
Demonbuddy Beta infected

I don't want to flame or anything, but if our information was going somewhere, why don't they use it for something, like cleaning out the accounts for profit? :p
I have a WoW account with more than 1 million gold, same as the Diablo one that I used to bot, and it's not touched; they could be gathering information for months and then sell it all to Blizz maybe?

To be honest, Blizzard would not buy details, because they can be taken to court for buying such details and, furthermore, for supporting an infection; Blizzard would not take the risk or responsibility for that.
 
Here is my official version (virus source code from the packed executable is attached!):



How the virus works:

1) If you click the launcher, the executable vanishes and nothing happens.
2) The virus injects itself into the system service (svchost.exe).
3) Now it downloads the virus (it's a password stealer :-( ).
4) The virus is located in WINDOWS\Temp, named atixxx.tmp.
5) If you reboot, it gets loaded by AMDEX2.msi.


These were my infected registry paths:

Code:

Local_Machine\SYSTEM\ControlSet001\Services\6to4\Parameters\ServiceDll AMDEx3.msi
Local_Machine\SYSTEM\ControlSet002\Services\6to4\Parameters\ServiceDll AMDEx3.msi
Local_Machine\SYSTEM\CurrentControlSet\Services\6to4\Parameters\ServiceDll AMDEx3.msi

How to remove manually, FOR PROS!!!:
1) Open cmd.exe
2) Enter regedit
3) Search for the registry keys I provided above.
4) Delete all keys that contain AMDEx...
5) Reboot the system.
6) Go to Windows\Temp and delete atixxx.tmp
7) Go to Windows\Installer and delete AMDEx....msi
That should remove the Virus


This Tool detects and can remove it:

I found the tool Malwarebytes. It detects and can remove the virus. Please follow the instructions on the Malwarebytes homepage.

Malwarebytes Anti-Malware - CNET Download.com



For all who are interested in the virus code, this is what I could recover from it:

[C] Virus >.< - Pastebin.com
[C] Virusv2>.< - Pastebin.com
N/U pastebin


Regards from Hamburger and from Crawli ;-)
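As an added example (not code from the thread, from Bugser, or from the buddy team), here is a report-only PowerShell check for the indicators the post above lists: the 6to4 ServiceDll value in each control set pointing at an AMDEx*.msi file, ati*.tmp in Windows\Temp, and AMDEx*.msi in Windows\Installer. The function name Get-AmdexIndicators and the widened wildcards are my assumptions (the post gives both AMDEX2.msi and AMDEx3.msi, and the ati file name with xxx, so the patterns cover either numbering); it assumes PowerShell 4 or later for Get-FileHash. It deletes nothing, so it can be run before following the manual steps, and the recorded SHA-256 lets you keep or report the sample before removal.

```powershell
# Added example, not from the thread. Report-only check for the indicators
# described in the post: 6to4 ServiceDll -> AMDEx*.msi, Windows\Temp\ati*.tmp,
# Windows\Installer\AMDEx*.msi. Function name and wildcards are assumptions.
# Run from an elevated PowerShell (4+) prompt; nothing is modified or deleted.

function Get-AmdexIndicators {
    $findings = @()

    # 1) ServiceDll of the 6to4 service in every control set. The post lists
    #    ControlSet001, ControlSet002 and CurrentControlSet; enumerating
    #    HKLM:\SYSTEM catches any others present. A service DLL is normally a
    #    .dll under System32, so a value naming an .msi file is flagged.
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }
    foreach ($cs in $controlSets) {
        $paramKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\6to4\Parameters"
        if (-not (Test-Path $paramKey)) { continue }
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $findings += [pscustomobject]@{
            Kind       = 'Registry'
            Location   = "$paramKey\ServiceDll"
            Detail     = $dll
            Suspicious = ($dll -match 'AMDEx') -or ($dll -notmatch '\.dll$')
        }
    }

    # 2) Files named in the post. The SHA-256 is recorded so the sample can be
    #    kept or reported to an AV vendor before it is removed.
    $fileChecks = @(
        @{ Dir = Join-Path $env:SystemRoot 'Temp';      Pattern = 'ati*.tmp'   },
        @{ Dir = Join-Path $env:SystemRoot 'Installer'; Pattern = 'AMDEx*.msi' }
    )
    foreach ($fc in $fileChecks) {
        if (-not (Test-Path $fc.Dir)) { continue }
        $matches = Get-ChildItem -Path $fc.Dir -Filter $fc.Pattern -File -Force -ErrorAction SilentlyContinue
        foreach ($f in $matches) {
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{
                Kind       = 'File'
                Location   = $f.FullName
                Detail     = "$($f.Length) bytes, modified $($f.LastWriteTime), SHA256 $hash"
                Suspicious = $true
            }
        }
    }

    # 3) For context: is a service named 6to4 registered, and in which process
    #    does it run? Reported alongside the registry finding, since the post
    #    says the loader lives in svchost.exe.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='6to4'" -ErrorAction SilentlyContinue
    if ($svc) {
        $regHit = @($findings | Where-Object { $_.Kind -eq 'Registry' -and $_.Suspicious }).Count -gt 0
        $findings += [pscustomobject]@{
            Kind       = 'Service'
            Location   = "6to4 (PID $($svc.ProcessId))"
            Detail     = "$($svc.State); image: $($svc.PathName)"
            Suspicious = $regHit
        }
    }

    return $findings
}

$results = @(Get-AmdexIndicators)
if ($results.Count -eq 0) {
    Write-Host 'None of the indicators from the post were found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

A clean result from this check only means these specific names were not found; the post itself points at Malwarebytes for a proper scan, and the other control sets and the file hashes are there so a finding can be compared against what the AV tools report.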
 
I'm interested. How many of you that got infected downloaded DB from an alternate site OR downloaded someone's "custom trinity giles" folder or some shit (on these forums or somewhere else) that included the full DB folder? I've been botting Diablo III since it came out and I haven't received any viruses.
 

I skipped a step and just deleted my registry; fixed the virus.
 
They should call the next beta "bugsy express build" after the guy who saved a lot of people's accounts.
 
Buddyteam had it earlier (months+ ago) in one of the HB or Arelog builds, I'm pretty sure now.

First symptom is strange behavior of Arelog. It often throws random errors and bugs (during login, since the trojan that steals your account data conflicts with how Arelog logs in; at least it was like this in the previous Arelog build). No one was reporting such Arelog errors at that time, so I decided this was because of the VMs; later I figured this was because of the trojan.
So yeah, this is how the data leaked; now I am still unsure how the hackers bypassed the IP lock. But I guess I just let them in myself by resetting my password during one of the IP locks (I decided I fcked with IPs since I use ***s). So after the reset they logged in and I lost all my gold in guild banks, and they left "dgkjdhgdkh" characters in the Barrens (noticed the characters later). This happened to 4 VMs/4 accounts. Funny thing: after seeing my auctioneers had no gold to even post auctions, while I was clearly sure they had like 40k+ each, I was still sure it was something wrong with me or the profiles, and even reported that the AH bot profile loses gold to nowhere, lol. Later I finally figured it was simply hackers who dumped all my gold, lol, and noticed the "jdhgjgljkl"-alike characters in the Barrens. After I cured it, Arelog started working perfectly without errors.

Now seeing the same atixxxx trojan I am completely sure it was Arelog/HB. I mean there is nothing but Arelog/HB/open***/Windows on my VMs.
I have completely isolated virtual machines and that atixxx sneaked in somehow; the only way really is HB/Arelog.
It was months ago and I lost a few hundred thousand gold because of it.

I can find antivirus logs if needed, I guess. But I remember both the CureIt tool and the Kaspersky antiviral toolkit detected it (I ran diff antivirus tools at the same time on the infected VMs), but CureIt only detected one part of the trojan (some image file or that thumb.db, I don't remember), while the Kaspersky tool detected the whole trojan (with the atixxx file) and thus cured it completely.

So yeah, I'm actually happy now, as I know the whole story, and thanks to this thread I now know how empty VMs with only WoW/HB/Arelog were infected. Will not blindly trust buddy products anymore.
Maybe someone will notice or remember similar syndromes. Don't be dumb like me: run antivirus tools immediately.
 

I just read this after deleting my existing DB folder.

None of these AMDEx's were found in regedit. Also, no atixxx.tmp file was found in windows/temp. Also, no windows/installer file exists.

1. Is it possible to have removed the virus by simply deleting the DB folder?
2. Upon reinstalling, I will have to repeat your recommended steps to remove the virus? (assuming virus still exists on DB Download file)

3! Should I reformat? I'm not super opposed to it. Been doing it a lot lately and can complete it relatively quickly. Just wondering if I should bother.

4. Is there a recompiled DB download that has removed the virus? Or should I just do it myself?

Thanks in advance for your help.
And mad props to you guys for finding this. The DB team should hire you guys.
 
Big thanks Bugser! I took your previous warnings days ago; lol at those "pros" who flamed you and called it a false positive in all the other forum threads, they can eat their words now.
 
Ok so I ran Malwarebytes' Anti-Malware (which was recommended on here), and it detected the AMDEx3.msi file and a bunch of buddy updates (saying they were infected); said it was a trojan, said it cleaned it, rebooted and now all is clean (Security Essentials didn't find a thing btw lol).

Changing my passwords now as well.

So... am I safe? lol. I know the best way to be sure is to fresh install windows and such but kinda tired of doing that since I just did it not too long ago.
 
So does the infection keylog other details like SKYPE details or not? Also was demonbuddybeta 1.0.1217.108 infected?
 
Was curious as to why mine said (I checked the .exe) last date modified 10/26/2012 3:08 am.... Does this mean previous releases were infected as well?
 
If the files that you mention are not found, does that mean that my PC is not infected?
 
Big thanks Bugser!
This! I am shocked how even moderators just denied the fact that there was a security breach instead of checking with the devs first. Tbh, I lost my trust in the stuff, and please inform us next time right when you discover it, so that we can protect ourselves.

So far, we find that one release of Arelog, one release of GW2Buddy and both the HonorbuddyBETA and DemonbuddyBETA builds from last week were infected.
So please explain to me, how I got the atixxx.tmp and AMDEx3.msi although I did not use or download arelog, GW2Buddy or Beta-Versions of HB. I _only_ used the automated update Honorbuddy provides. Something seems odd there!
 
Buddyteam had it earlier (months+ ago) in one of the HB or Arelog builds, I'm pretty sure now.

Same here. One of my vmware (yes, vmware) machines was infected by this (found thumb.db, but in the DB folder.. weird). It was something early November. They even stole that account (I got it back the next day via Blizzard support). And then I installed Comodo on vmware.
 
Thank you to the guys who found this and, despite the (quite frankly disrespectful) treatment by some fellow members, stuck to their guns and got the message across to the DB team that they were compromised!
 
Big thanks Bugser! I took your previous warnings days ago; lol at those "pros" who flamed you and called it a false positive in all the other forum threads, they can eat their words now.

Yeah, I am eating my words these last days.
 
This! I am shocked how even moderators just denied the fact that there was a security breach instead of checking with the devs first. Tbh, I lost my trust in the stuff, and please inform us next time right when you discover it, so that we can protect ourselves.


So please explain to me, how I got the atixxx.tmp and AMDEx3.msi although I did not use or download arelog, GW2Buddy or Beta-Versions of HB. I _only_ used the automated update Honorbuddy provides. Something seems odd there!

Then you are missing the fact that the devs checked it....
 
Was every beta download infected?

I did use one of the beta versions (289 i think), but Microsoft Security Essentials is not picking anything up on a Quickscan...

How can I know for sure if I am infected?
 