1. Don't click any links in Steam chat. Scammers are sending links with special characters that look exactly like real Steam-related websites.

Official Guide How to recover from a Hijack.

Discussion in 'SteamRep Guides' started by SilentReaper(SR), Dec 19, 2014.

  1. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,992
    SteamRep Admin:
    STEAM_0:0:89705646
    The Original Source of this guide:
    http://forums.steamrep.com/threads/how-to-recover-from-a-hijack.86363/
    If you don't read this on SteamRep, this guide might be out of date or incomplete.

    Introduction:
    This thread is a work in progress, and I will need to expand a lot of parts to make it more complete and split those up again into separate posts. Regaining your accounts and fighting the hijackers is not something that most people will know very much about. The guide gives you general steps to follow.

    Things you will NOT find here are, for example, what exactly to say to Steam Support or such. You have to recount your own story. This is also NOT a "support" thread, where one can ask for help etc. That is what this guide itself is for. If you don't understand what is written here, get help from a REAL LIFE friend or relative who can. There is also no point in adding me. I cannot determine if you are hijacked or not, and I'm for sure not going to spend time on helping somebody while this guide is here. This is a SELF-help guide. Not an "add me, I help" guide. Time spent on helping 1 person can better be spent on helping a lot more people at the same time by writing guides like these.

    This guide is the result of a lot of hours of writing, researching etc. You may copy it to your favorite site/community under these conditions:
    1. You reference THIS guide by including the link on top to SteamRep for this guide.
    2. You copy it whole as is.
    3. You may translate it into your own language, if you have enough understanding of English to do it fully.
    4. You reply below here on SteamRep with a link to it.
    Even so, it will be a VERY beefy thread to get people to jump through all the right hoops. I know the type of people that get hijacked aren't the ones that like to read such long texts; it's just that the trouble they got into is too much to get an "easy" solution.

    General Overview:
    1. First step is to determine if and how you are hijacked. There are several ways one can be hijacked. Recognizing them is key in the way to solve them the quickest and the safest without being hijacked again when you finally have regained your account.
    2. Second step is damage control by making sure the hijacker cannot abuse your Steam or email account(s) even further. Most times it's too late for this, but maybe you can put a halt to their abuse to prevent worse.
    3. Third step is securing your computer if malware has been run on your computer. This one is the hardest, and really falls a bit outside the scope of this guide. References/links will be given, but there is no 100% guarantee this will work for you. It really depends on the malware. This might involve re-installing Windows on your computer to get rid of any remnants.
    4. Fourth step is to get your account back via Steam Support. You will need to create/have a steam support account and create a Steam support ticket to ask Steam Support to return the account to you. This process can take weeks before you have your account back.
    5. Fifth step is if the hijacker was especially malicious and went scamming with your account. This could have caused your account to be reported on SteamRep or its Partner Communities for scamming. You will have to address the report(s) or Appeal the tag(s) there.
    Last edited: Dec 27, 2014
  2. SilentReaper(SR)
    1. Fake Steam website / Phished.
    • Description: You tried logging into a FAKE website with your Steam account details like Steam login name, Steam password, Steam Guard code, and maybe even your email account details, and this resulted in you being logged out from the Steam client and losing access or losing a bunch of items to an account unknown to you, or in your account spamming phishing links to your friends list.
    • Prerequisites: Your computer itself was never compromised, as in: You never opened a file linked by somebody or downloaded it from some website you got told by somebody in the last few days. Your computer was NOT infected by something. Also, you didn't upload any file from your steam folder. The information below will go forward from that, and will only help if you did NOT run some malware on your computer AND did NOT upload any file.
    • Method step by step: The method consists of someone randomly giving you some reason to go to a fake website that needs a Steam login.
      • Step 1: Once you opened the website you find that you need to log into the website to see the content or be able to interact with it. This can either be a fake trade site or a fake Steam page.
      • Step 2: When you try to log into the site, your login information (name & password) is sent to another computer of the hijacker, where a program controls a Steam client which will then try to log into Steam with your login information. This will trigger an email to be sent by the REAL Steam systems.
        • On some occasions they try to get your email address and its password too.
        • On some occasions they also try to get your secret question's answers too.
      • Step 3: The fake website will then ask in exactly the same manner for the Steam Guard activation code as the real site. When you give it, it will be sent to the other computer of the hijacker to activate it and you will be logged out of Steam by that.
    • Currency:
      • This method is nowadays less common, for Valve added the requirement to have Steam Guard on and to wait 7 days before one can trade with a new computer, browser or device. This is however defeated now with other methods. See variations below.
    • Variations:
      • E-Mail hijack: In the process above, they also gained your email address and its password, and they changed your password. You will need to get your email address back via their support or system.
    • Solution:
      • Steam Password Change: Change your steam password if you still can. (Steam has a password reset option you can use, but you need access to your connected email account for this)
      • E-Mail Password Change: If your email password was requested or is the same password, change it too if you still can (by logging into steam they can see your email). Never again use the same password for 2 different things or even remotely the same.
      • Lock your Steam Account: If you lost access to your Steam account AND you uploaded files, you should go into your email (if you still can) and find the last email with the Steam Guard authentication code. Open that email, there is a link there to LOCK your Steam account. Click it and follow up. WARNING: only Steam Support can undo this, and you will have to prove it's your account.
      • Steam Support Ticket: Make a Steam Support ticket telling them you got hijacked here: https://support.steampowered.com/ Steam support takes between 1 and 2 weeks to respond, and will ask questions. Steam support site does NOT use your steam login, you need a separate account there to make a ticket.
      • SteamRep Reported/Appeal: If, due to the hijack, you got reported to SteamRep or marked as scammer on SteamRep, you can only respond here once you have fully regained your account via Steam Support. If the report wasn't processed yet you should respond on the report. If you were marked, you need to appeal to us.
    2. Fake Steam website/Phished but with uploading files by you.
    • Description: You visited a website that convinced you to upload some files that were located within your Steam folder.
    • Prerequisites: Your computer itself was never compromised, as in: You never opened a file linked by somebody or downloaded it from some website you got told by somebody in the last few days. Your computer was NOT infected by something. The information below will go forward from that, and will only help if you did NOT run some malware on your computer.
    • Method step by step: The method consists of someone randomly giving you some reason to go to a fake website that needs a Steam login.
      • Step 1: Once you opened the website you find that you need to log into the website to see the content or be able to interact with it. This can either be a fake trade site or a fake Steam page.
      • Step 2: When you try to log into the site, your login information (name & password) is sent to another computer of the hijacker; they then proceed to ask you to upload some specific files from your Steam Client folder.
        • On some occasions they try to get your email address and its password too.
        • On some occasions they also try to get your secret question's answers too.
      • Step 3: The fake website will then ask in exactly the same manner for the Steam Guard activation code as the real site. When you give it, it will be sent to the other computer of the hijacker to activate it and you will be logged out of Steam by that.
    • Currency: Not much used anymore nowadays. It was the reaction to the requirement to have Steam Guard activated for at least a number of days on any new device before one could trade. It's occasionally encountered but not often, for most cases nowadays are ones where someone downloaded something.
    • Variations:
      • E-Mail hijack: In the process above, they also gained your email address and its password, and they changed your password. You will need to get your email address back via their support or system.
    • Solution:
      • Steam Password Change: Change your steam password if you still can. (Steam has a password reset option you can use, but you need access to your connected email account for this)
      • E-Mail Password Change: If your email password was requested or is the same password, change it too if you still can (by logging into steam they can see your email). Never again use the same password for 2 different things or even remotely the same.
      • Regenerate Steam Authentication Keys: If you uploaded files to a website, you will need to clear out some files from the Steam client folder to get it to generate new authentication keys so someone else cannot use them. This is a guide that will later be added below, for now the very simple and crude way:
        • Uninstall steam, and remove all files and folders within it except the SteamApps folder.
        • Once you have steam installed and it is running, open its settings
        • Open the "Account" submenu, and click the "Manage Steam Guard Account Security" button.
        • Enable the tickbox for "Deauthorize all other computers now" and click "Next".
        • Click "Finish"
    Steam File upload: They may ask you to provide 1 or more files from within Steam's config folder (Really, you should never do that, for whatever reason, EVER). It can be a few days before you become aware of this variation, for they will then wait for you to go offline on Steam and do their thing. These files contain your private "keys" which are your Steam Guard activation. Those should never be given out to anyone.
    Last edited: Dec 27, 2014
  3. SilentReaper(SR)
    3. Opened a link, and it downloaded "something" and you tried to "open" it.
    • Description: You clicked a link someone gave you, and the website you opened gave you some file to download. And then you opened the downloaded file. The harm is pretty severe for the victims, as you will find below.
    • Prerequisites: You opened malware, and ended up with the problems. And your anti-virus didn't protect you from this apparently.
    • Method step by step:
      • Step 1: You get linked something, and you opened that link and downloaded a file.
      • Step 2: You clicked to OPEN that file.
      • Step 3: The script or program that you opened can do any of the below, or combinations of them:
        • Upload Steam Authentication configuration files of your steam client installation to a server online. They can use this to login to Steam with YOUR account on their own computers and use it.
        • Install malware on your computer, such as keyloggers, remote control software with which the hijacker can access your computer, or any of the other types of malware that send them your files (documents etc.), information, website access, etc. (So they can keep access to your Steam account, or PayPal account, or other valuable accounts like email, electronic banking, etc.)
        • Buy items from steam market, or games from the Steam Store using your Steam Wallet balance (emptying your steam wallet for items that can be traded).
        • Create or accept trade offers with your items and/or games in your Steam inventory that got automatically set up with an account of the hijacker. (All your valuable items traded away).
        • Any action involving anything you have access to via your computer.
    • Currency:
      • This is currently the most (ab)used hijacking type nowadays. If you don't know how you got hijacked, it can be assumed with near surety it was by this method.
    • Variations:
      • Direct Link: Most of those links are direct links, which means as soon as you open them in your web browser you get the dialog box to download a file. These files are either an executable or a script which takes control of your computer and does things with your Steam account. Most are of this type.
      • Indirect link: You get linked to a site, which has the file there for you to download. You have to click a button or link there again to get it to start downloading.
      • One-time "script": While a good bunch are of this type, just getting your authentication files from your steam client, you cannot
      • Infection: Infecting your computer with malware.
      • Different stories run around to get you to click:
        • Hey, look what they said here about you [BAD LINK HERE]
        • You need a newer version of this program to be able to connect (the case I saw was with Mumble, claiming not being able to connect to "their" server for its running a beta, and victim had to download and install a "beta" version of Mumble to be able to connect to it)
    • Solution (please mind that this is intended in the below order):
      • Move to a clean computer: The damage to your Steam account has already happened. You first need to protect yourself now. Turn off the computer. And then get on another computer that was NOT infected. Call someone if you have to, to get access to an unaffected computer. If you cannot, you will have to start with cleaning your computer before you do anything else. This will cost you a lot of time and can even cost you money or problems before you can fight the hijack itself.
        So again: Turn the infected computer OFF, and get onto another computer that is uninfected to handle the following steps.
      • Change passwords of all important accounts that you can think of: All email addresses that are linked to any of the following, and the linked services themselves, like PayPal, electronic banking, and those sites that are important to you, like Facebook, Instagram, Dropbox (with all your documents) etc. Think of it this way: sites and services that contain financial information, social security information, personal information. I cannot possibly link all sites that may be important to you, but you will know them. But please, be thorough with this. If you find that someone else accessed those services, make sure that no configuration information has been altered, like the email address that the service uses to communicate with you, the secret questions to verify it's you, etc.
      • Make sure your email is yours: As you reset passwords, you will have to clean out your email addresses of forwarders, rules, filters, delegation etc. that might have been set up by a hijacker. Please see this topic here to get on top of that, for it's a complicated matter to secure them: General E-Mail Security Considerations
      • Steam Password Reset: Try logging into Steam, and do a Steam Password reset.
      • Lock your Steam Account: If you cannot reset the password of your Steam account on the uninfected computer and therefore lost access to your Steam account, you should go into your email (if you still can) and find the last email with the Steam Guard authentication code. Open that email, there is a link there to LOCK your Steam account. Click it and follow up. WARNING: only Steam Support can undo this, and you will have to prove it's your account.
      • Steam Support Ticket: Make a Steam Support ticket telling them you got hijacked here: https://support.steampowered.com/ Steam support takes between 1 and 2 weeks to respond, and will ask questions. Steam support site does NOT use your steam login, you need a separate account there to make a ticket.
      • Clean up your infected computer: This will be partly provided later below. I'm not specialized in cleaning computers, and had to research each individually myself for those cases where others were infected. But I can point to places where they help victims of such, and a bit of general overview of what to expect. Or just walk the other route with this, a re-installation of your Operating System.
      • SteamRep Reported/Appeal: If, due to the hijack, you got reported to SteamRep or marked as scammer on SteamRep, you can only respond here once you have fully regained your account via Steam Support. If the report wasn't processed yet you should respond on the report. If you were marked, you need to appeal to us.
    Last edited: Dec 27, 2014
  4. SilentReaper(SR)
    4. You let someone use TeamViewer to control your computer.

    Another /facepalm story.

    5. You let someone else use your computer/steam account.

    At loss for words....
    Last edited: Dec 27, 2014
  5. SilentReaper(SR)
    Lessons to be learned from this:
    • Don't click links from random people. If they refer to something, search for it yourself via Google and other sites.
    • Don't ever upload configuration or other files from your computer to a site. It's NEVER needed, REALLY.
    • Learn to recognize when Extended Validation Certificates (wiki) are used.
    • Use different LONG passwords for everything. Change them regularly (once a year is enough). Write them down if you have to.
    • If you open ANY image, via an online link, it WILL open in your browser. It will SHOW it directly and not let you download it. If your browser cannot display it, it is NOT an image. And even if it is, you should not want to open it. For if you didn't know, .SCR stands for "SCReensaver" (arguably which R, ask Microsoft for their "wisdom" of 3 letter file extensions), and is effectively just the same as an EXEcutable ( .EXE ) program file.
    • Don't let others remote control your computer.
    • Don't let others use your steam account.
    • Beta versions of normal applications or their servers, do not require users to use beta versions of that software to be able to connect to it.
      IE: if you have a latest version of Mumble on your computer, you can connect to any recent Mumble server (if you have access to it either being public or having a password for it). If the mumble server is a beta, nice, but that does not require the users (you) to use a beta version of the Mumble client software, and certainly not one you cannot find on the mumble site, but that guy has "automagically" the link for it.
      Please replace "mumble" for any application they can come up with (teamspeak, xfire, spotify, steam client, or w/e).
    References:
    Last edited: Dec 27, 2014
  6. SilentReaper(SR)
    Edited again, some things were not as they should be. To be continued.
    Wrath likes this.
  7. SilentReaper(SR)
    Regenerate Steam Authentication Keys:

    Warnings:
    • This will reset your device/computer for Steam Guard, that means you cannot trade after this for 15 days, or, if Valve has changed this, whatever period Valve has set for this.
    • If you use Steam Libraries to store your games on different hard disks etc, you will have to re-setup those.
    • If you do this as part of any of the above guided steps to recover from a hijack, please do it in the right order of the above proposed steps, otherwise you may be doing it for nothing, or need to do it again.
    Requirements:
    • Steam Login name
    • Steam Login password
    • Access to your email account that is linked to your steam account.
    Step by step:
    • Exit Steam by right-clicking with the mouse on the Steam icon in the tray.
    • Use the Windows Explorer to open the location where Steam is installed; by default it's installed in C:\Program Files (x86)\Steam\
    • You will find one or more files in this location without an extension with names like: ssfn463451614646 (the numbers are random). The only part of the filename that is recognizable is the "ssfn" at the beginning. Delete all the SSFNxxxxxxxx files.
    • Go to the "config" subfolder of steam ( C:\Program Files (x86)\Steam\Config\ )
    • Delete or rename the following files:
      • config.vdf
      • loginusers.vdf
      • SteamAppData.vdf
    • Start Steam
    • Log into Steam with your login name and password.
    • Activate your steam client for Steam Guard using your email address that is linked to your steam account to find the email.
    • Go into Steam Settings via right-clicking the tray icon or the menu in the steam browser.
    • Click in Steam Settings dialog on the left the "Account" selector.
    • Click in Steam Settings dialog on the right the "Manage Steam Guard Account Security..."
    • Enable the selection box for "Deauthorize all other computers now" and click the "Next >" button.

    Done, you will have to wait 15 days before your computer will be able to trade again.
    Last edited: Dec 27, 2014
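
The file steps of the procedure above as a PowerShell script. This is an added example, not part of the original post and not a SteamRep or Valve tool. It assumes the default install path the guide names; the `-SteamDir` parameter and the `.old` rename suffix are choices made for this example.

```powershell
# Added example: covers only the file steps of the guide (ssfn* and the three .vdf files).
# Assumption: Steam is installed in the default folder the guide names; pass -SteamDir otherwise.
# Run from an elevated PowerShell when Steam is under Program Files. Use -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SteamDir = 'C:\Program Files (x86)\Steam'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SteamDir -PathType Container)) {
    throw "Steam folder not found: $SteamDir"
}

# The guide's first step is to exit Steam; refuse to continue while it is running.
if (Get-Process -Name 'steam' -ErrorAction SilentlyContinue) {
    throw 'Steam is still running. Exit it from the tray icon first.'
}

# ssfn files: no extension, name starts with "ssfn". -Force also lists hidden files.
$ssfnFiles = Get-ChildItem -LiteralPath $SteamDir -File -Force |
    Where-Object { $_.Name -like 'ssfn*' -and $_.Extension -eq '' }

foreach ($file in $ssfnFiles) {
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

# The guide allows "delete or rename" for the config files; renaming keeps a local copy.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$configDir = Join-Path $SteamDir 'config'

foreach ($name in 'config.vdf', 'loginusers.vdf', 'SteamAppData.vdf') {
    $path = Join-Path $configDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        if ($PSCmdlet.ShouldProcess($path, 'Rename')) {
            Rename-Item -LiteralPath $path -NewName "$name.$stamp.old"
        }
    }
    else {
        Write-Warning "Not found, skipped: $path"
    }
}

Write-Output ("Removed {0} ssfn file(s). Now start Steam, log in, confirm Steam Guard by email, " -f @($ssfnFiles).Count)
Write-Output 'then use "Deauthorize all other computers now" in the Steam Guard settings.'
```

The remaining steps (login, Steam Guard activation and deauthorizing other computers) happen in the Steam client and are not scripted here.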
  8. SilentReaper(SR)
    Moar crap.
  9. SilentReaper(SR)
    I've rewritten the first part(s) for Introduction and the General overview, split out the rest in separate posts below it. Working more on that later. I also foresee I need more replies on this topic :S....
  10. SilentReaper(SR)
    Reserved Post for later.
  17. MrSp3ctre

    MrSp3ctre New User

    Messages:
    5
    Steam:
    STEAM_0:1:23508498
    Thank you! This helped
  18. a Gentleman

    a Gentleman SteamRep Moderator Partner Community Donator - Tier V

    Messages:
    2,546
    Steam:
    STEAM_0:0:25990581
    Didn't see this until now. I recently recovered from a hijacking (and got my items back with help from Steam Support in one business day!) using the methods found here.

    Keep in mind that hijacking methods are varied and extensive. Always, always, be sure that your computer is fully secure before entering any login credentials again. Remember that if they can get control of your Steam/Email, they can access everything else on your browser.

    In my case, they were able to:
    1. Edit my Win7 Registry.
    2. Corrupt System Restore/Rollback.
    3. Access multiple work/personal email accounts.
    4. Access my Paypal.

    To resolve this I:
    1. Went through A LOT of cmd commands. If you are unfamiliar with this particular part, please message me. Don't fry your system.
    2. Deleted the corrupt restore points.
    3. Reset ALL my emails. Created a new email for steam from another laptop. Reset my Steam Guard. Changed all my passwords.
    4. Called PayPal.

    To get hijacked items back:
    1. Make sure your items are HIJACKED, not scammed.
    2. Provide all the evidence possible. Screenshots, user urls, timelines are useful.
    3. Be patient.

    That said, SilentReaper has made a kickass guide, which could have saved me hours of fretting and freaking out. Big huge thank you!
  19. SilentReaper(SR)
    Did you have UAC turned off? If so, that's the reason they could kill your system restore.
    And system restore doesn't "solve everything" either. The system restore is not a full "image" of the system, it's just the basic core of drivers/updates within Windows. It doesn't change anything for user applications (where the viruses/malware most often reside).
    Hitman Sparky likes this.
  20. a Gentleman
    My UAC was off. I'm still not 100% sure that my system is secure. I have too many things stored to do a clean wipe, so I'll just quarantine every download/program I've used for the past month, and reinstall the rest. Thanks for the heads up re: UAC.
    Skinigxe_Alice likes this.