_stb_en_9_39_free.exe
    C:\DOCUME~1\Mieke\LOCALS~1\Temp\7zS16A.tmp\stub.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Personalized Start Page
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Dell Search Page
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Dell Search Page
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Stuff.co.nz - Latest New Zealand News & World News, Sports News & NZ Weather Forecasts
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN Canada - The all-new MSN Canada, home of world-class services such as Hotmail, Windows Live Messenger, and News, Sports, Financial and Entertainment services
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN Canada - The all-new MSN Canada, home of world-class services such as Hotmail, Windows Live Messenger, and News, Sports, Financial and Entertainment services
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Dell Search Page
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Personalized Start Page
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194527801421
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/en/10/install/gtdownde.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EEC26B11-C017-4994-9364-12B9F14D925F}: NameServer = 203.96.152.4,203.96.152.12
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - LibUsb-Win32 - C:\WINDOWS\system32\libusbd-nt.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 12705 bytes

  #26 Old Merits (Join Date: Jan 2007, Posts: 1,102, BG Level: 6, FFXI Server: Phoenix)

    Only thing that looks suspicious to me is:

    C:\DOCUME~1\Mieke\LOCALS~1\Temp\7zS16A.tmp\stub.exe

  #27 MaachaQ (Guest)

    Sounds like almost the same thing that happened to my sister's account.

    I'm not sure when it was initially hacked, as my sister did not really play anymore and could not remember changing her password, so couldn't help me when I tried to log into her account ~Sept 10th to cancel it. I had been paying for her account since she started, to try to lure her away from WoW to play with me on FFXI, but she never really got into it.

    I called and had the password reset on Sept. 16th and changed it back (stupidly) to the password it had been before, since that's what was saved on our other machines and I was lazy >< I logged in and at the time nothing seemed to be wrong. I think I did a few quests with her character and logged back off, planning to get items off her character later in the week before I cancelled it. Well, the next time I tried to log in a few days later I was told the password was wrong and I had a really bad feeling...

    I didn't get a chance to contact SE until a little after the beginning of October, and I had the password reset again and logged in to find this:

    http://i193.photobucket.com/albums/z...lieaccount.png

    The account had last been logged in on September 20th. RMTs had created a ton of new content IDs (the account only had 1 chara before), unlinked my sister's character from her original Handle so we wouldn't know she was online, and charged a world transfer to the account, even though the original character wasn't even moved to a new server... Only 5 new characters remained on the account, all lvl 1 war blond hume males, all on different servers, all logged out at the AH item sending character.

    My credit card had been charged almost $70 instead of the normal $13.

    I had the account locked later that day, and it has now been cancelled, but until my sister sends in the notary form they cannot refund me for all the charges the RMT caused.

    I warned my sister she may have a virus on her computer, which could threaten her WoW account as well, but she hasn't yet found anything. We had rarely logged her account on from our place, but still, virus scans on our computers here showed nothing. All 3 of our other accounts have security tokens, my sister's account did not.

    PS - I cannot find a phone number on the SE service site anymore, only e-mail or web chat... just FYI

  #28 CoP Dynamis (Join Date: Sep 2009, Posts: 251, BG Level: 4)

    Yeah that stub.exe is definitely suspect. It may be in the startup processes as well. You could kill it, and delete the directory that it is in. I think to see startup processes you go to Run and type: msconfig. Go to the Startup tab and deselect the box. HijackThis can delete the registry entry too I believe. Interesting stuff though. I'm going to do a search on this and see what I find.

  #29 Fake Numbers (Join Date: Sep 2007, Posts: 90, BG Level: 2)

    Here's another HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:37:51 p.m., on 30/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\libusbd-nt.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cintek.com/search.shtml
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN Canada - The all-new MSN Canada, home of world-class services such as Hotmail, Windows Live Messenger, and News, Sports, Financial and Entertainment services
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN Canada - The all-new MSN Canada, home of world-class services such as Hotmail, Windows Live Messenger, and News, Sports, Financial and Entertainment services
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN Canada - The all-new MSN Canada, home of world-class services such as Hotmail, Windows Live Messenger, and News, Sports, Financial and Entertainment services
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cintek.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AVG Free Control Center.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.cintek.com/default.shtml
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142582789905
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - LibUsb-Win32 - C:\WINDOWS\system32\libusbd-nt.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8231 bytes

  #30 Hydra (Join Date: Oct 2007, Posts: 121, BG Level: 3, FFXI Server: Asura)

    Quote (MaachaQ): "PS - I cannot find a phone number on the SE service site anymore, only e-mail or web chat... just FYI"

    Square-Enix Support Center
    858 790-7529

  #31 CoP Dynamis (Join Date: Sep 2009, Posts: 251, BG Level: 4)

    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    GetRight information = THIS IS A WORM!

    C:\WINDOWS\system32\libusbd-nt.exe - Generic USB file for something

    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe - Run a MySQL server? No idea why it's here.

    C:\WINDOWS\System32\tcpsvcs.exe

    C:\WINDOWS\System32\snmp.exe = THIS IS A WORM

    Looks like you have a couple of worms from what I see from the two I pointed out. I'm sure there are sites you could go to for removing these threats. I'm not entirely sure why AVG and other programs didn't pick these up. So my best recommendation is a full format. Removing this stuff doesn't always work as they're normally programmed to hide somewhere and scan your process list to see if it's running. If it isn't it'll re-install. Good luck. I would change both POL account passwords immediately and discontinue logging onto FFXI from this infected computer. Who knows how much information has been compromised excluding FFXI itself. Honestly man I'll be upfront. You should format both computers. If you need help on getting a clean copy of XP SP3 or Windows 7 just let me know, I'll help you out to the best of my ability. I got 7 Ultimate running now with BIOS mods. Just PM me, don't post anything here.

    Okay. Since you have to reformat I made a guide on Warhammer Online forums. I suggest going to your computer manufacturer's website and pre-download the LAN and WAN drivers onto a USB drive or burn them onto a CD-R considering XP SP3 doesn't always pick up a LAN/WAN on a new install. Windows 7 will however. Post your two computers and their model numbers. I don't need their stats I can look it up and help you out. Here's the guide though:

    Greetings fellow players! You can call me Anderson, it's my last name. I have always preferred to go by my last name for some reason. Regardless I'm going to give you a quick run down on how to solve easy technical problems with your computer. First things first. No one should ever use dxdiag, or system information from within windows for any kind of system information. It's total garbage. It's quite sad that you have to use third parties within an operating system to find out about your system.



    I recommend using the program 'Everest Ultimate Edition'. You can just go to download.com and download the latest version available there. This program is really great. 90% of the time this program can identify everything that is installed in your computer from BIOS version to your hard drive manufacturer. When you install the program just let it launch aftewards. To get a summary of the basic of what your computer has.



    Click on 'Computer' and then 'Summary. It will list everything for you. Go to http://www.afn.org/~afn05420/Everest.htm to see an example. For some reason the link didn't work in this post.



    If you click on 'Report' button, choose 'System Summary' , then save as HTML file. You can send this to various people through e-mail that will basically see a snapshot of your computer. This will usually identify any device you have and what drivers you should download for it. You'd normally go to the manufacturer's website. If you can't find it there go to your computer's website, like dell.com, toshiba.com etc. They usually have all the drivers that came with your computer available for download that was installed into your computer.



    If you ever reformat a computer which I do often. Everest is a godsend when you need to know specifically what drivers to install once your OS is running again. I usually recommend this in order.



    1. Turn off Automatic Updates; double check in settings that it's off when Windows loads.

    2. Load Internet Explorer (choose express options or custom), then close it.

    3. Load Windows Media Player (choose express options or custom), then close it.

    4. Load Media Center (if applicable) (choose express or custom), then close it.

    5. Load Internet Explorer, go to Adobe.com (install the latest Flash Player).

    6. Go to Java.com (install the latest Java).

    7. Go to your graphics card's website (ati.com/nvidia.com), download the drivers, then install them.

    8. (Usually you'll restart your computer once/twice after this step.)

    9. Go to your computer's website (dell.com/toshiba.com/etc).

    10. Normally here you download your sound driver, network driver, dial-up modem driver, wireless driver.

    11. Look at Computer Summary in Everest. Mine says: Motherboard Chipset Intel Lakeport i945p. Go to intel.com or amd.com for your processor and search for i945p or whatever chipset drivers. Install them; it will prompt a reboot.

    12. Look at Computer Summary in Everest. Mine says: IDE Controller Intel(R) ICH7 Family Ultra ATA Storage Controllers - 27DF. A lot of hard drives these days use an Intel controller. You'll want to download Intel Storage Matrix Manager. It will usually be an option when you search for your chipset.

    13. After all of these steps, reboot one final time. Now go back and turn Automatic Updates on. If your computer is missing a driver, usually XP and above will notice and install it if it can. Always double check 'Device Manager' to make sure you didn't miss anything. Your computer's website usually has your computer's specifications if Everest doesn't show them.



    14. Then install antivirus, whether this be Avast, AVG, or any of the free ones. I personally like Avast.

    15. And for the love of God, INSTALL FIREFOX with NOSCRIPT and AD BLOCK PLUS. If you're not used to NoScript, you have to click on the Options box to allow sites you trust from the get-go to run any kind of scripting. It's pretty safe versus sites installing trojans and stealing your game information.



    16. That should be good enough to get you going from a fresh format, and give you the general idea of what to do if you don't know what devices you have and need drivers. USE EVEREST!



    There's tons of other problems that can happen with computers, but for the most part I find a lot of problems point to having low memory. I'm pushing it running Warhammer with 2 GB of memory; I don't suggest doing that unless you're using XP, then you should be safe. For Vista and Windows 7, use 3 to 4 GB at least. With a 64-bit Windows you can use even more.



    If anyone ever has any technical problems or questions, just ask. I'll be happy to help. Remember: if you START suddenly having a problem, it's usually because you changed something or your computer automatically changed something. If you can't do a system restore, then try tracing it backwards from when it happened, back through everything that went on the day before.



    - Anderson, Un-official Warhammer Player Tech Support
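    The guide above relies on Everest for the hardware summary and on Device Manager to catch anything still missing a driver after a reformat. As an added example that is not part of Anderson's guide, the PowerShell snippet below (assumed: Windows 7 or later with PowerShell 3.0+, so not the XP install the thread discusses) writes a comparable hardware summary to an HTML file and lists every device whose driver is missing or faulty.

```powershell
# Added example, not from the original post. Assumes Windows 7+ with PowerShell 3.0 or later.
# 1) Build a hardware summary roughly matching Everest's 'Computer > Summary' and save it as HTML,
#    so it can be e-mailed the same way the post describes for the Everest report.
$cs = Get-CimInstance Win32_ComputerSystem
$summary = [ordered]@{
    Computer    = "$($cs.Manufacturer) $($cs.Model)"
    OS          = (Get-CimInstance Win32_OperatingSystem).Caption
    BIOS        = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
    Motherboard = (Get-CimInstance Win32_BaseBoard | ForEach-Object { "$($_.Manufacturer) $($_.Product)" })
    CPU         = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
    RAM_GB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    GPU         = (Get-CimInstance Win32_VideoController | Select-Object -ExpandProperty Name) -join '; '
    Storage     = (Get-CimInstance Win32_IDEController | Select-Object -ExpandProperty Name) -join '; '
    Network     = (Get-CimInstance Win32_NetworkAdapter -Filter 'PhysicalAdapter=TRUE' |
                   Select-Object -ExpandProperty Name) -join '; '
}
[pscustomobject]$summary |
    ConvertTo-Html -As List -Title 'System Summary' |
    Out-File -FilePath "$env:USERPROFILE\Desktop\system-summary.html"

# 2) Command-line equivalent of scanning Device Manager for yellow-bang devices (step 13).
#    ConfigManagerErrorCode 0 = working; common non-zero codes: 1 = not configured correctly,
#    10 = device cannot start, 28 = drivers not installed.
$problemDevices = Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
    Select-Object Name, DeviceID, ConfigManagerErrorCode

if ($problemDevices) {
    # Each row is a device still needing a driver from the vendor or the PC maker's site.
    $problemDevices | Format-Table -AutoSize
} else {
    'No devices with missing or faulty drivers.'
}
```

    The DeviceID column carries the hardware vendor and device IDs, which is what you search for on the manufacturer's site when the device name alone is unhelpful.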

  12. #32
    Relic Shield
    Join Date
    Apr 2009
    Posts
    1,514
    BG Level
    6

    Quote Originally Posted by LinkNZ View Post
    It's definitely RMT as the account names are stupid like Emxdia, Emxlev, Emxgil and so on, unless my GF is RMT (lol, why am I lending her gil for scrolls then!).

    And when I checked the sent box of them at the AH there is 1mil being sent somewhere but of course you can't see anything as it vanishes instantly. So the account has been used and then just left I suppose.

    Thanks for all the advice guys, have spent the whole day trying to 'clean' all the computers. Haven't found anything obvious, spyware- or virus-wise, so I don't know what to think.

    We use Firefox, but she didn't have AdBlock, NoScript etc. on her laptop. So maybe something's got in somewhere along the way. That's all loaded now, so at least the future might be safer.

    My biggest fear now is that they server hopped on my dime also, there are 4 mules that aren't on Leviathan so I fear for the worst unwanted fee wise.

    Even though it's not my main account and the GF doesn't play 'seriously' enough to warrant it, I think now I'll try and get a security token all the same. Would have been much better than this crazy situation. Hacked by RMT but not quite a stolen account. :\

    EDIT: So I've been digging round the Content ID section of the account, some really detailed info there lol, never even looked in it before this. >_<

    They were created on the 3rd of October, 12 POL IDs and 1 World Transfer.

    So I'm out $37USD (I think), money down the RMT toilet. So yeah, despite it not really having anything worth stealing, I still wish I had protected the account better with a token. Something like this never even crossed my mind. All I thought was "meh, nothing worth stealing on it in game", not "what can they charge to my credit card with the account details".

    I know it could have been worse (and HAS been for some), but still lame.
    SE will refund your lost transfer money if you go through the compromised account process and they verify that it was compromised. Do not mention that you let your GF use it or they will likely repeat the TOS to you about how it is against policy to share accounts, possibly denying you.
    They have two separate procedures, one for accounts with a token and one without, but they are in the same area and have the right info for you. There is lots of information on the Square Enix Support Center website about how to do it, as well as an easy-to-read FAQ.


    Good luck

  13. #33
    Fake Numbers
    Join Date
    Sep 2007
    Posts
    90
    BG Level
    2

    Ugh, yeah, formatting sucks but it was prolly time to start afresh anyway. Computer has been running sluggishly.

    I have no idea why AVG doesn't find this stuff; it's always the question for me, does it not find anything because it's useless or because there is nothing there? lol.

    Thanks for the help Gethsemane and everyone else. I've got XP discs but I might have a look at the new Windows, heard it's OK.

    Guess I know what I'm doing with my weekend now!

    Ordered another security token earlier for the GF, a bit late now but at least it should help avoid this crazy situation in the future.

  14. #34
    CoP Dynamis
    Join Date
    Sep 2009
    Posts
    251
    BG Level
    4

    Well, when you re-install, make sure you follow the install guide I gave for the most part. AVG works, but that stuff may have gotten on your computer before AVG was installed. I know some viruses can evade any AV program with certain programming. Regardless, the new Windows is pretty awesome; it's basically XP SP3 and Vista SP2's love child. Works well for FFXI too. But yeah, definitely use Firefox with the NoScript and Adblock Plus addons from now on.

    I'll send you a PM with some information about some stuff. Good luck. And also to anyone else that may be paranoid: HijackThis is probably the best program to find suspicious processes that are running on your computer. But I'm sure these account thefts only happen to maybe 5% of FFXI's population. Regardless, everyone should secure their computer to the best of their ability and always install updates. If anyone else needs help, just PM me or reply here.

  15. #35
    Fishing Guru
    Join Date
    Jan 2007
    Posts
    4,722
    BG Level
    7

    What mistress said about getting money back is what I also went through. They had to investigate/verify it was RMT before I could apply for the transfer funds to be charged back. So it took 2 months to verify it was a hacking, then about 6 months for the 29.95 to be transferred back. I actually gave up on getting the money back, so it was a nice surprise when it showed up.
