
Need Help Installer includes trojan horse/virus?

Oldtimer

Master Mariner
Hi all,

really sorry about this, but:

- downloaded the installer from moddb and Microsoft Security Essentials say that there is a:

- Trojan: Win32/Tilken.B!cl.

Now what?

Rgds, Oldtimer
 
Get the installer from the first post of this thread. Only Part 2, the contents archive, needs to come from ModDB. (The ModDB installer is out of date anyway - the one linked in the first post of this thread is much improved.)

Edit - it's not this thread any more, someone decided to move the posts. Get the newest installer from here instead:
Mod Release - Build 14 Beta 4.1 WIP [Last Update: 31 August 2017][Beta 7 December 2017]
 
> - downloaded the installer from moddb and Microsoft Security Essentials say that there is a:
>
> - Trojan: Win32/Tilken.B!cl.
Can anyone confirm that? I know I made that installer EXE myself and it is 100% clean.
Unless someone managed to replace it after I uploaded.

Does it happen for this one too?
http://www.piratesahoy.cloud/repository/PotC/b14_beta4_installer.exe
That one MUST be clean, because I don't think (m)any other people have the rights to replace it there.
If Microsoft Security Essentials claims a trojan in there too, then Microsoft must be wrong.
I have no clue how anything like that could have snuck into a simple, clean NSIS installer that I made myself. o_O
 
> Can anyone confirm that? I know I made that installer EXE myself and it is 100% clean.
> Unless someone managed to replace it after I uploaded.
>
> Does it happen for this one too?
> http://www.piratesahoy.cloud/repository/PotC/b14_beta4_installer.exe
> That one MUST be clean, because I don't think (m)any other people have the rights to replace it there.
> If Microsoft Security Essentials claims a trojan in there too, then Microsoft must be wrong.
> I have no clue how anything like that could have snuck into a simple, clean NSIS installer that I made myself. o_O
almost certainly a false positive :shrug but I can scan it with bitdefender too when I get home to create some peace of mind if you like
 
> almost certainly a false positive :shrug but I can scan it with bitdefender too when I get home to create some peace of mind if you like
You're welcome to scan it, just to be sure. I never like viruses and if somehow one managed to creep in, it should be addressed.
 
I did a google search on the name of the virus. It looks like it shows up in a lot of false positives.

Hook
 
The latest installer was 100% clean when I turned it over. My antivirus settings are rather aggressive.
 
Keep in mind that just because you uploaded a clean file doesn't guarantee that someone won't download an infected one. That happened to me on the very first version of TEHO Hookmod. Someone downloaded it and asked if it was supposed to contain a self extracting file within the rar file. That's not how I uploaded it, and when I tried to download it to check my antivirus blocked it. Needless to say I pulled the link immediately and warned people. I did not research to see if the upload site was the problem or if something intervened between the site and the users.

Hook
 
> The latest installer was 100% clean when I turned it over. My antivirus settings are rather aggressive.
If I understand correctly, the message was about the version on ModDB, which you didn't make.
But still... I made that and I'm pretty sure it IS 100% clean. Unless something really, really weird happened.

> Keep in mind that just because you uploaded a clean file doesn't guarantee that someone won't download an infected one. That happened to me on the very first version of TEHO Hookmod. Someone downloaded it and asked if it was supposed to contain a self extracting file within the rar file. That's not how I uploaded it, and when I tried to download it to check my antivirus blocked it. Needless to say I pulled the link immediately and warned people. I did not research to see if the upload site was the problem or if something intervened between the site and the users.
That's scary! :shock
 
Hi,

I downloaded the b14_beta4_installer.exe from moddb on your official page, and it says a virus is included in it. I don't know if it is a false flag report or not, but I downloaded this installer a couple of times since its release and this is the first time Norton says it's a virus (picture included, but it's in Dutch, though I know some members are Dutch).
 
Attachment: Naamloos.png
Hi @niels,
Thanks for the report.
Where does it say there is a virus included? And what does it say?
Which version from which link do you mean?

I merged your report with the one by @Oldtimer who reported something very similar earlier this month.
Because this sounded concerning to me, I tried to do a thorough investigation as shown in the post above yours.
 
Hi, I downloaded it from this site: Build 14 Beta 4.0 Part 1: Installation Wizard file - Pirates of the Caribbean: New Horizons mod for Pirates of the Caribbean
I copied this from Norton. It's in Dutch, so sorry English people :/ (translated below)

File name: b14_beta4_installer.exe
Threat name: Trojan.Gen.8!cloud
Full path: c:\users\niels\downloads\b14_beta4_installer.exe

____________________________

Present on computers since
28-12-2017 at 18:19:28

Last used
28-12-2017 at 19:15:09

Startup item
No

Launched
No

Threat type: Heuristic virus. Detection of a threat based on malware heuristics.

____________________________

b14_beta4_installer.exe Threat name: Trojan.Gen.8!cloud

Few users
Hundreds of users in the Norton Community have used this file.

Old
This file was released 1 year 8 months ago.

High
This file is high risk.

____________________________

http://sjc3.dl.dbolical.com/dl/2016....exe?st=GJfklzhUvLoaBVfkAl1i7Q==&e=1514488499
File downloaded from dbolical.com
Source: external media

b14_beta4_installer.exe

____________________________

File actions

File: c:\users\niels\downloads\b14_beta4_installer.exe Removed
____________________________

File fingerprint - SHA:
aa0f56d74979e88956d72fc8699b54bea19c328262cdadf765d6b93d52e9ceb5
File fingerprint - MD5:
b283423cde277f0227f41ccef52d2203
 
I'm not an IT expert, but I think a Trojan is buried deep inside the exe...
But the first report is from earlier this month and the exe was added on 2nd of April 2016, so is it possible that a virus infiltrated ModDB's cloud or wherever it's uploaded, and decided to nest in this exe?
If it's true, maybe more files are exposed? Or am I thinking too hard?
 
> I'm not an IT expert, but I think a Trojan is buried deep inside the exe...
It is either that or a false positive. I'm still trying to figure out which of the two it is.

In addition to the check in post #11 above, I have now also:
Downloaded "b14_beta4_installer.exe" from:
- Some ModDB Mirror [???]
- The PiratesAhoy! Cloud
- The BowenGames Mirror

I then checked all three using Kaspersky, which states the files are clean. They are also all three identical.

I know for certain that the original Installer EXE I made myself is clean as it is just a simple thing I made using the open-source NSIS.
Very few people have access to the PiratesAhoy! Cloud, so that version at least should be as clean as when I made it.

Since all three are identical and confirmed clean by Kaspersky and www.VirusTotal.com, apparently the file itself is OK.
That leaves two options:
1. SOME of the ModDB mirror servers are infected, but not all of them and I got lucky today to download from a clean one
or
2. Norton and Microsoft Security Essentials give a false positive for some unexplained reason

To narrow it down, is there anywhere you can upload your infected copy of the file?
If we can check that with VirusTotal and Kaspersky and do a WinMerge to check if they are identical, that should tell us if your copy somehow got infected.

> File fingerprint - SHA:
> aa0f56d74979e88956d72fc8699b54bea19c328262cdadf765d6b93d52e9ceb5
> File fingerprint - MD5:
> b283423cde277f0227f41ccef52d2203
I used Online MD5 Hash Generator & SHA1 Hash Generator to get the MD5 and SHA-256 checksums of the PiratesAhoy! Cloud copy of the file.
This resulted in the exact strings that you posted, but in uppercase instead of lowercase.

This does suggest that you got a copy of the file that is just as clean as the ones I have checked.
However, a checksum is not a 100% guarantee, so perhaps something weird does happen.

On the other hand, I now also uploaded my original, untouched copy of the file to www.VirusTotal.com and, concerning enough, I got this:
(Screenshot attached: upload_2017-12-28_22-21-18.png)

The good: Microsoft is shown on the bottom of this page and indicates it being clean, despite @Oldtimer's report from the opening post.
The bad: Unfortunately Norton is not included at all, so for that one I don't know.
[EDIT: Oops, Norton = Symantec, so indeed it IS included...]
The ugly: 4 out of 64 do show 3 different Trojans in there, which I definitely don't like.

You could also try it with http://piratesahoy.bowengames.com/potc/Grey Roger/Build14_installer_31082017.exe instead (this is the newest version made by @Mad Jack Wolfe).
If that one shows the same, then apparently Norton does not like NSIS installers for some reason.
If it does not show the same, then perhaps my computer was infected at the time I created the installer and that managed to sneak in somehow. o_O

I tried to check this myself using www.VirusTotal.com, but unfortunately the file is 363MB, which exceeds the 256MB limit of that website.
Therefore I cannot perform the same check myself. I did do a check with Kaspersky, which states that one is clean.
But I don't know how much that means, because Kaspersky also says the original one is clean, while AVware, Symantec, Baidu and VIPRE don't agree.

In other words: I don't know what to believe right now and I don't like it.

@LarryHookins, @Grey Roger, @Hylie Pistof, @Armada, @Captain Murphy, @Levis and @Mad Jack Wolfe, do you guys have any idea what could be going on here?
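
The comparison done by hand in the post above (hash every downloaded copy, check that the copies are byte-identical, compare the digests against the ones Norton printed even though one tool prints uppercase and the other lowercase) can be scripted. The block below is an added example and is not code from this thread or from the New Horizons project; the file names and the "installer" bytes are constructed stand-ins so it runs offline, and the tampered third copy is a hypothetical stand-in for the "extra self-extracting file" case Hook described.

```python
"""Verify that several downloaded copies of an installer are the same bytes and
match a reference digest. Added example, not the project's own tooling.
All paths and file contents below are constructed for the demo."""
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algorithms=("sha256", "md5"), chunk_size=1 << 20):
    """Return {algorithm: lowercase hex digest}, reading in 1 MiB chunks so a
    multi-hundred-megabyte installer never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_copies(paths, expected=None):
    """Hash every path and report (a) whether all copies share one SHA-256 and
    (b) which copies disagree with the expected digests, if any were given.
    Digests are compared case-insensitively: AV reports, web hash generators
    and hashlib print the same value in different cases."""
    digests = {p: hash_file(p) for p in paths}
    result = {
        "digests": digests,
        "all_identical": len({d["sha256"] for d in digests.values()}) == 1,
        "matches_expected": None,
        "mismatches": [],
    }
    if expected:
        want = {alg.lower(): hexdigest.lower() for alg, hexdigest in expected.items()}
        for path, d in digests.items():
            for alg, hexdigest in want.items():
                if d.get(alg) != hexdigest:
                    result["mismatches"].append((path, alg))
        result["matches_expected"] = not result["mismatches"]
    return result


def demo():
    """Constructed scenario (hypothetical, not the real installer): two mirrors
    serve the same bytes; a third copy has an extra stub appended."""
    clean = b"NSIS-installer-stand-in-bytes" * 1000
    tampered = clean + b"MZ-extra-stub"
    tmp = tempfile.mkdtemp()
    try:
        paths = {}
        for name, data in (("moddb.exe", clean), ("cloud.exe", clean), ("uploadsite.exe", tampered)):
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(data)
            paths[name] = p
        # Reference digests of the known-good copy, written in uppercase the way
        # a scanner report or web hash tool might print them.
        reference = {alg: v.upper() for alg, v in hash_file(paths["cloud.exe"]).items()}
        mirrors = compare_copies([paths["moddb.exe"], paths["cloud.exe"]], reference)
        with_bad = compare_copies(list(paths.values()), reference)
        return {
            "mirrors_identical": mirrors["all_identical"],
            "mirrors_match_reference": mirrors["matches_expected"],
            "all_three_identical": with_bad["all_identical"],
            "flagged": sorted({os.path.basename(p) for p, _ in with_bad["mismatches"]}),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two practical notes. A matching SHA-256 across copies means they are the same bytes, so once the mirror copies and the reported copy agree, the remaining question is the scanners' verdict on that file rather than a tampered download; compare on SHA-256, not MD5 alone, because MD5 collisions are practical. And VirusTotal's search accepts a SHA-256 and returns the existing report if that exact file has already been submitted, which sidesteps the upload size limit mentioned in the post above for anyone who just wants to check a known hash.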
 
Thanks!
I have now confirmed your copy of the file is 100% identical to the version I already uploaded.
That leaves two options:
1. My computer was infected when I compiled the file, which infected it
or
2. 4 virus scanners indicate a false positive

It does seem unlikely to me that so many virus scanners indicate it is clean, while the 4 that do indicate a trojan can't agree on which one it is.
But to be absolutely certain, I have now submitted the file to all four of the virus scanners that indicate a positive.
Now I suppose all I can do is wait and see; can't really think of anything else left to do... :confused:
 

That file does indeed contain a virus. NOD32 blocked it.

The problem is the upload service you're using. It looks very convenient, and the first few times I used it I didn't have a problem. But the first time I uploaded a file to be available for more than a very short time it contained a virus when someone tried to download it.

Do not use uploadfiles.io

Hook
 