I am reposting by request. Perhaps more people will see it here rather than buried in a hack thread. The latest set of patches for the True Classic (Formerly found @) server was actually malware that installed a worm into your computer to recruit you into the owner's botnet. For those who do not know, a botnet is a collection of compromised computers connected to the Internet, termed bots, that are used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet. This botnet is used to commit illegal activities such as DDOSing webhosts or stealing information. The worm has a self-replicating feature and can spread via P2P, so it is urgent that you get rid of it as soon as you realize you are infected.
It's a sad case of a formerly legitimate program/server turned malicious after earning users' trust. Anyone infected by will have their bandwidth/internet used to commit illegal activity. If you used True Classic past patch 1044 (i.e. Patch 1045 and Patch 1046) you are at risk. Fortunately the worm is designed by a novice and is quite easy to remove.
Automatic Removal
Just download and install that actually detected this worm.
, , , , or and running a complete scan with one of them, ideally at run-time. It will find this worm and possibly other infections and remove it. If your antivirus isn't one of the above then it won't be found.
Manual Removal
Just enable the ability to view hidden files in folders. For instructions on how to view hidden files in , , and .
Once this is turned on simply START-->SEARCH your computer for TCAntiBot.EXE
Delete the file(s) and dump your recycle bin to remove all
The search should find the files located at
True Classic\c3\effect\601289
C:\windows\system32
If it does not, please go to those folders and manually look for TCAntibot.exe
If you are using Windows Vista or Windows 7, please also check this folder:
C:\Users\YOURNAMEHERE\AppData\Roaming
Replace 'YOURNAMEHERE' with your Windows user name.
If you are using Windows XP, please also check this folder:
Documents and Settings\YOURNAMEHERE\Application Data
Replace 'YOURNAMEHERE' with your Windows user name.
If you are unable to delete the file, you will have to open your Task Manager via Ctrl+Shift+ESC. Switch to the process list and end the TCAntibot process.
For more information about this malware read which the information was originally posted in.
For anyone interested, the TCAntibot.exe file I'm talking about can be found (b460e03ac2f9ec50572fd93f32eb967d) and its VirusTotal scan . If you use a scanner that doesn't detect it, I suggest you submit the file to them so these kids can't use this as easily again.
It's really pathetic that a server would be desperate enough to infect 150 of their users just to win a DDOS war. And they ended up losing not only the war but also their credibility (lol). If you know someone who was unfortunate enough to play True Classic in the last few days (the latest patches) please direct them here.
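The manual check described in the post can also be scripted. The following is an added example, not part of the original post: it looks in the folders the post lists for a file named TCAntibot.exe and compares its MD5 with the hash quoted in the post. The `game_dir` argument (your True Classic install folder) and the function names are assumptions of this example.

```python
import hashlib
import os
import sys
from pathlib import Path

TARGET_NAME = "tcantibot.exe"  # file name from the post, matched case-insensitively
POSTED_MD5 = "b460e03ac2f9ec50572fd93f32eb967d"  # hash quoted in the post

def candidate_dirs(game_dir=None, env=os.environ):
    """Folders the post says to check. game_dir is the True Classic install
    folder (an assumption: the post does not say where the game lives)."""
    dirs = []
    if game_dir:
        dirs.append(Path(game_dir) / "c3" / "effect" / "601289")
    if env.get("SystemRoot"):   # normally C:\windows
        dirs.append(Path(env["SystemRoot"]) / "system32")
    if env.get("APPDATA"):      # AppData\Roaming on Vista/7, Application Data on XP
        dirs.append(Path(env["APPDATA"]))
    return dirs

def md5_of(path):
    """MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(dirs):
    """Return (path, md5, matches_posted_hash) for each TCAntibot.exe found.
    os.scandir lists hidden files too, so no Explorer setting is needed."""
    hits = []
    for d in dirs:
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue  # folder missing or unreadable on this machine
        for e in entries:
            if e.is_file() and e.name.lower() == TARGET_NAME:
                try:
                    digest = md5_of(e.path)
                except OSError:
                    digest = None  # file could not be read, e.g. locked while running
                hits.append((e.path, digest, digest == POSTED_MD5))
    return hits

if __name__ == "__main__":
    found = scan(candidate_dirs(sys.argv[1] if len(sys.argv) > 1 else None))
    for path, digest, match in found:
        print(path, digest, "matches posted hash" if match else "different hash")
    sys.exit(1 if found else 0)
```

A file with the right name but a different hash is still worth removing and scanning; the hash only confirms it is the same sample the post refers to.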