Texmod containing a malware trojan - Guild Wars Forums

N1ghtstalker · May 26, 2008, 02:49 PM // 14:49

hi,

i'm going for my cartographer title and decided to use texmod since my friend suggested it
i downloaded it on the link at the wiki but when i download i get message that it contains a trojan
any advice what i should do?

miskav · May 26, 2008, 02:53 PM // 14:53

if it's used it'll give a warning on anti-spyware scanners about a file called wtf###.pl or something like that, it's just that texmod alters some files in GW, and the anti-spyware see it as spyware lol.

By the way, be sure you downloaded it from a legit place, and not a suspicous link.

Ras Kass · May 26, 2008, 02:56 PM // 14:56

I remember seeing this in the texmod thread. It turned out to be some sort of bug that the anti-virus software will pick up on. I am no techie, so I am sure someone will be posting the specifics which you will find more settling. Either way its harmless.

N1ghtstalker · May 26, 2008, 02:58 PM // 14:58

it's about this filename: http://38.118.213.252/7waa9ktmhx+/pe...X6\Texmod.exe\[NsPack]\[ASPack]\[Embedded#30050]

walmare name: Win32:Trojan-gen {Other}

type is virus/worm

it came from filrefront where wiki directed you too

pamelf · May 26, 2008, 03:00 PM // 15:00

Texmod creates temporary files which are picked up as trojans by some anti virus programs, but are in fact not...

N1ghtstalker · May 26, 2008, 03:01 PM // 15:01

so i won't try to log on one day to find my account has been hacked?
then it'll be fine i guess (:

snaek · May 26, 2008, 03:03 PM // 15:03

definately not a threat

Snograt · May 26, 2008, 03:12 PM // 15:12

It's a false-positive that keeps popping up. I even reported it myself a while back because of the current spate of account thefts.

It's due to the nature of TexMod - because of the way it works, interrupting data between Guild Wars and the display, a lot of malware scanners see it as very trojan-like behaviour.

Yes, your account is safe - but, in the current climate, take extra precautions anyway. Cahnge your password to a strong one - something like gy4$ i(]e5ld; m03-=+f[/ for example.

Kaide · May 26, 2008, 03:26 PM // 15:26

And now you say it :P I already deleted the textmod, scanned pc, and was about to format...(I had the same problem obviosly :P)

fusa · May 26, 2008, 03:42 PM // 15:42

Which AV programs are giving the warnings? I've scanned the texmod I downloaded several months ago with nod32, avast, avg, ad-aware and spybot search & destroy, non have shown warnings.

Snograt · May 26, 2008, 04:32 PM // 16:32

I have a feeling that it depends on when the malware scan is done. As Miskav and Pamelf pointed out, it's the temporary files tha trigger the alert - wtf213.dll or whatever (wtf = Windows Temporary File, by the way). As these files reside in TEMP and are deleted after use, it's likely that they're not detected at all if the scanner runs when TexMod isn't running.

AVG picked it up for me - will test NOD later by scanning when TexMod's running to see if that does it too.

Tatile · May 26, 2008, 04:43 PM // 16:43

Quote:

Originally Posted by fusa

Which AV programs are giving the warnings?

I've got AVG Free Edition (either the latest or the one before that 7.5, can't remember) and it pops Texmod up as a false positive. It worried me at first but then googling WTF##.tmp fixed that.

Yeah, Mircoshaft knows really well how to name their files.

Edit: Wait, Trojan warning during startup (of Texmod)? I don't get that, just wtf##.tmp's appearing in the daily scan. How odd.

Cyric The Liar · May 26, 2008, 04:46 PM // 16:46

It's funny, but I've had texmod on my PC for one month now and never had a problem, but today I suddenly get the trojan warning like the others have reported when I try to run it. Something is weird here and I think I'll take a break from using it.

wyrd · May 26, 2008, 05:44 PM // 17:44

Ive been using Texmod a while now and haven't gotten any virus warning but today avast detected a virus mentioned above "Win32:Trojan-gen {Other}"
Probably after a recent definition update. after running Texmod and avast detects it wont run gw.exe there is just a popup window saying "D'OH"

A virus scan afterwards however detects nothing probably because as mentioned above is in a temp directory and doesn't go beyond that.

Edit:Note Texmod runs Gw.exe normally if no tpf file is loaded the virus alert only happens when a tpf file is loaded no matter which one.

Snograt · May 26, 2008, 05:49 PM // 17:49

Quote:

Originally Posted by wyrd

Probably after a recent definition update.

That, I suspect, is the answer.

Mr. G · May 26, 2008, 05:58 PM // 17:58

ive been using texmod since the GW modding community started...and tbh im tired of telling people its clean...its clean DAMMIT

it alters files so cheap and tbh...crap scanning software (AVG comes to mind) think it has to be a trojan of some sort

kvndoom · May 26, 2008, 06:06 PM // 18:06

Quote:

Originally Posted by wyrd

Ive been using Texmod a while now and haven't gotten any virus warning but today avast detected a virus mentioned above "Win32:Trojan-gen {Other}"
Probably after a recent definition update. after running Texmod and avast detects it wont run gw.exe there is just a popup window saying "D'OH"

A virus scan afterwards however detects nothing probably because as mentioned above is in a temp directory and doesn't go beyond that.

Edit:Note Texmod runs Gw.exe normally if no tpf file is loaded the virus alert only happens when a tpf file is loaded no matter which one.

It won't run on my main system either unless I disable AVG's real-time virus protection. Which is fine, if all I'm doing is playing GW. Seems to work if I disable AV, open GW with texmod, then re-enable AV.

OS T · May 26, 2008, 06:29 PM // 18:29

ok,so I have used textmod since like almost 1.5year now..and today when I used textmod again..the wtf...thing went up on my screen, so I saw DOH and sh*** happens appear on my screen,so I thought I got the keylogger,but I dont know,so I post here for a answer...

wyrd · May 26, 2008, 07:18 PM // 19:18

Some viruses activate on a particular day today being U.S Memorial day it seems suspicious but more likely it is caused by a virus definition update. It seems it has suddenly occured today to many people using different av programs so anyone using it should be cautious.

If you want to use Texmod turn anti-virus off until Guild Wars loads or dont use it.

Quaker · May 26, 2008, 07:42 PM // 19:42

My advice, use Texmod to do your Cartography titles and then put it away - it's too dam glitchy to use for much else. And who knows what version is "clean", when.

As far as the rest of the graphics stuff you can do with it goes, only you can see it anyway, so why bother.

May 26, 2008, 02:49 PM // 14:49	#1
N1ghtstalker Forge Runner Join Date: Dec 2007 Profession: E/	Texmod containing a malware trojan hi, i'm going for my cartographer title and decided to use texmod since my friend suggested it i downloaded it on the link at the wiki but when i download i get message that it contains a trojan any advice what i should do?

May 26, 2008, 03:12 PM // 15:12	#8
Snograt rattus rattus Join Date: Jan 2006 Location: London, UK GMT??0 ??1hr DST Guild: [GURU]GW [wiki]GW2 Profession: R/	It's a false-positive that keeps popping up. I even reported it myself a while back because of the current spate of account thefts. It's due to the nature of TexMod - because of the way it works, interrupting data between Guild Wars and the display, a lot of malware scanners see it as very trojan-like behaviour. Yes, your account is safe - but, in the current climate, take extra precautions anyway. Cahnge your password to a strong one - something like gy4$ i(]e5ld; m03-=+f[/ for example. __________________ Si non confectus, non reficiat

May 26, 2008, 04:32 PM // 16:32	#11
Snograt rattus rattus Join Date: Jan 2006 Location: London, UK GMT??0 ??1hr DST Guild: [GURU]GW [wiki]GW2 Profession: R/	I have a feeling that it depends on when the malware scan is done. As Miskav and Pamelf pointed out, it's the temporary files tha trigger the alert - wtf213.dll or whatever (wtf = Windows Temporary File, by the way). As these files reside in TEMP and are deleted after use, it's likely that they're not detected at all if the scanner runs when TexMod isn't running. AVG picked it up for me - will test NOD later by scanning when TexMod's running to see if that does it too. __________________ Si non confectus, non reficiat

May 26, 2008, 05:44 PM // 17:44	#14
wyrd Ascalonian Squire Join Date: Feb 2008 Guild: Halo Profession: P/	Ive been using Texmod a while now and haven't gotten any virus warning but today avast detected a virus mentioned above "Win32:Trojan-gen {Other}" Probably after a recent definition update. after running Texmod and avast detects it wont run gw.exe there is just a popup window saying "D'OH" A virus scan afterwards however detects nothing probably because as mentioned above is in a temp directory and doesn't go beyond that. Edit:Note Texmod runs Gw.exe normally if no tpf file is loaded the virus alert only happens when a tpf file is loaded no matter which one. Last edited by wyrd; May 26, 2008 at 05:51 PM // 17:51..

May 26, 2008, 02:53 PM // 14:53	#2
miskav Jungle Guide Join Date: Jun 2005 Guild: None Profession: Mo/	if it's used it'll give a warning on anti-spyware scanners about a file called wtf###.pl or something like that, it's just that texmod alters some files in GW, and the anti-spyware see it as spyware lol. By the way, be sure you downloaded it from a legit place, and not a suspicous link.

May 26, 2008, 02:56 PM // 14:56	#3
Ras Kass Academy Page Join Date: Aug 2005 Location: Waterloo, Canada Guild: FF Profession: W/A	I remember seeing this in the texmod thread. It turned out to be some sort of bug that the anti-virus software will pick up on. I am no techie, so I am sure someone will be posting the specifics which you will find more settling. Either way its harmless.

May 26, 2008, 02:58 PM // 14:58	#4
N1ghtstalker Forge Runner Join Date: Dec 2007 Profession: E/	it's about this filename: http://38.118.213.252/7waa9ktmhx+/pe...X6\Texmod.exe\[NsPack]\[ASPack]\[Embedded#30050] walmare name: Win32:Trojan-gen {Other} type is virus/worm it came from filrefront where wiki directed you too

May 26, 2008, 03:00 PM // 15:00	#5
pamelf Forge Runner Join Date: Aug 2006 Location: Australia Guild: Lost Templars [LoTe] Profession: Me/Mo	Texmod creates temporary files which are picked up as trojans by some anti virus programs, but are in fact not...

May 26, 2008, 03:01 PM // 15:01	#6
N1ghtstalker Forge Runner Join Date: Dec 2007 Profession: E/	so i won't try to log on one day to find my account has been hacked? then it'll be fine i guess (:

May 26, 2008, 03:03 PM // 15:03	#7
snaek Forge Runner Join Date: Mar 2006 Profession: N/	definately not a threat

May 26, 2008, 03:26 PM // 15:26	#9
Kaide Ascalonian Squire Join Date: Apr 2008 Location: Finland Guild: Cold Summer Breeze Profession: W/	And now you say it :P I already deleted the textmod, scanned pc, and was about to format...(I had the same problem obviosly :P)

May 26, 2008, 03:42 PM // 15:42	#10
fusa Krytan Explorer Join Date: Mar 2007	Which AV programs are giving the warnings? I've scanned the texmod I downloaded several months ago with nod32, avast, avg, ad-aware and spybot search & destroy, non have shown warnings.

May 26, 2008, 04:46 PM // 16:46	#13
Cyric The Liar Ascalonian Squire Join Date: Mar 2008 Guild: [MBA] Profession: N/Mo	It's funny, but I've had texmod on my PC for one month now and never had a problem, but today I suddenly get the trojan warning like the others have reported when I try to run it. Something is weird here and I think I'll take a break from using it.

May 26, 2008, 05:58 PM // 17:58	#16
Mr. G Desert Nomad Join Date: Jul 2006 Location: S. Wales Profession: Mo/Me	ive been using texmod since the GW modding community started...and tbh im tired of telling people its clean...its clean DAMMIT it alters files so cheap and tbh...crap scanning software (AVG comes to mind) think it has to be a trojan of some sort

May 26, 2008, 06:29 PM // 18:29	#18
OS T Desert Nomad Join Date: May 2006 Profession: Mo/E	ok,so I have used textmod since like almost 1.5year now..and today when I used textmod again..the wtf...thing went up on my screen, so I saw DOH and sh*** happens appear on my screen,so I thought I got the keylogger,but I dont know,so I post here for a answer...

May 26, 2008, 07:18 PM // 19:18	#19
wyrd Ascalonian Squire Join Date: Feb 2008 Guild: Halo Profession: P/	Some viruses activate on a particular day today being U.S Memorial day it seems suspicious but more likely it is caused by a virus definition update. It seems it has suddenly occured today to many people using different av programs so anyone using it should be cautious. If you want to use Texmod turn anti-virus off until Guild Wars loads or dont use it.

May 26, 2008, 07:42 PM // 19:42	#20
Quaker Hell's Protector Join Date: Aug 2005 Location: Canada Guild: Brothers Disgruntled	My advice, use Texmod to do your Cartography titles and then put it away - it's too dam glitchy to use for much else. And who knows what version is "clean", when. As far as the rest of the graphics stuff you can do with it goes, only you can see it anyway, so why bother.