Boxanite

HackShield Information & Request


I recently installed a free-to-play game called ArcheAge, which was published by a legitimate game developer that has been trusted for some time (Trion Worlds). Well, the Korean developers (XLGames) included an anti-cheat mechanism called HackShield. There was absolutely no indication that this third-party software would be installed during the installation process. Once I realized that this anti-cheat mechanism installed itself as a system driver and was potentially being monitored by a company that I don't fully trust, I opted to uninstall the game. Well, even after you uninstall the game, HackShield remains on the system.

 

I contacted Trion support and was given access to their tier 3 team. I asked them if these were the only files I needed to remove to fully uninstall HackShield and they were unsure. Trion said they would try contacting the developers of HackShield and ask them what files it leaves behind so I could get rid of it. Well, they have yet to contact me back and are largely just ignoring the issue. So, I was left to solve the issue on my own.

 

So far I have found the following service and driver left behind:

 

Hidden Service:

HKLM -> System -> CurrentControlSet -> Services -> XEagle64

 

Driver:

Windows\System32\Drivers\XEagle64.sys

 

BlitzBlank was unable to remove the files after a few attempts. However, I was able to successfully delete the hidden service within the registry, but I was never able to locate the system driver the service was referencing.

 

Could Emsisoft possibly look into this and shed some more light on the issue? I'd love to know how to completely uninstall HackShield. I am afraid it may have left behind more files that I was unable to find.

 

I look forward to hearing back from you all.


Hi Boxanite,

If you successfully removed the service, then even if the file is still on your system, it won't be able to do anything. Still, I understand why you'd prefer to be sure it is gone.

 

Can you tell me what tool showed you the hidden service and what BlitzBlank script you ran? It is possible you found the service in the registry, but the actual file no longer exists. The file name is present in the service key's ImagePath value, but that doesn't automatically mean the file is still there.


1. Yeah, I figured it wouldn't be possible for the driver to load (assuming it is even still installed) without the service. However, for my own personal peace of mind, I'd love to fully remove any/all files associated with HackShield.

 

2. I didn't use any software to find the hidden service. Doing a little research showed me that HackShield installed a hidden service with that name, so all I did was go to the appropriate registry entry and confirmed its existence after uninstalling the game. While it is possible removing the game uninstalled the driver, I have my doubts. Even when the game was running, I was still unable to locate the driver in the specified directory, which is why I believe the driver always remains hidden and could still be installed.

 

3. This is the BlitzBlank script I attempted to use:

DisableDriver: 
C:\Windows\System32\Drivers\XEagle64.sys
DeleteRegKey: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XEagle64

The above script just returned error codes and loaded into Windows. I then verified that the service was still installed, so this is when I attempted to manually remove it.

 

My main concern now is two-fold:

 

1) I fear the driver may still be installed, which is undesirable to me. Even if it is dormant, I'd rather not keep a useless driver that I morally disagree with on my machine.

 

2) Considering that HackShield is clearly trying to hide and protect itself from tampering, I can't be sure what else this junk has installed in order to ensure its own integrity on my machine. This is the primary reason why I reached out to Emsisoft, so maybe a little more research could be done and the true behavior of this application could be identified. At the very least this could be considered a PUP to most users, especially since the game installation never asked to install it and the EULA of the game says nothing at all about a third-party monitoring tool. While I might be a little paranoid, I don't see how this practice is any different from other shady companies that manage to be placed into the signature database as potentially unwanted software.

 

When you visit the developers website (http://hackshield.ahnlab.com/hs/site/en/TheService/management.do) you can see that they offer some sort of monitoring service with their HackShield Pro product. While they may only be monitoring game servers and such, I am a little worried this "monitoring service" extends directly to each installed copy of HackShield so they can isolate and block "zero-day exploits" within games. Such monitoring services, especially ones located in other countries with more relaxed privacy laws (South Korea), kind of scares me.

 

Thank you very much for taking the time to respond to my post, Elise. I appreciate your help.


Any driver under Windows loads from HKLM\System\CurrentControlSet\Services. The fact that you see it in there means it is not hidden; a hidden service is only visible with a rootkit scanner (or, if it is visible, you can only see it, and you get "access denied" errors).

I suspect the uninstaller removed the file but left the service key, this is a bit sloppy but not all that uncommon.

 

To address your concerns:

1) To be absolutely sure, open an elevated command prompt and execute the following commands. They will respectively stop, delete and query the service. Press Enter after each line. After the last line you'd expect to get an error: "The specified service does not exist as an installed service."

sc stop xeagle64
sc delete xeagle64
sc query xeagle64

2) Thus far I haven't seen any evidence that it attempts to hide (as in: make sure Windows isn't aware it's running), except for the fact that its service is left on the system after uninstall.

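The two points made in the replies above (that an ImagePath in a leftover service key does not prove the driver file is still on disk, and that sc stop / sc delete / sc query is the way to confirm the service is really gone) can be checked in one go from an elevated PowerShell prompt. The script below is an added example for this thread, not part of any post and not code from Emsisoft, BlitzBlank or the HackShield vendor. It assumes the service key is still named XEagle64 as reported in the first post, that the driver is registered under that key in CurrentControlSet, and that the usual Windows driverquery.exe and sc.exe tools are available; any other service name can be passed in.

```powershell
# Added example (not from the original thread): inspect a leftover service key,
# test whether the driver it references actually exists, remove the service,
# and remove the file only when the driver is not currently loaded.
# Run from an elevated PowerShell prompt.
param(
    # Assumption: the key is still named as reported in the first post.
    [string]$ServiceName = 'XEagle64'
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path $key)) {
    Write-Output "Service key $key is not present; nothing to remove."
    return
}

# Type 1 = kernel driver, Start 0/1/2 = boot/system/automatic load.
$props = Get-ItemProperty -Path $key
$imagePath = $props.ImagePath
Write-Output "ImagePath: $imagePath"
Write-Output "Type: $($props.Type)  Start: $($props.Start)"

# Driver ImagePath values are frequently relative (System32\Drivers\x.sys) or
# prefixed with \SystemRoot\ or \??\, so normalise before testing the file.
$path = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
    $path = Join-Path $env:SystemRoot $path
}

if ($path -and (Test-Path -LiteralPath $path)) {
    Write-Output "Driver file exists on disk: $path"
    # Who signed it is worth knowing before deciding what to do with it.
    Get-AuthenticodeSignature -LiteralPath $path |
        Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
} else {
    Write-Output "Driver file referenced by ImagePath is NOT on disk: $path"
}

# Same sequence as the sc.exe commands in the reply: stop, delete, then query.
& sc.exe stop $ServiceName | Out-Null
& sc.exe delete $ServiceName
& sc.exe query $ServiceName   # expected afterwards: error 1060, service does not exist

# Delete the file only if it is present and the kernel has not loaded it;
# a loaded driver cannot be removed until after the next reboot.
if ($path -and (Test-Path -LiteralPath $path)) {
    $loaded = driverquery.exe /FO CSV | ConvertFrom-Csv |
        Where-Object { $_.'Module Name' -ieq $ServiceName }
    if ($loaded) {
        Write-Output "Driver is still loaded; reboot now that the service is deleted, then rerun to remove the file."
    } else {
        Remove-Item -LiteralPath $path -Force
        Write-Output "Removed $path"
    }
}
```

Save it as a .ps1 and run it once; if it reports that the driver is still loaded, reboot (the deleted service key means it will not load again) and run it a second time to remove the file. If the script reports that the file is already missing, that matches the case described above where the uninstaller removed the driver but left the service key behind.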
