Account repeatedly hacked: Trying to get to the bottom of this

[Tack980]

I will confirm that this is not only true, but it's happened to me. Someone at Blizzard repeatedly removed my authenticator because of this, even after my account was flagged for what they called the "highest possible security" protocols. All it took was some asshole opening a petition with "lost my phone lol". Literally, "lost my phone lol". The GMs didn't even ask questions.

I didn't even realize that there was an option to kill active locations. Is that a new capability?

Now a-days to remove the authenticator you need to send in proof of id. that being said it's not to hard to do that....

[Freighter]

You would think that, but at least when i first put authenticator on, that was still possible. Not sure about now.

You have to actively select an option to make it require authentication upon every login.

[chazus]

For antivirus software, I would suggest Norton at least. Symantec's AV product currently is one of the best out there

I wouldn't bother with paid AV, especially Norton. It's one of the worse ones from my experience (experience being repairing 50-100 systems a week).

If you haven't already found it, and assuming there IS something in your system, AV is not going to find it. It will be something that they are designed not to find (like keyloggers or monitors)

It's more likely a loophole than software.

[Vulcanasm]

not to my knowledge. We will find out when I go home in 2.5 hours and post my processes.

I ask because I believe I had someone keylog me through a cracked version of ... lets say "a popular scientific computing language whose annual license is no longer affordable without student discounts", in which I had about ten thousand lines of code that I needed for research. Said program is Java-based. In simplest terms, no antivirus program would know how or where to scan it.

[Wramp]

after reading all of the above, here is my take and your choices (I am a Certified Network Security Specialist btw):
1.) i think your PC is either compromised by remote access or a rootkit that gives the hacker Administrator privileges.
2.) you are never going to get rid of the hacker unless you do a complete scan and removal for said rootkit, or by cleaning your active directory (User Account Database, or SAM repository) of ANY users that you arent 100% certain belong on there (research microsoft's online help for lists of required active directory accounts so you dont make Windows unbootable)
3.)i would suggest a complete wipe of your Hard Disk and re-installation of Windows with a scrutiny on making sure you turn off or disable ANY remote access services, this includes third-party access through paid software distributions.
4. Get a great Anti-virus (Norton has already been suggested here, or you can buy a Corporate product (BlackIce, BitDefender, which i recommend) for even MORE protection that includes IDS protections and services) and also a great malware monitor and removal system
5.) learn to use and understand your router's access tables and access logs, those will help you more than anything in finding out where said attack is coming from, and also will help you to lock out intuders from your router FIRST, there fore preventing any access to devices or your PC.

i know this all seems extreme and alot to do, but believe me you would rather have/learn all this stuff instead of trying to put your life back together after all your information, credit rating and money is stolen and used against you through a data breach that YOU are solely responsible for.

[Noomz]

And use a script blocker and/or ad blocker in the future. uBlock Origin and AdBlock are extensions I use together in Chrome that have often warned me or outright stopped sites from opening because of the security risk.

It is also worth remembering that any kind of adult websites you might visit are huge security risks, so don't go around Googling for adult stuff that takes you to random sites.

[Lathais]

Do you have SMS protect? This has been a life saver for me as I dealt with a similar situation years ago. The thing with the authenticator is, it will only ask for authentication if logging in from a new or unrecognized computer. If the hacker is spoofing you, it will not ask him for authenticator. With SMS Protect on the other hand any time a password is changed, authenticator added/removed or anything really, it will text you a code that must be entered. Turning on SMS protect and changing my password prevented getting hacked anymore.

- - - Updated - - -

Now a-days to remove the authenticator you need to send in proof of id. that being said it's not to hard to do that....

Not if you have SMS Protect. If you have SMS Protect, you can remove authenticator with a code sent to your phone. I just did this a few weeks ago as I started playing D3 again and my authenticator was on my old phone that I don't have anymore. So I had to remove it and it was easy with SMS Protect on.

- - - Updated - - -

Well. Yeah I suppose that's fine. Make sure you click a detailed view.

It would be nice to also see a list of installed programs on your computer. (Click the W10 search bar and type "add or remove program" and click the best match.)

-----

This may seem like a stupid question, but did you let anyone use your computer or give anyone your WoW login? Or done something stupid like posted a video of you logging in or anything like that?

It's hard to identify what the problem is based on what you said, but it's a bigger problem if your online passwords are stolen more than it is for some dumb WoW account.

I thought it was "Programs and Features" in W10?

[Tack980]

I thought it was "Programs and Features" in W10?

Either works, they bring up the same list.

[Lathais]

Either works, they bring up the same list.

Good to know I guess. I've been using Programs and Feature, which means I generally have to type out "Programs a" before it finds it, since there is something else not what I want that starts with Programs. Maybe "Add/" can get me where I want to go a little faster.

[david0925]

Good information. Thanks all

Slight minor issue that I was facing in the past 2 hours: when I was looking at my authenticator option on battle.net i accidentally unchecked "Enter an authenticator code every time I type my credentials in a game client or the Blizzard Account desktop app" and now it gives me an error every time i try to re-check it again. I will contact Blizzard about this as well.

[oakley1261]

I wouldn't bother with paid AV, especially Norton. It's one of the worse ones from my experience (experience being repairing 50-100 systems a week).

I work in the security field myself (I assume you do as well, if you are touching that many systems a week) But I have seen more people protected by Norton, than any other AV product (Free, or paid). I tend to see worse issues with the "free" AV solutions out there.

-oak

[chazus]

I work in the security field myself (I assume you do as well, if you are touching that many systems a week) But I have seen more people protected by Norton, than any other AV product (Free, or paid). I tend to see worse issues with the "free" AV solutions out there.

I've got a hand in both SMB and residential repair, and yeah. A lot of people are using those.. That doesn't mean they're 'protected'

I would say (just guessing, no actual numbers), about 30% have McAfee, 20% have Norton, 20% have AVG, and another 20% have everything else (Avast, Kasp, BitDef, fake progs) and 10% have nothing at all.

And all of those come in with multiple viruses and spyware. Even the one we sell (Webroot) has some, but much lower rates, however we also manage a lot of those systems so they get cleaned more often. I didn't want to say "I recommend Webroot because I sell it" but I certainly don't recommend anything else. Personally, I run no AV whatsoever on my own machines, because I feel they're a waste unless cleaning a specific thing... In which case, go free programs.


In this situation, I think it's a matter of configuring proper security and baselines (i.e. reformat)

[david0925]

Here are the screenshots
http://imgur.com/a/fslJt

And yeah, it looks like a mess that I should be cleaning up, with or without keyloggers

[Blueobelisk]

Here are the screenshots
http://imgur.com/a/fslJt

And yeah, it looks like a mess that I should be cleaning up, with or without keyloggers

It seems fine. The yundetectservice.exe looks weird but evidently you downloaded it when you installed one of the 60 anti-virus programs you got.

I'd still love to see what programs you have on your computer.

Again, if I were you I'd wipe the computer and reinstall Windows.

[Heathy]

when i had a keylogger i found it as some random numbered .dll running at boot using rundll32.exe i found it in the startup it was something like 923954294592.dll

have you checked all the programs loading with windows? i check startup weekly now to make sure nothing has magically added itself to there. ill admit it was a while ago around cata it happened for me.

[Aquinan]

A physical authenticator might be good to have as well