Taking up the fight against key-loggers

None

Ghwrin — Thu, 21 Dec 2006 06:02:19 GMT

ui.worldofwar.net currently has a keylogger on their website. If you've visited their website recently search your computer for "NTLDR.exe" (not to be confused with NTLDR.dll) and delete it immediately. I would also recommend scanning your computer for viruses.

The keylogger is downloaded via JavaScript, which you can block or enable for website of your choice with the following FireFox plug-in: https://addons.mozilla.org/firefox/722/

None

XShadowXKingX — Thu, 21 Dec 2006 06:02:18 GMT

Thank You Ghwrin And Nimloth for the info!!

- XShadowXKingX

None

dhask — Thu, 21 Dec 2006 06:02:17 GMT

Also, NoScript:

https://addons.mozilla.org/firefox/722/

For those things that FF is vulnerable to, almost all of them are Javascript related. Browse with JS off by default, one-click to permanently allow scripts from trusted domains. Protects you from JS attacks such as the worldofwar one, or the occasional hacked advertising server ones.

None

smurfy — Thu, 21 Dec 2006 06:02:16 GMT

Problem with the "65.98.12.xxx" ip javascript and css links. is that a good idea to have this stuff on a ip based url?

another problem is that the url will changes.

More infos about keyloggers:

http://www.worldofraids.com/forum/viewtopic.php?t=2487

its also a keylogger on curse ( refering to worldofraids and its sources)

bye smurfy

None

Nimloth — Thu, 21 Dec 2006 06:02:15 GMT

World of Raids is slow to update its news apparently. The key logger you are referring to was removed shortly after its discovery and security restrictions have been put in place to prevent repetition.

None

vatosky — Thu, 21 Dec 2006 06:02:14 GMT

Please whipe this member out of C-G database.

http://www.curse-gaming.com/en/accounts/details/cedricbensonbrunson/

Check his posts, it will clarify why.

None

Rupilius — Thu, 21 Dec 2006 06:02:13 GMT

Good to see you guys reacting quickly. GL.

None

lAce — Thu, 21 Dec 2006 06:02:12 GMT

Nimloth, they might be not up to date to your current situation, but it was worth mentioning, because ppl might have been infected from your site in the time period before you discovered the problem.

None

Nimloth — Thu, 21 Dec 2006 06:02:11 GMT

@lAce Right you are! However, it is equally important to mention that the situation has been dealt with, don't you think? :)

@vatosky The entire range of accounts from @exploitsrus have been banned, and all 520 spam comments have been deleted.

None

ThorsLiebling — Thu, 21 Dec 2006 06:02:10 GMT

GHWRIN: "ui.worldofwar.net currently has a keylogger on their website. If you've visited their website recently search your computer for "NTLDR.exe" (not to be confused with NTLDR.dll) and delete it immediately. I would also recommend scanning your computer for viruses. The keylogger is downloaded via JavaScript, which you can block or enable for website of your choice with the following FireFox plug-in: https://addons.mozilla.org/firefox/722/"

I have this NTDLR.EXE on my computer and I have deleted it already a couple of times, it keeps coming back on my harddrive C. I have already checked my whole system several times daily with various security tools and programs, and also manually. But still it is not possible to find the cause why this file is being renewed everytime on startup. Off course ma secutity tools and programs are up to date. What can I do?

I also have another file in my task manager since about a week. It's name is NSCSRVCE.EXE. Is it possible, that this file is also a keylogger? My firewall always reports, that it is trying to act as a server as soon as I try to log on into WoW. It shuts down WoW as soon as I forbid it to do so oO

None

smurfy — Thu, 21 Dec 2006 06:02:09 GMT

try:

http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx

with this tool you could see which process is doing what on your filesystem

bye smurfy

None

Fendryl — Thu, 21 Dec 2006 06:02:08 GMT

NoScript is nice & all when you know the site is secure. However since most people have curse-gaming.com listed as ok, stuff coming from media1.curse-gaming.com will get through as well.

And ya, what's the deal with the "65.98.12.xxx" ip, I had to allow that for the beta tab on some addons to work.

None

Sikkwolf — Thu, 21 Dec 2006 06:02:07 GMT

ThorsLiebling, no, NSCSRVCE.EXE is an executable attatched to Norton. And it is shutting your WoW windows down because when you tell it that it can not run, it is executing the program it was monitoring for you.

None

Ghwrin — Thu, 21 Dec 2006 06:02:06 GMT

@ThorsLiebling,

If your computer automatically creates system restore points, you can try restoring from a point before you believe you were infected.

Also, make sure you delete all of your temporary internet files. There may be a process running that automatically restore the keylogger, so try running an anti-virus/other security programs that can scan before Windows and other processes fully boot.

If all else fails, you may have to format. I myself wasn't infected, so I am not 100% sure of the steps you need to follow to remove the virus.

None

Regulator — Thu, 21 Dec 2006 06:02:05 GMT

Another tip!

Go to www.firefox.com , head over to the AddOns section of their's and search for the AddOn called NoScript.

Install NoScript for Firefox (done in 1 min tops).

This makes you in charge of what scripts that you allow to run in your firefox.

Cheers, merry christmas!