Still an admin, dont freak! lol

Deep_Pain
KoA Alumni
Posts: 6986
Joined: Wed Dec 05, 2007 6:00 am
RSN: Deep Pain
RSN2: Choose Life

Still an admin, dont freak! lol

Post by Deep_Pain » Sun Mar 04, 2012 10:39 pm

Seems I'm currently being hacked. Or was.

Had a weird issue when on wikia earlier: the wikia tab went back to the RS tab for seemingly no reason. I switched back to wikia to carry on reading a guide, flicked back to RS and I was black screened. I figured it was just some graphics glitch, so went back to reading wikia, thinking it would just fix itself like the old white screens would sometimes if you flicked between pages.

I could still hear the music and sounds in the background so didn't worry about it.

Went back to the RS page, still black screened. Closed the window, got the regular pop up about leaving the page, left it, logged back in to find I'd moved about 4 squares, and my inv / money pouch had been emptied.


Anyways I have a worm and a Java exploit on my computer.
I'm 99% sure where I got it from: I was watching a guide on YT on herblaw (seemed quite a decent guide) and it had a "click here for more guides" at the bottom of the vid. I clicked, it took me to a java chat room on a web page, I clicked refuse on allowing it to load, but it still loaded somehow anyway. So I just closed it... but obviously too late.

Not from anywhere else, because I don't do anything online anymore really, just RS and trusted sites. Haven't downloaded anything in ages, with the exception of a screenshot program, but that was from download.com which is usually very safe and the virus scanner hasn't found anything in that download or program.
Virus:

Exploit:Java/CVE-2011-3544.gen!A

Encyclopedia entry
Published: Feb 25, 2012

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.121.385.0
Released: Feb 25, 2012

Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.
Money pouch and inv emptied lol

As I say I'm 99% sure it's that, just a word of warning: this happened while I was logged in to RS, no one as far as I can see was able to log into my account or has my password etc. (i.e. I had no trouble logging back in; last log in was my IP, and the time between closing the window to log out of RS and logging back into the same world was a few seconds).

But just in case, as it is a new virus and MSE missed it on the way in and didn't see it as active, only found it on a full scan, I've asked oobs to take away my powers in KoA forums and CC, just on the outside chance I am still otherwise infected by a different virus. And I've changed all my IRL passwords etc. via another computer.

Housecall and Symantec both missed this virus and say I had none. MSE missed the virus entering the computer and in active use, but did find it in a deep scan.

If you get a black screen, but RS is still running, log out immediately :)

It is said that your life flashes before your eyes just before you die. That is true, it's called Life.

B F O A
Posts: 605
Joined: Sun Oct 24, 2010 7:53 pm
RSN: B F O A

Re: Still an admin, dont freak! lol

Post by B F O A » Sun Mar 04, 2012 10:47 pm

Ah :( what a shame.

So the malware was received via a youtube vid? or the wiki page itself?

Deep_Pain
KoA Alumni
Posts: 6986
Joined: Wed Dec 05, 2007 6:00 am
RSN: Deep Pain
RSN2: Choose Life

Re: Still an admin, dont freak! lol

Post by Deep_Pain » Sun Mar 04, 2012 10:49 pm

I believe via the "more guides" link under the YT guide; it redirected me to a java chat room that I couldn't stop from opening. Seems the only place.

Deep_Pain
KoA Alumni
Posts: 6986
Joined: Wed Dec 05, 2007 6:00 am
RSN: Deep Pain
RSN2: Choose Life

Re: Still an admin, dont freak! lol

Post by Deep_Pain » Mon Mar 05, 2012 1:22 am

Meh, Symantec is now finding 2 trojans:

Your computer is infected with at least one known virus or Trojan horse.


C:\Users\Daniel\AppData\Local\TempJava.exe is infected with Trojan.Gen
C:\Users\Daniel\AppData\Local\Temp\WinUpdate is infected with Trojan.Gen


Here I was just a few days ago stating how happy with MSE I was. I've had it scan those specific files and it's not detecting them. Housecall is also not detecting them. I deleted all those temp files after the last scan and before rebooting and running this set of scans, so I'm guessing they're all missing the something that has put them there during start up. Grr

Dr Brad
KoA Alumni
Posts: 11697
Joined: Thu Jan 15, 2009 8:44 pm
RSN: Dr Brad
Location: near Washington, DC, USA

Re: Still an admin, dont freak! lol

Post by Dr Brad » Mon Mar 05, 2012 2:59 am

Scary stuff, Deep!

How could your money pouch be emptied when you didn't have anything in the first place? :P
morituri te salutant

Lady in Ice
Inactive
Posts: 6519
Joined: Wed May 21, 2008 5:00 am
RSN: Lady in Ice
Location: Estonia, Europe

Re: Still an admin, dont freak! lol

Post by Lady in Ice » Mon Mar 05, 2012 4:40 am

Not good :(

I hope you get it fixed soon.

That's a bit weird though that your money pouch was emptied (even if you didn't have anything there, as Brad stated) without anyone else going on your account. How would they do that?

PS. I was already organising a party seeing you're not admin anymore. Dang it!!

Tamal
Posts: 2328
Joined: Sun Sep 07, 2008 8:22 am
RSN: Tamal

Re: Still an admin, dont freak! lol

Post by Tamal » Mon Mar 05, 2012 5:22 am

Bloody evil. I hear Malware Bytes works well for these.

Edit: been reading a bit more, ensure your Java is up-to-date (http://www.zdnet.com/blog/security/as-a ... ag=nl.e540)

Jax
Clan Member
Posts: 911
Joined: Sun Apr 18, 2010 2:45 pm
RSN: Erebos Jax
Location: Estonia

Re: Still an admin, dont freak! lol

Post by Jax » Mon Mar 05, 2012 6:44 am

Seems like a Java hack and it is run by win update. Also there might be a third party hiding somewhere in the system files, which you unfortunately won't find so easily (if they pop up again then that's a bad sign).

http://www.sythe.org/showthread.php?t=1071309

You aren't the first one who has caught something like that. Also, virus protection doesn't protect you from everything, none of them do, and there isn't a perfect one, all of them have good and bad sides.

Edit: Found something useful for all of you to read
http://howto.techworld.com/security/417 ... -browsing/
Qotsisajak
Nwûl tash.
Dzwol shâsotkun.
Shâsotjontû châtsatul nu tyûk.
Tyûkjontû châtsatul nu midwan.
Midwanjontû châtsatul nu asha.
Ashajontû kotswinot itsu nuyak.
Wonoksh Qyâsik nun.


Steam: Devilnion
Origin: Holgoma
Anime-Planet: Devilnion

Deep_Pain
KoA Alumni
Posts: 6986
Joined: Wed Dec 05, 2007 6:00 am
RSN: Deep Pain
RSN2: Choose Life

Re: Still an admin, dont freak! lol

Post by Deep_Pain » Mon Mar 05, 2012 10:41 am

Kaleviplika wrote:Not good :(

I hope you get it fixed soon.

That's a bit weird though that your money pouch was emptied (even if you didn't have anything there, as Brad stated) without anyone else going on your account. How would they do that?

PS. I was already organising a party seeing you're not admin anymore. Dang it!!
They most likely did it through my computer, because I had RS open and was logged in; they had control of that through my computer, so they didn't log in on their comp, but rather controlled my character on my comp while I was logged in and black screened. Either with the Trojan, the exploit or both.

Judging by the date the java exploit was added to the database, it is very new, so I'm guessing the Trojan and w/e else is very recent too, which is no doubt why Housecall and MSE can't find it at all now and Symantec is only finding it as a generic Trojan, I'm guessing using heuristics, as it's not finding a specific Trojan, just saying that it has the behaviour of one (my java is and was up to date at the time I got this). I do actually enjoy this kinda stuff. But given the time it will take and I'm busy at work, I'll likely just reformat and reinstall Windows.

Not spell checked, posted from phone at work.

DoctorDRAG0N
KoA Alumni
Posts: 2031
Joined: Thu Oct 07, 2010 10:13 pm
RSN: DoctorDRAGON
Location: Indianapolis Indiana USA

Re: Still an admin, dont freak! lol

Post by DoctorDRAG0N » Mon Mar 05, 2012 2:36 pm

Geez-louize. hacked in-game....that's scary stuff. :o
Thanks for the warning Deep.

Deep_Pain
KoA Alumni
Posts: 6986
Joined: Wed Dec 05, 2007 6:00 am
RSN: Deep Pain
RSN2: Choose Life

Re: Still an admin, dont freak! lol

Post by Deep_Pain » Mon Mar 05, 2012 5:50 pm

Fairly interesting: scanned the TempJava file that Symantec found via virustotal.com.

Only 18/43 of the major AV programs out there detect it as a virus.

So I guess I can't be too upset at Microsoft, it's also being missed by McAfee, NOD32, Housecall, Comodo, Sophos, and a heap of others.

https://www.virustotal.com/file/69fce44 ... 330968769/

Antivirus 	Result 	Update
AhnLab-V3 	- 	20120305
AntiVir 	TR/Dropper.Gen 	20120305
Antiy-AVL 	- 	20120305
Avast 	Win32:Trojan-gen 	20120305
AVG 	Dropper.Generic5.AFON 	20120305
BitDefender 	Trojan.Generic.KDV.533287 	20120305
ByteHero 	- 	20120305
CAT-QuickHeal 	- 	20120305
ClamAV 	- 	20120305
Commtouch 	- 	20120305
Comodo 	- 	20120305
DrWeb 	Trojan.MulDrop3.37795 	20120305
Emsisoft 	Trojan-Dropper.Win32.Injector!IK 	20120305
eSafe 	- 	20120305
eTrust-Vet 	- 	20120305
F-Prot 	- 	20120305
F-Secure 	Trojan.Generic.KDV.533287 	20120305
Fortinet 	- 	20120305
GData 	Trojan.Generic.KDV.533287 	20120305
Ikarus 	Trojan-Dropper.Win32.Injector 	20120305
Jiangmin 	TrojanDropper.Injector.luo 	20120301
K7AntiVirus 	Riskware 	20120302
Kaspersky 	Trojan-Dropper.Win32.Injector.ctcf 	20120305
McAfee 	- 	20120305
McAfee-GW-Edition 	- 	20120304
Microsoft 	- 	20120305
NOD32 	- 	20120305
Norman 	- 	20120304
nProtect 	Trojan.Generic.KDV.533287 	20120305
Panda 	- 	20120305
PCTools 	- 	20120228
Prevx 	- 	20120305
Rising 	- 	20120305
Sophos 	- 	20120305
SUPERAntiSpyware 	- 	20120302
Symantec 	Trojan.Gen 	20120305
TheHacker 	Trojan/Dropper.Injector.cras 	20120305
TrendMicro 	- 	20120305
TrendMicro-HouseCall 	- 	20120305
VBA32 	TrojanDropper.Injector.crtx 	20120305
VIPRE 	Trojan.Win32.Generic!BT 	20120305
ViRobot 	- 	20120305
VirusBuster 	Trojan.DR.Injector!ux8kxPKBK1A 	20120304
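As an added example (not code from the thread or from VirusTotal): a small parser for the engine/result/update table quoted above. It computes the detection ratio, lists the engines that missed the sample, flags hits that are only generic or heuristic names (the "Trojan.Gen" point Deep_Pain makes in an earlier post), and separates misses from engines whose definitions predate the scan date. The embedded table is a constructed excerpt of 10 of the post's 43 rows; the row format is assumed from the post.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
class VtRow(NamedTuple):
    engine: str
    result: Optional[str]  # None when the engine reported "-" (no detection)
    update: str            # definition date the engine was using, YYYYMMDD
# Constructed excerpt of the table quoted in the post (tab-separated, 10 of the 43 rows).
VT_TABLE = """\
Antivirus \tResult \tUpdate
AntiVir \tTR/Dropper.Gen \t20120305
Avast \tWin32:Trojan-gen \t20120305
Comodo \t- \t20120305
Jiangmin \tTrojanDropper.Injector.luo \t20120301
Kaspersky \tTrojan-Dropper.Win32.Injector.ctcf \t20120305
McAfee \t- \t20120305
Microsoft \t- \t20120305
PCTools \t- \t20120228
Symantec \tTrojan.Gen \t20120305
VIPRE \tTrojan.Win32.Generic!BT \t20120305
"""
# Name tokens that mean "heuristic/generic family" rather than a specific identification.
GENERIC_TOKENS = {"gen", "generic", "heur", "riskware"}

def parse_vt_table(text: str) -> List[VtRow]:
    """Parse engine / result / update rows; skip the header and blank lines."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3 or fields[0] == "Antivirus":
            continue
        engine, result, update = fields
        rows.append(VtRow(engine, None if result == "-" else result, update))
    return rows

def is_generic(result: str) -> bool:
    return any(tok in GENERIC_TOKENS for tok in re.split(r"[^a-z0-9]+", result.lower()))

def detection_ratio(rows: List[VtRow]) -> Tuple[int, int]:
    return sum(1 for r in rows if r.result), len(rows)

def missed_by(rows: List[VtRow]) -> List[str]:
    return [r.engine for r in rows if r.result is None]

def generic_hits(rows: List[VtRow]) -> List[str]:
    return [r.engine for r in rows if r.result and is_generic(r.result)]

def stale_misses(rows: List[VtRow], scan_date: str) -> List[str]:
    # A miss from an engine whose definitions predate the scan says little about that engine.
    return [r.engine for r in rows if r.result is None and r.update < scan_date]
```

Run over the full 43-row table from the post, detection_ratio gives the 18/43 the post quotes; the excerpt here gives 6/10.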

Zaijal
Inactive
Posts: 501
Joined: Wed Dec 15, 2010 8:49 am
RSN: Zaijal
Location: Canada

Re: Still an admin, dont freak! lol

Post by Zaijal » Sat Mar 10, 2012 2:52 pm

Let me know if you need any help getting back on your feet and I can help you out :)

Deep_Pain
KoA Alumni
Posts: 6986
Joined: Wed Dec 05, 2007 6:00 am
RSN: Deep Pain
RSN2: Choose Life

Re: Still an admin, dont freak! lol

Post by Deep_Pain » Sat Mar 10, 2012 3:18 pm

Thanks, computer wise I'm all sorted though, and RS wise I was super poor anyway; I haven't really played much in the last 3 years, everything I did have had dropped in value massively, everything else I lost due to a year on DSL with "loading - please wait" at bosses lol

So they didn't get all that much, it's really just put me back to where I was a few weeks ago when I came back. Had a few kind offers to help out, but considering I had nothing in the first place, I think it would be a bit much to start saying yes to any of these offers, I'd be better off than before I was hacked lol.

But the thought is appreciated.

Dr Brad
KoA Alumni
Posts: 11697
Joined: Thu Jan 15, 2009 8:44 pm
RSN: Dr Brad
Location: near Washington, DC, USA

Re: Still an admin, dont freak! lol

Post by Dr Brad » Sat Mar 10, 2012 3:22 pm

Deep, I'll donate my entire weed collection to you. (not the smoking kind, sorry)