Virus alert - PWS Lineage
Snograt
I am one of three people in my far-flung family whose virus checker has detected the PWS Lineage trojan recently. It was originally designed to steal passwords from Lineage, but over the years has gradually been altered to gather logins from several other games - see here http://vil.nai.com/vil/content/v_130590.htm
Usual advice applies - make sure you have a good virus checker installed and that its definitions are up to date. And let the bugger finish its scan - I know how annoying virus scans can be, but they're a necessary evil.
Apologies if this is the texmod false-positive again - it's a possibility, but it's better to be safe than sorry, especially with all the recent account thefts.
The trojan was detected by AVG 8.0 - not sure where mine was, but my cousin-in-law's was in her GW folder
tommarrow
Thanks for the heads up Snograt.
Darkobra
The more security awareness, the better. Now I have a specific target to look for.
fusa
Which virus scanner did you use? What files were infected?
Sarevok Thordin
How does infection take place?
NoXiFy
keyloggers suck
Dylananimus
I got that virus the other week, on a brand new comp that was fully protected :/
I had to reformat just to be on the safe side.
AVG picked it up, and quarantined it. I couldn't see that it had escaped the Temp folder and done anything to the registry, but that's apparently what it would have done if undetected.
I scan twice a day now, both Virus and Spyware programs.
And no...I didn't have Textmod on the comp.
Taurus
Looks like the only reasonable explanation for all the "hacking" goin' around.
Snograt
Edited the OP with more info - detected by AVG 8.0 and in one instance in the GW folder.
I am unaware what specific file was involved - probably PWS-Lineage.dll, according to online databases. I think that, like Dylananimus, mine was in my Temp folder, which would be typical of this particular Trojan.
crazybanshee
Wow, I used to play lineage, nowadays you probably couldn't give your US account away since nobody plays it anymore. Guess I'll go update my AVG.
MisterB
I just ran a scan with AVG 7.5, and turned up a report for PWS Lineage, but I'm fairly certain it's a false positive in my case. The file was wtf(#).tmp in my local temp folder, where (#) was a number I don't remember. I use TexMod, hence my suspicion it was a false positive. None of the other files associated with PWS Lineage were found in the scan. Updating to AVG 8.0 now.
Zehnchu
Trojan Horse PSW.Linage.AGX
View your scan history in AVG 8.0
Computer Scanner -> Scan History -> any blue-coloured scheduled scan (blue indicates which scans have infections) -> Infections
Location: C:\Users\Name Of User\AppData\Local\Temp\
Files it's been named:
wtfD8D6.tmp
wtf1BAE.tmp
wtf2091.tmp
wtf41A1.tmp
wtf2E5.tmp
wtf674B.tmp
wtf715A.tmp
wtfA2CA.tmp
wtfDF75.tmp
Wtf9686.tmp
Wtf8A03.tmp
Wtf7A41.tmp
wtf6831.tmp
WtfEBEB.tmp
And it's only been found in the Temp folder. I ran TexMod a few ways, then scanned the Temp folder and Guild Wars folders and found nothing. But I'll keep an eye on it.
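Zehnchu's list above is one user's inventory of the flagged wtf#.tmp files. As an added example (not part of this thread, and not AVG's or TexMod's code), here is a small Python helper that does the same inventory read-only, hashing each matching file in the Temp folder so the content can be given a second-opinion scan with another engine; the directory, file names and contents in build_sample_temp_dir are constructed sample data.

```python
"""Triage for a suspected AV false positive: inventory the wtf<hex>.tmp files
flagged in the local Temp folder so the same content can be checked with a
second engine. Hypothetical helper, not part of AVG or TexMod."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Pattern from the thread: "wtf" + 1-4 hex digits + ".tmp", prefix in mixed
# case (wtf..., Wtf...), hence the case-insensitive match.
WTF_TMP = re.compile(r"^wtf[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)

def sha256_of(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory_wtf_files(temp_dir):
    """One record (name, size, sha256) per matching file. Read-only: nothing
    is deleted or quarantined here; that stays with the AV product."""
    records = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if WTF_TMP.match(name) and os.path.isfile(path):
            records.append({"name": name, "size": os.path.getsize(path),
                            "sha256": sha256_of(path)})
    return records

def group_by_hash(records):
    """Map each distinct SHA-256 to the names carrying it. If every flagged
    file shares one hash, one second-opinion scan settles the whole list."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["name"])
    return dict(groups)

def build_sample_temp_dir():
    """Constructed sample, not real TexMod output: three identical files
    under names quoted in the thread plus one unrelated temp file."""
    d = tempfile.mkdtemp(prefix="triage_")
    for name in ("wtfD8D6.tmp", "Wtf9686.tmp", "wtf2E5.tmp"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"constructed texmod-like temp content")
    with open(os.path.join(d, "unrelated.tmp"), "wb") as f:
        f.write(b"something else")
    return d
```

On a real machine, pass the path from the AVG report (the %LOCALAPPDATA%\Temp folder) to inventory_wtf_files instead of the constructed directory.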
fenix
Has anyone detected this with an anti-virus that ISN'T AVG? I know it shows some false-positives...but this is ridiculous. Someone try with NOD32 or something decent.
Snograt
Good point.
Incidentally, my AVG found wtf# files too - forgot until Zehnchu mentioned it.
[edit] hmm, this may well be a TexMod false-positive after all
http://www.guildwarsguru.com/forum/s...7&postcount=14
Quote:
Every time I use TexMod (downloaded with the link in GuildWiki), I get this trojan called wtf#.tmp (# = some random number). Is it a dangerous trojan?
Maybe when AVG updated from 7.x to 8 it started to falsely tag TexMod again - I've had it installed for ages and AVG's never been bothered before.
pamelf
I'm updating to AVG 8.0 as we speak, so if I have it, hopefully it will be picked up. Thanks for the heads up.
fenix
I downloaded it, and scanned the .zip with NOD32, detected nothing. Considering the zip comes with Texmod.exe and Readme.txt, I decided just to leave it zipped and not extract it or anything, since there wasn't a reason to (already have it on the computer).
AVG fails?
Edit: Scanned my Temp files and found nothing also. <3 NOD32
Lykan
I only have the free Avg 7.5, can it be updated to 8.0?
Shakti
OK now I'm worried about textmod. My hubby DLed Textmod a month or so ago (I think from the "safe" link here but I'll check when he gets home) so I could do cartographer.
I use McAfee SecurityCenter among other scans, and after reading this and the other threads, ran the scan just on the Textmod.exe file itself. It came up with a trojan, New Malware.aj to be exact. Seems to be a 2006 Heuristic trojan (wtf?)
Crap.
Snograt
Don't worry yet - because of TexMod's nature of intercepting system calls, a lot of virus scanners have falsely identified it as a virus/trojan. I think that the AV companies can be reassured of a program's validity and virus definitions can be updated to ignore it.
Shakti
Snog, do you mean it may not be this New Malware.aj thing at all, just that McAfee is getting mixed up by TexMod's nature and falsely IDing it as that trojan? If so you just made my night...
Snograt
It's tricky - the false-positive thrown up by TexMod seems to relate to those wtf files in Temp. This seems for whatever reason to be convincing AVG that it's the PWS-Lineage trojan (PWS stands for PassWord Stealer, if you're interested.)
You're using McAfee, and all AVs give viruses different names. Whether the 2006 Heuristic is McAfee's mis-diagnosis of TexMod, I can't tell - but a quick Google of "2006 heuristic" showed that the first page of results were all false positives, mainly from a file compression program.
In any case, if your crapaffee detected it, it would hopefully have healed it too, in the unlikely event that it was a real trojan.
pumpkin pie
Question about AVG free.
What is the difference between the free version and the paid version? As in, can the free version detect the same types of virus the paid version can?
Snograt
No anti-rootkit, and other minor things. Certainly no firewall - that's with the really expensive AVG Internet Security, as is anti-spyware.
Comparison page - http://free.grisoft.com/ww.download-...s-free-edition
The AV component is just the same.
Takeko Nakano
Quote:
Originally Posted by Lykan
I only have the free Avg 7.5, can it be updated to 8.0?
Personally I like AVG. Sure it might come up with a false positive for some people once in a while, but quite rarely. For a free piece of software it's very good!
pumpkin pie
Thanks
Rushin Roulette
As the files detected are always in the Temp folder, it should be safe to quarantine/delete them anyway, as those are not part of the running program, shouldn't it?
ReiNaruto
That's the virus my AV detected when I downloaded TexMod from the official wiki. My antivirus is Trend Micro PC-cillin, the latest version.
Fril Estelin
I'm not convinced yet there's a problem, as I've seen a few false positives on this Lineage trojan and its little brothers. And TexMod is a reputable project, so the probability of a trojan getting into it is very low (but not zero). No problem at all with Symantec and Antivir.
Did you make sure you updated your software? (Looks like a silly question, but sometimes the update fails and your AV does not have the latest virus signature files.)
@pumpkin pie: no AV vendor would be so silly as to sell different levels of protection at different prices in terms of virus/trojan coverage. Sometimes they offer detection of minor (spyware, phishing) and major (rootkit) threats for a fee. Most often the fee adds usability to the tool, providing convenient means to manage the AV. This software is under a lot of scrutiny from the security community, so be sure that something like that would not be taken lightly.
Arduin
Hmmm. Five wtf#.tmp too in my Temp directory. Let's just hope it stays there.
Thanks for the warning Snograt.
Alexandra-Sweet
1. AVG is junk, AVG is being paid by gaming companies to detect and remove keygenerators and other programs alike.
2. Keyloggers require a connection to a server, a proper firewall can pick this up, so if you see Textmod requiring an internet connection, there's something wrong.
Arduin
Quote:
Originally Posted by Alexandra-Sweet
1. AVG is junk, AVG is being paid by gaming companies to detect and remove keygenerators and other programs alike.
Fril Estelin
Quote:
Originally Posted by Arduinna
What's bad about that? Most Trojans and other malware only spread because gamers are downloading all those keygens/no-cd/cracks and such.
AVG is OK, not the best in its category but doing the job.
Pleikki
Ah, nice to know about that virus. Meh, in my opinion AVG sucks, so I stay with my 100e/month virus program :f
Sarevok Thordin
AVG is fine for what it does at the right price (free :P)
fenix
Better off with Avira if you want a free one (it's heaps better than AVG, faster, less RAM, almost no false positives) or NOD32 if you're paying. Anything less than those is a bad choice.
ProgTes
Quote:
Originally Posted by Pleikki
Ah, nice to know about that virus. Meh, in my opinion AVG sucks, so I stay with my 100e/month virus program :f
Anyway, scanning computer now. Has anyone had problems with texmod by the way (problems meaning that it contains a virus after downloading from a supposed safe location)?
distilledwill
Hmm... I've been getting these too. I should probably change my password, thanks for the heads-up.
Balan Makki
Most of all, be careful of all your other games with endless MoDs, such as WoW and other evercracked MMOs. These are where you'll pick up a butt load of crap.
Gwmaster
Umm, interesting... I just did a scan and found nothing; the only thing it showed me is the hosts file in system32, since I changed it lately so I could make servers and stuff. Also, I've had TexMod for some time now and never had a problem with it.
Shakti
Hey Snog? Just wanted to say thank you for answering my question and not making me feel like a complete dipshit for not knowing about the false positive thing. That's kinda rare at Guru lol so ty
Hubby looked at it when he got home (He's an IT geek professionally lol) and said the same thing you did btw.