Hey, I just had an experience with a keylogger that resulted in the theft of my account, but the experience was so weird that I thought I should warn you all of the threat. I'm not sure where to put this thread, but people need to read it.
First of all, I have no idea how I got the keylogger, since I have never downloaded ANY third party programs related to Guild Wars except TexMod, which is not only considered safe but even condoned by the Anet employees. I never even visited gold-selling sites or anything, and the only guildwars-related sites I ever visit are this guru, guildwars.wikia.com, wiki.guildwars.com, and guildwars.com.
Now, this is what the keylogger did, and it was particularly weird and malicious, so you should be on the lookout for this:
I was playing guildwars normally, but when I switched characters it said that my password had been changed and I couldn't log on. For details on the original problem, see this thread:
http://www.guildwarsguru.com/forum/c...=1#post5191637
So, scared that I had been hacked, I contacted Arenanet support. They were fantastic, replying very quickly and helping me with everything. I got my passwords changed (both NCsoft and guildwars; for those who didn't read the other thread, which you should, my guildwars account was changed through my NCsoft account). I logged on using my new password, and was ecstatic to realize that nothing had been missing and that no one was able to get on the account!
The reason for this is that whoever changed my password through NCsoft was unable to log in, thanks to Anet's new-ish security feature of requiring character names to log in, which the NCsoft account does not carry.
Now this is where it gets weird, and really awful.
So, after about an hour of playing, I closed the client and opened it again to run texmod for cartography.
My account info was again changed, and I got a repeated code=227.
I tried to contact Arenanet Support about it again, but somehow all of the emails kept getting deleted from my mail inbox. After a few days of not receiving any emails from them, I suddenly noticed that my spam folder was empty. I went to it, and realized that the settings had been changed. Not only was spam set to delete automatically, but both the NCsoft and Guild Wars support emails had been added to my BLOCKED list.
So at this point, the keylogger was able to completely cut off communication between me and the support staff, ensuring them plenty of time to empty my account.
Now, I had no idea I had a keylogger, since I've never had one before, so I was just freaking out about all these random settings being changed on my computer. I didn't even consider that my account was in danger, because I figured that since the hacker couldn't get in before, it was still safe.
Once again Arenanet support was FANTASTIC, replying quickly and going above and beyond to help me figure out what happened to my computer. I didn't stop to wonder why I was suddenly getting emails back from them. It turns out it was because they were done stripping my account, but I didn't even think about that. The support team sent me instructions on using a program to try to find really deeply hidden malicious programs, and they personally analyzed the log I sent them and told me about a keylogger on my computer, and how to fix it.
I'm sorry I'm not very concise, but I wanted to give all of the details. For those who don't care about all that, here's the TL;DR version which might help you not fall victim to this again:
TL;DR VERSION:
My NCsoft account was hacked, and my guild wars and NCsoft passwords were changed, but my account was still safe since they didn't have my character name.
I got a password and name change from arenanet support, thought the matter was done, and immediately signed onto guildwars, using my new password and character name.
I was able to play for an hour, when I was kicked off.
This time, I was hacked for REAL, because the second logging on gave them the character name (normally, my character name is automatically filled in by the "remember my account details" in the client, so I never type it in).
I lost all of my stuff, my survivor was killed (I have no idea why, I think just spite...) and my account was generally mutilated. I lost over 1000k, 100-ish ectos, and my whole collection of rare minis that I spent years collecting.
So don't fall for this again. If your account information is changed and Arenanet helps you get it back, DO NOT IMMEDIATELY LOG ON TO SEE IF YOUR ACCOUNT IS OK.
If you MUST log on, DO SO ON ANOTHER COMPUTER.
I've never been hacked before, and never thought it'd happen to me, since I followed all of the TOS and never did anything illegal or stupid regarding guild wars.
This was the entry on HijackThis that contained the keylogger (my brother fixed it for me, so I don't really understand the mechanics, hope this helps):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
Anyway, if you read the other thread above, you'll notice that both my account and my brother's had their passwords changed. However, while mine was hacked for real, all of his stuff is ok, for one reason: HE DID NOT LOG ON AGAIN AFTER GETTING THE PASSWORD RESET INFORMATION.
I hope this is clear, and maybe one of you can make sense of the above drivel and find a way to make it more clear so people can understand it. This was really awful, and I just wanted to warn more people about it.
Thanks for reading, I sincerely hope this does not happen to any of you. If this post protects even one person from getting their account hacked, I guess it would be worth it.
Good luck.
Warning on intricate Keylogger
Ailina
Tarun
Quote:
This was the entry on HijackThis that contained the keylogger (my brother fixed it for me, so I don't really understand the mechanics, hope this helps):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
http://www.systemlookup.com/CLSID/54865-wlchtc_dll.html
Quote:
Windows Live messenger? OP clicked on one of those links that appear on offline chats? Something like '' Just found this video of you xx6hyU.xx/w1''
That's the only thing I can remember from Windows Live that can give these sorts of things.
As this thread continues to dance the line of flames, I'm closing it. The warning has already gone out. If you feel you're being flamed or it's close to it; don't add fuel to the fire, report it.
If people think they're infected, pick up my Anti-Malware Toolkit from Lunarsoft and refer to my PC Cleanup page. Once you've got a clean bill of health, the PC Security page is a recommended read.
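A triage sketch for the HijackThis line quoted above, added here as an example (not code from any poster or from HijackThis itself): it pulls the O2 (Browser Helper Object) entries out of a log and lists the reasons each one needs a manual CLSID lookup like the one linked in this reply. The function name, the reviewed-CLSID list and every sample line except the first O2 line are assumptions made for the example.

```python
import re

# Shape of a HijackThis O2 line: O2 - BHO: <name> - {CLSID} - <file>
O2_LINE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s+-\s+"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\s+-\s+(?P<file>.*?)\s*$"
)

def triage_bhos(log_text, reviewed_clsids=()):
    """Return one dict per O2 entry, with the reasons it needs manual review."""
    reviewed = {c.upper() for c in reviewed_clsids}
    findings = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (O4, O23, ...) are out of scope
        clsid = m["clsid"].upper()  # CLSIDs compare case-insensitively
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("no name")
        if m["file"] == "(no file)":
            reasons.append("no file")
        if clsid not in reviewed:
            reasons.append("CLSID not reviewed")
        findings.append({"clsid": clsid, "name": m["name"],
                         "file": m["file"], "reasons": reasons})
    return findings

# The first O2 line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-0000000000AA} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

if __name__ == "__main__":
    # Hypothetical list of CLSIDs an administrator has already looked up.
    reviewed = ["{00000000-0000-0000-0000-0000000000aa}"]
    for f in triage_bhos(SAMPLE_LOG, reviewed_clsids=reviewed):
        status = ", ".join(f["reasons"]) or "ok"
        print(f'{f["clsid"]}  {f["name"]!r}  {f["file"]!r}  -> {status}')
```

A listed reason means the entry should be looked up by hand, not that it is confirmed malicious.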
Lord Sojar
This behavior is unacceptable! I am taking the liberty to delete ALL OF THE POSTS minus the OP's from this thread. It will remain closed as well.
Shame on the lot of you! This is a technical forum, and will be treated as thus. Pokemon? Insulting people's avatars? Let this be a public notice; this is unacceptable. Future threads that take this degenerate route in this forum will see far more strict moderation. This is the first and last warning you will receive in regards to this behavior. You know who you were, and that will be the end of this.