UI keeps resetting itself after installing UI-Central


nudlaug
06-11-2007, 02:35 AM
Hi,

after installing UI-Central, my WTF-Folder keeps resetting itself as soon as I launch WoW. The error persists even after uninstalling UI-Central, running the Repair*****, deleting the Cache, Interface and WTF-Folders and checking my hard drives for viruses...
Need help, anyone got an idea how to solve this? :(

Greetings,

Polaba
06-11-2007, 02:47 AM
Not a computer genius here but...
Reinstall WoW?

tralkar
06-11-2007, 03:34 AM
Sounds like that virus that was on this site a few weeks back.. only way to get rid of it was to reinstall everything on your computer.. DON'T DO THIS until you find out for sure.. might be something else..

here is a post about that bug... http://wow.incgamers.com/forums/showthread.php?t=405152

Appiesan
06-11-2007, 10:40 AM
> Sounds like that virus that was on this site a few weeks back.. only way to get rid of it was to reinstall everything on your computer.. DON'T DO THIS until you find out for sure.. might be something else..
>
> here is a post about that bug... http://wow.incgamers.com/forums/showthread.php?t=405152

Installed latest ui central 3.0 yesterday evening and I'm experiencing the same problem. So think it is hacked again.

tralkar
06-11-2007, 06:52 PM
I'm not sure.. but I would report it to the Rushster by email or private message, to have him look into it.. I was lucky the last time around and don't want to download it to see =(

Appiesan
06-11-2007, 07:02 PM
> I'm not sure.. but I would report it to the Rushster by email or private message, to have him look into it.. I was lucky the last time around and don't want to download it to see =(

Was able to use restore point from Sunday, was lucky too.
Although I have to get my mods and settings back somehow :-(

nudlaug
07-11-2007, 01:42 AM
@Tralkar: Thanks for your quick response! :)
A virus/keylogger was indeed causing the problem. It only starts when you run the WoW***** and most anti-virus programs can't detect it... Kaspersky's trial version did the trick though! After a few times of unsuccessfully trying to delete the virus, it reboots the computer to delete it before it can run and duplicate itself.
Restoring your system to a previous state works as well.

Zappam
25-11-2007, 10:20 PM
Just fixed it. Easy stuff.

1. Boot in Safe Mode.
2. Click on Start > Execute. Write regedit.
3. Go to HKEY_LOCAL_MACHINE > SYSTEM > ControlSet001 > Services > WZCSVC > Parameters.
4. Change ServiceDll value to "%SystemRoot%\System32\wzcsvc.dll" (without quotes).
5. Go to C:\WINDOWS\system32\.
6. Click on Tools > Options > View then untick "hide system files".
7. Delete mouse.dll and wzcsvbc.dll. Reboot.
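
The fix in the post above comes down to comparing one registry value with its known-good path. As an added example (not part of the original thread), this Python script runs that comparison offline against the text of a `reg export` dump; the export text is constructed, the function names are hypothetical, and it is an assumption that the hijacked value pointed at wzcsvbc.dll.

```python
import re

# Known-good value from step 4 of the removal steps above.
BASELINE = {"wzcsvc": r"%SystemRoot%\System32\wzcsvc.dll"}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\([^\\\]]+)\\Parameters\]$", re.I)
VALUE_RE = re.compile(r'^"ServiceDll"=(hex\(2\):|")(.*)$', re.I)


def decode_expand_sz(hex_body):
    """Decode the comma-separated UTF-16LE bytes of a hex(2) value."""
    cleaned = re.sub(r"[\\\s]", "", hex_body)
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_service_dlls(reg_text):
    """Map lower-cased service name to its ServiceDll value."""
    found, service = {}, None
    lines = iter(reg_text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("["):
            key = KEY_RE.match(line)
            service = key.group(1).lower() if key else None
            continue
        value = VALUE_RE.match(line) if service else None
        if not value:
            continue
        kind, body = value.groups()
        if kind == '"':                      # REG_SZ: drop quote, unescape
            found[service] = body[:-1].replace("\\\\", "\\")
            continue
        while body.endswith("\\"):           # hex(2) data wraps across lines
            body = body[:-1] + next(lines, "").strip()
        found[service] = decode_expand_sz(body)
    return found


def audit(reg_text, baseline=BASELINE):
    """Return (service, actual, expected) for every baseline mismatch."""
    actual = parse_service_dlls(reg_text)
    findings = []
    for service, expected in baseline.items():
        value = actual.get(service)
        # A path check alone would miss a look-alike DLL inside System32,
        # so the whole value is compared (case-insensitively).
        if value is None or value.lower() != expected.lower():
            findings.append((service, value, expected))
    return findings


def _hex2(value, per_line=20):
    """Encode text the way regedit writes REG_EXPAND_SZ (sample data only)."""
    data = [f"{b:02x}" for b in (value + "\0").encode("utf-16-le")]
    rows = [",".join(data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    return ",\\\n  ".join(rows)


def build_export(service_dll):
    """Constructed .reg export holding one WZCSVC Parameters key."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services"
        "\\WZCSVC\\Parameters]\n"
        '"ServiceDll"=hex(2):' + _hex2(service_dll) + "\n"
    )


# Constructed sample: assumes the value was redirected to wzcsvbc.dll.
SAMPLE_EXPORT = build_export(r"%SystemRoot%\System32\wzcsvbc.dll")

if __name__ == "__main__":
    for service, actual, expected in audit(SAMPLE_EXPORT):
        print(f"{service}: ServiceDll is {actual!r}, expected {expected!r}")
```

A real regedit export is a UTF-16 file, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.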

Rushster
26-11-2007, 11:47 AM
The virus did not come from this site. You can also not get a virus from UICentral. UICentral can not activate/unpack executable files. I suggest you look elsewhere for the virus source.

killshots
27-11-2007, 11:32 AM
> The virus did not come from this site. You can also not get a virus from UICentral. UICentral can not activate/unpack executable files. I suggest you look elsewhere for the virus source.

I beg to differ. You are giving everyone the virus that downloaded this version of UI Central http://uifiles.incgamers.com/upload/ui/Setup_20070331.zip which you are still allowing to be downloaded.

Version of the trojan http://www.f-secure.com/v-descs/trojan-downloader.shtml

If you have this virus that was downloaded from this site, then you can remove it with F-Secure. You can also download the zip file of the above from this site and scan it with F-Secure to see that the virus did originate from this site (DO NOT EXECUTE THE SETUP FILE - leave it in .zip format), though the current version of UI Central is not showing any type of viruses at this time if you click the DOWNLOAD on the UI Central download page. DO NOT GET THE ARCHIVED ONES.

I hope this site will remove the archived ones. Which I can care less because I will not use this site for any type of mods ever again. I hope that you make a post about this on your site so users can remove the virus from their computer. I will be making this post in the wow forums as well, so people can clean their system.

I also installed UI Central again on a newly reformatted computer and guess what. I got the virus again. So I had to reinstall my OS again even though F-Secure did remove it. I do not take chances.

Kraqule
29-11-2007, 12:34 AM
Well new to WoW and the add-on thing but for Rushster to defend / support this program is sickening. Here is the low down. I believe in my opinion that UICENTRAL is developed to hack by one of its devs. Both the recent versions have trojans and the newest one is just being identified by the anti-virus companies. DO NOT USE IT.

They are adapting the trojan to not be detected so they can get more and more information.

Here are the reports:
File Setup_20070331.zip received on 11.29.2007 00:15:51 (CET)
Result: 8/32 (25%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.29.0 2007.11.28 -
AntiVir 7.6.0.34 2007.11.28 -
Authentium 4.93.8 2007.11.28 -
Avast 4.7.1074.0 2007.11.28 -
AVG 7.5.0.503 2007.11.28 -
BitDefender 7.2 2007.11.28 Trojan.Generic.75196
CAT-QuickHeal 9.00 2007.11.28 -
ClamAV 0.91.2 2007.11.28 Trojan.Delf-2177
DrWeb 4.44.0.09170 2007.11.28 DLOADER.Trojan
eSafe 7.0.15.0 2007.11.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5334 2007.11.28 -
Ewido 4.0 2007.11.28 -
FileAdvisor 1 2007.11.29 -
Fortinet 3.14.0.0 2007.11.28 -
F-Prot 4.4.2.54 2007.11.28 -
F-Secure 6.70.13030.0 2007.11.28 Trojan-Downloader.Win32.Agent.eyx
Ikarus T3.1.1.12 2007.11.28 Trojan.Win32.Agent.FO
Kaspersky 7.0.0.125 2007.11.29 Trojan-Downloader.Win32.Agent.eyx
McAfee 5173 2007.11.28 -
Microsoft 1.3007 2007.11.28 -
NOD32v2 2692 2007.11.28 -
Norman 5.80.02 2007.11.28 -
Panda 9.0.0.4 2007.11.28 -
Prevx1 V2 2007.11.29 Generic.Malware
Rising 20.20.21.00 2007.11.28 -
Sophos 4.23.0 2007.11.28 -
Sunbelt 2.2.907.0 2007.11.27 -
Symantec 10 2007.11.28 -
TheHacker 6.2.9.144 2007.11.28 -
VBA32 3.12.2.5 2007.11.28 -
VirusBuster 4.3.26:9 2007.11.28 -
Webwasher-Gateway 6.6.2 2007.11.28 -

THE VERSION FOR DOWNLOAD TODAY:

File UICentralSetup-1194307582.zip received on 11.29.2007 00:26:43 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.29.0 2007.11.28 -
AntiVir 7.6.0.34 2007.11.28 -
Authentium 4.93.8 2007.11.28 -
Avast 4.7.1074.0 2007.11.28 -
AVG 7.5.0.503 2007.11.28 -
BitDefender 7.2 2007.11.28 -
CAT-QuickHeal 9.00 2007.11.28 -
ClamAV 0.91.2 2007.11.28 -
DrWeb 4.44.0.09170 2007.11.28 DLOADER.Trojan
eSafe 7.0.15.0 2007.11.28 -
eTrust-Vet 31.3.5334 2007.11.28 -
Ewido 4.0 2007.11.28 -
FileAdvisor 1 2007.11.29 -
Fortinet 3.14.0.0 2007.11.28 -
F-Prot 4.4.2.54 2007.11.28 -
F-Secure 6.70.13030.0 2007.11.28 -
Ikarus T3.1.1.12 2007.11.28 -
Kaspersky 7.0.0.125 2007.11.29 Heur.Invader
McAfee 5173 2007.11.28 -
Microsoft 1.3007 2007.11.29 -
NOD32v2 2692 2007.11.28 -
Norman 5.80.02 2007.11.28 -
Panda 9.0.0.4 2007.11.28 -
Prevx1 V2 2007.11.29 Heuristic: Suspicious File With Covert Attributes
Rising 20.20.21.00 2007.11.28 -
Sophos 4.23.0 2007.11.28 -
Sunbelt 2.2.907.0 2007.11.27 -
Symantec 10 2007.11.28 -
TheHacker 6.2.9.144 2007.11.28 -
VBA32 3.12.2.5 2007.11.28 -
VirusBuster 4.3.26:9 2007.11.28 -
Webwasher-Gateway 6.6.2 2007.11.28 -

Absolutely sick

Xinhuan
29-11-2007, 06:14 AM
http://forums.worldofwarcraft.com/thread.html?topicId=3168328825&sid=1

Issue is traced to ScreenshotConverter,exe included in the UICentral package. Rushster's assertion that "You can also not get a virus from UICentral" is incorrect and false.

Would someone like to explain to me why a "screenshot converter" might need to load the windows internet helper APIs, then call some function named URLDownloadToFile(), and then proceed to call ShellExecuteEx()? (ShellExecuteEx is the preferred way to spawn a new process or open other files, for those of you that don't know the windows APIs, if you have the file name)
More information:

This program downloads a file Updata,exe which is then run on your computer. I took Updata,exe and then analyzed it directly. This program calls a function InjectService() which is immediately followed by the string "lsass,exe." Without bothering to sift through the code, I assume this to prove that the program attempts to register a DLL in the Windows LSP which can then be used to analyze packets being transmitted. Suffice to say, this allows the program to see any data you transmit to Blizzard's servers (and anywhere else) and is a clear-cut way to obtain passwords and other information.

If you are affected by this software, I strongly encourage you to perform a full virus scan in Safe Mode and reset your Winsock LSPs. You can get various tools to help you with this, but the easiest one is HijackThis, which allows direct management of the LSPs. However, if you don't know how to use this program, I strongly encourage you to find someone who does, as improper use of it can break your system.

For the curious:

http://images.gammatester.com/pics/7e234719d8c3e25c55c326bb79be2416.jpg

Edit: edited the dot exe filename extensions to ",exe" as it seems there is a filter that replaces them with *****.
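
The analysis quoted in the post above rests on which API names and strings appear inside the binaries. As an added example (not part of the original thread), this Python script does the same first-pass string triage; the byte blobs are constructed stand-ins rather than the real files, and the function names are hypothetical.

```python
import re

# API names and strings called out in the analysis above.
DOWNLOAD_APIS = ("URLDownloadToFile",)
EXECUTE_APIS = ("ShellExecuteEx",)
INJECTION_MARKERS = ("InjectService", "lsass.exe")


def extract_strings(blob, min_len=5):
    """Return printable ASCII and UTF-16LE strings found in a binary."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([s.decode("ascii") for s in narrow]
            + [s.decode("utf-16-le") for s in wide])


def triage(blob):
    """Return (indicator hits per group, list of matched rules)."""
    strings = [s.lower() for s in extract_strings(blob)]

    def hits(names):
        # Substring match so the A/W import variants are caught too.
        return sorted(n for n in names
                      if any(n.lower() in s for s in strings))

    found = {
        "download": hits(DOWNLOAD_APIS),
        "execute": hits(EXECUTE_APIS),
        "inject": hits(INJECTION_MARKERS),
    }
    rules = []
    if found["download"] and found["execute"]:
        rules.append("download-and-execute API pair")
    if len(found["inject"]) == len(INJECTION_MARKERS):
        rules.append("InjectService and lsass.exe strings present")
    return found, rules


# Constructed stand-in for a small utility whose import names include a
# downloader API and a process-launch API.
SAMPLE_DROPPER = (b"MZ" + b"\x00" * 8
                  + b"urlmon.dll\x00\x00URLDownloadToFileA\x00\x00"
                  + b"shell32.dll\x00\x00ShellExecuteExA\x00\x00"
                  + b"kernel32.dll\x00\x00ExitProcess\x00\x00")

# Constructed stand-in for a second stage: one ASCII marker and one
# UTF-16LE marker, which an ASCII-only scan would miss.
SAMPLE_SECOND_STAGE = (b"MZ" + b"\x00" * 8 + b"InjectService\x00\x00"
                       + "lsass.exe".encode("utf-16-le") + b"\x00\x00")

# Constructed stand-in for an image tool that only touches local files.
SAMPLE_BENIGN = (b"MZ" + b"\x00" * 8
                 + b"gdiplus.dll\x00\x00GdipSaveImageToFile\x00\x00"
                 + b"kernel32.dll\x00\x00CreateFileA\x00\x00")

if __name__ == "__main__":
    for name, blob in (("dropper", SAMPLE_DROPPER),
                       ("second stage", SAMPLE_SECOND_STAGE),
                       ("benign", SAMPLE_BENIGN)):
        print(name, triage(blob))
```

A string hit is a lead for closer analysis, not proof: packed or obfuscated binaries will show none of these names, and legitimate updaters can show the download-and-execute pair.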

Rushster
29-11-2007, 09:33 AM
What I am saying is UICentral can not unpack a mod that is an exe file that may have a virus. UICentral does not have a virus in it, checked and scanned with latest Kaspersky. Make sure you grab any version of UICentral from the UIC page

http://wowui.incgamers.com/?p=mod&m=2106

UIC will give false positives on virus scanners because of the way it works, it needs to know where your WoW install directory is to function. This has been highlighted time and time again in the UIC comments pages.

> http://forums.worldofwarcraft.com/thread.html?topicId=3168328825&sid=1
>
> Issue is traced to ScreenshotConverter,exe included in the UICentral package. Rushster's assertion that "You can also not get a virus from UICentral" is incorrect and false.
>
> Edit: edited the dot exe filename extensions to ",exe" as it seems there is a filter that replaces them with *****.

Kimina
29-11-2007, 09:38 AM
> What I am saying is UICentral can not unpack a mod that is an exe file that may have a virus. UICentral does not have a virus in it, checked and scanned with latest Kaspersky. Make sure you grab any version of UICentral from the UIC page

Are you an idiot? (Sorry, stupid question.) I showed you the screenshots on that thread, go look at that yourself. That's not a virus scanner, that's the exact code in your program. And it quite literally says exactly what it's doing.

Yes, I can do that.

Yes, you should be a little more careful when you're programming malicious programs and not name your functions something like "InjectService()"

Yes, you're lying.

Care to explain why that program needs a web DLL file to run? Considering it shouldn't even need to connect to the internet... It's just a screenshot converter... right? Right...?

Yeah, I thought so. Look at my screenshots and try again.


EDIT: I wonder how long it will take you to delete this thread and ban me? And do you think you'll be able to keep me banned? Tor works wonders. There's no hiding anymore.

Rushster
29-11-2007, 09:43 AM
I am going to remove the file to keep everyone happy until I can check it out on multiple scanners later this morning.

No I am not an idiot and if you use that tone with anyone on these forums again you won't be here long. If you think anyone would do anything malicious on purpose then I am afraid you are very much mistaken.

Antiarc
29-11-2007, 09:43 AM
> What I am saying is UICentral can not unpack a mod that is an exe file that may have a virus. UICentral does not have a virus in it, checked and scanned with latest Kaspersky. Make sure you grab any version of UICentral from the UIC page

No. You are damn wrong. Go unpack your own damn installer and note that you have a 13kb trojan named "ScreenshotConverter,exe" bundled with the installer. It downloads a file from "wowui.incgamersi.com", which is owned by a "bizcn.com" Chinese site. The downloaded file injects a DLL into lsass,exe, a Windows system process, which hides it from casual eyes and prevents it from being terminated. It monitors the system for wow,exe and performs some kind of communication back with this trojan server when it is detected.

I observed this personally in a copy I pulled from this very site several hours ago.

You've got a trojan that is installing keyloggers in your official distribution, and you'd damn well better get it out before you lose absolutely all credibility in the WoW UI community.

Rushster
29-11-2007, 09:49 AM
Did you PM anyone about this? No. Did you email anyone about this? No. Did you leave a note on the UIC page about this? No. So with keeping that in mind how do you expect someone to deal with issues quickly. Like I say, I am looking into this properly which will take some time.

Also do not threaten anyone on these forums. We do not let people run around threatening users, admin, moderator or otherwise..

Xinhuan
29-11-2007, 09:49 AM
> What I am saying is UICentral can not unpack a mod that is an exe file that may have a virus. UICentral does not have a virus in it, checked and scanned with latest Kaspersky. Make sure you grab any version of UICentral from the UIC page
>
> http://wowui.incgamers.com/?p=mod&m=2106
>
> UIC will give false positives on virus scanners because of the way it works, it needs to know where your WoW install directory is to function. This has been highlighted time and time again in the UIC comments pages.

By your own words, just because you checked and scanned the files with Kaspersky, it does not mean there is no trojan in it. A virus scanner can also report false negatives, just as likely as a virus scanner can report false positives.

Also, the trojan isn't in UIC itself. It is in the screenshot converter utility that comes packaged with UIC.

Kimina
29-11-2007, 09:52 AM
> Did you PM anyone about this? No. Did you email anyone about this? No. Did you leave a note on the UIC page about this? No. So with keeping that in mind how do you expect someone to deal with issues quickly. Like I say, I am looking into this properly which will take some time.
>
> Also do not threaten anyone on these forums. We do not let people run around threatening users, admin, moderator or otherwise..

That is quite the opposite of what you said:

> What I am saying is UICentral can not unpack a mod that is an exe file that may have a virus. UICentral does not have a virus in it, checked and scanned with latest Kaspersky.

You didn't "look into it," you said you scanned it and dismissed it WITHOUT EVEN LOOKING AT THE EVIDENCE. The evidence clearly shows it, and you completely ignored it, because your arrogant self assumed that you were correct.

Oh, how could I be so mistaken, of course you are the perfect one, you couldn't possibly be wrong about anything! No, of course there's no virus, oh great one.

But now you did a complete 180 and are "checking into it." Is that just because you were caught?

Rushster
29-11-2007, 10:18 AM
Oh ffs. Look, what is your problem, you really are being an arse. This is the first time I have seen this thread because nobody alerted me to it. I have checked the file in Kaspersky and it came back with zip on initial unpack. So I am going to unpack it on my test machine when I get to work this morning and see what updater is doing, then I will look at the evidence.

What happens with UIC is it kicks up an error as I explained above on some scanners. The initial post in this thread gave no info on what was going on and like I say I have found this thread myself this morning. I check the mod comments where any issues should be reported. Guess what? You can also hit the alert button on the mod page to highlight any problems which I check all the time.

Stop being a troll, I am not saying you are wrong, I need to check it OK and sort it out which is my priority. Sitting here answering you is not my priority, dealing with any problems are. I don't update this file so I can not ascertain what has changed. Now do you understand or is that too complicated for you? I can't be 'caught', as you so eloquently put it (tinfoil hat time) for something I don't update on the site.

Kimina
29-11-2007, 10:29 AM
> Oh ffs. Look, what is your problem, you really are being an arse. This is the first time I have seen this thread because nobody alerted me to it. I have checked the file in Kaspersky and it came back with zip on initial unpack. So I am going to unpack it on my test machine when I get to work this morning and see what updater is doing, then I will look at the evidence.
>
> What happens with UIC is it kicks up an error as I explained above on some scanners. The initial post in this thread gave no info on what was going on and like I say I have found this thread myself this morning. I check the mod comments where any issues should be reported. Guess what? You can also hit the alert button on the mod page to highlight any problems which I check all the time.
>
> Stop being a troll, I am not saying you are wrong, I need to check it OK and sort it out which is my priority. Sitting here answering you is not my priority, dealing with any problems are. I don't update this file so I can not ascertain what has changed. Now do you understand or is that too complicated for you? I can't be 'caught', as you so eloquently put it (tinfoil hat time) for something I don't update on the site.

Okay, so if you don't make the program, who does? And why are you claiming to know everything about the program with absolute certainty when you actually have no knowledge of the code inside of it?

EDIT: And oh yes, I am definitely being, as you put it, "an arse," and I think you deserve this kind of treatment right now until you can get the people here a straight answer that doesn't get changed 3 posts later.

shazzym
29-11-2007, 10:34 AM
> Oh ffs. Look, what is your problem, you really are being an arse. This is the first time I have seen this thread because nobody alerted me to it. I have checked the file in Kaspersky and it came back with zip on initial unpack. So I am going to unpack it on my test machine when I get to work this morning and see what updater is doing, then I will look at the evidence.
>
> What happens with UIC is it kicks up an error as I explained above on some scanners. The initial post in this thread gave no info on what was going on and like I say I have found this thread myself this morning. I check the mod comments where any issues should be reported. Guess what? You can also hit the alert button on the mod page to highlight any problems which I check all the time.
>
> Stop being a troll, I am not saying you are wrong, I need to check it OK and sort it out which is my priority. Sitting here answering you is not my priority, dealing with any problems are. I don't update this file so I can not ascertain what has changed. Now do you understand or is that too complicated for you? I can't be 'caught', as you so eloquently put it (tinfoil hat time) for something I don't update on the site.

He's not a troll it's true and it is no error, the client contains the onlinegames keylogger virus, it sits in your system32 folder and logs every keypress you do. I got this a whole month and it took me a day to fix it. I can't believe it's still there lol. I wonder how many accounts have been hijacked because someone amongst your staff is willing to include a keylogging virus with the client. Appalling, absolutely appalling and there is no excuse for it whatsoever. The client should be withdrawn immediately until it is sorted out. In fact, don't ever include a client again. That would be easiest. Luckily I had alerted other people to this a month ago in the official World of Warcraft forums in the tech support place where others couldn't understand why their ui was resetting every time they logged out. It is a symptom of it. Instead of being mean and irritable, check everything out first and realise why people are so angry. Why didn't I report it here? I really really didn't want to come here ever again and I'm only here now because someone let me know this post was up.

Remove that client immediately. Don't call people names just because they are angry and frustrated and quite rightly too in my opinion. If my account had been hijacked because of this you would guarantee you would be looking at being sued right now.

Rushster
29-11-2007, 10:34 AM
Client IS removed for the fourth time. Hence my frustration. If you want answers then please do me the courtesy of at least listening to them when I give them. Yes he is being a troll. He is being rude and impolite. You can get your point across without being aggressive. There is no need to get the torches and pitchforks out when things happen. As I said already and I will say it again, it needs investigating this morning. As with everything, as SOON as we are ALERTED to a problem it gets resolved. With NO alerts forthcoming I find things slower than I would have done if I had received a proper alert.

Kimina
29-11-2007, 10:36 AM
Psh, he didn't get me, I'm just angry because I'm a Computer Engineer (a derivation from Software Engineers). It is people like the ones who code this type of software that give the true hackers (which, by the way, is not a bad term) a bad name. People like these who want to benefit themselves instead of the general population, and gain a quick buck.

And I make it my goal to set these problems right. And if that means turning their own tools against them, then so be it.


> Client IS removed for the fourth time. Yes he is being a troll. He is being rude and impolite. You can get your point across without being aggressive.

With you, no we can't.

Antiarc
29-11-2007, 10:37 AM
Edit: Looks like a caching issue. I was mistaken.

orionshock
29-11-2007, 10:37 AM
> I can't be 'caught', as you so eloquently put it (tinfoil hat time) for something I don't update on the site.

Sorry, with the Admin title next to your name you have a shared responsibility with everything that goes on here on this site. Having a CONFIRMED virus running around in an updater that you have sponsored is simply asking for others to take pot shots at you while this site dies.

--Have a Day!

Rushster
29-11-2007, 10:44 AM
I am giving you a straight answer. I will check it out when I get to work. I have removed the file it is no longer available.

Amthea creates the mod/app and he will not have done anything to the file. The file could have been changed in some other way which is what I am looking into, which takes some time to investigate this morning. This site never distributed malicious software knowingly so please understand that.

With a WOW account now worth more than a credit card, the account hackers (99% of the time gold sellers) will go to great lengths to hack, infiltrate and disrupt websites involved with anything to do with WoW. We have pretty tight security on this network and have invested a lot of hardware and software to keep it secure but as everyone knows, where there is a will there is a way. The way is what I need to look into this morning.

Rushster
29-11-2007, 10:49 AM
Agreed. We do have responsibility and it is being dealt with now I KNOW about it. That is what taking responsibility is.

As most users here have low post counts I am assuming we will see an influx of abuse and trolling in this thread just for the sake of it. So to keep things civil while I check this out I am going to lock this thread up and will re-open it when I have done my checks this morning.

Finally, just to reiterate. This file is NOT available for download so you can not be infected.

Elly
29-11-2007, 08:42 PM
Hi Kimina,

I removed your post. It is the only post of yours that has been deleted. You were asked politely not to use that tone, to keep things civil. It's a basic request. We expect nothing less for us mods as we do for all our members. You may think you can talk to people in that way here and there's "not a damn thing we can do about it" but you're mistaken because there is as you can see. Good manners is all I ask.

And for an explanation of what actually happened read Rush's post here (http://wow.incgamers.com/forums/showthread.php?p=4068659#post4068659). I'm happy it turned out to be nothing we had done.