Another trojan on incgamers' UICentral
It seems that unfortunately, incgamers' UICentral has been compromised again. Shirik downloaded a fresh copy of it from their site today and decompiled it. In the process, he was able to determine that:
Quote:
Now luckily for everyone (in one sense) it is the same one as showed up previously. Therefore, we already know how to get rid of it. From the previous thread about it, here is what you need to do if you believe you may be infected:

What you need to do

If you downloaded UICentral and think you may have been infected, here is what you need to do:

Updated! 12/3/07 12AM CST - ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger. Dolby has verified that this does work.

Download: RemoveKeylogger.zip (Contains one .bat file and one .reg file)

Download and extract the files to your hard drive (for example, C:\). I wouldn't recommend extracting it to your desktop for simplicity reasons. Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer. Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVBC).

OR, if you feel more secure doing it manually ....

1) Boot into safe mode

2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)
Start --> run --> cmd.exe
Copy and paste the following lines into the box, one by one:

    attrib -H -S %systemroot%\system32\wzcsvbc.dll
    attrib -H -S %systemroot%\system32\mouse.dll
    attrib -H -S %systemroot%\system32\printfpool.exe
    del %systemroot%\system32\wzcsvbc.dll
    del %systemroot%\system32\mouse.dll
    del %systemroot%\system32\printfpool.exe
    sc delete printfpool
    exit

3) Fix the registry
Start --> run --> regedit
Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters
Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

4) Reboot

5) Start WoW, and then close it. Do NOT log in.

6) Verify that the bad files don't exist (search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.

8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.
|
|
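Added example (not part of the original thread, and not ScytheBlade1's batch file): a read-only PowerShell check for the indicators named in the removal steps above, useful for step 6. The function name is made up for this example; the file names, service name and registry path are the ones given in the post, and the script assumes it is run from an administrator prompt.

```powershell
# Added example: read-only check for the indicators named in the post above.
# Nothing is deleted or modified. Test-UICentralIndicators is a made-up name.
function Test-UICentralIndicators {
    $findings = @()
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # Steps 2 and 6: the three files. The post clears the Hidden and System
    # attributes before deleting, so -Force is needed to see such files.
    foreach ($name in 'wzcsvbc.dll', 'mouse.dll', 'printfpool.exe') {
        $item = Get-Item -Path (Join-Path $sys32 $name) -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += "File present: $($item.FullName) [$($item.Attributes)]"
        }
    }

    # Step 2: the service the post removes with 'sc delete printfpool'.
    if (Get-Service -Name 'printfpool' -ErrorAction SilentlyContinue) {
        $findings += 'Service still registered: printfpool'
    }

    # Step 3: ServiceDLL must name wzcsvc.dll (the real Windows component),
    # not wzcsvbc.dll. Get-ItemProperty expands %SystemRoot%, so only the
    # file name is compared (-ne is case-insensitive).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $params) {
        Write-Host "Note: $key not found (no WZCSVC service on this system)."
    } elseif ($params.ServiceDll -and
              (Split-Path -Leaf $params.ServiceDll) -ne 'wzcsvc.dll') {
        $findings += "ServiceDLL points to: $($params.ServiceDll)"
    }

    return $findings
}

# @() keeps the result an array even when the function returns nothing.
$result = @(Test-UICentralIndicators)
if ($result.Count -eq 0) {
    Write-Host 'None of the indicators from the post were found.'
} else {
    $result | ForEach-Object { Write-Host "FOUND: $_" }
}
```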
Not again... was hit by this the first time. I am not planning on getting this a second time.
(My account was compromised and chars deleted, so my sympathies for those who have it!) And good luck fixing it! |
It's not us, it's incgamers. We're fine. :) incgamers is in the process of dealing with it on their site.
|
Yes, I know it isn't here, I did download UICentral at that moment when the last trojan struck. =)
|
LOL, I told them before about this crap and they tried to ban me from their site.. #$%^ them.... I'll never download anything from that site again..
|
Hi, just wanted to point out a potentially destructive typo. The original post says:
Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVC)

The line should read ...RemoveKeylogger and WZCSVBC. The file WZCSVBC.DLL is the keylogger, but WZCSVC.DLL is the "Wireless Zero Configuration Service," a part of the Microsoft Windows operating system, and should not be removed. Just an FYI. :) |
Thanks for the catch ThornyJohn. :)
|
Funny, but no mention of this Trojan on their site..? That's just #$%&ed up..
|
Hi, I downloaded proximo from that site but not that uicentral updater thing. Does that mean I am ok or should I run that removekeylogger.zip?
|
Quote:
As far as I'm aware the vulnerability was limited to UI Central. |
http://wow.incgamers.com/forums/showthread.php?t=408823
They have confirmed that the trojan was real, but in my own PM to Rushster, he basically commented that he had no intention of posting a news article about it or anything else for that matter. In his words: Quote:
I usually stay out of politics, and after this I will probably go back to my previous method of simply not using another website at all if I don't agree with the way they do business, but I just have to get this off my chest:

I am so sick and tired of the attitude people have against "other sites". I know full well that comments have been made on all sides, and that they may or may not have been true. In my experience you can ALWAYS find poo to sling if you are looking to sling it. But this is supposed to be a COMMUNITY, and at least for me that signifies users on ALL websites. When someone who downloads their mods from curse comes to me for advice or help on an addon, I don't throw them to the wolves and refuse to help them. The same goes when someone from wowui comes to me. This retarded "my site is better than yours" mantra that some sites seem to hold to needs to stay in the background and NOT become evident in public forums, irc, or any other form of communication that regular users can see. It only fosters ill-will and ultimately makes YOU look bad.

I know there will always be competition among site-staffers simply because our sites make money based on the number of visitors and traffic we get. That competition will always be there, but it should not EVER taint our user-base. If you don't like the way a certain site does business the solution is simple. Don't use them at all! I know this can be hard for regular users sometimes because there may be situations where an addon is available on one site but not the other. But if you have a choice, and you would like to support one site over another, the solution is as simple as using your preferred site for everything you possibly can, and then only use those other sites when you absolutely must. This is how I support one site over another.

I don't EVER want to see a wowi poster make comments like the one that Asteria did... |
Rushter said:
Quote:
And that user said they had downloaded it two days before (so, on Jan 8th). They posted on their site on the 10th. Rushter finally agreed that there might be a problem on the 11th. That's not a few people in a couple hours. That's probably a couple hundred over 3 days. I am deeply sorry for anyone who may be affected by this. As I mentioned on the blizz forums, I would be distraught if Seerah and my other characters were hacked and deleted. I wouldn't wish it on anyone. |
Thank You
:):)
Thank you for the wonderful information. It was a great help to me. |
I'm sorry to hear you needed the info in the first place. =/
|
Bleh. I watch communities rot from the core all the time. Sad to see, but it happens. And all it takes is some outside influence like gold farmers to do it....
Yea... so totally fatalistic and pessimistic. Shoot me =P. Comments... let's see... Nope. Nothing useful. Yea, this is prolly classified as spam. But as Cairenn said, Sorry to hear people need this info in the first place. Bloody Gold farmers. |