New keylogger posted this morning in wow addon files

Hello,

There was a new trojan keylogger uploaded this morning on wow addon files by the name of "titan panel 3.0.6 new". I thought it was a new update of the well-known titan panel addon; after installing the exe file, I found out that it was a trojan. I'm posting this message to help anyone that already downloaded the file and got the same virus, because I found how to completely remove it by following these steps:

1- Check the Task Manager of Windows and see if you find a file named "scvhost.exe" (not svchost.exe); the tricky letters "vc" are swapped. End the process if you happen to find it.
2- Go to your drive c: and look for a hidden directory named "config"; you will find three files inside: dskbhook.dll + dxdiag.dll + scvhost.exe. Remove these, and now you are clean.

I hope this message gets to the webmaster or administrator so that he can put a warning on the news articles, to prevent the ones that already downloaded the file and the danger of getting their world of warcraft account hacked.

Thank you.


Stickied. These were posted several times throughout the day. We've been trying to remove them as fast as possible but some were up for at least 30+ minutes.


It's getting so bad...

Perhaps addons that are .EXE should be quarantined for a short period? Requires vetting from a 2nd curse-user? Someone with X curse points or less can't post EXEs ?

Has to be a better way...


> kadolar wrote:
> It's getting so bad...
>
> Perhaps addons that are .EXE should be quarantined for a short period? Requires vetting from a 2nd curse-user? Someone with X curse points or less can't post EXEs ?
>
> Has to be a better way...
I will actually consider something like this. We need a better way to control spammers since we can't obviously moderate the site 24/7 as sooner or later something will slip through while people are sleeping.

With our next site push we are putting live levels with which we want to increase user access on the site on a level basis. I will talk it over w/ the guys and see if we can't come up with a solution.


It's not so much spammers - idiots that want to sell pills and crap are only in the annoying bin.

The keyloggers and virus idiots though: they're worth some effort to shoot down, as the damage they cause is so much more harmful... both to their account as well as Curse's reputation.


I got a question..

Like 3/4 months ago I had 60 priest full epic on hakkar.

I got hacked pretty bad and lost all my items.. I downloaded all my addons from this site.
I don't wanna start over knowing that it can happen again because it really sucks :P...

Is it safe already to play wow with addons again from curse?
Or is there any scan tool or something else to detect if I have this keylogger...

maybe still on my pc? I'm gonna reroll new wow char on Saturday xD


You will want to find an antivirus tool ramon, but most likely it wasn't from an addon on this site. For the past few months other sites have had problems with their advertising, and various exploits on their websites, allowing people to get keyloggers from simply visiting the website.

The only problems we have had have been mostly recently with people posting up .exe only versions of files that are simply a copy paste of another file on the site. These are usually removed within the hour they are posted. I would just recommend not using anything that is a .exe for addons, as they shouldn't be in .exe format.


Was this just people using IE, or was Firefox also affected?


It was an exe in an addon file, nothing about IE or FF :)


No, in regards to the advertising Zinor was talking about.


Oh, you are talking about other sites; I think it reached both IE and FF.


I have come to this website for addons since I started playing WoW and I must say recently these "keyloggers" have been getting bad (not just on Curse, but pretty much anything to do with WoW). As stated earlier, I believe that maybe not hosting files with .exe's in them would be a decent start to solving these problems. I mean think about it, there's nothing an exe can do that you can't do manually besides convenience.

Also as a side note, I'm not sure if this would help but keyloggers record your key strokes. SO, if you were to use the account name remember thing on the WoW startup screen if you had a keylogger would it only get your PW? Or can it leech the account name out of WoW somehow?


Well I for one use the .exe format to supply an addon pack in .msi format compressed with LZMA

and if you banned .exe file it would take the key loggers 2 sec to zip the file and upload it anyway.


> LimDul wrote:
> Well I for one use the .exe format to supply an addon pack in .msi format compressed with LZMA
>
> and if you banned .exe file it would take the key loggers 2 sec to zip the file and upload it anyway.



Yes, but then you would be able to SEE the file before unzipping it, along with the fact that it would set off countless virus programs.


Your virus program should also scan every file you download


I think just plainly disallowing anything executable would be the easiest and best way. Or at least add a warning in BIG, bold letters to all downloads containing executable code. Probably hard to make tho.


> LimDul wrote:
> Well I for one use the .exe format to supply an addon pack in .msi format compressed with LZMA
>
> and if you banned .exe file it would take the key loggers 2 sec to zip the file and upload it anyway.

Uhm, why? A zip file is much better, since those msi files are extremely limited in their supported platforms. Any mac user will not be able to extract your addon, even tho it would work perfectly fine, since addons run inside WoW.


Yes I know it wouldn't support Mac (hence a separate mac version in .zip) but with the .msi I can do this:

http://limdul.dk/2.jpg


Wuzit: As far as I know, most were IE, but there may have been one or two that targeted FF on the sites that had them.


Man, this kind of stuff is just ridiculous...

I think the real problem is with "ebay"... if they wouldn't let people sell gold and their characters, it wouldn't be so profitable to hack people's accounts.

I trust CG, and I'm sure the admins here will come up with something to keep this from happening, at least as much as possible.


> OlympusNS wrote:
> Man, this kind of stuff is just ridiculous...
>
> I think the real problem is with "ebay"... if they wouldn't let people sell gold and their characters, it wouldn't be so profitable to hack people's accounts.
>
> I trust CG, and I'm sure the admins here will come up with something to keep this from happening, at least as much as possible.

well ebay did that just now, banning all sales of virtual goods:

http://wow-en.curse-gaming.com/general-news/756/ebay-bans-auctions-of-virtual-goods/


Here's my problem. I stupidly downloaded and ran the file (yes, I know. Stupid!). I followed the advice given and deleted said files.

But every time I reboot my machine, the process scvhost.exe is in the Windows Task manager. How do I get rid of it?

Any help is appreciated in advance.


you sure it's scvhost.exe and not svchost.exe?

scvhost.exe is the virus

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs


Help!!!

I ended up getting this stupid keylogger on my other PC. I have tried everything to get rid of it and nothing is working. For some reason it won't even let me reformat my Hard drive. Any suggestions???


Try this:

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.removal.tool.html

or this:

http://www.2-spyware.com/remove-w32-hllw-gaobot.html


ok, tyvm. Hope it works


Personally I never open any addon that is a .exe because of the risk. The only time I ever do is when it is a trusted user and they have never done this kind of thing before.


The best thing you can do is, as soon as you download an addon, scan it with your AV and if possible your antispyware as well, for not all key loggers fit under the virus category and hence not all are picked up by your AV.


> Zinor wrote:
> > kadolar wrote:
> > It's getting so bad...
> >
> > Perhaps addons that are .EXE should be quarantined for a short period? Requires vetting from a 2nd curse-user? Someone with X curse points or less can't post EXEs ?
> >
> > Has to be a better way...
> I will actually consider something like this. We need a better way to control spammers since we can't obviously moderate the site 24/7 as sooner or later something will slip through while people are sleeping.
>
> With our next site push we are putting live levels with which we want to increase user access on the site on a level basis. I will talk it over w/ the guys and see if we can't come up with a solution.

-points
-original poster of the first addon



Does curse-gaming not keep a log of the files that are uploaded and by who? If so, wouldn't a simple solution be just to ban the IP of the people who upload trojans?

I congratulate the staff of curse gaming for keeping the majority of the files that are uploaded clean.


Personally I would never run an executable addon, addon developers should make sure to create a '.zip' version as well for the people that do not trust executable files, especially with all the keyloggers that have been appearing lately.


Yes, but do you check every single folder in the zip to make sure it only contains .TOC, .LUA, XML files and doesn't have an .EXE, .COM, .SCR, .VBS hidden a few directories deep? I haven't gotten into programming AddOns yet but I can't imagine it is too hard to execute a program once the user has put it on their hard disk drive. .ZIP files are hardly more secure than .EXE installers.

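The folder-by-folder check raised in the post above can be automated before anything is extracted. This is an added example, not part of the original thread: it walks every entry of an addon zip, including zips nested inside it, and reports anything that is not .toc/.lua/.xml. The addon name `SampleAddon`, the nesting cap and the archive contents are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

ADDON_EXTS = {".toc", ".lua", ".xml"}           # file types the post expects in an addon
RISKY_EXTS = {".exe", ".com", ".scr", ".vbs"}   # extensions the post names as dangerous
MAX_DEPTH = 3                                   # assumed cap on zip-inside-zip nesting

def audit_addon_zip(data, prefix="", depth=0):
    """Return sorted (path, reason) findings for every entry, however deep."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = PurePosixPath(info.filename).suffix.lower()
            with zf.open(info) as fh:
                head = fh.read(2)               # "MZ" starts DOS/Windows executables
            if ext in RISKY_EXTS:
                findings.append((path, "executable extension"))
            elif head == b"MZ":
                findings.append((path, "executable header, misleading extension"))
            elif ext == ".zip" and depth < MAX_DEPTH:
                findings += audit_addon_zip(zf.read(info), path + "!/", depth + 1)
            elif ext not in ADDON_EXTS:
                findings.append((path, "not .toc/.lua/.xml, review by hand"))
    return sorted(findings)

def build_sample():
    """Constructed archive: a hypothetical addon with three hidden stand-ins."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("tools/helper.vbs", "' constructed placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("SampleAddon/SampleAddon.toc", "## Title: SampleAddon\n")
        zf.writestr("SampleAddon/SampleAddon.lua", "-- addon code\n")
        zf.writestr("SampleAddon/SampleAddon.xml", "<Ui/>\n")
        zf.writestr("SampleAddon/Images/Maps/a/b/setup.scr", b"MZ\x90\x00")
        zf.writestr("SampleAddon/Images/logo.tga", b"MZ\x90\x00")
        zf.writestr("SampleAddon/extras.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reason in audit_addon_zip(build_sample()):
        print(f"{reason}: {path}")
```

Real addons often ship images, fonts or readme files, so the "review by hand" findings are prompts for a closer look rather than verdicts.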

Even if programs are .exe they don't just magically execute themselves by being just placed on disk. Something must run them. So, imagine, it is hard enough.


A keylogger was found in this mod too.
http://wow-en.curse-gaming.com/files/details/6668/pvp-enhancement-v5/


I don't have any of the mentioned files, but my account just got hacked on WoW, and I lost all the gear from a couple of 40s and a couple of 30s. That was really bloody expensive. Blizz says they're looking into it, but...

It was about 21 January when I DLd a bunch of new addons from here, and last Friday my account was mysteriously closed. When Blizz turned it back on, all my toons were nekkid (and Forsaken, especially when nekkid, don't look so good). It was just like being robbed; all my toons were parked by mailboxes, all my gear, money and bags from bank and inventory just gone. Even sold off my clothes.

There's a special place in hell, right in between child molesters and the furnace, for hackers.


A few days ago I downloaded ATLAS addon which contained a keylogger embedded in the zip (virus scan did not pick it up, unfortunately). Within a few hours my WOW account pwd was changed and by the time I got back in to it, all my characters/items/gold were GONE.

Do NOT report to Blizzard that an addon got your account compromised or Blizzard will close your account for allowing someone else (even though unauthorized) to access your account (forbidden by the EULA you agreed to when installing WOW). If you report it to Blizzard, you'll likely end up losing your account PERMANENTLY, as I did, for violating the terms of use for WOW.

Addons really enhanced gameplay for me with WOW..but I never considered the consequences and how addon use, while condoned by Blizzard, is also grounds for getting your account permanently banned, if Blizzard so chooses. BE FOREWARNED and be careful.

After some research online, I've discovered that there are MANY unhappy ex-WOW users that have experienced similar circumstances. Be careful when asking a GM for help, as an "investigation" puts your account up for close scrutiny (your activity log) and is liable to get your account banned for violating the "essence" (Blizzard's term) of the game.


Atlas is one of the most reputable and used addons for World of Warcraft. I guess I have to ask a few questions of you before you go blaming Atlas for getting you hacked.

1. Is this the actual version of Atlas from Curse or some off site one?
2. Was there a sort of executable in the file that you had to run to install?


> ramon1984 wrote:
> I got a question..
>
> Like 3/4 months ago I had 60 priest full epic on hakkar.
>
> I got hacked pretty bad and lost all my items.. I downloaded all my addons from this site.
> I don't wanna start over knowing that it can happen again because it really sucks :P...
>
> Is it safe already to play wow with addons again from curse?
> Or is there any scan tool or something else to detect if I have this keylogger...
>
> maybe still on my pc? I'm gonna reroll new wow char on Saturday xD
>

Yeah, it's dead simple ... don't use any addon that involves an "EXE" file. I don't use any exe files for anything that I don't know come from a reliable source.

Any normal mod loads after logging in anyway, so as long as it has no "exe" file in it you're safe afaik


I totally agree. Not only is this happening to people in my guild, but WOW isn't doing enough to enforce and penalize people who steal money and hack accounts from people whether maliciously or for profit.

I believe that I had keylogging scripts installed from this site that send out emails and then phish your account for information. Luckily I caught it before replying, but I have been getting attacked recently. I am an adult, but I believe that this is common that people spread add on knowledge in game then turn around and harass the very people that they "help" not only harassing them via phishing emails and keylogging scripts stealing your personal information but also harassing you in game because they get banned for stealing your gold.

I could put up a list of addons but I am not going to bother as I don't know who it was. However, I think that some of the problems are that a quarantine might be a good idea. Also letting people only use certain formats and then there is not confusion about installing the addons, particularly ones where you have to change account information. I had a guy on here with a twinked rogue addon that looked great, but his instructions were atrocious and then he copped an attitude when I asked him to elaborate. I should have just reported the guy and his account addon crap but I let it slide and now I am hitting my head.


> Eldredd wrote:
> Atlas is one of the most reputable and used addons for World of Warcraft. I guess I have to ask a few questions of you before you go blaming Atlas for getting you hacked.
>
> 1. Is this the actual version of Atlas from Curse or some off site one?
> 2. Was there a sort of executable in the file that you had to run to install?

I echo this 100%. I've never heard of Atlas ever having this issue as it is one of the most reputable and longest running mods period.


Just as a warning

Kalitassa, who is NOT the author of either addon, has just uploaded 2 trojan files named after Atlas and KTM, and he is deleting all the posts made on the fake addons page warning people about it.
