Little story about Hijacking files + Question.

Discussion in 'SteamRep General Discussion' started by FranGT (☞゚ヮ゚)☞, Apr 10, 2014.

  1. FranGT (☞゚ヮ゚)☞

    FranGT (☞゚ヮ゚)☞ New User

    Messages:
    11
    Steam:
    STEAM_0:1:32970141
    Yes, I know that prevention is the best medicine, but once a hijacking file has penetrated your computer and you have double-clicked it, where does it go?
    Why do I ask that? Because I was the victim of one hijacking file, a .scf format file and not an .exe. It had an icon of one cute "pixelated" Gingerbread and had a name like IMG_8237243..., trying to disguise it like a photo file from a camera, lol...
    I already knew that it was a virus, but I wasn't smart enough not to "test" it and see what happens if I open it...
    First of all I closed all programs and disconnected the internet, of course, and next I double-clicked it... nothing happened on the screen of the computer, typical of one hidden process that will infect your god dammit computer, lol.
    Well, what did I do next? Activated my 30 bucks Kaspersky anti-virus and tried to spot it... clean, so I left this situation and connected the internet to log in on some pages (like Steam).
    What did I see the next day? A BLOODLESS .TXT FILE WITH ALL MY F***ING USER NAMES AND PASSWORDS WRITTEN, and not like "Password: *********", my full uncensored password with the username and page link of the log-in, god...
    And guess what file was in the folder too... an .exe file with the same cute pixelated Gingercrap as its icon, wut?
    After that disgusting surprise, I deleted the files (before that I scanned them with my Kaspersky and that obvious .exe keylogger wasn't a virus for my 30$ program... what a waste of money) and changed all my passwords.

    So, here is my question: That keylogger was found in a Temp folder of C:/WINDOWS, but...
    are there more folders where malicious files like this can hide?
  2. gukingofheart

    gukingofheart New User

    Messages:
    452
    Steam:
    STEAM_0:1:49222635
    How did you get the file in the first place?
    Did you accidentally visit a phishing site?
  3. FranGT (☞゚ヮ゚)☞

    FranGT (☞゚ヮ゚)☞ New User

    Messages:
    11
    Steam:
    STEAM_0:1:32970141
    Visited the page purposely, got the file and opened it purposely, I'm so smart.
  4. Ninja Otter With A Taco

    Ninja Otter With A Taco Retired Staff

    Messages:
    641
    Steam:
    STEAM_0:0:35378805
    ummm why?
  5. Chaos

    Chaos Retired Staff

    Messages:
    1,386
    Steam:
    STEAM_0:1:33058557
  6. Knucklejoe

    Knucklejoe New User

    Messages:
    554
    Steam:
    STEAM_0:0:46918739
    I think everyone who has read this is just as confused as you are Ninja Otter.

    To answer your question, files like that can be pretty much anywhere on a computer. The best thing you can do about them is get a working anti-virus, anti-spyware program. Not Kaspersky, not McAfee, not that sad excuse of a default Windows Defender.

    I use a combination of Webroot and Spybot. What one misses, the other picks up. Bonus to Spybot is it is free.
  7. Horse

    Horse Administrator SteamRep Admin

    Messages:
    76,831
    SteamRep Admin:
    STEAM_0:1:34690691
  8. FranGT (☞゚ヮ゚)☞

    FranGT (☞゚ヮ゚)☞ New User

    Messages:
    11
    Steam:
    STEAM_0:1:32970141
    Well, thanks for your suggestion.
    I just want to know more about hijacking programs; there are more and more hijacked accounts all the time and I don't want to be the next :S
  9. Chaos

    Chaos Retired Staff

    Messages:
    1,386
    Steam:
    STEAM_0:1:33058557
    Clean your computer thoroughly. Use a new device/computer to change the password to your steam account and email account. Don't do it again.
  10. derfy

    derfy New User

    Messages:
    75
    Steam:
    STEAM_0:0:1948671
    If I wish to know more about guns, I don't shoot myself...
  11. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,991
    SteamRep Admin:
    STEAM_0:0:89705646
    That just means that you should NOT execute such a file.

    As for the opening post:
    • Once you execute such a hijacking program, and you do not know what it exactly is, you cannot predict in ANY way where it went. An executable that runs on your PC has basically unlimited access to install anything under the hood without your permission. It can download files, copy them somewhere hidden where you will never find them, send stuff up to the control server, disable various anti-virus/anti-spyware/firewall software without you knowing it, etc. etc. etc. Especially when you did not do that within Sandboxie or a Virtual Machine (what real security researchers actually do).
    • Anti-virus is a very different definition from anti-malware. If you want your anti-virus to pick up on malware, you need to buy the bigger package where it scans for them. If not, do not expect the anti-virus to pick up the hijack/malware stuff. For anti-virus is aimed at viruses, which have a certain, very defined scope of software "features" that define it to be a "virus".
    • As such an executable can install other stuff without the user knowing, there is no guarantee of being able to clean up the PC. And afterwards, it can even install a scheduled task or w/e to auto-redownload itself when it has been removed. Also, as such software disables and sabotages security measures in the PC, it can leave your PC permanently vulnerable, for you won't know what has been altered or done. The removal tools almost all just only remove the culprit, but do not do much to repair such damage. This is the reason that often after a contamination of a PC, a re-install of the OS is a wise choice.
    With the above, you can understand that my personal opinion is that after a contamination by malware or a virus, the Operating System should be re-installed from scratch, to be sure any vulnerabilities are removed. From that follows that I see such software more as a system to scan and a defense line than as a solution to a current situation of being contaminated.

    If you really want to know more about security, you should read the security-related sites on a daily basis, and study the methods people use. I personally use a remote-controlled VM for that, and if it's contaminated, I just push it back to the last snapshot.
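As an added example (not code from anyone in this thread), here is a read-only PowerShell triage script for the two things SilentReaper describes: a dropped executable sitting in the Temp folders the OP mentions, and a scheduled task that re-downloads it after removal. It assumes Windows 8 / Server 2012 or later for Get-ScheduledTask and a seven-day look-back window; both are assumptions, not values from the thread.

```powershell
# Added example, not from the thread: list, do not delete. Run from an
# elevated PowerShell on the machine being checked.

$Days  = 7                       # assumption: look back one week
$Since = (Get-Date).AddDays(-$Days)

# The Windows Temp folder the OP found the keylogger in, plus the per-user
# temp/appdata folders, which are writable without admin rights.
$WritableDirs = @(
    "$env:windir\Temp",
    $env:TEMP,
    $env:LOCALAPPDATA,
    $env:APPDATA
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# 1. Recently created executables and .scf files under those folders.
Write-Host "== Recent executables/.scf under user-writable folders (last $Days days) =="
Get-ChildItem -Path $WritableDirs -Recurse -File -Include *.exe,*.scf,*.dll,*.vbs -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    ForEach-Object {
        [PSCustomObject]@{
            Created   = $_.CreationTime
            # NotSigned is a reason to look closer, not proof of malware
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            Path      = $_.FullName
        }
    } | Format-Table -AutoSize

# 2. Scheduled tasks whose action executes out of a user-writable folder
#    (the re-download persistence SilentReaper warns about).
Write-Host "== Scheduled tasks executing from user-writable folders =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $exe = [string]$a.Execute        # empty for non-Exec (COM handler) actions
        if ($exe -and ($WritableDirs | Where-Object { $exe -like "$_*" })) {
            [PSCustomObject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $a.Arguments
            }
        }
    }
} | Format-Table -AutoSize
```

Anything this lists is a lead for a scan or a hash lookup, not a verdict; as the post above says, a confirmed infection still ends in a rebuild.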
  12. FranGT (☞゚ヮ゚)☞

    FranGT (☞゚ヮ゚)☞ New User

    Messages:
    11
    Steam:
    STEAM_0:1:32970141
    My most polite thanks for reading my question and answering it with this very helpful information; this will help me a lot now and in the future.
    Now I can see how dangerous things like this are. I will not underestimate them next time.
  13. ^oo^[Linux] (bdmdesign)

    ^oo^[Linux] (bdmdesign) New User

    Messages:
    14
    Steam:
    STEAM_0:0:75452016
    Yes, but why can a Virus/Malware/Trojan/Keylogger do that?

    The users use an Administrator account on Windows.
    Automatic login on the desktop is fun and easy for the users.
    Why should you also use a user account when it comes so easily?

    First of all you should, if you have not already done it, set up a new "Limited User Account" and protect it with a cryptic password (like this: yP4s!56m;hGf?3q2xZ3). Minimum 6 characters. Better 8 or more.
    Then you should only use the new "Limited User Account". The user account that you had previously used (the administrator account) you also have to protect with a cryptic password.

    How you can activate automatic login for the "Restricted User" again, ask the search engine of your trust.

    Now you must always enter a password if programs want to install or uninstall; also, as a "Restricted User", nothing can happen in your "C:\Windows" nest without your knowledge.

    I hope you understand this. Google was a bad translator and my English is not the best.
  14. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,991
    SteamRep Admin:
    STEAM_0:0:89705646
    Doesn't work. Any executable can promote itself to admin level. An example is hostsman: it needs admin access, and it asks to be promoted to admin access by way of a button WITHIN the program. Windows UAC does not work in such cases. *shrug*. The only way to "block" that is by making a non-admin account that has NO access to admin-level access. And anyway, even without admin access, such an executable can still wreak havoc in the profile of the user, changing homepages, search engines, toolbars, etc. etc.

    But even then, the above situation would not have worked, for the OP INTENTIONALLY started the program...
  15. FranGT (☞゚ヮ゚)☞

    FranGT (☞゚ヮ゚)☞ New User

    Messages:
    11
    Steam:
    STEAM_0:1:32970141
    Another curious thing about the virus:
    when I got infected, I was not able to use the " ´ " correctly. For example, in Spanish, I tried to write "Más", but with the virus I was not able to put that sign on the letter "a" and it appeared twice when pressing the key once,
    so it looked like this: M´´as.
    Since I deleted the .exe file I have been able to write it correctly, Más instead of M´´as, so weird.
    Does that mean that I'm not infected anymore?
  16. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,991
    SteamRep Admin:
    STEAM_0:0:89705646
    No idea.
    For I do not know with which tools you scanned your PC, if those were valid tools (there are a lot of fake tools out there), if they were fully updated, how you scanned, and the results of that, and the actions taken on them, etc. etc.

    And as it tends to be that those people who can explain that fully, and are aware of what tools to use, etc., I do not need to tell those. Hence, that means that for any others I cannot build on their word, and would have to run the scans myself, to ensure that things are done the right way. I do not, however, have the time to do that for other than a very small group of people that I help regularly. And for those, I do my best to prevent such outbreaks by installing various measures, so I won't have to do so.