Trojan inside mod download? (RE: ' 88 FLAK)
-
Can I ask you a question? Are there any programs in the 88 Flak mod that can be picked up as a virus or trojan?
So I decided to reinstall Freelancer on my PC after three years. And of course playing the boring original version is not quite fun. Therefore I downloaded FLMod installer + Flak88. Though upon installing FLMM my Avast picked up a warning.
FLMM seems to put a file named a.bat on your C:\ dir as well as start a service ‘Nod64.exe’. I first thought this might be some hoax as you know, most virus scanners act weird. But when I opened a.bat in Notepad it showed quite a lot of registry editing. And I am not talking about FLMM entries, but entries with setting up protocol, disabling/running services, etc etc.
So I am wondering, did anyone else run into this? Even if you try to delete a.bat and FLMMinstaller.exe it will be reproduced endlessly. Each time you reboot both files appear and FLMM forces you to install / run it. I eventually managed to prevent the annoying worm behaviour by manually removing all related things.
So what is up with this?
This is a post from somebody from Lancers Reactor. It could be that maybe somebody is attaching a trojan horse or something to their downloads?
Possible, a few days ago somebody posted a Cloak.exe on the TLR forums claiming it is a working cloak mod, but in reality it was a trojan.
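Added example, not part of the original posts: a first-pass triage of a suspicious batch file like the a.bat described above, listing the lines that edit the registry, change services or call netsh so they can be read first. The contents of the real a.bat are not shown in the thread; the sample text, value name and service name below are constructed.

```python
import re

# Rules keyed to what the post describes: registry edits, service changes,
# network/protocol setup, plus autostart keys that would explain files
# coming back after every reboot.
RULES = [
    ("autostart", re.compile(r"\\(Run|RunOnce)\b|\\Winlogon\b", re.I)),
    ("registry-edit", re.compile(
        r"^\s*@?(reg(\.exe)?\s+(add|delete|import)|regedit(\.exe)?\s+/s)\b", re.I)),
    ("service-change", re.compile(
        r"^\s*@?(sc(\.exe)?\s+(config|create|stop|start|delete)"
        r"|net(\.exe)?\s+(stop|start))\b", re.I)),
    ("netsh", re.compile(r"^\s*@?netsh(\.exe)?\s", re.I)),
]

def triage(bat_text):
    """Return [(first_line_no, [categories], command)] for flagged commands."""
    findings = []
    pending, start = "", 0
    for no, raw in enumerate(bat_text.splitlines(), 1):
        if not pending:
            start = no                      # remember where the command begins
        line = pending + raw.strip()
        if line.endswith("^"):              # caret continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or re.match(r"@?(rem\b|::)", line, re.I):
            continue                        # blank line or comment
        hits = [name for name, rx in RULES if rx.search(line)]
        if hits:
            findings.append((start, hits, line))
    return findings

# Constructed sample, NOT the a.bat from the thread.
SAMPLE = r"""@echo off
rem constructed sample for the triage function
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" ^
    /v Loader /d "C:\a.bat" /f
sc config ExampleSvc start= disabled
net stop ExampleSvc
netsh winsock show catalog
echo done
"""

if __name__ == "__main__":
    for line_no, categories, command in triage(SAMPLE):
        print(f"line {line_no}: {', '.join(categories)}: {command}")
```

A flagged line is only a pointer for manual review; legitimate installers also write registry keys, so the autostart hits are the ones to check first.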
-
Do a full system deep scan with everything. Chances are it’ll still be there, although it may have migrated to a removable drive. Delete system restore values. Anything which has a snapshot of the system. Purge the registry manually by deleting or changing keys relating to the file. I doubt it will be the last you see of that. And for God’s sake make a backup of everything important! If it’s a self replicating worm, it’s best to burn to DVD as opposed to backing up on removable drives, only keep things you NEED, there is no point keeping backups of games. Then do a high level format on the hard disk. Trust me, a self replicating trojan horse/worm will be the least of your worries, chances are it’ll allow other malicious software to install such as rootkits, key loggers and the likes of them. Call me paranoid, but I’d rather be safe than sorry. I like to run a clean computer.
-
Sickening… (no emo for throwing up…)
I just wish it was some other mod he decided to “lob in” with his post…
I read it wrong… how many more have… ??? It even got a grumble from me and I’m just a Flak fan… And it had to be the 1 file everyone Dll’s when they first want to play a mod… FLMM
Furious… would be a gross understatement
-
Has anyone else confirmed this behaviour? If there is a FLMM copy with a trojan attached then we really need to warn our players not to download it - and where not to download it from.
Sorry Flak88 guys for hijacking this thread - maybe a SP admin could move these posts into another thread.
-
Someone else will have to check TLR’s files as I’m not registered, and I never will be as long as those 3 W*****S are involved with the site.
Richard, could you or someone else point Helepolis to this site, that way he can get the same version of FLMM and can check if it’s him or TLR that has the problem.
-
Has anyone else confirmed this behaviour? If there is a FLMM copy with a trojan attached then we really need to warn our players not to download it - and where not to download it from.
Sorry Flak88 guys for hijacking this thread - maybe a SP admin could move these posts into another thread.
Split the topic and moved it to the general discussions.
-
**You can use the following program to see everything running…
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Here is a page to help with removing viruses
http://www.bleepingcomputer.com/tutorials/tutorial101.html
BTW, hope nobody ran that cloak.exe that was posted on TLR, it’s a trojan.**
-
@ Fox, just FLMM it seems m8…
I woulda sent Helepolis here days ago but I can’t even mention this place in PM / email or anything through TLR channels… just comes up as “anti advertising”… grrrr &*$%#!
Sometimes I truly wonder why I even bother with TLR…. ??? If the community wasn’t so scattered as it has become… (I’m still looking for certain peeps) I’d boycott it fully.
I’ll go grab a FLMM 1.3 from em… and give it a good scan before deletion…
-
I see. I pulled all the relevant files off the Flak FTP, including the FLMM Installer on there (uploaded on there for ease-of-use), and scanned them with Avira as well as some hand-checking for possible tampering while they’ve been on the FTP, but they all look clean.
I’d make a Lancers Reactor account to look through the downloads, but that place gives me the creeps. I’ll make a fake email and all that jazz and see what I can dig up.
-
Done…
Both the Zip & Exe “look” clean… but I ain’t running em… lol…
That was for both v1.31 and the suspicious looking (2) one… Scanned with Avira… came up clean. It’s been a few days now… probably should have dll’d it when the S**T hit the fan… sry…
@ Lancer
And yes that cloak fiasco was a right doozy… “something” is happening in there & us simple peeps are getting infected for it… and it’s also giving TLR a “worse” name and dragging FL with it… Not a happy camper…
-
It might not look dodgy, but if the code has been tampered with, and the virus code injected directly into the source code. I’m not sure if FLMM is open source, and I assume you’d be able to do such a thing, with the right know-how.
-
It’s a lot easier to just make a fake installer which takes care of infecting you instead…
FLMM isn’t open source AFAIK.
-
Xarian, would you mind sending me the EXE and zip? I’ll run 'em on my laptop, which I’m about to wipe clean and format anyways due to an infection on it, so it doesn’t matter if it gets busted.
I’d get 'em myself, but like I said that place gives me the creeps now. =P (and I don’t want to hook up the laptop to networking due to said infection)
-
Damn… Sry Fox, I deleted it straight after, and now when I search for FLMM (as I did a few hours ago) there I get a “can’t find any reference” message… well… at least it’s gone…
-
I emailed you a copy of that on your MSN account, so if you see [email protected] that’s me
-
Reading things like this makes me even more glad that MU uses LS’s auto updater. To be honest I don’t know why we don’t just all boycott LR anyway. Granted, I know some of us want to stick around there for the sake of new players, but with SP on the Microsoft site and LR not, surely there aren’t that many players over there now.