#Is Updater.exe a virus
rosebud1773 · 7 months
Sims 4 Malicious Script Mod Advisory
We all know by now that some modders have been hacked and their script mods replaced with malicious malware. Hopefully none of my followers have been hit and if you have, I hope you've taken the necessary steps to safeguard your sensitive data. There has been a list of modders whose scripts are no longer safe to download circulating.
There are a number of ways to find out if you've been hit or not.
To quickly check if you have been compromised, press Windows + R on your keyboard to open the Run window. Enter “%AppData%/Microsoft/Internet Explorer/UserData” without the quotes in the prompt and hit OK. This will open up the folder that this particular malware uses. If there is a file in this folder called “Updater.exe”, you have unfortunately fallen victim to the malware. Some sites will tell you "we don't know what it does". In reality, this updater is designed to download, install and run a data collection app. Passwords, site tracking, bank routing -- all the worst case scenarios you can dream up regarding your personal information.
So, delete the folder if you find it and grab this:
Release Version 1.1 · overwolf/sims4-social-events-cleaner · GitHub
If you're still downloading script mods, download this to help protect yourself:
ModGuard: Mod Malware Protection v1.4 | Patreon
Be aware that your antivirus and most malware detection software will not recognize a script mod as malware or virus.
10 notes · View notes
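The folder check described in the post above, as an added PowerShell example (not part of the original post) that also records the file's hash, signature status and timestamps before anything is deleted. The folder and file name come from the post; the function name and output fields are this example's own.

```powershell
# Added example: look for the indicator named in the post and record evidence.
# Path and file name come from the post; everything else is illustrative.
$folder = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\UserData'
$target = Join-Path $folder 'Updater.exe'

function Get-UpdaterIndicator {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Found = $false }
    }

    # -Force so a file marked hidden or system is still returned.
    $file = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # Any process currently running from that exact path.
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -eq $Path } |
        Select-Object -ExpandProperty ProcessId

    [pscustomobject]@{
        Path        = $Path
        Found       = $true
        SHA256      = $hash.Hash
        Signature   = $sig.Status
        CreatedUtc  = $file.CreationTimeUtc
        ModifiedUtc = $file.LastWriteTimeUtc
        RunningPids = @($procs)
    }
}

Get-UpdaterIndicator -Path $target | Format-List
```

CreatedUtc shows when the file landed on disk, which helps decide which saved passwords and sessions to treat as exposed.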
dooptown · 1 year
for windows 10:
if it's the lazzarus program like what infected my computer, you have to search your files for something called 'updater.exe' as well as any file called 'lazzarus' and delete them. You also need to delete all discord folders in %appdata% local and roaming before uninstalling discord entirely. All the virus scanners i used did not pick any of this up, but running a scan can't hurt, and neither would doing all of this booted in safe mode. After reinstalling discord with fresh files though, all traces of the hack were gone
I was really freaked out at first, because when you have the files on your computer and you try to use your account or make any new account, it sends a bot into your DMs that you can't block that makes demands before it takes over your account (or maybe it doesn't? i think it's a lot of smoke and mirrors) I've heard this thing really fucking over chrome users though (taking passwords and emails and all that), which i am not one. Another reason not to use it. For me it was only discord that was affected on this device
How I got it: someone I hadn't talked to in years messaged me talking about their friend wanting people to try out a game beta/demo they were working on. Since I hadn't talked to them in so long I didn't realize the speech patterns were weird so i let my guard down. Lazzarus is downloaded through a password protected rar or zip file (forget which), so it's very dependent on the user in infecting themselves. Just be careful
Tumblr media
this is generally how the bot talks, so if your friend suddenly starts talking like this be wary
Tumblr media
the bot accounts that start harassing you once you have control of an account on a compromised device look like this. They're unblockable and will say some scary things about being able to see your screen, how they have your info, and to make a deal with them. It's all fake, but if you do actually put sensitive info on discord or you have Nitro, they have it all probably
63 notes · View notes
computer-guru-blog · 8 years
Remove Ads By Ghostify Advertisements (Removal Guide)
Thu, 12 Jan 2017 22:49:29 EST
If you see advertisements labeled as Ads by Ghostify or X by Ghostify, then you have an adware program installed that modifies the Windows DNS settings so that it can display advertisements while browsing the web. Currently this adware will change the Windows DNS settings to use the DNS servers located at 82.163.143.174 & 82.163.142.176.
When browsing the web, this adware will inject advertisements into web pages that are labeled as Ads by Ghostify, X by Ghostify, or Powered by Ghostify. These advertisements will be injected into sidebars or as horizontal banners at the top of the page.
Last, but not least, when you click on webpage links this adware will open other pages in new tabs. When testing this adware, the new pages that were opened were typically for tech support scams or other adware.
How did the Ads by Ghostify get on my computer?
It is important to note that the Ads by Ghostify infection is bundled with and installed by free programs that did not adequately disclose that other software would be installed along with it. Therefore, it is important that you pay close attention to license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you immediately cancel the install and not use the free software.
In my opinion, the Ads by Ghostify Adware was designed purely to display advertisements in order to generate revenue for the developer. If you find the Ad by Ghostify advertisements intrusive, you can use this guide to remove it and any other related programs for free.
View Associated Ads by Ghostify Files
View Associated Ads by Ghostify Registry Information
Source: Bleeping Virus
Remove Ads By Ghostify Advertisements (Removal Guide) was originally published on Computer Guru
0 notes
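A check for the DNS change the guide above describes, as an added PowerShell example that is not part of the original guide. The two server addresses are the ones the guide names; the function name and output fields are this example's own, and `Get-DnsClientServerAddress` requires Windows 8 or later.

```powershell
# Added example: flag network adapters whose DNS servers match the addresses
# named in the guide. The two IPs are from the guide; the rest is illustrative.
$rogueDns = @('82.163.143.174', '82.163.142.176')

function Find-RogueDns {
    param([string[]]$Rogue)

    $hits = @()

    # 1) Effective DNS servers per adapter (static or DHCP-assigned).
    foreach ($entry in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($ip in $entry.ServerAddresses) {
            if ($Rogue -contains $ip) {
                $hits += [pscustomobject]@{
                    Source = 'Adapter'; Name = $entry.InterfaceAlias; Server = $ip
                }
            }
        }
    }

    # 2) Static NameServer values under the Tcpip interface keys, which can
    #    hold a comma- or space-separated list of servers.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in Get-ChildItem -Path $base) {
        $value = (Get-ItemProperty -Path $key.PSPath -Name NameServer `
                  -ErrorAction SilentlyContinue).NameServer
        if (-not $value) { continue }
        foreach ($ip in ($value -split '[,\s]+' | Where-Object { $_ })) {
            if ($Rogue -contains $ip) {
                $hits += [pscustomobject]@{
                    Source = 'Registry'; Name = $key.PSChildName; Server = $ip
                }
            }
        }
    }
    $hits
}

$found = Find-RogueDns -Rogue $rogueDns
if ($found) { $found | Format-Table -AutoSize }
else { 'No adapter uses the listed DNS servers.' }
```

A registry hit without a matching adapter hit usually means the interface is currently disconnected; the static value would take effect again the next time that adapter comes up.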