May 14, 2008, 04:42 PM // 16:42
|
#41
|
Grotto Attendant
|
Quote:
Originally Posted by Shakti
OK now I'm worried about textmod. My hubby DLed Textmod a month or so ago (I think from the "safe" link here but I'll check when he gets home) so I could do cartographer.
I use McAfee SecurityCenter among other scans, and after reading this and the other threads, ran the scan just on the Textmod.exe file itself. It came up with a trojan New Malware.aj to be exact. Seems to be a 2006 Heuristic trojan (wtf ?)
Crap.
|
"Heuristic" means that it was flagged by a set of rules that pick out things that look virus-ish, but it didn't match any known virus in the definitions. Heuristic detection has a very high false-positive rate.
|
|
|
May 14, 2008, 04:47 PM // 16:47
|
#42
|
Academy Page
Join Date: Mar 2008
Profession: R/
|
On a slightly weirder note, PlayNC Launcher seems to be sure I have Lineage II installed, although I have never done so.
|
|
|
May 15, 2008, 11:32 AM // 11:32
|
#43
|
Forge Runner
Join Date: Aug 2006
Location: Australia
Guild: Lost Templars [LoTe]
Profession: Me/Mo
|
Updated to 8.0 and I'm clean. *phew*
|
|
|
May 15, 2008, 03:00 PM // 15:00
|
#44
|
Desert Nomad
Join Date: Aug 2005
Location: in my GH
Guild: Limburgse Jagers [LJ]
Profession: W/
|
Hmm I've seen this lineage trojan message too in AVG. It claimed to have quarantined it, but tonight I'm double checking and changing my pass yet again...
|
|
|
May 15, 2008, 09:41 PM // 21:41
|
#45
|
Desert Nomad
Join Date: Jan 2008
Location: New York
Profession: W/R
|
This morning, while sitting through the morning computer scan with AVG, the PWS Lineage Trojan had come on to say hello.
Now I haven't downloaded anything EXCEPT TexMod and the three mods for Cartography Made Easy. I've used these for about a month now, and seeing it comes now of all times... just confuses me.
That's my two cents.
|
|
|
May 15, 2008, 10:16 PM // 22:16
|
#46
|
rattus rattus
Join Date: Jan 2006
Location: London, UK GMT±0 ±1hr DST
Guild: [GURU]GW [wiki]GW2
Profession: R/
|
Maybe something we have generates a wtf# file in TEMP and AVG tags it as PWS.Lineage?
Is there any way to examine one of these wtf# files and find out what created it?
I suspect googling wtf would be a bad idea ^^
[edit] Don't mind me - it's just senility setting in. From a previous TexMod thread:
Quote:
Originally Posted by Antheus
wtf = Windows Temporary File
.tmp = temporary file extension
The number is a random hex number
These files aren't trojans, they are just temporary file used by texmod. The ability to create these files is part of Windows, and any application can do that. These files should be automatically deleted if you properly close the GW and texmod. If not, you can safely delete them.
See official document.
|
So yes, it's TexMod and it certainly appears benign. I'm sticking with my assumption that the AVG8 update has brought this one up again. Then again, what if the creator of TexMod buried this trojan in it from the start and just waited until thousands of us had it installed before reaping the benefits?
Conspiracy theory again?
__________________
Si non confectus, non reficiat
Last edited by Snograt; May 15, 2008 at 10:36 PM // 22:36..
|
|
|
May 15, 2008, 11:02 PM // 23:02
|
#47
|
Krytan Explorer
Join Date: Mar 2006
Guild: EOA
Profession: P/W
|
.tmp files could be anything, don't trust it.
I've packet sniffed TexMod and listened in on API calls. It doesn't seem to be sending any data or creating any hidden log files.
However, theoretically it could be using Guild Wars to pm people (bypassing firewalls), so I won't give it the all clear.
I remember a very popular 3rd party program for Diablo 2 that was fully functional but also sent the player login data to the developer's database.
I really hope this isn't the case with TexMod.
|
|
|
May 15, 2008, 11:25 PM // 23:25
|
#48
|
Desert Nomad
Join Date: Jan 2007
Profession: R/
|
You shouldn't have to worry about password stealers with texmod, seeing how Texmod was AFAIK originally made for modding Tomb Raider and was then later used for Guild Wars, but I know for certain it wasn't made for Guild Wars. It's inconceivable that the creator had released texmod with code for stealing passwords from another game. And since it has been used for years without people reporting problems you will be safe as long as you aren't downloading a different version.
|
|
|
May 16, 2008, 01:10 AM // 01:10
|
#49
|
Jungle Guide
Join Date: Dec 2005
Guild: Mystical Chaos
Profession: E/
|
Quote:
Originally Posted by The Meth
You shouldn't have to worry about password stealers with texmod, seeing how Texmod was AFAIK originally made for modding Tomb Raider and was then later used for Guild Wars, but I know for certain it wasn't made for Guild Wars. It's inconceivable that the creator had released texmod with code for stealing passwords from another game. And since it has been used for years without people reporting problems you will be safe as long as you aren't downloading a different version.
|
Correct. Texmod was used for modding Tomb Raider, and has been floating around for quite a while. In fact, the main place to get a copy of Texmod is from the Tomb Raider website that started it all.
|
|
|
May 16, 2008, 02:12 PM // 14:12
|
#50
|
Furnace Stoker
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/
|
Hey, anyone good at these virus protection things? I found these and thought it's quite useful, something that does not involve typing - that you can use to key in information. Is it safe to use?
"Transaction Guard is FREE software that protects you against spyware while performing sensitive online tasks on a public computer, like Internet banking or other financial transactions. Transaction Guard has two components:
* Spyware Monitor – Monitors for spyware and notifies you of any intrusions.
* Password ClipBoard – An on-screen keyboard for securely entering user names and passwords.
http://www.trendsecure.com/portal/en...nsaction_guard
|
|
|
May 16, 2008, 06:46 PM // 18:46
|
#51
|
Lion's Arch Merchant
Join Date: May 2005
Profession: N/Me
|
Quote:
Originally Posted by Dylananimus
I got that virus the other week, on a brand new comp that was fully protected :/
I had to reformat just to be on the safe side.
[snip]
I scan twice a day now, both Virus and Spyware programs.
And no...I didn't have Textmod on the comp.
|
In your haste towards reassurance apparently you guys completely miss this post where it was found on a pc without textmod? Not once was it mentioned. GJ
|
|
|
May 16, 2008, 07:14 PM // 19:14
|
#52
|
Grotto Attendant
|
Quote:
Originally Posted by pumpkin pie
Hey, anyone good at these virus protection things? I found these and thought it's quite useful, something that does not involve typing - that you can use to key in information. Is it safe to use?
"Transaction Guard is FREE software that protects you against spyware while performing sensitive online tasks on a public computer, like Internet banking or other financial transactions. Transaction Guard has two components:
* Spyware Monitor – Monitors for spyware and notifies you of any intrusions.
* Password ClipBoard – An on-screen keyboard for securely entering user names and passwords.
http://www.trendsecure.com/portal/en...nsaction_guard
|
1. I generally do not trust free software that offers to manage your passwords. All too often, free password managers are in fact password thieves. I would only trust (1) password managers you compile yourself (presuming you know enough about programming to be able to read and understand the code you are compiling), or (2) password managers from reputable corporations that have a vested interest in maintaining their reputation. Trend Micro probably falls into category (2), so it's probably safe to use something downloaded directly from their official site.
2. I'm not sure how much protection this program really offers. Mouse positions can be captured the same way keystrokes can. All an attacker's program would have to do would be wait until the virtual keyboard program started up, then log mouse positions and send them to the attacker. Unless the virtual keyboard randomly moves around the screen or randomly changes the positions of keys as you type, it should be trivially easy to guess where the virtual keyboard window was positioned and derive your password from there. That's not terribly much harder to write than a keylogger, so the only "protection" the program gives you is the "protection through scarcity" that not many attackers are including mouseloggers with their keyloggers (yet).
I also have a bad feeling that this program uses the windows clipboard to transfer the password to the program you want to feed it to, which means that an attack directed at recovering the windows clipboard contents would completely bypass any security provided by this program.
|
|
|
May 20, 2008, 01:26 PM // 13:26
|
#53
|
Site Contributor
Join Date: Jun 2005
Profession: R/
|
Quote:
Originally Posted by StormDragonZ
This morning, while sitting through the morning computer scan with AVG, the PWS Lineage Trojan had come on to say hello.
Now I haven't downloaded anything EXCEPT TexMod and the three mods for Cartography Made Easy. I've used these for about a month now, and seeing it comes now of all times... just confuses me.
That's my two cents.
|
My AVG is running right now and that trojan was picked up. I'd like to know where we're all getting this from. I am so careful, I just don't understand it.
|
|
|
May 20, 2008, 01:30 PM // 13:30
|
#54
|
Frost Gate Guardian
Join Date: Jun 2006
Location: My House
Guild: N/A
Profession: Mo/Me
|
I seem to remember something to do with texmod and AVG picking up a false positive for this trojan when it scans texmod.
|
|
|
May 20, 2008, 03:30 PM // 15:30
|
#55
|
Lion's Arch Merchant
Join Date: Mar 2007
Guild: The Eternal Champions
Profession: W/Mo
|
Quote:
Originally Posted by jackers1234
I seem to remember something to do with texmod and AVG picking up a false positive for this trojan when it scans texmod.
|
It's probably a good idea if people don't just put this down to textmod though, as I didn't have textmod on my comp when my scan found the trojan :/ It was a new comp.
Still gotta be careful.
|
|
|
May 20, 2008, 03:39 PM // 15:39
|
#56
|
rattus rattus
Join Date: Jan 2006
Location: London, UK GMT±0 ±1hr DST
Guild: [GURU]GW [wiki]GW2
Profession: R/
|
Here's a thought for you:
Has anyone detected this trojan with anything other than AVG?
__________________
Si non confectus, non reficiat
|
|
|
May 20, 2008, 03:39 PM // 15:39
|
#57
|
Krytan Explorer
Join Date: Mar 2006
Location: Nunya
Profession: E/Mo
|
My AVG is picking it up every time I use TexMod.
I didn't use TexMod for 4 days, no flags on my scans. I used TexMod yesterday & my scan found it this morning. So I fired up TexMod this morning & lo & behold it creates a wtf2A.tmp file. AVG sees this temp file as the PSW.Lineage Trojan.
It creates it in C:\Documents and Settings\User\Local Settings\Temp\
|
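Added example, not part of any post in this thread: one way to inventory the wtf#.tmp files discussed above, so the same file can be compared across scans or checked with a second scanner by its hash. The function names, the filename regex (built from the "wtf" + hex number + ".tmp" description quoted earlier) and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Naming pattern as described in the thread: "wtf" + hex number + ".tmp"
WTF_TMP = re.compile(r"^wtf[0-9A-Fa-f]+\.tmp$", re.IGNORECASE)


def classify(head: bytes) -> str:
    """Rough content type from the first bytes of the file."""
    if head[:2] == b"MZ":
        return "pe-executable"  # DOS/PE header: a program or DLL
    if not head:
        return "empty"
    return "data"


def triage(temp_dir):
    """Return one record per wtf#.tmp file found directly in temp_dir."""
    records = []
    for path in sorted(Path(temp_dir).iterdir()):
        if not (path.is_file() and WTF_TMP.match(path.name)):
            continue
        data = path.read_bytes()
        records.append({
            "name": path.name,
            "size": len(data),
            "modified": path.stat().st_mtime,
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": classify(data[:2]),
        })
    return records


def demo():
    """Run triage over constructed sample files (not real TexMod output)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "wtf2A.tmp").write_bytes(b"MZ" + b"\x00" * 62)
        Path(d, "wtf1F.tmp").write_bytes(b"constructed texture data")
        Path(d, "notes.tmp").write_bytes(b"unrelated")  # ignored: wrong name
        return triage(d)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

To use it on a real machine, call `triage()` with the Temp directory path given in the post above; a matching SHA-256 on two machines shows both scanners flagged the same bytes.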
|
|
May 20, 2008, 03:54 PM // 15:54
|
#58
|
Furnace Stoker
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/
|
Thank you Chthon for the analysis. Appreciated.
|
|
|
May 26, 2008, 06:43 PM // 18:43
|
#60
|
Ascalonian Squire
Join Date: Mar 2008
Guild: [MBA]
Profession: N/Mo
|
Quote:
Originally Posted by Snograt
Here's a thought for you:
Has anyone detected this trojan with anything other than AVG?
|
Yes, Avast detects it too, it creates a *.tmp file.
|
|
|