World of Warcraft

Taking up the fight against key-loggers

Posted Sep 17, 2008 by Nimloth

Recently, there has been an increase in the number of key-loggers reported on various websites tailored to WoW. For those of you who are unaware of what a key-logger is, it is a malicious program that installs itself in the memory of your computer and reads your key-strokes as you log on to your game or website of choice, snapping up your login information and sending it back to the author of the program.

There are several ways in which these people attempt to catch you off guard. With regard to World of Warcraft, I will list the most common methods used.

  • Addon Download:

An .exe file is included in a compressed archive (such as a .zip or .rar), and users then run the .exe file, unaware that it is not what it is supposed to be.

  • Addon Download:

The actual download is itself an .exe file (easily confused with a self-extracting compressed archive), which the user runs thinking it will install the addon.

  • Poor Website Security

Certain websites have poor security, allowing malicious users to seize control of the content the website delivers and insert their own code into its web pages. The entire website is then compromised, with the potential of running JavaScript(*) to install or run applications on your computer.

  • Masked/Fake URLs

Certain people will create URLs and file links that "appear" to come from legitimate content, while in fact they are hoax URLs that lead to the same security breaches mentioned above.
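As an added illustration of the masked-URL item (example code, not part of the original post and not Curse's own tooling), the check below compares where a link really points with what the reader expects. The exact-match host list, the reason labels and the sample links in the test are assumptions made for this example; it flags hosts that are bare IP addresses, subdomains that were never explicitly listed (such as the media1 host mentioned later in this post), and link text that names a different site than the link target.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the user keeps an exact-match list of hosts they normally use.
EXPECTED_HOSTS = {"curse-gaming.com", "www.curse-gaming.com"}


def host_of(text: str) -> str:
    """Lower-cased host of a URL, or of bare text such as 'www.example.com/x'."""
    if not text or any(ch.isspace() for ch in text):
        return ""
    parts = urlsplit(text if "//" in text else "//" + text)
    return (parts.hostname or "").lower()


def classify_link(href: str, shown_text: str = "") -> list:
    """Return the reasons a link deserves a second look (empty list = none)."""
    reasons = []
    host = host_of(href)
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")   # no name to recognise at all
    except ValueError:
        pass
    if host not in EXPECTED_HOSTS:
        if any(host.endswith("." + h) for h in EXPECTED_HOSTS):
            # Trusting a whole domain silently trusts every host under it.
            reasons.append("unlisted-subdomain")
        else:
            reasons.append("unexpected-host")
    shown_host = host_of(shown_text)
    if "." in shown_host and shown_host != host:
        reasons.append("text-host-mismatch")  # text names a different site
    return reasons
```

An empty result only means the link goes to a host on the list; it says nothing about whether that site's content has been tampered with.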


What can you do as a user to avoid falling in the trap?

  • Install an updated and secure browser. (Our recommendation is Mozilla Firefox 2.0.1)
  • Have up-to-date antivirus/security software installed on your computer.
  • Use common sense. Don't visit URLs or links spread on the internet that differ from the actual addresses you are used to. Don't run executables you download without running security checks on them first.
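One security check that fits the two addon-download cases described earlier, as an added example (not code from the original post): before anything is extracted or run, look at what the download actually is. The extension list, the function names and the in-memory sample archives are assumptions constructed for this example; it only covers .zip archives and the "MZ" header that Windows programs start with, and it complements an antivirus scan rather than replacing one.

```python
import io
import posixpath
import zipfile

# Extensions Windows will launch directly. Assumption for this example: a WoW
# addon consists of .toc/.lua/.xml and media files, so none of these belong.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".msi", ".dll"}


def inspect_download(data: bytes) -> dict:
    """Classify a downloaded 'addon' and list archive members not to run."""
    report = {"kind": "unknown", "risky_members": []}
    if data[:2] == b"MZ":
        # DOS/PE header: the download itself is a program (maybe a
        # self-extracting archive), not a plain archive of addon files.
        report["kind"] = "executable"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["kind"] = "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                magic = member.read(2)  # catches a renamed executable
            if ext in RISKY_EXT or magic == b"MZ":
                report["risky_members"].append(info.filename)
    return report


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not real addons or real malware).
CLEAN = make_zip({"MyAddon/MyAddon.toc": b"## Title: MyAddon\n",
                  "MyAddon/core.lua": b"-- addon code\n"})
BUNDLED = make_zip({"MyAddon/core.lua": b"-- addon code\n",
                    "MyAddon/install.exe": b"MZ\x90\x00 constructed stub"})
RENAMED = make_zip({"MyAddon/core.lua": b"MZ\x90\x00 constructed stub"})
BARE_EXE = b"MZ\x90\x00" + bytes(60)
```

To check a real download, pass the file's bytes, for example `inspect_download(open(path, "rb").read())`.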

In closing, to supplement the already robust security we have here at Curse, as a precaution I advise you to be cautious about links to Curse URLs that begin with media1.curse-gaming.com. We will be going over the routines on our website over the next 24 hours to ensure we have the highest security possible and that you can continue to expect Curse to be free of malware.

As an addendum: should you as a user at some point find malware on our website, please report it to either myself or Werik immediately and we will have the issue resolved.

Thanks, - The Curse Crew

  • Comments

  • Ghwrin said 
    Thu, Dec 21 2006 12:02 AM ()

    ui.worldofwar.net currently has a keylogger on their website. If you've visited their website recently search your computer for "NTLDR.exe" (not to be confused with NTLDR.dll) and delete it immediately. I would also recommend scanning your computer for viruses.

    The keylogger is downloaded via JavaScript, which you can block or enable for the website of your choice with the following Firefox plug-in: https://addons.mozilla.org/firefox/722/

  • Thu, Dec 21 2006 12:02 AM ()

    Thank You Ghwrin And Nimloth for the info!!

    - XShadowXKingX

  • dhask said 
    Thu, Dec 21 2006 12:02 AM ()

    Also, NoScript:

    https://addons.mozilla.org/firefox/722/

    For those things that FF is vulnerable to, almost all of them are JavaScript related. Browse with JS off by default, one-click to permanently allow scripts from trusted domains. Protects you from JS attacks such as the worldofwar one, or the occasional hacked advertising server ones.

  • smurfy said 
    Thu, Dec 21 2006 12:02 AM ()

    Problem with the "65.98.12.xxx" IP JavaScript and CSS links: is it a good idea to have this stuff on an IP-based URL?

    Another problem is that the URL will change.

    More info about keyloggers:

    http://www.worldofraids.com/forum/viewtopic.php?t=2487

    It's also a keylogger on Curse (referring to worldofraids and its sources)

    bye smurfy

  • Nimloth said 
    Thu, Dec 21 2006 12:02 AM ()

    World of Raids is slow to update its news apparently. The key logger you are referring to was removed shortly after its discovery and security restrictions have been put in place to prevent repetition.

  • vatosky said 
    Thu, Dec 21 2006 12:02 AM ()

    Please wipe this member out of C-G database.

    http://www.curse-gaming.com/en/accounts/details/cedricbensonbrunson/

    Check his posts, it will clarify why.

  • Rupilius said 
    Thu, Dec 21 2006 12:02 AM ()

    Good to see you guys reacting quickly. GL.

  • lAce said 
    Thu, Dec 21 2006 12:02 AM ()

    Nimloth, they might not be up to date on your current situation, but it was worth mentioning, because ppl might have been infected from your site in the time period before you discovered the problem.

  • Nimloth said 
    Thu, Dec 21 2006 12:02 AM ()

    @lAce Right you are! However, it is equally important to mention that the situation has been dealt with, don't you think? :)

    @vatosky The entire range of accounts from @exploitsrus has been banned, and all 520 spam comments have been deleted.

  • Thu, Dec 21 2006 12:02 AM ()

    GHWRIN: "ui.worldofwar.net currently has a keylogger on their website. If you've visited their website recently search your computer for "NTLDR.exe" (not to be confused with NTLDR.dll) and delete it immediately. I would also recommend scanning your computer for viruses. The keylogger is downloaded via JavaScript, which you can block or enable for the website of your choice with the following Firefox plug-in: https://addons.mozilla.org/firefox/722/"

    I have this NTDLR.EXE on my computer and I have deleted it already a couple of times, it keeps coming back on my hard drive C. I have already checked my whole system several times daily with various security tools and programs, and also manually. But still it is not possible to find the cause why this file is being renewed every time on startup. Of course my security tools and programs are up to date. What can I do?

    I have also had another file in my task manager for about a week. Its name is NSCSRVCE.EXE. Is it possible that this file is also a keylogger? My firewall always reports that it is trying to act as a server as soon as I try to log on into WoW. It shuts down WoW as soon as I forbid it to do so oO

  • smurfy said 
    Thu, Dec 21 2006 12:02 AM ()

    try:

    http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx

    with this tool you could see which process is doing what on your filesystem

    bye smurfy

  • Fendryl said 
    Thu, Dec 21 2006 12:02 AM ()

    NoScript is nice & all when you know the site is secure. However since most people have curse-gaming.com listed as ok, stuff coming from media1.curse-gaming.com will get through as well.

    And ya, what's the deal with the "65.98.12.xxx" ip, I had to allow that for the beta tab on some addons to work.

  • Sikkwolf said 
    Thu, Dec 21 2006 12:02 AM ()

    ThorsLiebling, no, NSCSRVCE.EXE is an executable attached to Norton. And it is shutting your WoW windows down because when you tell it that it can not run, it is executing the program it was monitoring for you.

  • Ghwrin said 
    Thu, Dec 21 2006 12:02 AM ()

    @ThorsLiebling,

    If your computer automatically creates system restore points, you can try restoring from a point before you believe you were infected.

    Also, make sure you delete all of your temporary internet files. There may be a process running that automatically restores the keylogger, so try running an anti-virus/other security programs that can scan before Windows and other processes fully boot.

    If all else fails, you may have to format. I myself wasn't infected, so I am not 100% sure of the steps you need to follow to remove the virus.

  • Thu, Dec 21 2006 12:02 AM ()

    Another tip!

    Go to www.firefox.com, head over to the AddOns section of theirs and search for the AddOn called NoScript.

    Install NoScript for Firefox (done in 1 min tops).

    This puts you in charge of which scripts you allow to run in your Firefox.

    Cheers, merry christmas!

  • gorgeth said 
    Thu, Dec 21 2006 12:02 AM ()

    *sigh* so much FUD..

    FACT: NTLDR.EXE in the root of your system drive is a windows system file..

    It processes Boot.ini and loads the OS of choice (either blindly on a single install of win2k/xp or with a menu presenting various choices if you are on a dualboot or otherwise "nonstandard" system)

    You cannot get rid of NTLDR.EXE and get windows to load, having people who cannot run an antivirus program delete files is always a BAD IDEA.. especially when they are presented as the fix from clearly clueless individuals such as those who posted this information originally.

  • alicomb said 
    Thu, Dec 21 2006 12:02 AM ()

    Isn't this like the second time that ui.worldofwarcraft.net have had Trojans in their advertising?

  • Mazak said 
    Thu, Dec 21 2006 12:02 AM ()

    gorgeth; NTLDR.EXE is not a windows system file, NTLDR *without an extension* is

    Also, the (virus/trojan) file talked about here is actually named NTDLR.EXE (mind the spelling!)

    Also note; by default the real NTLDR file is marked as a protected operating system file and will not be seen in the root of your first hard drive (where it must reside for the system to be able to boot up, the name is short for NT LoaDeR)

    A quick google search confirms this pretty well... Note; always look up the file on google before you delete it on just anyone's recommendation...

  • Ch3vr0n said 
    Thu, Dec 21 2006 12:02 AM ()

    I was wondering if media1.curse-gaming.com is safe again. Cause I clicked on "auto select fastest mirror" while downloading ecasting bar latest version and it took this url. (I'm using IE7). I aborted the download & cleaned out my temp files just to be on the safe side. But can anyone of curse confirm it is safe again please. Don't wanna lose my 2yrs account ^^

  • BBR said 
    Thu, Dec 21 2006 12:02 AM ()

    ui.worldofwar.net has recently had another (third time this year) malicious trojan which was spread by their advertisement program... really poor advertising for them tbh, many accounts were hacked yet again.