Virus attack during Auto Update

parcival · Post by **parcival** » Tue May 05, 2009 9:49 pm

I use Avast. During the auto update I got a popup from it stating that a virus was trying to run in my system.
Here is what Avast recorded in it's logs:
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\...\Local Settings\Application Data\Xenocode\Sandbox\2.2.3337.18747\2009.02.19T16.33\Native\STUBEXE\@PROGRAMFILES@\COMMON~1\MICROS~1\DW\DW20.EXE" file.

I chose to permanently delete the file (one of Avast's options) and then ASGS popped a message box stating that it can no longer run. ASGS closed and I reopened it. From then on everything went fine and I could play CC04 normally. It seemed that auto update worked but at the same time a virus tried an attack. Has anyone else experienced this?

Grimmwolf_GB · Post by **Grimmwolf_GB** » Tue May 05, 2009 9:51 pm

http://www.freeallegiance.org/forums/index...showtopic=49898

I think it is avast posting a false positive.

Deathrender · Post by **Deathrender** » Tue May 05, 2009 10:05 pm

Avira does the same.

TheCorsair · Post by **TheCorsair** » Tue May 05, 2009 10:23 pm

Deathrender wrote:QUOTE (Deathrender @ May 6 2009, 08:05 AM) Avira does the same.

Same here... and now it keeps coming up every so often no matter how many times I select "ignore" I guess I'll have to delete it next time or move to quarantine.

Cheezits · Post by **Cheezits** » Tue May 05, 2009 10:24 pm

AVG as well.....

parcival · Post by **parcival** » Tue May 05, 2009 10:44 pm

The strange thing is that AU seems to worked although this file was prohibited from launching and was permanently deleted. Like it wasn't doing anything "useful". What does this file do?

TheCorsair · Post by **TheCorsair** » Tue May 05, 2009 10:50 pm

parcival wrote:QUOTE (parcival @ May 6 2009, 08:44 AM) The strange thing is that AU seems to worked although this file was prohibited from launching and was permanently deleted. Like it wasn't doing anything "useful". What does this file do?

I don't know myself but this is what I found on google

http://www.processlibrary.com/directory/files/dw20/
http://dotnetwithme.blogspot.com/2007/04/i...ing-you_18.html

Adam4 · Post by **Adam4** » Wed May 06, 2009 2:33 pm

NOD returns nothing, and NOD doesnt have "false positives"

sgt_baker · Post by **sgt_baker** » Wed May 06, 2009 3:26 pm

This has been widely reported, yet not universally. Either we're dealing with a small number of false positives, or everyone else is already infected with a virus that disables all known AV suites.

I know which is more likely.

peet · Post by **peet** » Wed May 06, 2009 4:38 pm

Check for yourself who to trust.

First disable your poor AV product that gives a false positive

DW20.EXE is one of the few files M$ has digitally signed. Rightclick EXE, click properties, click tab Signatures, click on MIcrosoft..., click Details. Verify the file is not compromised.

Also you can upload the EXE to e.g. VirusTotal and have it analyzed for free by almost every AV manufacturer.

If you still doubt, get another game.