Incgamers' UICentral Trojan Infected again
by Cairenn | 11/01/2008 21:36:58

It seems that unfortunately, incgamers' UICentral has been compromised again. Shirik downloaded a fresh copy of it from their site today and decompiled it. In the process, he was able to determine that:
Now luckily for everyone (in one sense) it is the same one as showed up previously. Therefore, we already know how to get rid of it. From the previous thread about it, here is what you need to do if you believe you may be infected:

What you need to do

If you downloaded UICentral and think you may have been infected, here is what you need to do:

ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger.

Download: RemoveKeylogger.zip http://www.wowinterface.com/forums/attachment.php?attachmentid=1572&am (Contains one .bat file and one .reg file)

Download and extract the files to your hard drive (for example, C:\). I wouldn't recommend extracting it to your desktop for simplicity reasons. Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer. Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVBC).

OR, if you feel more secure doing it manually ....

1) Boot into safe mode
2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)
   Start --> run --> cmd.exe
   Copy and paste the following lines into the box, one by one:

       attrib -H -S %systemroot%\system32\wzcsvbc.dll
       attrib -H -S %systemroot%\system32\mouse.dll
       attrib -H -S %systemroot%\system32\printfpool.exe
       del %systemroot%\system32\wzcsvbc.dll
       del %systemroot%\system32\mouse.dll
       del %systemroot%\system32\printfpool.exe
       sc delete printfpool
       exit

3) Fix the registry
   Start --> run --> regedit
   Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\P
   Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")
4) Reboot
5) Start WoW, and then close it. Do NOT log in.
6) Verify that the bad files don't exist (search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)
7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.
8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.

* NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.

Rushster has been contacted at incgamers and I've no doubt he is taking the appropriate steps.

/edit Update, additional information:
[ Post edited by Cairenn ]

Cairenn
Administratrix - WoWInterface
Credendo Vides
UI Dev, Hosting & Support
http://www.WoWInterface.com
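
The check in step 6 of the post above can be scripted. This batch file is an added example, not part of the original post or of the RemoveKeylogger download; it only reads and reports, using the file, service and registry names given in the post. It assumes the ServiceDll value sits somewhere below the WZCSVC service key, so it searches that whole key; the [FOUND]/[ok] labels are this example's own.

```batch
@echo off
rem Added example: read-only check for the artifacts named in the removal steps.
rem It deletes nothing and changes nothing; it only reports what it finds.
setlocal
set FOUND=0

rem Files from step 2. "dir /a" also lists files that carry the Hidden and
rem System attributes, which a plain "dir" would skip.
for %%F in (wzcsvbc.dll mouse.dll printfpool.exe) do (
    dir /a /b "%systemroot%\system32\%%F" >nul 2>&1
    if not errorlevel 1 (
        echo [FOUND] %systemroot%\system32\%%F
        set FOUND=1
    ) else (
        echo [ok]    %%F not present in system32
    )
)

rem Service from step 2 ("sc delete printfpool"). "sc query" returns a
rem non-zero exit code when no service with that name is registered.
sc query printfpool >nul 2>&1
if not errorlevel 1 (
    echo [FOUND] service "printfpool" is still registered
    set FOUND=1
) else (
    echo [ok]    service "printfpool" is not registered
)

rem Registry value from step 3. Every ServiceDll value below the WZCSVC key
rem is listed and matched against the bad DLL name (wzcsvbc, with the "b").
reg query "HKLM\SYSTEM\CurrentControlSet\Services\WZCSVC" /s /v ServiceDll 2>nul | findstr /i "wzcsvbc" >nul
if not errorlevel 1 (
    echo [FOUND] a ServiceDll value under WZCSVC still references wzcsvbc.dll
    set FOUND=1
) else (
    echo [ok]    no ServiceDll value under WZCSVC references wzcsvbc.dll
)

echo.
if "%FOUND%"=="1" (
    echo Result: at least one artifact is still present. Repeat the removal steps.
) else (
    echo Result: none of the listed artifacts were found.
)
exit /b %FOUND%
```

A clean result covers only the names listed in the post, so the full anti-virus scan in step 7 and the password change in step 8 still apply.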
by Zootfizzle | 15/01/2008 08:46:19

Although we have not investigated this, I'm bumping it so people can confirm they're safe. As always, you should never download any AddOn package that contains an executable unless you completely trust the source.

