Trojans & mods

This forum is for outdated or irrelevant Modding Information that may or may not be 3 months old.

Moderator: thunderchero

Post Reply
User avatar
zorion_no
Cadet 2nd Year
Cadet 2nd Year
Posts: 6
Joined: Mon May 26, 2008 2:00 am

Trojans & mods

Post by zorion_no » Tue Apr 20, 2010 2:25 am

Heya,

im not to sure if this is the right place or not, but anyway.
I run a very "tight" ship on my computer, meaning firewall, anti-virus scanners etc, and for most part always running on high settings.

I find it abit "puzzling" that sadly when i download addons from this site, that there is unwanted guests attached in the zip.
From what i can gather of pieces is that there is 1 virus in 1 file, and most of the modders use the same files to start out with, and so its spread to other mods.

That I listed above would be option a. If I was into conspiracy, there is also the option that someone isnt playing nice, and are putting them into the dloads, to infect ppl's computers with trojan horses.
Who if the option b is the answer might i not speculate to much into, as i have faith its option a. (if u wanna go with b, it could be the ppl modding, or the ppl that host the files that is infected)

The file that seems to be infected is trek.icd
The Trojan is Trojan.Heur.Szw@@xsM4eg

User avatar
Flocke
BORG Trouble Maker
BORG Trouble Maker
Posts: 2582
Joined: Sun Apr 27, 2008 2:00 am
Location: Hamburg, Germany
Contact:

Post by Flocke » Tue Apr 20, 2010 3:47 am

do you get this also with unmodded original botf?
If so, it's a false positive, cause it's just a heuristical detection (that's why you have "Heur" in it's name). Your scanner identified a code section as a potential trojan cause of the code structure and some function calls. What scanner are you using and which downloads are affected?
Knowing the download/mod-files, we can also back check trek.icd with original botf version ourselves.

And let me add, noone here around is willing to spread trojans or viruses. If there are, it's an accident cause people got infected themselves, or some bad hackers have been around. If there's really a trojan, we'll take care of it.

User avatar
Peter1981
Rear-Admiral
Rear-Admiral
Posts: 1118
Joined: Tue May 06, 2008 2:00 am
Location: England

Post by Peter1981 » Tue Apr 20, 2010 4:26 am

i've run a complete check of my computer for this trojan and Norton doen't find it. Agree with Flocke probably a false positive zorion_no.

User avatar
DCER
Code Master
Code Master
Posts: 683
Joined: Sat Apr 26, 2008 2:00 am

Post by DCER » Tue Apr 20, 2010 5:33 am

trek.icd isn't modded in any mod as far as I know, neither is it included in any of them.

This file comes with the botf cd or the main multi installer.

As has been recommended before: switch to a better AV, I would recommend Avira or AVG from the free ones.

User avatar
Peter1981
Rear-Admiral
Rear-Admiral
Posts: 1118
Joined: Tue May 06, 2008 2:00 am
Location: England

Post by Peter1981 » Tue Apr 20, 2010 6:11 am

Agree with DCER

User avatar
Flocke
BORG Trouble Maker
BORG Trouble Maker
Posts: 2582
Joined: Sun Apr 27, 2008 2:00 am
Location: Hamburg, Germany
Contact:

Post by Flocke » Tue Apr 20, 2010 6:40 am

It doesn't have to be a bad scanner, it actually might be a quite good one.
Heuristical virus detection is a key feature for detecting yet unknown viruses and trojans! But with it, you also get false positives in some cases, that's not uncommon.
zorion_no states he set his scanners on high security, so they'll alert on every possible detection, including possible false positives.

remember, no up to date scanner will detect each and every virus, not even the best and expensive scanners. It's a personal preferance of using heuristical analysis to improve detection rate, but all modern scanners support some kind of it.

User avatar
Flocke
BORG Trouble Maker
BORG Trouble Maker
Posts: 2582
Joined: Sun Apr 27, 2008 2:00 am
Location: Hamburg, Germany
Contact:

Post by Flocke » Tue Apr 20, 2010 7:51 am

hmm, interesting, on my personal original botf disc, I have a complete different version of that file (even the size differs). According to the date of creation, mine is from 17.05.1999 while the one from main multi installer is from 21.07.1999.
Reason is most probably cause I have an older botf release, or cause mine is the german release version. However, replacing the trek.icd of main multi installer with the one from my original cd (yes it still works =D) doesn't seem to cause any problems.
Perhaps someone else can verify the trek.icd of the main multi installer with his own cd (comparing hex code with HxD for example - it has a compare function).
I might upload mine lateron if desired, but have no time right now.

I still don't expect any trojan within, but it doesn't harm to make sure. :P
antivir doesn't alert on both of them

Edit: Just gave it another try, removing that file doesn't seem to cause any crashes either, so what is it good for? Is trek.icd even used in any way? :roll:
Last edited by Flocke on Tue May 18, 2010 4:26 am, edited 1 time in total.

User avatar
Spocks-cuddly-tribble
Code Master
Code Master
Posts: 848
Joined: Sun Apr 27, 2008 2:00 am

Post by Spocks-cuddly-tribble » Tue Apr 20, 2010 9:25 am

Flocke wrote:Perhaps someone else can verify the trek.icd of the main multi installer with his own cd (comparing hex code with HxD for example - it has a compare function).
Done. Not even a single bit deviation.

Most probably the bugged copy protection of the 1.0.0 version is the troublemaker (IIRC trek.icd is an encrypted trek.exe - the 1.0.0 trek.exe itself is just a very small file).

Side note: This bugged copy protection caused in fact the incompatibility with Win 2000 & upwards, BotF itself is (without Joker patch).
I don't know how many bugs is too many but that point is reached somewhere before however many in BotF is.

KrazeeXXL
BORG Trouble Maker
BORG Trouble Maker
Posts: 2267
Joined: Sat Jan 03, 2009 3:00 am
Location: the 36th Chamber

Post by KrazeeXXL » Tue Apr 20, 2010 9:32 am

Flocke wrote:According to the date of creation, mine is from 17.05.1999 while the one from main multi installer is from 21.07.1999.
perhaps ver 1.00 and ver 1.20? Is it the original-cd/securom/copyprotection file?



In the case of a trojan my firewall actually had noticed some output to somewhere. Try tcpview for example.

But since there isn't anything like that and I check everything related regularly... I agree Flockes statement about heuristic scan methods - which use algorythms to compare between database and everything to warn of future viruses which have similiar characteristics and are not known yet and therefore in none database.

User avatar
zorion_no
Cadet 2nd Year
Cadet 2nd Year
Posts: 6
Joined: Mon May 26, 2008 2:00 am

Post by zorion_no » Tue Apr 20, 2010 1:50 pm

Ok glad to hear you have looked it over, and that it appears to be a false positive.

For the record i do own the origianl Both (even got my box around)
And ive never had any issues like this before.

I relative recently upgraded my computer and have dloaded some of the mods ive enjoyed.
And thats when the msg started to pop-up.
My av, says it cleans and removes the infection, but its prolly just a false-positive.

Glad to hear you've looked into it.

Cheers

KrazeeXXL
BORG Trouble Maker
BORG Trouble Maker
Posts: 2267
Joined: Sat Jan 03, 2009 3:00 am
Location: the 36th Chamber

Post by KrazeeXXL » Tue Apr 20, 2010 4:41 pm

I was surprised in the same way as you (perhaps even more) as I got these msgs in Comodo AV some months ago.

I didn't read the "heur" in the messages at first. But then Flocke told me about it and I began to remember about how heuristics work (read an article about it some years ago).

have fun gaming :)

User avatar
Flocke
BORG Trouble Maker
BORG Trouble Maker
Posts: 2582
Joined: Sun Apr 27, 2008 2:00 am
Location: Hamburg, Germany
Contact:

Post by Flocke » Tue Apr 20, 2010 7:53 pm

KrazeeXXL wrote:But then Flocke told me about it and I began to remember about how heuristics work (read an article about it some years ago).
Have I? :lol:
Might be, but not about exact same issue I guess. :roll:

However, thanks for proving and the info about that file SCT. :)

User avatar
alshidaa
Cadet 1st Year
Cadet 1st Year
Posts: 1
Joined: Fri Jun 11, 2010 2:00 am

Post by alshidaa » Wed Jun 16, 2010 3:26 am

How to restore computer system after computer is infected with Trojan horse, worms and viruses? My computer is infected with Trojan horses, worms and viruses. I try to restore back my system before the attack. However all of the applications have been infected. How can I get rid of the threats and restore the system.
_________________
affiliateelite ~ affiliateelite.com ~ adgooroo ~ adgooroo.com
Last edited by alshidaa on Sat Jun 19, 2010 2:38 am, edited 1 time in total.

User avatar
eber3
Captain
Captain
Posts: 663
Joined: Sat Apr 26, 2008 2:00 am

Post by eber3 » Wed Jun 16, 2010 11:30 am

alshidaa wrote:How to restore computer system after computer is infected with Trojan horse, worms and viruses? My computer is infected with Trojan horses, worms and viruses. I try to restore back my system before the attack. However all of the applications have been infected. How can I get rid of the threats and restore the system.
Go to this site....

http://www.geekstogo.com/forum/Malware- ... ea66517fe7


They were able to help me get rid of a rather nasty intruder that took over my web browsers and kept reinstalling itself.

KrazeeXXL
BORG Trouble Maker
BORG Trouble Maker
Posts: 2267
Joined: Sat Jan 03, 2009 3:00 am
Location: the 36th Chamber

Post by KrazeeXXL » Wed Jun 16, 2010 1:19 pm

alshidaa wrote:How to restore computer system after computer is infected with Trojan horse, worms and viruses? My computer is infected with Trojan horses, worms and viruses. I try to restore back my system before the attack. However all of the applications have been infected. How can I get rid of the threats and restore the system.
as we say in my language: "plattmachen, neumachen"

google translated it with "remake flattening" means reinstall your pc. you could try to restore it but it would take much more time and the achievement would be in 99% of all cases a doubtful one. You'll never find out where the worms and viruses are hiding. And in most of the cases you'll have some rest of this malware remaining on your system. So reinstalling from scratch is imo the best solution.

So do yourself a favour and reinstall windows + format the drive where you install it to during the installation + don't forget to back up b4 ofc, etc...

for the future: if you want to run a program but you're not sure if its a virus or not then upload and test it on www.virustotal.com b4 and find out.
another good tip is to use a program like sandboxie which creates an almost secure area for such kind of doubtful programs.

Post Reply

Return to “Modding Information Archive”

Who is online

Users browsing this forum: No registered users