Account Hacked, what software and cleanup did you use?

[crowdx]

So as an update, I nuked all my machine's OS's and did clean installs from a format ( I have the OS on a seperate partition). I then used multiple pieces of software to scan the existing drives for any keyloggers or trojans and so far I seem to be clean.
I also setup a new email address and moved my battlenet account onto it and as some have said on the forum before, I will keep this email address solely for WoW. I then did another update on my password and then logged back into the game. What seems to have happened is that they did not delete any of my toons, instead they transferred 3 of them to other realms, when I am restored, will blizz automatically move these toons back or do I have to add this to my ticket?
I did question the failed paid transfers with a GM and he said it happened after I submitted my ticket, what I am wondering here was, were they logged into my bnet account when I logged in and so it allowed them to do the transfers while I was logged on, not sure. Anyhow, all the above steps to clean my machines were taken later in the day and so I am hoping I am clear of the mess.

So now I think I am into the waiting game to have the accounts restored, luckily I have one account untouched which is the account that I have my tanks on and was using to powerlevel some alts and so the wait for restore will not affect my gaming at all.

Overall, a pain to have to do fresh installs etc but I am glad that I got hacked on my WoW account and not some other real world bank accounts or some such which I have also now changed all the passwords for.

Still no idea where the compromise came from but I think one of the posters here may have been correct in stating that the hack may have been a few months ago and the hackers are just doing mass onslaught on people's accounts, I suppose the logic might be to overwhelm blizzards support and so inexperienced users may be left vunerable longer due to trying to call blizzard etc instead of taking immediate action.

[jinkobi]

You might have got hacked through 2 recent techniques listed on MMO Champion. The Flash player or the Google Ads vulnerabilities.

http://www.mmo-champion.com/

For the whole story check out MMO champions front page and read these 2 sections below.

Important - Adobe Flash Player Vulnerability

Quote from: Lucytr (Source)
A critical vulnerability has been discovered in Adobe Flash Player 10.0.45.2 and Adobe Reader/Acrobat 9.x, and could potentially be used to target World of Warcraft players and accounts. The newest available version of Adobe Flash 10.1, Release Candidate 7 (available at http://labs.adobe.com/technologies/flashplayer10/), does not appear to contain this vulnerability, and we recommend that everyone upgrade their Flash player as soon as possible. Earlier versions of Adobe Reader and Acrobat, specifically version 8.x, do not appear to contain this vulnerability, either.

For more information, please visit Adobe.com: http://www.adobe.com/support/security/advisories/apsa10-01.html

Get an Authenticator if you haven't got one already. Get your very own guard dog and secure your account at the same time. Visit http://us.battle.net/security for more info!

I would also like to add that this is NOT a virus. The only way to protect yourself from this kind of vulnerability is to keep your system up-to-date in all ways, including Flash.



Curse Client Google Ad Scam
A few months ago a couple of people got hacked because of malicious google ads redirecting to fake armory pages. (See this news)

The same problem is now affecting the Curse.com client that many of you use to update and download addon.

[crowdx]

Well I use the Curse Client to update my add ons, I have never used any link from the client but I do use it to update my addons.
My machines run windows updates automatically each day but I am not 100% sure about the Adobe stuff, they may have not been 100% up to date, but I do not surf a lot on these computers and so I would think the vulnerability is when these apps hit sites that take advantage of the exploit?
I have been using Bitdefender as a virus scanner but after the hack I tried a few others including AVG and NOD32, I do not like McAfee and Norton so stayed clear of them. I also used a couple of the previously listed apps in this thread for trojans and keyloggers.

[crowdx]

So the plot thickens, I was busy boosting toons in scholo and the RAF accounts got disconnected. When I tried to log in it kept giving me an incorrect password. When I checked the email associated with the account it reflected that there was a password reset request.
I quickly did a second reset got back into the account and changed the password. When I then went to log back into the toons it told me that the accounts were suspended.

So my confusion here is that I did a fresh install, changed all the Bnet passwords and the main accounts email (did not change the RAF email) and ran multiple virus scanners including several of the ones listed in this thread.

Maybe they just tried to reset the password to get into the account? There is an authenticator on all accounts and so maybe that is all they got to do from previously collected data?

This has been very traumatic, and when I try to call I get a message to just call back later, so much for customer service!!!

FRUSTRATED!!

[jinkobi]

So the plot thickens, I was busy boosting toons in scholo and the RAF accounts got disconnected. When I tried to log in it kept giving me an incorrect password. When I checked the email associated with the account it reflected that there was a password reset request.
I quickly did a second reset got back into the account and changed the password. When I then went to log back into the toons it told me that the accounts were suspended.

So my confusion here is that I did a fresh install, changed all the Bnet passwords and the main accounts email (did not change the RAF email) and ran multiple virus scanners including several of the ones listed in this thread.

Maybe they just tried to reset the password to get into the account? There is an authenticator on all accounts and so maybe that is all they got to do from previously collected data?

This has been very traumatic, and when I try to call I get a message to just call back later, so much for customer service!!!

FRUSTRATED!!

This is some very weird stuff crowd...Especially if you formatted and everything I don't even know how it'd be physically possible unless you reinfected yourself from backups.

You need the help of the Customer Service forum then they can at least see where the logins are coming from and maybe more insight to what's going on.

[MiRai]

This is some very weird stuff crowd...Especially if you formatted and everything I don't even know how it'd be physically possible unless you reinfected yourself from backups.

You need the help of the Customer Service forum then they can at least see where the logins are coming from and maybe more insight to what's going on.

I've been told a virus could potentially hide in the memory. That's why you're supposed to do a full system shutdown and flip the power switch off [or unplug the PSU] and wait like 30 seconds to make sure all the power was removed from the board. But infecting yourself from backups is quite possible too.

[raylion]

So the plot thickens, I was busy boosting toons in scholo and the RAF accounts got disconnected. When I tried to log in it kept giving me an incorrect password. When I checked the email associated with the account it reflected that there was a password reset request.
I quickly did a second reset got back into the account and changed the password. When I then went to log back into the toons it told me that the accounts were suspended.

So my confusion here is that I did a fresh install, changed all the Bnet passwords and the main accounts email (did not change the RAF email) and ran multiple virus scanners including several of the ones listed in this thread.

Maybe they just tried to reset the password to get into the account? There is an authenticator on all accounts and so maybe that is all they got to do from previously collected data?

This has been very traumatic, and when I try to call I get a message to just call back later, so much for customer service!!!

FRUSTRATED!!

Have you tried Kaspersky virus checker? You can get it for a free 30 day trial but I would consider it the best out there (switched from Norton years ago as it was finding viruses Norton couldn't see). If you want a thorough check I would recommend a full scan with that (I use the Internet Security version).

http://www.kaspersky.co.uk/trials

EDIT: I should add it does more than virus checking, it's also a full firewall and detects keylogging etc.

[moosejaw]

When you do your system scans have the wow login screen up and type in some jibberish. Some of the malware won't show itself until wow.exe is active.

[crowdx]

Well the really strange part to me is that to do a password reset on this latest Bnet account it needs a challenge question answered which I have not used in a long time and no would ever guess due to being an answer from back home when i was a child.
At this point I am wondering is it an issue with blizzards authentication servers.
I have tried multiple times to call them and keep getting a call back again later message, which is ridiculous.

[jinkobi]

Do you have any roommates or other people with access? Or gremlins, poltergeists, living on an indian burial ground?

I meant the Customer Service forum to at least get some feedback. The only way to get through by phone is spam redial then they put you in a queue where you wait. Spam redial like it's a radio contest.