Keylogger from Curse?

[Velky]

Ok so in the last 2 days, i've gotten the same error when attempting to log-in to wow.

First time, after getting a critical error and not being able to login again without getting that same error, I come to find out I have a keylogger. I updated my Malwarebytes, run it and get everything cleaned up. This was 2 days ago, at around 11PM Christmas Day.

Now today, I closed wow down, went to curse to download a few addons and had the curse client install them. I go to login to wow, exact same error as before. Only sites I've been on since waking up is Facebook, MMO and Curse.

[Manito]

My guess would be Facebook if you have a keylogger. I'm fairly sure I've seen this post before though. Some guy blaming Curse for a keylogger. Maybe not. IDK.

[Velky]

Forgot to mention that the first time I get the critical error, I had been on curse to get an addon.

---------- Post added 2010-12-27 at 11:55 AM ----------

My guess would be Facebook if you have a keylogger. I'm fairly sure I've seen this post before though. Some guy blaming Curse for a keylogger. Maybe not. IDK.

Well this is the first time I've gotten a keylogger, both times matching up with the times I visited Curse. Facebook on the other hand is a site I visit daily. I do not fill out those surveys, play games or anything that would warrant a keylogger being downloaded.

[Tryinmilkme]

About 3 months ago I bought a new cpu, installed wow. Played it for a few mins, then went onto Curse, downloaded addons, logged back in, played for a bit. The next morning logged in to get a you have been expoiting the game acc banned email. They unlocked my acc, and restored the items. The Only place I had been was curse. Now this is rare, and I still use curse today, you just have to scan it before you download it.

[ReverendD]

Any website you visit that may have Flash adverts on it can be the cause of most malware. Since it is usually the ads that are poisoned. If you have flash enabled then its a good chance it got in that way.

As for programs that auto-update your addons, I suggest against them regardless of how long you have used them and never had an issue. It only takes one time.

~Rev

[Velky]

Any website you visit that may have Flash adverts on it can be the cause of most malware. Since it is usually the ads that are poisoned. If you have flash enabled then its a good chance it got in that way.

As for programs that auto-update your addons, I suggest against them regardless of how long you have used them and never had an issue. It only takes one time.

~Rev

Screw 1 time, twice in the last 2 days. I'll just go back to the old way.

[BlackZero]

Install and use NoScript. It saves lives.

[Velky]

Install and use NoScript. It saves lives.

This isn't the first time I've been told this, so I guess today I'll actually install it.

[ReverendD]

Install and use NoScript. It saves lives.

Seconded. Also install AdBlock (Chrome, Firefox). Works wonders.

[Kaneiac]

What type of error are you actually getting? I'm just curious.

[Velky]

==============================================================================
World of WarCraft: Retail Build (build 13329)

Exe: C:\Program Files (x86)\World of Warcraft\WoW.exe
Time: Dec 27, 2010 11:45:38.434 AM
User: **
Computer: **
------------------------------------------------------------------------------

This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal Exception
Program: C:\Program Files (x86)\World of Warcraft\WoW.exe
Exception: 0xC0000005 (ACCESS_VIOLATION) at 0023:00F5C22D

The instruction at "0x00F5C22D" referenced memory at "0x00000001".

---------- Post added 2010-12-27 at 12:17 PM ----------

Getting annoying having to do a 30 minute scan just to play WoW. Hopefully NoScript and AdBlock help me in the future.

[mster50]

...

That's not an error that's indicative of a keylogger. It's typically indicative of two problems - either a RAM issue or a HDD issue. Doesn't necessarily mean the hardware is bad, either. Just means there was an access error when trying to reference or access the data stored at the address listed in that report.

If you read around, a lot of people have been having that same problem post Cataclysm's launch. I myself experienced similar issues, and after a full set of hardware tests, found out I had a bad stick of RAM.

If you have it, run a Windows Memory diagnostic, and see if it's bad RAM. WoW has to pull data from two places, your system memory, or your hard drive. If it consistently can't pull from either (aka, the crash), there may be a problem with either.

Not virus/malware related though. You can relax.

Also try to run RepairWoW (in your WoW folder) - may fix any broken files you have as well.

[MatsT]

It's not theoretically possible for an addon to keylog you. It's theoretically possible, but unlikely, that you have gotten a keylogger off some ad on curse.com.

Also, Error #132 isn't related to keyloggers. You can read more about it here: http://us.blizzard.com/support/artic...rchQuery=ERROR

[ReverendD]

Might be worth running a repair on WoW as well. If the keylogger had anything to do with the WoW.exe directly it could have changed something. That is what happened to my wife and myself. She was using myspace back in the day and the infection targeted the WoW.exe directly and did nothing else.

Since WoW can be copied and ran from any PC w/o installing it I just had her files backed up on an external drive. When we tried to run it thats when the AV software finally found it. Ended up copying my files to her PC to get it running again.

[Simca]

It's next to impossible it came from the Curse Client because you'd have to click the exe file associated with the addon yourself to install a keylogger/trojan. In which case, you would probably deserve it.

It is possible that a bad advertisement was delivered through Google Ads to the Curse.com site or MMO-Champion or even Facebook. It's more likely that you fell for a scam or phishing attempt on accident and didn't even notice.

However, I would like to take the time to clarify the three posts above me - It is entirely possible for the newer keyloggers to crash World of Warcraft with a #132 Error - it was the principle on which the Authenticator trojan was based on. It would take the Authenticator code and password, send them to a third party and then crash the client.

Either way, secure your computer, and don't jump to conclusions. I've heard too much of the 'zomg Curse hacked me' paranoia recently. The Curse Client runs NO files on your computer. If you download a bad addon and then -you- run an exe file associated, that is your own fault, really, and you would make the same mistake if you downloaded a zip file.

Might be worth running a repair on WoW as well. If the keylogger had anything to do with the WoW.exe directly it could have changed something. That is what happened to my wife and myself. She was using myspace back in the day and the infection targeted the WoW.exe directly and did nothing else.

Since WoW can be copied and ran from any PC w/o installing it I just had her files backed up on an external drive. When we tried to run it thats when the AV software finally found it. Ended up copying my files to her PC to get it running again.

IIRC, the WoW.exe file and many others are now checked for consistency when the Launcher is run and again when WoW is launched, which is how they broke model exploits and many other file modifications.

They have made a lot of behind the scenes changes to how the process works. TOM_RUS and others could tell you more, perhaps Marlamin as well.

[Velky]

...

That's not an error that's indicative of a keylogger. It's typically indicative of two problems - either a RAM issue or a HDD issue. Doesn't necessarily mean the hardware is bad, either. Just means there was an access error when trying to reference or access the data stored at the address listed in that report.

If you read around, a lot of people have been having that same problem post Cataclysm's launch. I myself experienced similar issues, and after a full set of hardware tests, found out I had a bad stick of RAM.

If you have it, run a Windows Memory diagnostic, and see if it's bad RAM. WoW has to pull data from two places, your system memory, or your hard drive. If it consistently can't pull from either (aka, the crash), there may be a problem with either.

Not virus/malware related though. You can relax.

Also try to run RepairWoW (in your WoW folder) - may fix any broken files you have as well.

I never assumed it to be a keylogger. I went to the technical service forums on WoW, made a thread, and started posting in other peoples threads who had the same error/problem (or so I thought). However, about 4-5 DIFFERENT people (including a blue) came back saying I have a keylogger. I ran Malwarebytes (wasnt updated) and nothing came back. They told me to update it, ran it again, 5 threats came up, cleaned them and I was able to get back on WoW.

---------- Post added 2010-12-27 at 12:24 PM ----------

It's not theoretically possible for an addon to keylog you. It's theoretically possible, but unlikely, that you have gotten a keylogger off some ad on curse.com.

Also, Error #132 isn't related to keyloggers. You can read more about it here: http://us.blizzard.com/support/artic...rchQuery=ERROR

Been there, done that. Did next to all that was suggested on the blizzard site. Read above for more.

---------- Post added 2010-12-27 at 12:25 PM ----------

Might be worth running a repair on WoW as well. If the keylogger had anything to do with the WoW.exe directly it could have changed something. That is what happened to my wife and myself. She was using myspace back in the day and the infection targeted the WoW.exe directly and did nothing else.

Since WoW can be copied and ran from any PC w/o installing it I just had her files backed up on an external drive. When we tried to run it thats when the AV software finally found it. Ended up copying my files to her PC to get it running again.

Did a repair, updated drivers, even re-installed. Read above for more.

---------- Post added 2010-12-27 at 12:28 PM ----------

It's not theoretically possible for an addon to keylog you. It's theoretically possible, but unlikely, that you have gotten a keylogger off some ad on curse.com.

Also, Error #132 isn't related to keyloggers. You can read more about it here: http://us.blizzard.com/support/artic...rchQuery=ERROR

Gonna quote this again. Error #132 isn't related to anything. It's an error code that has a whole bunch of different categories, ones which aren't known yet. So to say it's not related to keyloggers is a bit unfair. Blizzards site even site even says it itself that it is it's own category.

---------- Post added 2010-12-27 at 12:31 PM ----------

It's next to impossible it came from the Curse Client because you'd have to click the exe file associated with the addon yourself to install a keylogger/trojan. In which case, you would probably deserve it.


Either way, secure your computer, and don't jump to conclusions. I've heard too much of the 'zomg Curse hacked me' paranoia recently. The Curse Client runs NO files on your computer. If you download a bad addon and then -you- run an exe file associated, that is your own fault, really, and you would make the same mistake if you downloaded a zip file.

I'm not a computer savvy user (as in I don't know my way around things such as trojans and that boatload) but I do know enough about where they can come from. Before Curse took over MMO, I saw posts saying Curse has had some trojans on their website, so saying it's next to impossible is a little farfetched.

I wasn't being paranoid about it. I stated 2 different times which I became infected, which both were almost immediately after being on the curse website. I'm not pointing fingers, simply asking questions.

[ElMuerte]

7 dollars, really just 7 measly bucks for an authenticator, even cheaper if you have an iPhone or Droid. I could probably scrape together 7 bucks in change from my car and couch cushions.

[Velky]

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

27/12/2010 12:35:53 PM
mbam-log-2010-12-27 (12-35-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 338916
Time elapsed: 47 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\program files\common files\msnmsgr.exe (Trojan.Agent) -> 5268 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysray (Trojan.Agent) -> Value: sysray -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\common files\msnmsgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\common files\c.reg (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\common files\ur.dll (Malware.Trace) -> Quarantined and deleted successfully.


------

There's my report from Malwarebytes

---------- Post added 2010-12-27 at 12:37 PM ----------

7 dollars, really just 7 measly bucks for an authenticator, even cheaper if you have an iPhone or Droid. I could probably scrape together 7 bucks in change from my car and couch cushions.

I have an authenticator. I never stated I do, then again I never said I've been hacked, simply gotten a keylogger.

---------- Post added 2010-12-27 at 12:39 PM ----------

Just logged back into wow successfully after scan.

[ReverendD]

I would also suggest running either the MS Malicious Software Removal Tool or Kasperky's TDSS Killer. Google either. I suggest TDSS Killer over MSRT, but both will locate any Alueron based rootkits. These have been causing issues with my customers a lot lately.

~Rev

[Simca]

I'm not a computer savvy user (as in I don't know my way around software such as trojans and that boatload) but I do know we enough about where they can come from. Before Curse took over MMO, I saw posts saying Curse has had some trojans on their website, so saying it's next to impossible is a little farfetched.

I wasn't being paranoid about it. I stated 2 different times which I became infected, which both were almost immediately after being on the curse website. I'm not pointing fingers, simply asking questions.

I suppose this is just a subject that irritates me slightly because of the frequency at which this accusation is falsely made. I apologize.

Yes, before (and after) Curse took over this site there were (and still are... this thread right here!) threads insinuating that Curse is the problem. We don't lock them nor do we ban people for talking about it, so I'm not sure what bringing up the merger has to do with this topic at all. If it did, we wouldn't be talking about this right now, right?

People (not you, others) like to throw blame at Curse because they believe it is the only part of their computer that is at risk or something. The problem is that people see these threads and then assume that it must be true because they saw it on the internet, and then if they get hacked, they say the same thing, and the rumor keeps feeding on itself. I saw a thread on the Curse forums where a Curse Client user claimed to be hacked by the Client and then claimed that a Blizzard service representative that she called said it was "very likely" that the Curse Client was responsible. The rumor has spread so far that apparently the service representatives even believe it now. Several of the site users and then I -believe- an administrator or two tried to tell her that it was next to impossible for that to happen, but she wouldn't believe it. It just disappoints that misinformation has spread that far.

That said, that isn't related to you, and I'm sorry for ranting. To answer your question, the only way I know of that the Curse Client could infect you is by delivering a bad advertisement (or by clicking an exe file from a bad addon, but that is extremely unlikely as I outlined earlier because it requires extensive user mistakes). However, this isn't something specific to the Curse Client and bad advertisements can be found nearly anywhere on the internet.