All Read This! Keylogger Warning!
Funereal
13-10-2006, 11:01 PM
I have downloaded Insomiax UI (SP?) and DoTimer, from this site and from wowinterface.com and curse-gaming.com. (not sure where I got either one) Admins please search these files on your site to be sure.
That doesn't really matter too much, but the keylogger was installed as....
C:/windows/system32/svchcs.exe
To check to see if you have this you can hit Ctrl+Alt+Delete at the same time (or right click your task bar and select task manager) this will open up...Read through the various programs running, this program gives itself away by saying it's being run by YOU the user name on your computer.
It's named SVCHC.EXE...It's a keylogger, yes you can look it up or w/e u want. I haven't found an exact way to get rid of it, b/c most sites think it is Zango (another spyware) it's not.
But what I have done, is keep open your task manager...then click START (bottom left of screen) and click "Search" In this window on the left you will click "Search all files/folders" and in the "All or part of the name" type in "Svchcs" (without quotes) then click search, this will scan your entire computer...Make sure to type this in correctly. It should only bring up 1 file. Go back to your task manager and click on the SVCHCS.exe, and click "end process" then click OK, this will end the process and then go back to the search page, and right click on the file, and DELETE it.
Ad-Aware and Spybot did not find this file! Neither does Norton...Even with all the updates.
P.S. If I have placed this page in the wrong spot...ADMIN please move it to a page where people can read this (possibly a sticky), it's very important that everyone should at least check for this file!
-Funereal
Network Administrator
mesonm
13-10-2006, 11:50 PM
1. How did you find this?
2. What causes you to believe it is a keylogger?
3. Norton Antivirus didn't find it?
Xlorep DarkHelm
13-10-2006, 11:59 PM
If it is true, I'm not overly surprised that NAV, etc. doesn't detect it. None of the antivirus/spyware/malware programs detect everything.
Only 100% protection against viruses is... don't use Windows. Personally, I like Linux.
Aerath
14-10-2006, 01:17 AM
Can't say what it is - not recognised by any file library site I know of.
Must say I'm a bit hesitant to randomly delete files (seen too many posts/mails where people recommend you delete proper windows files), but a decent firewall and denying it net access should go a long way to protect your info.
Cerberus
14-10-2006, 03:26 AM
Most of the recent keyloggers have been named some variation of "svchost.exe". "svchc.exe" sounds very much like something that's supposed to appear as a proper windows process.
Processlibrary(.com) doesn't give any results for it and probably would have if it was anything related to MS at all.
Glurin
14-10-2006, 03:36 AM
It's been my experience that if you can't identify it, you should delete it. You can almost always find out what the legitimate processes are, even if the virus shares a very similar name. New viruses and whatnot may not have been recorded yet.
"Only 100% protection against viruses is... don't use Windows. Personally, I like Linux."
Wrong. There are plenty of viruses out there for other operating systems. Just not nearly as many as Windows, for the simple reason that Windows is a heck of a lot more popular. It's a bad idea to simply switch your OS and think you're safe without other precautions.
MellanCholera
14-10-2006, 04:16 AM
For this one if you google it you see a lot of people reporting that Norton didn't catch it right away. I don't know about other antivirus programs. It's been around since Sept 6 according to the antivirus sites.
Where are these coming from? The download sites? Not the addons themselves I assume.
Funereal
14-10-2006, 06:15 AM
Yes, it's SVCHCS.EXE...see on Windows you'll see SVChost.exe, those are actual Windows installed components, this one clearly states the process is being run by YOU the user. When you're in task manager it shows this, by showing SYSTEM/Local service/Network service... I can completely assure anyone who reads this I do know what I am talking about. And no, Norton can't find it, b/c Norton doesn't find much of anything...hence the 'free' part. This is a keylogger, I can promise, as this is what had changed my WoW password, I had to retrieve my password from Worldofwarcraft.com and it was complete random letters/numbers. I then scanned my computer with Norton/Ad-Aware SE/Spybot. None of these found anything on my computer. I don't open e-mail unless it's from a company, and I don't view malicious websites (such as porn). And this SVCHCS.exe is related to WoW discussions. I do suggest following my steps, and you can go to Google.com and type in SVCHCS.exe, it will come up with websites explaining that it is a form of spyware/keylogger. My steps, I have confirmed that removes the process from running. If you do not check, then this person would have access to every single damn password you ever type into your machine (bank accnts/e-mail/games/paypal). Please use caution and look.
If anyone has any processes running that they want more info on...I know all the legal Windows functions. Any variation of Svchost.exe is a malicious form of some spyware/keylogger/virus/whatever. It is always svchost.exe, nothing else, not scvhost or svch0st (zero)...Any questions I can/will gladly answer either here or in private message form.
-Funereal
Network Administrator
Oh and in my beginning post (great error) I said SVCHC, instead of SVCHCS, it is SVCHCS.EXE. No edit options on this site.
snowieken
14-10-2006, 10:58 AM
There are edit options, just only an hour after you posted. So in other words, you could have edited your second post so you wouldn't have to make a third... :wink2:
There are indeed scams where people, for some obscure reason, entice others into deleting necessary system files from their computer, but as I don't have this process running I am inclined to believe you. Mostly when I run into these mails or forum posts, it's about a file I actually have - and then it's easy to check if it's a necessary file or not. I'm with Glurin on this one: if Google can't find it anywhere, then it is most likely safe (and even encourageable) to delete from your system.
Funereal
14-10-2006, 04:57 PM
Yeah I noticed the edit after I re-posted, sorry for the double. I was just hoping people would read this and check for this file, it's such a pain in the ass...and I'll be going around to other posts with people having problems and helping them...So if anyone needs any computer questions answered I'm more than open enough to offer some professional advice on the issue.
-Funereal
Network Administrator
Selmara
15-10-2006, 12:16 PM
Original poster is correct! Various mods on this site have keyloggers embedded in them. Don't know whether it's intentional, but I've just spent 3 days digging them out of my system.
One of which was a specialised WoW keylogger :sad:, designed specifically to get your WoW password.
From memory, Windows Defender and CA Antivirus did NOT detect them.
Try Ad-aware, it managed to find most of them.
Search google.com with filenames you're not sure about that are running in your Task Manager. If you spot one that's unable to be terminated via Task Manager, you should seek out a program called 'Killbox'. It will close and delete the offending file instantly or on next reboot.
Always virus scan any files you download off the internet!
And regularly check for spyware. Keyloggers are dangerous for MMORPG players. It's not fun to have your account stolen!
Devla
15-10-2006, 11:07 PM
I checked the mods listed in the first post, and neither contain any suspicious files.
If you download a mod that you suspect to contain a virus or trojan, feel free to PM me so it can be dealt with.
Thanks
Tunga
16-10-2006, 02:05 AM
"had to retrieve my password from Worldofwarcraft.com and it was complete random letters/numbers."
This is what happens when you say you've lost your password, the system generates a new random one for you.
I'm not saying it's not a keylogger, just that it didn't change your password to those random characters.
Considering the number of people who download mods from here and have no problems, it's more than likely you get the keylogger from elsewhere. Of course, this doesn't change the validity of your warning and it's true that many programs will hide as SVCHOST or similar but run under your username, which is a big clue as to their nature since the genuine versions of these system processes generally run under SYSTEM.
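The clue discussed in the posts above (a near-miss spelling of svchost.exe, or svchost.exe owned by a user account instead of SYSTEM/LOCAL SERVICE/NETWORK SERVICE) can be checked mechanically. This is an added example, not part of any post in this thread: it parses a constructed sample in the layout of `tasklist /v /fo csv`. The distance threshold and the allow-list of genuine near-named images are assumptions.

```python
import csv
import io

LEGIT = "svchost.exe"
# Accounts the thread names as owners of genuine svchost.exe instances.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Assumption: genuine Windows images whose names sit close to svchost.exe.
NEAR_NAMES_OK = {"sihost.exe", "dllhost.exe", "conhost.exe"}
MAX_DISTANCE = 2  # assumption: tune per environment

# Constructed sample in the layout of `tasklist /v /fo csv` (not real output).
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","884","Services","0","4,120 K","Unknown","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"svchost.exe","1012","Services","0","3,564 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:01","N/A"
"explorer.exe","1500","Console","1","21,300 K","Running","HOME-PC\alice","0:00:12","N/A"
"svchcs.exe","2440","Console","1","2,048 K","Running","HOME-PC\alice","0:00:00","N/A"
"svch0st.exe","2512","Console","1","1,900 K","Running","HOME-PC\alice","0:00:00","N/A"
"svchost.exe","3100","Console","1","2,200 K","Running","HOME-PC\alice","0:00:00","N/A"
"sihost.exe","3300","Console","1","9,800 K","Running","HOME-PC\alice","0:00:02","N/A"
'''


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(tasklist_csv):
    """Return (pid, image, reason) for processes worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"].lower()
        account = row["User Name"].rsplit("\\", 1)[-1].upper()
        if image == LEGIT:
            if account not in SERVICE_ACCOUNTS:
                findings.append((row["PID"], image, "svchost.exe owned by a user account"))
        elif image not in NEAR_NAMES_OK and edit_distance(image, LEGIT) <= MAX_DISTANCE:
            findings.append((row["PID"], image, "name imitates svchost.exe"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in triage(SAMPLE):
        print(f"PID {pid:>5}  {image:<14} {reason}")
```

On current Windows versions some per-user services run svchost.exe under the logged-in account, so the account check is a triage signal rather than a verdict. Raising `MAX_DISTANCE` to 3 also catches shorter variants such as svch.exe, at which point the allow-list is what keeps dllhost.exe and conhost.exe from being flagged.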
mesonm
16-10-2006, 05:27 PM
"Oh and in my beginning post (great error) I said SVCHC, instead of SVCHCS, it is SVCHCS.EXE. No edit options on this site."
So, technically, what you said in your first post had an error. Gotcha....
And, you CAN edit things, if you edit them soon enough.
"considering the number of people who download mods from here and have no problems, it's more than likely you get the keylogger from elsewhere."
Sorry...but one does not strictly follow the other...the fact that many people don't get them here has no bearing on the likelihood of him getting it here...Those others may not do the things here that he does....
And, it was confirmed, I believe, that ads here at one time led to trojan downloads...I didn't follow that investigation closely...
Laumac
16-10-2006, 07:54 PM
There are no viruses in the add-ons, but there are in the advertisements shown just before downloading.
This is a security hole in IE that is being exploited.
If you use Firefox you wouldn't be attacked by the virus, and so not by the keylogger either.
The suspicious files are all the variations of the svchost.exe file (a Microsoft file) like svch.exe, schost.exe, svchs.exe ...etc., and for the WoW keylogger ... g0ld.com!
In my experience, you can tell whether the keylogger is in place: if you type "^^" in the game and get "^^^^" ...omg, you certainly have a keylogger that duplicates the keystrokes.
(sorry, I hate the English language :) and I'm so bad at it, so there are more mistakes)