VIRUS Detected when clicking PLAY! (Appears Fixed Now 09/17) : General & Trouble Shooting
Posted: September 16th, 2005, 3:23 pm
 
bloodknight
Run a virus scan of your system immediately!!!

I just found out that when you start up XUnleashed and click Play, as one of the plugins auto-updates, it tries to run a virus. Symantec AntiVirus detects it as Backdoor.Graybird.

This only happens when you click the Play button, not before this point.

I deleted my XUnleashed dir, re-downloaded it, and installed 3 plugins (EQ2Crafter, EQ2Unleashed Map, EQ2Servicer). I am in the process of trying to figure out which one exactly does it. Will post in a few minutes.


Last edited by Guest on September 17th, 2005, 8:17 am, edited 2 times in total.

Posted: September 16th, 2005, 3:28 pm
 
bloodknight
Ok, deleted XUnleashed, re-downloaded the install file and ran it. It downloaded everything like before. I DID NOT install anything extra, just the base XUnleashed install. I still get the Virus Detected message when clicking on Play. I can run EQ2 just fine with no virus detected messages.

After I get a Virus Detected message I have to reboot to get it to show up again when clicking Play. I suspect this is because when it was trying to run it locked up XUnleashed, because it was denied access to the file that had the virus.

This is very new, as I was using it yesterday for sure just fine, and I cannot remember if I used it this morning just fine. But it did just show up.


Posted: September 16th, 2005, 3:39 pm
 
bloodknight
Here is the write-up from Symantec about this virus:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.html


Posted: September 16th, 2005, 4:29 pm
 
kevinalaska
I had that virus come up on my system today as well. I am not sure what the cause of the virus is but Norton Antivirus did catch it.

I also downloaded XUnleashed over and installed ONLY the Crafting plug-in. I only had the Crafting plug-in before this whole problem started with not running the XUnleashed program.

Virus scan was also finished.

I recommend scanning via the internet as well (as it is like having more than one doctor's opinion); go to housecall.antivirus.com. This will let you do a good scan of your system for free.

I still want to know what this is all about... So if anyone finds any information please post it. I really don't want to be running XUnleashed with the idea of it being a security hole in my computer as well as a possible way for SoE to find out I am using XUnleashed... =/

Thank you...


Posted: September 16th, 2005, 4:41 pm
 
bloodknight
I am still working on analyzing exactly which files are being accessed when Symantec detects the virus. Will post in a few more minutes.


Posted: September 16th, 2005, 4:52 pm
 
bloodknight
There is a PATCH.BIN file that is creating the temp file that Symantec detects as a virus.

This file exists in the root of the XUnleashed Directory where the XUnleashed.exe file resides.

This temp file it creates is the one that is detected with the virus. I used the Sysinternals FILEMON tool to see what files were being called and which one was the one creating the file that Symantec detected as a virus.


Posted: September 16th, 2005, 5:05 pm
 
bloodknight
I found an old install of XUnleashed that I had on another one of my machines from about 2 months ago. I am in the process of determining what creates the patch.bin file, as I have already tried to see if it was a direct download from the auto-update by launching XUnleashed. I did this by processing my firewall logs for all activity from my test machine.


Posted: September 16th, 2005, 5:22 pm
 
bloodknight
OK, I figured out why it was not showing up in my firewall logs. I was assuming that it was making HTTP calls to grab any files, as it does use this method to check some files. Using a TCP/IP sniffer, after I determined that XUnleashed was making a pure socket call to an external IP to download most of its files for updating, I was able to determine that XUnleashed.exe was making the socket connection and downloading the PATCH.BIN file. I assume it is supposed to do this, as it also updates all the other files this way.

I was able to determine that one IP address is serving out this virus-infected file: 24.155.5.159. Unfortunately this appears to be a dynamic address from an ISP. I am going to block access to that IP address and test again in hopes that there is a mirror it will use that does not have an infected file.


Posted: September 16th, 2005, 5:37 pm
 
bloodknight
Well, that didn't work. Seems that this web site is also served by that same IP, as I had to unblock it to get back to the forums. I did an nslookup and verified that these forums are served by that IP also.

So the only thing we can do now is wait for the admin to check his files and get rid of the virus. Unless it was intentional and I don't even want to go down that road as I have trusted Tault for a very long time.


Posted: September 16th, 2005, 5:45 pm
 
bloodknight
I'm going to backtrack through all my posts and also say that I am not sure that the PATCH.BIN file is the one with the virus. What appears to happen is this:

XUnleashed.exe creates PATCH.BIN. It either does this from downloading code over the internet or from making a copy of itself.

Then PATCH.BIN creates and accesses many other files.

After XUnleashed has fully downloaded and you click the Play button, PATCH.BIN does create an MC21.TMP (typically named as this, but a few times it has been other names), which is the one that has the virus.

Now it creates this file either from other files that have already been downloaded at this point, or by downloading the code from the internet at the time.

My point is, I have indeed determined that the file PATCH.BIN creates this temp file which has the virus.


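The attribution bloodknight describes above (Filemon showing XUnleashed.exe writing PATCH.BIN, then PATCH.BIN writing the temp file the AV flags) can be done mechanically over a saved Filemon log instead of by eye. The following is an added example, not code from this thread or from XUnleashed: the log lines are constructed to mirror the sequence described in the post, the PIDs, timestamps, temp-directory path and the name used for the AV's real-time scanner process are assumptions, and the chain-walking rule (match a creating process's image name against the basename of a file created earlier in the log) is this example's own heuristic, not anything Filemon does itself.

```python
"""Walk a Filemon-style file-activity log back from a flagged temp file to
the chain of processes that produced it.  Sample data is constructed."""
import ntpath  # Windows path handling even when run on a POSIX host

# Constructed log in Filemon's tab-separated layout:
#   seq  time  Process:PID  Request  Path  Result  Other
# Process names, PIDs, times and the scanner name (Rtvscan.exe) are assumed.
SAMPLE_LOG = """\
1\t3:22:10 PM\tXUnleashed.exe:1204\tCREATE\tC:\\XUnleashed\\PATCH.BIN\tSUCCESS\tOptions: OverwriteIf  Access: All
2\t3:22:10 PM\tXUnleashed.exe:1204\tWRITE\tC:\\XUnleashed\\PATCH.BIN\tSUCCESS\tOffset: 0 Length: 65536
3\t3:22:11 PM\tXUnleashed.exe:1204\tCLOSE\tC:\\XUnleashed\\PATCH.BIN\tSUCCESS\t
4\t3:22:12 PM\tPATCH.BIN:1388\tOPEN\tC:\\XUnleashed\\XUnleashed.exe\tSUCCESS\tOptions: Open  Access: Read
5\t3:22:40 PM\tPATCH.BIN:1388\tCREATE\tC:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\MC21.TMP\tSUCCESS\tOptions: OverwriteIf  Access: All
6\t3:22:40 PM\tPATCH.BIN:1388\tWRITE\tC:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\MC21.TMP\tSUCCESS\tOffset: 0 Length: 20480
7\t3:22:41 PM\tRtvscan.exe:512\tOPEN\tC:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\MC21.TMP\tSUCCESS\tOptions: Open  Access: Read
8\t3:22:41 PM\tRtvscan.exe:512\tDELETE\tC:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\MC21.TMP\tSUCCESS\t
"""


def parse_filemon(text):
    """Parse tab-separated Filemon lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        seq, time, proc, request, path, result = fields[:6]
        other = fields[6] if len(fields) > 6 else ""
        name, _, pid = proc.rpartition(":")  # "image.exe:pid"
        if not name:
            name, pid = proc, ""
        events.append({
            "seq": int(seq) if seq.isdigit() else None,
            "time": time, "process": name, "pid": pid,
            "request": request.upper(), "path": path,
            "result": result.upper(), "other": other,
        })
    return events


def creators(events):
    """Map each successfully created path (case-folded) to the first
    (process, pid) that created it."""
    out = {}
    for ev in events:
        if ev["request"] == "CREATE" and ev["result"] == "SUCCESS":
            out.setdefault(ev["path"].lower(), (ev["process"], ev["pid"]))
    return out


def provenance_chain(events, flagged_path):
    """Return [flagged file, creator, creator's creator, ...].

    Heuristic: a process whose image name equals the basename of a file
    created earlier in the log is assumed to have been launched from that
    file.  Stops when no creator is recorded or a name repeats (cycle guard).
    """
    by_path = creators(events)
    by_basename = {}
    for path, who in by_path.items():
        by_basename.setdefault(ntpath.basename(path).lower(), who)

    chain = [ntpath.basename(flagged_path)]
    seen = {chain[0].lower()}
    who = by_path.get(flagged_path.lower())
    while who is not None:
        proc = who[0]
        if proc.lower() in seen:
            break
        chain.append(proc)
        seen.add(proc.lower())
        who = by_basename.get(proc.lower())
    return chain


def touched_by(events, path):
    """Every (process, request) that touched the path, in log order; shows
    e.g. that the scanner opened and then deleted the temp file."""
    target = path.lower()
    return [(ev["process"], ev["request"]) for ev in events
            if ev["path"].lower() == target]


if __name__ == "__main__":
    evs = parse_filemon(SAMPLE_LOG)
    tmp = r"C:\DOCUME~1\USER\LOCALS~1\Temp\MC21.TMP"
    print(" <- ".join(provenance_chain(evs, tmp)))
    for proc, req in touched_by(evs, tmp):
        print(f"{req:<7}{proc}")
```

Against the constructed log this prints `MC21.TMP <- PATCH.BIN <- XUnleashed.exe`, which is the chain the post states. On a real Filemon export the same two calls answer the two questions that matter here: which process wrote the file the scanner flagged, and whether that process's own image was dropped by something else earlier in the session.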
Posted: September 17th, 2005, 12:24 am
 
kevinalaska
Wow Bloodknight... you were well spoken (err... written) and logical in your approach... I hope the amazing work you have shown here really helps them solve this.

I would also like to ask if you perchance have the name of the "filemon" program you use. I have had great need in the past for such a utility.

Thanks and best wishes.


Posted: September 17th, 2005, 8:04 am
 
bloodknight
Yes, filemon.exe and other very useful utilities are at www.sysinternals.com

The filemon is called just that, 'filemon', which is short for file monitor. It is located at http://www.sysinternals.com/utilities/filmon.html


Posted: September 17th, 2005, 8:26 am
 
bloodknight
OK, as of this morning when I woke up looking forward to seeing some reply from the admin or someone involved in fixing this, I was disappointed to see nothing of the sort.

I decided to check and see if it was fixed anyway. Everything that I tracked yesterday with a temp file being created and causing a detection of a virus is gone. It appears that it is fixed now. It causes no detection of a virus. I believe it is fixed, unless the virus' signature was changed so it is not detectable by an anti-virus program. I have detected that it still creates the temp file but does not cause a trigger of the virus detection. After a successful run I did a virus scan and checked every place the previous virus modifies stuff (as posted previously) and found no known signs of that virus being on my system.

I just wish that the admin or whoever is involved with fixing this posted something about it.


Posted: September 17th, 2005, 12:50 pm
 
Tault_admin
Not that I know of are there any viruses in XUnleashed. LOL, it wouldn't make any sense for business for us to ruin people's computers.


Posted: September 19th, 2005, 2:45 am
 
muzzleflash
Having the same problem with Symantec AntiVirus. It only started happening since a recent virus defs update.

The temp file generated in the user's temporary directory is detected as being a virus and automatically deleted. I'm guessing the file is the DirectX hook, since the XUnleashed menu bar fails to show in the game.


Site and Contents Copyright 2001-2012 All Rights Reserved TaultUnleashed.com