Ohpus

Virus in some mods


Just a heads up. All download links available through G3 for the following mods have a virus. I verified it with the online scanner:

 

http://www.windowsecurity.com/trojanscan/trojanscan.asp

 

My own AVG anti-virus only picked up the other trojans this loaded when I started the modded BGII game.

 

Here is what I found in the scan:

 

QUOTE

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Alternate Portraits\Gibberlings 3\g3m_plasmo_picks-v2.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Amber NPC\G3mirror_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Amber NPC\G3_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Amber NPC\home_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Amber NPC\ia_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\P&P Celestials\g3m_pnpcelestials-v5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\P&P Celestials\g3_pnpcelestials-v5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\P&P Celestials\ia_pnpcelestials-v5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\P&P Celestials\ic_pnpcelestials-v5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Totemic Cernd\g3m_totemic_cernd-v2.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Totemic Cernd\g3_totemic_cernd-v2.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Totemic Cernd\ia_totemic_cernd-v2.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2

F:\Archives\Software\Games\Mods and Patches\Baldur's Gate II\Modders\Gibberlings 3\Totemic Cernd\ic_totemic_cernd-v2.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2


I added abbreviations to the start of the file name to indicate the download source of the file (ie g3 would be the main g3 DL, g3m would be the mirror).

 

No other G3 mods (such as Romantic Encounters or Full Plate & Packing Steel) seem to be infected, but I haven't checked the online downloads of those mods since I cleaned my system. However, I did DL some of the Plasmo portrait packs after the clean up and found the same virus.

 

No other non-Mod downloads (ie exe and zip files) have shown the same infection.


This is your virus scanner giving a false positive. Please, please check the forums before you post, people.

QUOTE

This is your virus scanner giving a false positive. Please, please check the forums before you post, people.

 

 

I did check the forums.

 

Though it seems highly coincidental that after launching the game with the installed mods my virus scanner went crazy, then a scan of the mods showed a virus, no?

 

 

 

To be more specific. I was using an AVG scanner. Scanning of the directory with the downloaded mods and the game directory with the installed mods showed no infection. As soon as I launched BGII with the mods installed I had 3 trojan alerts in directories unrelated to the game itself. I hit clean and moved on. Less than a minute later I had multiple trojan infections in Windows system files which AVG could not clean because they were "white-listed". 30 seconds after that the MOM.exe file crashed and would not come back. I had to re-Ghost my machine for the 6th time.

 

I assumed I had been attacked another way and downloaded the "infected" mods over again from the links on G3. I downloaded from every mirror to be sure. I rescanned them, and they appear to be the source of infection.

 

Playing BGII before this without these specific mods which I tried this time around had absolutely no issues.

 

Now while it is possible you are correct, and this would explain why AVG did not pick it up, it's also possible you are not. Either way, being dismissive is not the answer.

 

...to repeat, yes I have read the forums where this was reported as a false positive. That does not explain the attacks.

Edited by Ohpus


Well, quite apart from anything else, several of the mods on your list haven't been re-uploaded for years. So I really don't think it's likely. (And my own scan shows nothing.)

 

False positive reports on viruses being present are pretty common; WEIDU has a well-known track record of showing up as an antivirus FP.


I did find it a little hard to believe that all mirrors for a specific file would be infected unless it was infected at source. That would mean that either it's a false positive or you are all fiendishly clever virus writers.

 

Given the construction of a mod I fully understand why scanners would pick it up as a false positive so I didn't want to say anything until I eliminated the other possibilities. Fact remains that the system was completely stable until I launched BGII with the mods installed.

 

Still. I'm off for a week so I'm willing to re-Ghost yet again to find the real culprit. So let's see what happens.

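The post above reasons that every mirror of a file could only be "infected" if the file was infected at source. The concrete check behind that reasoning is to hash the copy from each mirror and compare: byte-identical copies mean the mirrors all serve the one build the modder uploaded, so a detection is a property of that build (the WeiDU self-extractor case the replies mention) rather than of any mirror. The script below is an added example written for this thread, not code from the poster or from G3; it parses report lines in the shape of the scanner output quoted at the top (the sample lines are constructed, with shortened paths), groups hits by mod folder and by the poster's source prefixes (g3, g3m, ia, ic, home), and compares SHA-256 hashes of mirror copies. Identical hashes do not by themselves show a file is clean; they only tell you whether a second scanner opinion or the author's published checksum is about the same artifact.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the shape of the scanner report quoted in the thread:
# "<path> detected: <signature name>". Paths are shortened, not the poster's own.
SCAN_OUTPUT = r"""
F:\Mods\Gibberlings 3\Amber NPC\g3m_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2
F:\Mods\Gibberlings 3\Amber NPC\g3_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2
F:\Mods\Gibberlings 3\Amber NPC\home_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2
F:\Mods\Gibberlings 3\Amber NPC\ia_amber-v2.5.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2
F:\Mods\Gibberlings 3\Totemic Cernd\g3m_totemic_cernd-v2.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2
F:\Mods\Gibberlings 3\Totemic Cernd\ic_totemic_cernd-v2.exe detected: Trojan-Dropper.Win32.Agent.apvg!A2
"""

# One report line: everything before " detected: " is the path, the rest the signature.
LINE_RE = re.compile(r"^(?P<path>.+?) detected: (?P<sig>\S+)$")


def parse_scan(text):
    """Parse report lines into dicts with mod folder, source prefix, file and signature."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        parts = m.group("path").split("\\")
        filename = parts[-1]
        # The poster prefixed each copy with its download source (g3, g3m, ia, ...).
        source = filename.split("_", 1)[0].lower()
        found.append({
            "mod": parts[-2] if len(parts) > 1 else "",
            "source": source,
            "file": filename,
            "signature": m.group("sig"),
        })
    return found


def summarize(detections):
    """Per mod: which download sources were hit, and with which signature names."""
    summary = defaultdict(lambda: {"sources": set(), "signatures": set()})
    for d in detections:
        summary[d["mod"]]["sources"].add(d["source"])
        summary[d["mod"]]["signatures"].add(d["signature"])
    return {mod: {"sources": sorted(v["sources"]), "signatures": sorted(v["signatures"])}
            for mod, v in summary.items()}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a real download on disk, reading in chunks so large installers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(copies):
    """Map each distinct SHA-256 to the source labels whose copy has that hash."""
    groups = defaultdict(list)
    for source, data in copies.items():
        groups[sha256_bytes(data)].append(source)
    return {digest: sorted(sources) for digest, sources in groups.items()}


def mirrors_identical(copies):
    """True when every mirror served the byte-identical file."""
    return len(group_by_hash(copies)) == 1


if __name__ == "__main__":
    for mod, info in summarize(parse_scan(SCAN_OUTPUT)).items():
        print(f"{mod}: sources {info['sources']} -> signatures {info['signatures']}")

    # Constructed stand-ins for the bytes fetched from each mirror (use
    # sha256_file(path) on real downloads instead).
    same_build = {"g3": b"installer-bytes", "g3m": b"installer-bytes", "ia": b"installer-bytes"}
    one_differs = {"g3": b"installer-bytes", "g3m": b"installer-bytes", "ia": b"other-bytes"}
    print("all mirrors identical:", mirrors_identical(same_build))   # True
    print("one mirror differs:", group_by_hash(one_differs))          # two hash groups
```

When every mirror's copy hashes the same and every copy trips the same signature, the question to settle is whether that single build is a false positive, which is a question for a second engine or the mod author, not for the mirrors. A copy whose hash differs from the others is the one to isolate and look at first.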

that's because antivirus software creates more troubles than the viruses themselves, not because of viruses in the mods.


Nice to see more than one person chiming in. Really. :) If it was just one person you would wonder.

 

I agree with The Bigg to a degree. A virus scanner set for automatic can take out critical system files. As they say, nothing will stop you from shooting yourself in the foot. But for the sake of argument, and to eliminate the mods from my list of troublemakers, does anyone have a short-list of tools which will not return false positives?

 

So far I've used AVG, Trend, and A-Squared.

 

 

 

Update: Sometimes a coincidence is just that. And sometimes if you reinstall Windows enough times the problem sorts itself out.

 

Thanks to those who helped eliminate the mods from being the issue.

Edited by Ohpus
