I logged in yesterday and found my main character stripped of all items except mount, hearthstone, quest items and bags. My lowbie alts were untouched and my password wasn't changed.

It seems i was another victim of the svchqs trojan floating around the official wow forums from video links (check the big sticky in the official tech support forum).

I told blizzard and they of course locked my account for security purposes and now i have to prove to them that i am the true owner of this account with a verification form and photo ID. Then they will try to restore my items (but probably not the gold i lost due to stupid policies against giving out "free" gold).

Anyone else been in a position like this and how long did it take for blizzard to restore your lost characters/items ?

I checked the official sticky on those forums and seemed to range from one day to a month or more!

My friends account was stolen, the second we found out we called tech support and were able to validate that he was infact the real owner of the account, they changed the pass right away and we logged in and everything was still intact. We got lucky enough to catch it before his toons got stripped.

Another friends account was hacked and stripped, he was left logged out in the middle of the desert(badlands) naked, even his hearthstone was gone.
Blizz refused to restore his items, go figure :rolleyes: its good to know that your $14 a month and $50 fee for the game is going to good use in protecting our accounts and gameplay experience.

Sent in my fax info saturday afternoon and had my access restored saturday evening

looks like my warrior is still stripped

i sent in a GM ticket but the GM said the "investigation is continuing", hopefully it will take them less than a few centuries

after reading some more on the customer service forum it seems that this keylogger might actually be getting through blizzard's own auto-downloading program in the background!

i noticed myself that something was funny because wednesday afternoon i logged in and for a brief moment the login process said "sending information to (didn't catch last part)" and that afternoon was when i got the trojan (svchqs)

other people posting on the customer service forum relating to this said they had antivirus programs and firewalls running constantly yet this keylogger crap still got through and got their password

either these keyloggers are all due to bad links on the official forums or there is also some serious exploit occuring with the blizz downloader

I logged in yesterday and found my main character stripped of all items except mount, hearthstone, quest items and bags. ....


Glad to hear that Blizz is investigating.

On the prevention side, however, have you taken measures to prevent it from happening again?

1. have you updated/installed a virus checker to catch the trojan before it does harm?

2. Have you installed/verified a firewall?

i had the "svchqs" process in my task manager wednesday and since my warrior was naked on thursday i assume the hackers got in overnight between those two days

i also had the "svch0st" (0 not o) process in my task manager for a while which is a keylogger as well but i don't believe it was responsible for this hacking since i got it months ago

last tuesday i watched some raid videos on google videos and youtube.com and didn't download anything else or visit any other sites that would be even remotely suspicious

after reading a pdf file with the latest trojans and keyloggers i removed all files associated with svchqs and svch0st

i have used firewalls and various antiviruses in the past and at some time or another they eventually let something through which ends up corrupting the protection programs themselves as well, which inevitably leads me once again to format my windows partition

i will format my windows partition again soon just to be certain as windows is guaranteed to start going to crap in terms of performance every few months even if you are careful about installing, uninstalling, registry, defragmentation, etc.

i have used firewalls and various antiviruses in the past and at some time or another they eventually let something through which ends up corrupting the protection programs themselves as well, which inevitably leads me once again to format my windows partition



I think you are focusing on a good issue, but only half of it. It seems like you are justifying not using a virus proggie...which is fine, since it is your computer.

If you have decent virus and firewall progs and use them properly, you'll likely never get the thing that corrupts the proggie...

Mine (firewall and virus) updates every 24 hours, and I haven't had a problem in a very long time.

What's the best way to tell if you have one of these trojans? Is it from the processes running, or are they processes hidden?

i also had the "svch0st" (0 not o) process in my task manager for a while which is a keylogger as well but i don't believe it was responsible for this hacking since i got it months ago

Getting paranoid :-)

Please, for my peace of mind, can you confirm that 'svchost' with an o not an 0 is okay? Because it's running in my processes and my computer's not as secure as it could be...

I did wonder if I'd been reversed hacked earlier tonight as I logged into a character I haven't played for ages and all she had in her bags apart from her hearthstone and a couple of potions were loads of really good green items that I really don't remember being there before :undecided:

I have 6 different processes all under the name svchost.exe....
http://www.processlibrary.com/directory/files/svchost/index.html
that is what processlibrary.com defines svchost.exe as.... as as far as
svch0st.exe (the number 0)
http://www.processlibrary.com/directory/files/svch0st/index.html
which is a trojan.....


Concluding if you have svchost running you're fine but svch0st is a problem....

I'll see if i can find a easy solution to ridding this problem....


-Maniac

I have 6 different processes all under the name svchost.exe....
http://www.processlibrary.com/directory/files/svchost/index.html
that is what processlibrary.com defines svchost.exe as.... as as far as
svch0st.exe (the number 0)
http://www.processlibrary.com/directory/files/svch0st/index.html
which is a trojan.....


Concluding if you have svchost running you're fine but svch0st is a problem....

I'll see if i can find a easy solution to ridding this problem....


-Maniac
Many thanks for this and the links, much appreciated :smiley:

The process "svchost" is a normal process, it's when you see "svch0st" or "scvhost" that you should ring the alarm bell.

I too was hit by this. I think I've gotten if all out of my computer however I dont' know where I got it from. All Iknow its my characters were striped but I lost all my gold, and i just about had my epic mount done. Oh well now I gotta find a way to send off my info to get my account going again. If anyone figured out exactly where this came from let me know. I did download a couple Add ons but they don't seem to have the problem on them.

i doesn't matter whether u even see anything in your task manager or not. the good hackers (too many darn script kiddies) will hide it in another proccess using dll injection, usually explorer.exe. there are no guarentees. the best way is to get good heuristic anti-virus and a system protector that doens't let programs mess around with other programs ( no dll injection). finally a good firewall would prevent trojans from sending information out (by asking you first whether to allow it access to the internet)

Alright now i'm even more confused/angry

I just checked my task manager and now i had the svchs keylogger in there!

It said it was created about a half hour ago and all i was doing at the time as far as internet use is concerned was looking through this site/forums and looking at the official wow main site and main forum link there (not looking at any links in the forums themselves).

I removed all the registry entries that would generate this keylogger upon starting wow or restarting the computer which means that some goddamn wow address on the internet gave me this damn type of keylogger again, it even has the same damn "jiahus" entry in the run folder of the windows folder in registry.

I'm going to format my windows partition and install some firewalls (which won't help me anyways because they never have in the past) but this is really getting on my nerves that essentially anything related to wow on the internet can have a downloader inside the link that automatically downloads keyloggers into your registry and system folders. Of course formatting my windows partition and installing AV/firewalls still will probably not stop some keylogger from being shoved into my registry again when i visit a wow site.

Blizzard really needs to do a better job of moderating THEIR forums because those official forums are costing their customers a lot of accounts.

The trojan comes from this site and is embedded in an ad. The file that installs the trojan is 001.jpg that comes from the website hxxp://www.woo.ne.jp.

So please make sure that the ads running on the site is free from malware in the future!

i noticed myself that something was funny because wednesday afternoon i logged in and for a brief moment the login process said "sending information to (didn't catch last part)" and that afternoon was when i got the trojan (svchqs)


I got that message as well last week. Was way to fast to read it and haven't seen it afterwards. My boyfriend had it as well on his pc. Since it was after a maintenance day I thought it might be related to that. I got virus scan, add scan, firewall installed, do not use IE. I didn't have any troubles with my passwords so far, but reading that you got hacked after you had this message while logging in scares me a bit. Can anyone confirm if this message comes from Blizzard or is really a hack?

Dwiezel

For the paranoid, this is a handy program:
http://www.sysinternals.com/Utilities/ProcessExplorer.html

It will list what programs are actually running, and it has an option to check if the files are digitially signed.

(Also, i hate to say it but ui.worldofwar.net has been infected again it seems..)

i got owned too.. cant login (blizz put my account on hold).. i hope my toons are ok..

that sucks. =(

Well i figure i'll throw my two cents in as well. Here is what happened.

Last week on tuesday i got a lovely e-mail from blizzard stating my account was locked due to suspicious activity, blah blah blah.... So i log on, and wham...my password has changed and i can't access my in game character. So i went and reset it using the secret question and anwser. My friend who is staying with me shares his laptop with me when i play WoW and the day before i was cleaning up his startup progrmas list and i noticed svch0st.exe, (Btw norton did not detect it and neither did Ad Aware) So i quarantined it anyways and deleted it, told my friend right away and he changed his password. Well apparently by the time i discovered the keylogger my account was already FUBAR.

Well by wed. I e-mailed blizzard twice, no response, so i called blizzard on thursday and was told they will send me a list of things i need to provide that i am who i am and that the WoW account is mine. Friday nothing, Saturday, still nothing, sunday..well you get the idea. Monday i call again, same thing, "we will send you out the information to get you account unlocked" Tuesday nothing wed, nothing etc. Four e-mails and phone calls later (With an avg hold time of 20+ minutes for each call), nothing. Not even a status update or "hey we are still looking into your account"

Now the reason i am so irked is the fact that i don't have a lot of time to play WoW (I'm an active duty soldier with three kids and a wife) and when i do get to its my kind of my time to do my thing and relax. Basically i shelled out $15 dollars for a monthly fee and $40 for the game, now i am not to worried about my in game character as it is only a lvl 10 druid so i can start over if need be, but i really wanted to get on and play with my friend now that i have a new computer, but i cant. And as usually the account department can be contacted only by e-mail.

Does anyone have any ideas on what else i can do? I am considering just cancelling my subscription and renewing my planetside one as blizzards help in this has been subpar.

Thanks.

If you look at the forums you can see more and more people are getting infected. I think Blizzard are being swamped by this at the moment. I'm not sure there is anything to do but wait, unfortunately.

lol, its looking at these forums thats getting people infected. its all over this site, every page i go to tells me it blocked the virus. i lost all my gear on all my chars as well, and VirusScan lets me know that its coming from all over this site. an official big thanks to worldofwar.net

I've been on these forums daily, offering my help mainly in the Tech Support.... and to this day I havn't experienced a single problem... and I dont even have any sort of anti-virus software installed on my PC..... I highly doubt that this site is to blame for this problem....

-Maniac

no, its not to blame for all the outbreaks, but its where i got the trojan from. now that ive updated my software it catches it everytime, but it is still too late, as all my charactors are naked and locked down now. the keylogger shows up all over thist site with the new VirusScan software, and i was using this site earlier in the day before my account got ganked. maybe i'm making far-fetched inferences or maybe i'm just adding 1 + 1 here, but those are the facts in my case. either way im stuck typing on here and not playing, since my account is worthless atm.

It's weird that most of the people affected have taken all precautions with their internet security (firewalls etc.) Yet those who haven't, haven't experienced problems like this.

I hope Blizzard do return all of your items though, I've spoken to people who haven't received anything back..

so is this site safe yet?

when i was re-infected before the keyloggers popped up when i accessed the front page of worldofwar.net again

in the official wow forums that are a few posts in which many people are stating they also received keyloggers upon visiting the site, i assume the front page

has this site been spoofed or is there really an infection?

as for my warrior i had him restored a week after submitting the fax info

he had most of his gold, all of his equipped items but no potions, bandages, trade goods (eg. bars/cloth) and some quest items

so is this site safe yet?

has this site been spoofed or is there really an infection?


Link (http://forums.worldofwar.net/showthread.php?t=376737), link (http://forums.worldofwar.net/showthread.php?t=376905) and link (http://forums.worldofwar.net/showthread.php?t=377093).

Issue has been resolved at this point.

"Issue has been resolved at this point."

Resolved for who??????

I still can not logon. I still do not have my character and items back and its been 10 days.

Blizzard has the logs and the tools to fix this. They choose instead to give their paying customers a hard time and not punish the criminals who stole their accounts.

The Asian gold farming gangs, the account hackers and the gold selling web sites could be shut down tommorow if Blizzard wanted to.
They have the logs and the tools.

This is absolutely the last Blizzard product I buy, I am at a point now of being so pissed at Blizzard I am not sure I can even enjoy playing WoW again if I finally do get my character back.
Please no lame ass defences of Blizzard they did sqaut, and continue to do squat to protect their customers.

"Issue has been resolved at this point."

Resolved for who??????

I still can not logon. I still do not have my character and items back and its been 10 days.

Blizzard has the logs and the tools to fix this. They choose instead to give their paying customers a hard time and not punish the criminals who stole their accounts.

The Asian gold farming gangs, the account hackers and the gold selling web sites could be shut down tommorow if Blizzard wanted to.
They have the logs and the tools.

This is absolutely the last Blizzard product I buy, I am at a point now of being so pissed at Blizzard I am not sure I can even enjoy playing WoW again if I finally do get my character back.



. The WOW community alone is somewhere near the 7-8Million player range today.... and that is just one of their titles.... so just put in into prospective, and realize that with all of the people who buy and play blizzard games, so if someone doesn't get immediate results, One should assume that there are prob. at any given moment (complete guesstimate) 500,000 players out that that need help at one time.... be patient.....

Blizzard they did sqaut, and continue to do squat to protect their customers.

Why should blizzard protect their customes from UnOfficial Sites... We all take a risk, some more than other who don't have any protection software, when visiting web-sites....

The Bottom line, you pay for this game you can stop at any point of time you want....


-Maniac

"Issue has been resolved at this point."

Resolved for who??????


Users of this board, who are worried about catching something.



I still can not logon. I still do not have my character and items back and its been 10 days.


You're not exactly the only person who's been hit. It's simply a matter of available manpower vs number of victims vs need to investigate if their claims are correct, (and yes there are plenty of folks who are trying to make a quick buck out of this whole scenario) vs the regular tasks which their staff have to contend with.

I have little doubt, that this is not any comfort to you, and that you'll find it completely unacceptable. Unfortunately, it's the reality we all have to deal with, whether we like it or not..



Blizzard has the logs and the tools to fix this. They choose instead to give their paying customers a hard time and not punish the criminals who stole their accounts.

The Asian gold farming gangs, the account hackers and the gold selling web sites could be shut down tommorow if Blizzard wanted to.
They have the logs and the tools.


Getting them shut down would involve lawsuits (and when dealing with foreign nationals residing elsewhere things always get more complicated), which take time and a lot of money, and there's always the risk of precedent, which would make things harder for the entire industry.

It's a simple cost vs benefit equation.

Especially, when one considers that taking proper precautions (firewall, virus scanner, malware scanner etc etc etc) is a burden which falls upon the shoulders of the end user. If they choose not to bear that burden, then there is little that Blizzard can do as well.


This is absolutely the last Blizzard product I buy, I am at a point now of being so pissed at Blizzard I am not sure I can even enjoy playing WoW again if I finally do get my character back.


Want to give a clear message that you deem their service unacceptable? Then quit. Money talks in the end.

And will this also mean, you will no longer make use of our facilities here?


Please no lame ass defences of Blizzard they did squat, and continue to do squat to protect their customers.

*shrugs*

Have simply stated facts, if you wish to disagree, then that is your choice.

I do have to request that you take some of the heat from your posting. While, I can understand your frustration and need to vent. Still, it is rather close to trolling. And it's quite easy to slip over that thin line and that would be an unfortunate occurence, because it would necessitate additional action by myself or another Mod.

Please no lame ass defences of Blizzard they did sqaut, and continue to do squat to protect their customers.

I don't defend blizz, but there is/was something YOU the USER can do...Protect your comp with good tools....virus checkers, firewalls, etc. Not the free stuff, but stuff that works...

I sympathize, and HATE hackers that took your crap....Please do what YOU can do, in addition to complaining about others....


Getting them shut down would involve lawsuits (and when dealing with foreign nationals residing elsewhere things always get more complicated), which take time and a lot of money, and there's always the risk of precedent, which would make things harder for the entire industry.


No way...It would not take a SINGLE lawsuit to shut down many/most of the gold sellers...

It takes the use of technology...and motivation...It is a problem, to be sure, but not one that is unsolvable with reasonable dedication of resources.

However, it has to be a business decision to move such an effort forward. We do not have info as to Blizz's prioritization of that effort.

what i don't understand is why is it soooo forking easy for a person to change their Password... when you get hit by a virus (mainly cuz your anti virus hasn't be updated) and the "hacker" gets your information and then goes to Account managment then changes your Pasword then logs you out and you can't get back in cuz your PW is different.

why doesn't Blizzard have a "you must answer 3 secret questions before you can change your password" (and it's sent Encrypted) that would stop most of the account thiefts.

some secret questions i have seen are:
1. your fathers middle name
2. your mothers maden name
3. city you were born in
4. last 4 of your social security number
5. your first pet's name
6. your favorite color
7. what high school you went to

if you can't answer correctly the 3 questions the first time (these are no brainer questions if you are the true account holder) then your account is locked and you have to call billing to get it unlocked.

I've been on these forums daily, offering my help mainly in the Tech Support.... and to this day I havn't experienced a single problem... and I dont even have any sort of anti-virus software installed on my PC..... I highly doubt that this site is to blame for this problem....

-Maniac

you must be either useing a *NIX or a Mac box.... if your not and your on a M$ system and you don't have an anti virus program, then you sir are a moron :shocked:

you must be either useing a *NIX or a Mac box.... if your not and your on a M$ system and you don't have an anti virus program, then you sir are a moron :shocked:


No sir I am not a moron, I just have the understanding and knowledge of a good hard and software firewall.

I do Indeed have XP on this particualr PC, i watch my incomingand out going traffic very closely.... it's a matter or knowig everything that comes into and out of your pc...... :thumbsup: :thumbsup: :thumbsup:

-Maniac

Why are the gold sellers being blammed? Can't it be some prepubescent kid that is a little too smart for their own good? Or maybe some Nerds that got mad they can't play WoW for crap?

Just wondering. (Does the US government track these people down?)

Actually, this would be a ca of worms if they did try to persue these guys. I guess they'd have to do it on the premise on the viloation of privacy?

Why are the gold sellers being blammed?

Because they are the ones getting rich off this.

If people didn't buy gold then there would be no market for gold selling. People would not have their accounts hacked and gear sharded, because the gold has no real world value.

Why are the gold sellers being blammed? Can't it be some prepubescent kid that is a little too smart for their own good? Or maybe some Nerds that got mad they can't play WoW for crap?

Just wondering. (Does the US government track these people down?)

Actually, this would be a ca of worms if they did try to persue these guys. I guess they'd have to do it on the premise on the viloation of privacy?
well one reason is this

The file that installs the trojan comes from the website hxxp://www.woo.ne.jp now we all know that the .jp is from Asia if you google the woo.ne.jp it also shows that it is from Asia.... so you tell me why we are blameing the Asian Gold Farms

No way...It would not take a SINGLE lawsuit to shut down many/most of the gold sellers...

It takes the use of technology...and motivation...It is a problem, to be sure, but not one that is unsolvable with reasonable dedication of resources.

However, it has to be a business decision to move such an effort forward. We do not have info as to Blizz's prioritization of that effort.

Small correction then, the only legal way to shut them down is by... etc etc.

Granted, there are other ways of taking them down, but if that can be traced back to you. Even with Blizzard's recently acquired wealth, that would open up a very very big cesspool, especially in nations where the judiciary like to have their palms greased, and where governments thrive on protecting their "national interests" (even if said interests violate international law/agreements).

Microsoft might have the muscle to pull it off, but they know it would boil down to commercial/political suicide. Blizzard isn't even close to Microsoft's league in that sense.

Small correction then, the only legal way to shut them down is by... etc etc.

Granted, there are other ways of taking them down, but if that can be traced back to you. Even with Blizzard's recently acquired wealth, that would open up a very very big cesspool, especially in nations where the judiciary like to have their palms greased, and where governments thrive on protecting their "national interests" (even if said interests violate international law/agreements).

Microsoft might have the muscle to pull it off, but they know it would boil down to commercial/political suicide. Blizzard isn't even close to Microsoft's league in that sense.

What I hear you suggesting, but I believe you don't intend, is that the use of technology to shut down the gold sellers isn't legal...I'm not talking about tracing connections...I'm talking about using information that blizz itself probably has already collected...

surely you aren't suggesting that you think a gold seller would sue blizz for being locked out...heh

maybe you could explain your last two paragraphs differently...

What I hear you suggesting, but I believe you don't intend, is that the use of technology to shut down the gold sellers isn't legal...I'm not talking about tracing connections...I'm talking about using information that blizz itself probably has already collected...

surely you aren't suggesting that you think a gold seller would sue blizz for being locked out...heh

maybe you could explain your last two paragraphs differently...

The use of technology in a certain way can be illegal, yes.. :evil:

You're talking about just trawling through Blizzard's own DB and banning all accounts and preventing them from signing up again. That's doable, though it'll take quite some manpower.

Problem is, it's quite easy to circumvent such measures. Company requests CC's for employees, and employees sign up with them and the whole song and dance will start over again. Especially, when you consider how common certain last and first names are in certain nations. Take Chang or Zhang in China for instance.. In 1997, there were 100 million Zhangs. So, something like D. Zhang, born in 1960 somewhere. You could have several million of folks, who all meet those requirements. Can't exactly ban them all, due to the risk of banning legit clients as well. Toss in rotation of the personel base and constantly getting new CC's. And, it's probably more of a hassle than it's worth.

As of what I was thinking.. A slightly more permanent, or at least expensive for the goldselling company, solution.

Not sure if you know this, but iirc, Microsoft hired some, now ex-, hackers to help safeguard their own business systems. Chaps like that earn topdollars. Several governmental organizations do the exact same thing. Just, because those guys have gone legit, doesn't mean, they've forgotten their old skills.

And a nasty hacker can do a real number on your rig. See what I'm driving at. :evil2:

Buying new games, for new accounts is a relatively inexpensive exercise for these companies, due to the profit margins. Certain other expenses.. They'd seriously cut into the profit margins. Potentially, making it unprofitable.

Plenty of risk associated with such capers though, and that's what I was referring too.

So that means three "solutions":
- The only effective legal way to get them to shutdown is by way of lawsuit. Still plenty of risks there though.
- Another legal way is by way of coming through your DB and perma-banning folks, but that requires a lot of manpower and there are fairly simple ways of getting around this issue.
- And there are less than legal ways, which would be highly effective, but which would be a PR nightmare, in addition to the issues of criminal proceedings etc.

Clearer now?

The use of technology in a certain way can be illegal, yes.. :evil:

You're talking about just trawling through Blizzard's own DB and banning all accounts and preventing them from signing up again.

The first statement is true, but your second statement (which is unrelated to the first), is false....

I am not talking about blizzard banning all of anything...What I am suggesting is that Blizz has the capability to weed out gold sellers, and that several options exist to do so.

It isn't clear to me why you believe you have come up with an all inclusive list of solving the problem...and eliminated the choices you don't like, after mischaracterizing them (IMO)...

The first statement is true, but your second statement (which is unrelated to the first), is false....

I am not talking about blizzard banning all of anything...What I am suggesting is that Blizz has the capability to weed out gold sellers, and that several options exist to do so.


Ok, the saying of assumption is the ..... fill in the rest of the quote.. applies then.

And which options are those??



It isn't clear to me why you believe you have come up with an all inclusive list of solving the problem...and eliminated the choices you don't like, after mischaracterizing them (IMO)...

Uhm.. I don't think I said I had an all inclusive list. I just listed the things that I can think of. If, you've got something else, then I'm quite willing to hear it.

Also, mischaracterizing them? I pointed out both the positive and negative aspects of each "solution", least as far as I can see them. Again, you got something to add, then do so.