Another trojan on incgamers' UICentral
 

It seems that unfortunately, incgamers' UICentral has been compromised again. Shirik downloaded a fresh copy of it from their site today and decompiled it. In the process, he was able to determine that:


Now luckily for everyone (in one sense) it is the same one as showed up previously. Therefore, we already know how to get rid of it. From the previous thread about it, here is what you need to do if you believe you may be infected:


What you need to do

If you downloaded UICentral and think you may have been infected, here is what you need to do:

Updated! 12/3/07 12AM CST - ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger. Dolby has verified that this does work.

Download: RemoveKeylogger.zip
(Contains one .bat file and one .reg file)

Download and extract the files to your hard drive (for example, C:\). I wouldn't recommend extracting it to your desktop for simplicity reasons.

Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer.

Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVBC).

OR, if you feel more secure doing it manually ....

1) Boot into safe mode

2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)

Start --> run --> cmd.exe

Copy and paste the following lines into the box, one by one:

attrib -H -S %systemroot%\system32\wzcsvbc.dll

attrib -H -S %systemroot%\system32\mouse.dll

attrib -H -S %systemroot%\system32\printfpool.exe

del %systemroot%\system32\wzcsvbc.dll

del %systemroot%\system32\mouse.dll

del %systemroot%\system32\printfpool.exe

sc delete printfpool

exit

3) Fix the registry

Start --> run --> regedit

Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters

Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

4) Reboot

5) Start WoW, and then close it. Do NOT log in.

6) Verify that the bad files don't exist(search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.

8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.

• NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.

Rushster has been contacted at incgamers and I've no doubt he is taking the appropriate steps.

BTW, our awareness of the problem came from this thread on our site which lead to this thread on incgamers' site which led to us downloading a fresh copy of UICentral today and decompiling it.

Not again...was hit by this the first time. I am not planning on getting this a second time.
( my account were compromised and chars deleted..so my sympathies for those who has it! )

And good luck fixing it!

It's not us, it's incgamers. We're fine. :) incgamers is in the process of dealing with it on their site.

Again, this is a program hosted at incgamers.com, not wowinterface.com. The only people that should be impacted are those using UI Central from incgamers.com. To the best of our knowledge, there are no vulnerabilities on this site (and trust me, there's been a lot of testing).

Glad to hear...

You sure they're not just in the process of telling everyone to sod and get a degree in computer engineering, or have we already been through that step?

Yes, i know it isnt here, i did download UICentral at that moment when the last trojan struck. =)

LOL, i told them before about this crap and they tryed to ban me from there site.. #$%^ them.... I'll never down load anything from that site again..

Hi, just wanted to point out a potentially destructive typo. The original post says:

Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVC)

The line should read ...RemoveKeylogger and WZCSVBC.

The file WZCSVBC.DLL is the keylogger, but WZCSVC.DLL is the "Wireless Zero Configuration Service," a part of the Microsoft Windows operating system, and should not be removed.

Just an FYI. :)

Thanks for the catch ThornyJohn. :)

Funny but, No mention of this Trojan on there site..? that's just #$%&ed up..

Hi, I downloaded proximo from that site but not that uicentral updater thing. Does that mean I am ok or should I run that removekeylogger.zip?

Proximo is just an addon. Assuming it is what I just downloaded, that is, just image files, Lua files, and xml files, there is nothing to be afraid of. I have not found any executable files in the package.

As far as I'm aware the vulnerability was limited to UI Central.

http://wow.incgamers.com/forums/showthread.php?t=408823
They have confirmed that the trojan was real, but in my own PM to Rushster, he basically commented that he had no intention of posting a news article about it or anything else for that matter. In his words:

I had actually made a post on that thread that I unfortunately don't have a copy of. I had basically called Asteria out for claiming indirectly that wowi was just posting this to make wowui look bad. I was professional about it, and basically pointed out that it is stupid to think that wowi would post a news article just to tarnish their reputation, when we did the same exact thing regarding the Trojan we were hit with. My post was deleted, and Asteria's was allowed to stay, citing that mine was off-topic and had no purpose in that thread. Somehow they felt that his were in fact on-topic....

I usually stay out of politics, and after this I will probably go back to my previous method of simply not using another website at all if I don't agree with the way they do business, but I just have to get this off my chest:

I am so sick and tired of the attitude people have against "other sites". I know full well that comments have been made on all sides, and that they may or may not have been true. In my experience you can ALWAYS find poo to sling if you are looking to sling it. But this is supposed to be a COMMUNITY, and at least for me that signifies users on ALL websites. When someone who downloads their mods from curse comes to me for advise or help on an addon, I don't throw them to the wolves and refuse to help them. The same goes when someone from wowui comes to me. This retarded "my site is better than yours" mantra that some sites seem to hold to needs to stay in the background and NOT become evident in public forums, irc, or any other form of communication that regular users can see. It only fosters ill-will and ultimately makes YOU look bad. I know there will always be competition among site-staffers simply because our sites make money based on the number of visitors and traffic we get. That competition will always be there, but it should not EVER taint our user-base.

If you don't like the way a certain site does business the solution is simple. Don't use them at all! I know this can be hard for regular users sometimes because there may be situations where an addon is available on one site but not the other. But if you have a choice, and you would like to support one site over another, the solution is as simple as using your preferred site for everything you possibly can, and then only use those other sites when you absolutely must. This is how I support one site over another. I don't EVER want to see a wowi poster make comments like the one that Asteria did...

Rushter said:
I am assuming he is referring to the poster from this thread. That poster was alerted to the possibility of a Trojan by me, and sent over to their site to inform them by me. He claims that he was informed before we put a hand in it, but that's not true. If it weren't for me caring, he wouldn't have known at all. And I sent the user over there to post so that it would come from the user, not from one of us.

And that user said they had downloaded it two days before (so, on Jan 8th). They posted on their site on the 10th. Rushter finally agreed that there might be a problem on the 11th. That's not a few people in a couple hours. That's probably a couple hundred over 3 days.

I am deeply sorry for anyone who may be affected by this. As I mentioned on the blizz forums, I would be distraught if Seerah and my other characters were hacked and deleted. I wouldn't wish it on anyone.

Thank You
 

:):)

Thank you, for the wonderful information. it was a great help to me.

I'm sorry to hear you needed the info in the first place. =/

Bleh. I watch communities rot from the core all the time. Sad to see, but it happens. And all it takes is some outside influence like gold farmers to do it....




Yea... so totaly fatalistic and pessimistic. Shoot me =P.

Comments... let's see... Nope. Nothing usefull. Yea, this is prolly classified as spam. But as Cairenn said, Sorry to hear people need this info in the first place. Bloody Gold farmers.