
Spyware.OnlineGames from patching UOSA?


XLaCeDX

Guest
All I wanted to do was make a new char in the enhanced client so I could get the Dark Knight quest in New Haven and try to get a skill tutor statuette since they're so cute.

I already had SA enhanced but it needed patching so I patched it up.

Did a scan of my comp later and Malwarebytes found one infection:

C:\Documents and Settings\Owner\My Documents\Downloads\UOSASETUP_105.exe (Spyware.OnlineGames)


:(
 

Wenchkin

Babbling Loonie
Alumni
Stratics Veteran
Stratics Legend
Firstly, scan the living daylights out of your system with a good spyware detector (Spybot Search & Destroy and Adaware for example). Or use Malwarebytes if it's got a good removal tool - I haven't used that program so I don't know what it's capable of.

From the quick search I did about Spyware.OnlineGames, it's looking for your passwords, so once you're certain you're clear and your system scans clear after a reboot, I'd change your passwords. Or use a different PC to do that ASAP so your accounts are protected.

I don't think this would have come through a patch, from what I read it's more likely to be through a bad website or some fake anti spyware program you've accidentally downloaded. Or you've had an attack of the evil popups :( Depending on what browser you use, it may be you have a loophole and hit an unknown site recently. Check it's up-to-date and if you're running Firefox there's a barrage of security plugins to stop dodgy scripts and so on. Worth asking in the Tech forum if you're not sure.

Wenchy
 

Aurelius

Babbling Loonie
Stratics Veteran
Stratics Legend
I'm becoming convinced that Malwarebytes is triggering a 'false positive' for the SA setup file, and misinterpreting the way it unpacks and then connects to the updater and the EA servers page.

Absolutely nothing else I use to check UOSASetup_105.exe picks up any problems with it at all. I've flagged it with Malwarebytes as a possible 'false positive', and am waiting to see if they reply.

Despite all that though - the rest of the advice about keeping programs up to date, good virus and malware checkers, and regular scans of your system most definitely still applies!
 

XLaCeDX

Guest
rtlfc


Thanks all!

One thing I did do was download WoW as the boxed version we own was telling me my computer didn't meet minimum requirements, although I used to play WoW on it and reading the posted requirements I could see that it did.

Oh yes I had gotten an automatic update for my video card, an ATI, which has never happened before in the 3 years I have owned this computer. That update offered me a free trial of WoW.

I think that free trial 'window' (eeps, I don't want to say 'strange website', although I guess that's what it was) was where I downloaded WoW from.

I did disable my virus protection and firewall for the 14 hours or so it took my slow dsl to dl and patch WoW.

Hopefully though it is just a false positive from Malwarebytes.

Guess it's time to change the passwords again anyway.

Thanks again!

:)
 

Wenchkin

Babbling Loonie
Alumni
Stratics Veteran
Stratics Legend
I'd say treat it like there is something nasty, at least to be on the safe side. The best way to be sure is to use a couple of programs to scan your system; that's what I always did when I used Windows regularly. It covers you for cases like this when you're not sure if you have an infection or a software issue.

If Windows ever pops up anything you didn't expect, it's worth checking the little git hasn't picked something nasty up. Any odd errors and such too - if you can't think of a good reason for the message, always check under the hood.

What browser do you use? There should be a disable popups option in whatever you use, I'd recommend you turn that on and only disable it for trusted sites when they're not working as you expect.

It does seem that ATI were running a promotion with the WoW trial so that could be a legit popup. But if you didn't download directly from ATI themselves, it's possible that it was a spoof and by clicking it you let an infection in. Don't worry, we all do it at least a few times - sometimes just for the thrill :D You shouldn't have to disable firewall/AV protection for a download though, unprotecting a Windows system like that can let all sorts in. Again, only if you want a rush.

To protect yourself if you download from your browser, check your anti-virus program is set up to automatically scan downloads and new files arriving on your PC. Also set it to scan all your emails before you can open them and screw your system up :D If you have disabled your security stuff to download something, as soon as it's downloaded you want to scan the file(s) with your software.

Fingers crossed you get the all clear on your system :)

Wenchy
 

Spiritless

Sage
Stratics Veteran
Stratics Legend
UNLEASHED
UOSASETUP_105.exe is a self-extracting RAR archive. I have extracted it in a sandbox and the only changes it makes are the ones it purports to, namely extract the game client's files to a temporary location. None of the files within the archive are infected. Malwarebytes itself also does not report a problem with the extracted files.

Additionally, UOSASETUP_105.exe is not flagged as a threat by any other leading AV scanners.

I am 100% certain that this is a false positive from Malwarebytes on the RAR archive itself and your machine is not infected.
 

Wenchkin

Babbling Loonie
Alumni
Stratics Veteran
Stratics Legend
Unfortunately, legit filenames aren't necessarily a guarantee that the contents are safe. The best place for malware to hide is in a safe looking file that you won't suspect. All the fun ones are sneaky :)

To put it another way, I wouldn't be at all surprised if it's a false positive, but it never hurts to scan your Windows system and know for sure. It's a lot less painful than the results of that particular bit of malware.

Wenchy
 

Basara

UO Forum Moderator
Moderator
Professional
Governor
Stratics Veteran
Stratics Legend
Wiki Moderator
UNLEASHED
Campaign Supporter
My guess, personally, is that it may be triggering on something EA put into the installer to look for illegal 3rd party software.
 

Zosimus

Grand Inquisitor
Alumni
Stratics Veteran
Stratics Legend
You all know, instead of having these different types of virus protection software, some should try the new Microsoft Security Essentials, and it's free. At one time I had many different spyware removal programs, and the funny thing was some would say the other program was the spyware. I use Microsoft Security Essentials and CCleaner on my comp, nothing else. No problems since, and what's nice is if I even come to a site that has an issue it instantly comes up with a warning, cleans my comp, and closes the site.
 

Spellbound

Lore Master
Stratics Veteran
Stratics Legend
UNLEASHED
Kaspersky is telling me UOSA.exe is "suspicious"; or PDM Keylogger. I'm not savvy enough to know what to do except delete the program.
 

Spiritless

Sage
Stratics Veteran
Stratics Legend
UNLEASHED
> Unfortunately, legit filenames aren't necessarily a guarantee that the contents are safe. The best place for malware to hide is in a safe looking file that you won't suspect. All the fun ones are sneaky :)
Nowhere did I imply that legitimate filenames did guarantee the contents were safe, either.

Initially I observed all changes the .exe made to a system after execution through use of a decompiler and process monitor. None that I could see were suspicious and certainly not consistent with malware.

Secondly I then ran the archive past 40 AV engines of which 0 report it as a threat.

Thirdly, I executed the .exe in a sandboxed environment and isolated all files and registry changes which it produced. None were consistent with malware behavior. I then scanned these files and ran them past Malwarebytes also and even it did not report threats, which I certainly would expect it to should file(s) within the archive have been infected as it initially reported.

This, simply, is a false positive on the archive file. It isn't even detecting anything within the file as a trojan but the self-extractor itself. While it's never a bad idea to scan your system and whatnot, there is no need to spread further FUD about this file being infected. It simply isn't.

Take care.
 
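One way to check the two points made above (Spiritless's, that the detection sits on the self-extractor stub rather than on the archived contents, and Wenchkin's, that two copies of the file might not be identical): an added Python example, not code from the thread, that splits a RAR self-extracting executable at the embedded archive marker and hashes the stub and the archive separately so each part can be submitted for scanning on its own, then compares two copies by whole-file hash. The marker bytes come from the public RAR and PE formats; the sample bytes are constructed, not a real installer.

```python
import hashlib

# Format constants (public documentation, not from the thread):
# a Windows executable starts with "MZ"; RAR 4.x and RAR 5 archives
# start with one of these marker blocks.
PE_MAGIC = b"MZ"
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_sfx(blob: bytes):
    """Return (stub_bytes, archive_bytes) for a RAR SFX.
    If no archive marker follows the PE header, the whole blob is the stub."""
    if not blob.startswith(PE_MAGIC):
        raise ValueError("not a PE executable")
    # Start searching past the 64-byte DOS header so a marker is only
    # matched where an appended archive would actually sit.
    for marker in (RAR5_MARKER, RAR4_MARKER):
        off = blob.find(marker, 64)
        if off != -1:
            return blob[:off], blob[off:]
    return blob, b""


def triage(blob: bytes) -> dict:
    """Hashes for the whole file, the extractor stub and the embedded archive,
    so each can be checked independently (e.g. against multiple AV engines)."""
    stub, archive = split_sfx(blob)
    return {
        "whole": sha256(blob),
        "stub": sha256(stub),
        "archive": sha256(archive) if archive else None,
        "archive_offset": len(stub) if archive else None,
    }


def same_file(a: bytes, b: bytes) -> bool:
    """Two downloads count as the same file only if whole-file hashes match."""
    return sha256(a) == sha256(b)


# Constructed sample: a fake PE stub, then a RAR4 marker and dummy archive data.
SAMPLE_SFX = PE_MAGIC + b"\x90" * 200 + RAR4_MARKER + b"archive-payload" * 4
# Constructed second copy with one byte changed inside the stub.
TAMPERED_COPY = SAMPLE_SFX[:100] + b"\x00" + SAMPLE_SFX[101:]

if __name__ == "__main__":
    print(triage(SAMPLE_SFX))
    print("copies identical:", same_file(SAMPLE_SFX, TAMPERED_COPY))
```

If the stub hash is flagged but the archive hash is clean, the verdict applies to the extractor, which is what Spiritless describes; a mismatch between two copies' whole-file hashes is what Wenchkin's caution would look like in practice.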

Wenchkin

Babbling Loonie
Alumni
Stratics Veteran
Stratics Legend
Unless something changed since I shifted to Linux, Windows malware can still do creative things in the guise of a trusted filename. Your file and the OP's might not be 100% identical.

I'm not saying that the file is definitely infected, I could be totally wrong, and I'd be happy if that was the case. But if that file has been modified by malware on the OP's system, the sooner it gets noticed the better. So, if the OP runs a few extra scans, at worst they'll yield some extra peace of mind and take up a little time. Where's the problem in that though? Better to double check than assume you're ok.

I certainly haven't intended to offend you or question your knowledge, I just didn't agree with your suggested approach.

Wenchy
 