-
Visit our website www.piratehorizons.com to quickly find download links for the newest versions of our New Horizons mods Beyond New Horizons and Maelstrom New Horizons!-
Join our discord server for regular podcasts/AMA about upcoming and released pirate games (Caribbean Legend, Corsairs Legacy, Ahoy, ERAS 2, etc.):
-
Quick links for Beyond New Horizons
- Download latest version
- Wiki - FAQ - Report bugs here - Bug Tracker on Github -
Quick links for Maelstrom
- Download the latest version of Maelstrom
- Download the latest version of ERAS II - Download the latest version of New Horizons on Maelstrom
-
Join PiratesAhoy! on our social channels:
-
Quick links for PotC: New Horizons
- Download latest version
- Wiki - FAQ - Report bugs here
-
Thanks to YOUR votes, GOG.com now sells:
- Sea Dogs - Sea Dogs: Caribbean Tales
- Sea Dogs: City of Abandoned Ships
Vote now to add Pirates of the Caribbean to the list! -
Quick links for AoP2: Gentlemen of Fortune 2
- Downloads and info
- ModDB Profile
- Forums Archive -
A Pirate Podcast with Interviews
Music, Comedy and all things Pirate!
- Episode Guide - About - Subscribe -
- Twitter - Facebook - iTunes - Android -
- Youtube - Fill the Coffers -
Need Help Installer includes trojan horse/virus?
- Thread starter Oldtimer
- Start date
Get the installer from the first post of this thread. Only Part 2, the contents archive, needs to come from ModDB. (The ModDB installer is out of date anyway - the one linked in the first post of this thread is much improved.)
Edit - it's not this thread any more, someone decided to move the posts. Get the newest installer from here instead:
Mod Release - Build 14 Beta 4.1 WIP [Last Update: 31 August 2017][Beta 7 December 2017]Last edited:
Can anyone confirm that? I know I made that installer EXE myself and it is 100% clean.
Unless someone someone managed to replace it after I uploaded.
Does it happen for this one too?
http://www.piratesahoy.cloud/repository/PotC/b14_beta4_installer.exe
That one MUST be clean, because I don't think (m)any other people have the rights to replace it there.
If Microsoft Security Essentials claims a trojan in there too, then Microsoft must be wrong.
I have no clue how anything like that could have snuck into a simple, clean NSIS installer that I made myself.
almost certainly a false positiveCan anyone confirm that? I know I made that installer EXE myself and it is 100% clean.
Unless someone someone managed to replace it after I uploaded.
Does it happen for this one too?
http://www.piratesahoy.cloud/repository/PotC/b14_beta4_installer.exe
That one MUST be clean, because I don't think (m)any other people have the rights to replace it there.
If Microsoft Security Essentials claims a trojan in there too, then Microsoft must be wrong.
I have no clue how anything like that could have snuck into a simple, clean NSIS installer that I made myself.
but I can scan it with bitdefender too when I get home to create some peace of mind if you like
You're welcome to scan it, just to be sure. I never like viruses and if somehow one managed to creep in, it should be addressed.almost certainly a false positive but I can scan it with bitdefender too when I get home to create some peace of mind if you like
I did a google search on the name of the virus. It looks like it shows up in a lot of false positives.
Hook
no surprise here, but still happy to say bitdefender found nothing weirdThe latest installer was 100% clean when I turned it over. My antivirus settings are rather aggressive.
Keep in mind that just because you uploaded a clean file doesn't guarantee that someone won't download an infected one. That happened to me on the very first version of TEHO Hookmod. Someone downloaded it and asked if it was supposed to contain a self extracting file within the rar file. That's not how I uploaded it, and when I tried to download it to check my antivirus blocked it. Needless to say I pulled the link immediately and warned people. I did not research to see if the upload site was the problem or if something intervened between the site and the users.
Hook
If I understand correctly, the message was about the version on ModDB, which you didn't make.
But still... I made that and I'm pretty sure it IS 100% clean. Unless something really, really weird happened.
That's scary!
I did a quick check using www.VirusTotal.com:
The ModDB mirror: VirusTotal
The PiratesAhoy! Cloud mirror: VirusTotal
The Bowengames mirror: VirusTotal
All return 100% clean based on 64-66 different virus scanners.
So as far as I can tell, it is a false positive and Microsoft is wrong.
@Oldtimer, do you reckon this is proof enough?
niels
Sailor Apprentice
Hi,
I downloaded the b14_beta4_installer.exe from moddb on your official page, and it says an virus is included in it, I dont know if it is a false flag report or not, but I downloaded this installer a couple of times since it release and this is the first time Norton says its a virus (Picture included but its Dutch though I know some members are dutch)Attachments
Hi @niels,
Thanks for the report.
Where does it say there is a virus included? And what does it say?
Which version from which link do you mean?
I merged your report with the one by @Oldtimer who reported something very similar earlier this month.
Because this sounded concerning to me, I tried to do a thorough investigation as shown in the post above yours.
niels
Sailor Apprentice
Hi I downloaded it from this site: Build 14 Beta 4.0 Part 1: Installation Wizard file - Pirates of the Caribbean: New Horizons mod for Pirates of the Caribbean
I copied this from Norton Its Dutch so sorry English people :/
Bestandsnaam: b14_beta4_installer.exe
Naam van bedreiging: Trojan.Gen.8!cloudVolledig pad: c:\users\niels\downloads\b14_beta4_installer.exe
____________________________
____________________________
Aanwezig op computers vanaf
28-12-2017 om 18:19:28
Laatst gebruikt
28-12-2017 om 19:15:09
Opstartitem
Nee
Gestart
Nee
Bedreigingstype: Heuristisch virus. Detectie van een bedreiging gebaseerd op malware-heuristiek.
____________________________
b14_beta4_installer.exe Naam van bedreiging: Trojan.Gen.8!cloud
Zoeken
Weinig gebruikers
Honderden gebruikers in de Norton Community hebben dit bestand gebruikt.
Oud
Dit bestand is 1 jaar 8 mndn geleden uitgebracht.
Hoog
Dit bestand heeft een hoog risico.
____________________________
http://sjc3.dl.dbolical.com/dl/2016....exe?st=GJfklzhUvLoaBVfkAl1i7Q==&e=1514488499
Gedownload bestand van dbolical.com
Bron: externe media
b14_beta4_installer.exe
____________________________
Bestandsacties
Bestand: c:\users\niels\downloads\ b14_beta4_installer.exe Verwijderd
____________________________
Vingerafdruk van bestand - SHA:
aa0f56d74979e88956d72fc8699b54bea19c328262cdadf765d6b93d52e9ceb5
Vingerafdruk van bestand - MD5:
b283423cde277f0227f41ccef52d2203
niels
Sailor Apprentice
Im not a IT Expert but I think a Trojan is burrowed deep inside the exe...
But the first report is from earlier this month and the exe is added on 2nd of April 2016, so is it possible that a virus infiltrated Moddb's Cloud or where ever its uploaded? and decided to nest in this exe?
If it's true maybe more file's are exposed? or am I thinking too hard?
It is either that or a false positive. I'm still trying to figure out which of the two it is.
In addition to the check in post #11 above, I have now also:
Downloaded "b14_beta4_installer.exe" from:
- Some ModDB Mirror [???]
- The PiratesAhoy! Cloud
- The BowenGames Mirror
I then checked all three using Kaspersky, which states the files are clean. They are also all three identical.
I know for certain that the original Installer EXE I made myself is clean as it is just a simple thing I made using the open-source NSIS.
Very few people have access to the PiratesAhoy! Cloud, so that version at least should be as clean as when I made it.
Since all three are identical and confirmed clean by Kaspersky and www.TotalVirus.com, apparently the file itself is OK.
That leaves two options:
1. SOME of the ModDB mirror servers are infected, but not all of them and I got lucky today to download from a clean one
or
2. Norton and Microsoft Security Essentials give a false positive for some unexplained reason
To narrow it down, is there anywhere you can upload your infected copy of the file?
If we can check that with VirusTotal and Kaspersky and do a WinMerge to check if they are identical, that should tell us if your copy somehow got infected.
I used Online MD5 Hash Generator & SHA1 Hash Generator to get the MD5 and SHA-256 checksums of one of the PiratesAhoy! Cloud copy of the file.
This resulted in the exact strings that you post, but in uppercase instead of lowercase.
This does suggest that you got a copy of the file that is equally clean as the ones I have checked.
However, a checksum is not a 100% guarantee, so perhaps something weird does happen.
On the other hand, I now also uploaded my original, untouched copy of the file to www.VirusTotal.com and, concerning enough, I got this:
The good: Microsoft is shown on the bottom of this page and indicates it being clean, despite @Oldtimer's report from the opening post.
The bad: Unfortunately Norton is not included at all, so for that one I don't know.
[EDIT: Oops, Norton = Symantec, so indeed it IS included...]
The ugly: 4 out of 64 do show 3 different Trojans in there, which I definitely don't like.
You could also try it with http://piratesahoy.bowengames.com/potc/Grey Roger/Build14_installer_31082017.exe instead (this is the newest version made by @Mad Jack Wolfe).
If that one shows the same, then apparently Norton does not like NSIS installers for some reason.
If it does not show the same, then perhaps my computer was infected at the time I created the installer and that managed to sneak in somehow.
I tried to check this myself using www.VirusTotal.com, but unfortunately the file is 363MB, which exceeds the 256MB limit of that website.
Therefore I cannot perform the same check myself. I did do a check with Kaspersky, which states that one is clean.
But I don't know how much that means, because Kaspersky also says the original one is clean, while AVware, Symantec, Baidu and VIPRE don't agree.
In other words: I don't know what to believe right now and I don't like it.
@LarryHookins, @Grey Roger, @Hylie Pistof, @Armada, @Captain Murphy, @Levis and @Mad Jack Wolfe, do you guys have any idea what could be going on here?
niels
Sailor Apprentice
Uploadfiles.io - b14_beta4_installer.exe My infected file.
Thanks!
I have now confirmed your copy of the file is 100% identical to the version I already uploaded.
That leaves two options:
1. My computer was infected when I compiled the file, which infected it
or
2. 4 virus scanners indicate a false positive
It does seem unlikely to me that so many virus scanners indicate it is clean, while the 4 that do indicate a trojan can't agree on which one it is.
But to be absolutely certain, I have now submitted the file to all four of the virus scanners that indicate a positive.
Now I suppose all I can do is wait and see; can't really think of anything else left to do...
That file does indeed contain a virus. NOD32 blocked it.
The problem is the upload service you're using. It looks very convenient, and the first few times I used it I didn't have a problem. But the first time I uploaded a file to be available for more than a very short time it contained a virus when someone tried to download it.
Do not use uploadfiles.io
Hook
Did that virus creep in during the download?
The file I got from there was bit-for-bit identical to the one I originally uploaded ages ago. -
