e-Currency School


Thursday, September 07, 2006

Egold security

If your e-gold account has been hacked, or you want to avoid that happening, have a look at this article and see whether any of it applies to you or helps in any way.

Get the word out and, for heaven's sake, use Firefox, especially for surfing!
I've been doing some research on the e-gold trojan and how accounts are getting hacked. The scary part is that, from what I read, most anti-virus/spyware programs are not going to catch it because it is not in their databases yet.

Not only that, this trojan does not activate until after you have logged into your e-gold account, and it then uses your own, already authenticated browser session to bypass every security measure: IP confirmation, the SRK passphrase keyboard, everything.

The trojan uses an Internet Explorer exploit to infect your computer. DO NOT USE INTERNET EXPLORER. I can't stress that enough. Download and use Firefox.

Here is a description that I found on how this trojan works:
This Trojan does not employ usual phishing techniques, like logging user keystrokes in text files that can be sent to a remote malicious user. Instead, whenever a user tries to access the e-gold account login form via the URL http://e-gold.com/acct/login.html, it opens a hidden duplicate Internet Explorer (IE) window accessing that same URL. It then proceeds to fill up the duplicate Web form, which eventually leads to illegal account access.

The Trojan periodically drains the funds of the compromised account by a certain percentage. The stolen funds are then transferred to another e-gold account.

To be able to successfully perform this function, this Trojan uses IE's built-in Object Linking and Embedding (OLE) automation functions. This method is similar to API hooks used by file-infectors. In this case, this Trojan executes certain functions for every change in the URL address that occurs while the user continues to navigate through the following e-gold Web pages:
* e-gold.com/acct/acct.asp
* e-gold.com/acct/balance.asp
* e-gold.com/acct/spend.asp
* e-gold.com/acct/verify.asp
* https://www.e-gold.com/acct/acct.asp
* https://www.e-gold.com/acct/balance.asp
* https://www.e-gold.com/acct/spend.asp

(Note: Object Linking and Embedding (OLE) is a compound document standard that enables a user to create objects with one application and then link or embed them in another application.)

The Trojan runs on Windows 95, 98, ME, NT, 2000, and XP.
You all need to check your computers for a file named gdiwxp.dll. This is the most recent variant of the trojan that I could find, and it was still popping up in late March.

If you have this file on your computer, you are infected with the e-gold trojan and you need to get rid of it immediately.
I don't know if the file will show up with a simple file search; it may be hidden.

I used Hijack This to look at my registry for the file.
You can download Hijack This for free at:
http://www.download.com/HijackThis/3...-10227353.html

This program is mainly used by people so that they can post a registry log in the tech forums and ask for help. Don't remove anything in your registry unless you know what you are doing. Just look for the entry containing gdiwxp.dll.

If you find the trojan on your computer, you can use Security Task Manager to get rid of it.
http://www.neuber.com/taskmanager/

I also noticed that RegRun has this file in their trojan database and can remove it for you.
http://www.greatis.com/appdata/d/g/gdiwxp.dll.htm

Again, DO NOT USE INTERNET EXPLORER!!!!!!
One of the symptoms that you are infected with this trojan is that you get the "wrong Turing number" page (at e-gold) every time you try to log in. On the page you are redirected to, the links at the top of the page will not work.

There are three security recommendations we would like to make to you in case you are not currently following them.

1. You may want to consider bookmarking the e-gold IP address rather than the URL as your e-gold bookmark, and only access it via your bookmark. The IP to bookmark is https://209.200.169.10. The reason for doing this is that there are viruses such as this one:
http://us.mcafee.com/virusInfo/defau...&virus_k=99469
that plant fake entries in the hosts file, which Windows then uses instead of the correct IP address for the site. Using the e-gold IP address rather than the URL will bypass this type of Trojan. Also, never access your e-gold account via an email message, even if the message appears to come from e-gold.
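The hosts-file trick described above is easy to check for yourself. The following script is an added example, not code from the original post or from e-gold: it parses hosts-file text (a constructed sample is embedded; on Windows the real file is C:\Windows\System32\drivers\etc\hosts) and flags any line that maps e-gold.com or www.e-gold.com to an address, since a clean hosts file should never contain an entry for those names. The domain list and the sample addresses are assumptions for the example.

```python
import ipaddress
import os

# Constructed sample of a hosts file that a trojan has tampered with.
# The mappings for e-gold.com below are invented for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.77       e-gold.com www.e-gold.com   # constructed malicious override
192.0.2.5       www.e-gold.com              # constructed malicious override
not-an-address  e-gold.com                  # malformed, ignored by Windows
"""

# Names that should never appear in a hosts file on a user's machine
# (assumption: the user does not deliberately pin these names).
WATCHED_DOMAINS = {"e-gold.com", "www.e-gold.com"}

# Real location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return a list of (ip, hostname, line_number) for every mapping in hosts text.

    Comments (after '#') and blank lines are skipped; lines whose first
    field is not a valid IP address are ignored, as Windows ignores them.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return every hosts entry that pins one of the watched domains.

    Each hit is a dict with the line number, the hostname and the address it
    was redirected to, so the user can see exactly which line to inspect.
    """
    return [
        {"line": line_no, "host": name, "ip": ip}
        for ip, name, line_no in parse_hosts(text)
        if name in watched
    ]


def check_system_hosts(path=WINDOWS_HOSTS_PATH):
    """Check the real hosts file if present; fall back to the constructed sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return find_hijacks(fh.read())
    return find_hijacks(SAMPLE_HOSTS)


if __name__ == "__main__":
    for hit in check_system_hosts():
        print(f"line {hit['line']}: {hit['host']} is redirected to {hit['ip']}")
```

Any hit at all is worth investigating: the post's advice of bookmarking the IP address sidesteps the hosts file, but removing the bogus line and finding out what wrote it is the actual fix.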

2. Always use the SRK feature to enter your passphrase when accessing your e-gold account; never type it in! You should first change your passphrase using the SRK feature. If your passphrase is changed using the "SRK" feature and the account is only ever accessed using the "SRK" feature, then your passphrase will be protected even if there is a Trojan virus on your computer. However, this is true only if you are at the correct e-gold site. To ensure you are always at the e-gold site, you may want to tick the box next to your account number on the login page that says, "Store my account number on my computer". In the future, when you attempt to log into your account and the account number is not displayed, you should be wary of entering your passphrase, because you may be at a fake e-gold site.

a. Log into your account using your current passphrase.
b. Click on the button that says "account info".
c. Scroll down to the passphrase box and click in the box.
d. Click on the button that says "SRK".
e. A small window will pop up on your screen.
f. Enter your new passphrase by clicking on the numbers, letters or symbols in the pop-up window. You will see *** being added to the passphrase box as you use your mouse to click on the numbers, letters or symbols. *See note.
g. When ready to confirm your passphrase, click on the arrow in the bottom right-hand corner of the pop-up window.
h. Confirm the new passphrase using the same procedure you followed in step f (item #6).
i. Click "update passphrase".

*Note: For upper case letters click on the upper case "ABC", for lower case letters click on the lower case "abc", for numbers click on the "123", and for symbols click on the "sym".

3. If you are making a spend via the e-gold shopping cart interface (SCI), always confirm that you are at the actual e-gold site.

To verify you are at the actual e-gold site when using the SCI spend page, double-click on the gold security lock and verify that the certificate was issued to www.e-gold.com, that the certificate was issued by VeriSign, and that it is valid from 11/22/2004 to 12/1/2006.
You can also review the certificate details and make sure the certificate serial number is: F84F 522C E958 A443 5A37 8934 6D77 2D70 096C 6A82.
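The manual check above (subject, issuer, validity window, serial number) is exactly what certificate pinning automates. The following script is an added example, not code from the original post or from e-gold: it compares a certificate, in the dictionary form that Python's `ssl` module returns from `getpeercert()`, against the values the post lists. The two sample certificates are constructed for the example (a "good" one carrying the post's values, a "fake" one with a look-alike name); the issuer organization string, the times of day in the validity window and the `NOW_2006` date are assumptions, since the post gives only dates.

```python
import datetime
import ssl

# Values the post tells the reader to look for (serial with spaces removed).
PINNED = {
    "subject_cn": "www.e-gold.com",
    "issuer_contains": "verisign",          # issuer organization, case-insensitive
    "not_before": datetime.date(2004, 11, 22),
    "not_after": datetime.date(2006, 12, 1),
    "serial": "F84F522CE958A4435A3789346D772D70096C6A82",
}

# Constructed stand-in for "today" so the 2004-2006 window can be exercised.
NOW_2006 = datetime.date(2006, 3, 1)

# Constructed certificate in getpeercert() format carrying the post's values.
# The issuer string and times of day are assumptions.
GOOD_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.e-gold.com"),)),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "notBefore": "Nov 22 00:00:00 2004 GMT",
    "notAfter": "Dec 01 23:59:59 2006 GMT",
    "serialNumber": "F84F522CE958A4435A3789346D772D70096C6A82",
}

# Constructed look-alike certificate as a phishing site might present.
FAKE_CERT = {
    "subject": ((("commonName", "www.e-go1d.com"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "notBefore": "Jan 01 00:00:00 2006 GMT",
    "notAfter": "Jan 01 00:00:00 2007 GMT",
    "serialNumber": "0102030405060708090A0B0C0D0E0F1011121314",
}


def _rdn_value(rdns, key):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested tuples."""
    for rdn in rdns:
        for name, value in rdn:
            if name == key:
                return value
    return None


def _cert_date(text):
    """Convert a getpeercert() time string to a date via the ssl helper."""
    seconds = ssl.cert_time_to_seconds(text)
    return datetime.datetime.fromtimestamp(seconds, datetime.timezone.utc).date()


def check_certificate(cert, pinned=PINNED, now=None):
    """Return a list of mismatches against the pinned values; an empty list means OK."""
    problems = []
    now = now or datetime.date.today()

    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn != pinned["subject_cn"]:
        problems.append(f"subject CN is {cn!r}, expected {pinned['subject_cn']!r}")

    issuer = _rdn_value(cert.get("issuer", ()), "organizationName") or ""
    if pinned["issuer_contains"] not in issuer.lower():
        problems.append(f"issuer is {issuer!r}, expected a {pinned['issuer_contains']} certificate")

    serial = cert.get("serialNumber", "").replace(" ", "").upper()
    if serial != pinned["serial"]:
        problems.append(f"serial {serial} does not match the pinned serial")

    not_before, not_after = _cert_date(cert["notBefore"]), _cert_date(cert["notAfter"])
    if (not_before, not_after) != (pinned["not_before"], pinned["not_after"]):
        problems.append(f"validity window {not_before}..{not_after} differs from the pinned window")
    if not (not_before <= now <= not_after):
        problems.append(f"certificate is not valid on {now}")

    return problems


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("fake", FAKE_CERT)):
        result = check_certificate(cert, now=NOW_2006)
        print(label, "OK" if not result else result)
```

Against a live site the dictionary comes from `sock.getpeercert()` on a connection opened through `ssl.create_default_context().wrap_socket(...)`, which already enforces chain validation and hostname matching; `check_certificate` adds the stricter serial and window pin the post recommends, so it must be updated whenever the site legitimately renews its certificate.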

Good Luck

1 Comments:

Blogger Michael Miler said...

This is a very important thing shared; I just want to thank you for letting us know about this amazing information. free forex signal
Thank you and good luck with the future articles.

8:27 AM  
