Author Topic: Generic.dx Trojan (Read 13958 times)

Mystic-One · « **on:** July 13, 2009, 01:23 AM »

Hi, Im new to this site, but I joined because I have an issue I'm not quite sure of...
I've been trying to download a fix for a video game I have on my laptop...Star Wars Knights of the Old Republic II: The Sith Lords...It seems that it doesnt work on windows Vista without a fixed exe file...But the only file I could find came from gamecopyworld.com...and when i scan it, Mcafee tells me that it found a Generic.dx trojan inside and immediately quarantines it...
However, after looking all over the net to find out more info on this trojan, I keep reading that it may be a "false-positive" from Mcafee....So is this a real virus or not? Normally I wouldnt even try to use any infected file, but unfortunately this is the only file that could possibly fix my game...Can anyone please help me here? Is this a real virus, and if so, what does it do? I REALLY want to play this damn game, but I cant afford to infect my computer...Can anyone help me?

mouser · « **Reply #1 on:** July 13, 2009, 01:32 AM »

i doubt this will help you specifically since it's a little involved and it's not specifically about your issue,

but one thing that can be done in a case where you need to try out some program that you fear could be harmful to your pc is to install some Virtual Machine software, and a change detection program (like Ashampoo Uninstaller) on the virtual machine, and then run the program, and then compare snapshots of the machine using the change detection program, and look to see if any evil changes have been made to system files, etc.

Dormouse · « **Reply #2 on:** July 13, 2009, 04:59 AM »

i doubt this will help you specifically since it's a little involved and it's not specifically about your issue,
-mouser (July 13, 2009, 01:32 AM)

Except that in a situation like this, it seems to be the only safe way of checking it out without risking the computer

Mystic-One · « **Reply #3 on:** July 13, 2009, 06:19 AM »

Hmmm...What sucks..Is I dont know how to do any of that! lol

PhilB66 · « **Reply #4 on:** July 13, 2009, 06:46 AM »

Submit it to Sunbelt CWSandbox, CWSandbox or ThreatExpert for analysis.

Dirhael · « **Reply #5 on:** July 13, 2009, 06:51 AM »

Your best bet in situations such as this is to use a service such as the excellent VirusTotal to check the file. It will scan your file with just about every AV engine on the market, for free no less. You can then use this information to make a judgment on whether or not the file is safe (you will be presented with the result from all engines). The easiest way (at least I think so) is to use their tiny uploader utility to send the file to them. All you have to do is right-click the file, and select the uploader from your send-to menu. When it's uploaded, it'll open your browser with the results. Couldn't be simpler

Oh, and remember to disable your resident AV protection while doing this, as you really don't want the file deleted/quarantined automatically.

Mystic-One · « **Reply #6 on:** July 13, 2009, 07:00 AM »

Word! I used virustotal.com, and it said the file was clean....So I dont understand why my VS says there was a generic.dx trojan...I dont know which to trust..lol

Dirhael · « **Reply #7 on:** July 13, 2009, 07:07 AM »

Word! I used virustotal.com, and it said the file was clean....So I dont understand why my VS says there was a generic.dx trojan...I dont know which to trust..lol
-Mystic-One (July 13, 2009, 07:00 AM)

If VirusTotal says the file is clean, then I'd say listen to them. False positives is a problem with all AV programs, so to get a second opinion from other vendors is always a good idea. Especially when the detection is of the generic kind, like the one you're having

lanux128 · « **Reply #8 on:** July 13, 2009, 07:12 AM »

what is your graphics card, have you tried updating them? and what is the exact error message?

try posting in the publisher's forums like this one. here is one thread with probable solutions: http://forums.obsidi....php?showtopic=41038

Mystic-One · « **Reply #9 on:** July 13, 2009, 07:51 AM »

Thank you all for your help! What an awesome site! I appreciate you all being so willing to help someone like me(a video game nerd with NO programming knowledge..lol) I'll keep ya'll updated!

steeladept · « **Reply #10 on:** July 13, 2009, 08:00 AM »

Don't worry, there are a few vid-gamers here - check out Wreckedcarzz in particular. He is into it big-time, or at least was. I, unfortunately, don't have that kind of time anymore....

wreckedcarzz · « **Reply #11 on:** July 13, 2009, 09:47 AM »

Don't worry, there are a few vid-gamers here - check out Wreckedcarzz in particular. He is into it big-time, or at least was. I, unfortunately, don't have that kind of time anymore....
-steeladept (July 13, 2009, 08:00 AM)

Yeah, check my Xfire page (click it in my sig) and you can see all the time I spend on games. (I also code things from time to time, most I don't post here but you can find some of my stuff at my website (also in sig) if your interested in that as well - I can also help with computer/game issues, including driver updates and the like)

Test Drive Unlimited:
Last 7 days: 23 hours
Total: 271 hours

Sometimes I wonder if I spend too much time gaming

mouser · « **Reply #12 on:** July 13, 2009, 10:26 AM »

Also, as we've pointed out on other threads complaining about false positives, when a virus program tells you the name of the suspected virus is something like "Generic" -- that's a good sign that it's just a complete guess and has no idea if the program is harmful or not.

Mystic-One · « **Reply #13 on:** July 13, 2009, 10:31 AM »

lol Wow..Thats a new concept to me..I never realized that these programs we pay so much to protect our computers would have to "guess", ya know!? That seems criminal..lol I need to get into programming myself...I wonder just how many times this happens...

Innuendo · « **Reply #14 on:** July 13, 2009, 12:15 PM »

The world would be a happier place if people would just stop using Norton and McAfee's products. No good ever comes of it.

Just so you know, Mystic-One, I download files from gamecopyworld.com a LOT to circumvent the downright intrusive copy-protection on some games and I have never had a problem with anything I've downloaded from them. I'd rate them to be a trustworthy site.

mouser · « **Reply #15 on:** July 13, 2009, 12:28 PM »

Since i have been dispensing very generic (pun intended) advice on this thread, let me continue.

Whenever you are downloading user-posted files on a community site, it pays to be cautious. There are some general "human" heuristics that are wise to apply:

Can you see anything about the person who posted the file? Are they long time members? If so, the odds of the file being harmful are pretty slight.
Has the file been uploaded and available for a long time? If so, and especially if there are comments posted subsequently about it, the odds of the file being harmful are pretty slight (otherwise others would have reported it).
If it's a brand new file uploaded by a brand new person on the site.. You may be advised to wait until others have checked it out and given it the thumbs up.

Innuendo · « **Reply #16 on:** July 13, 2009, 10:33 PM »

All good advice, Mouser, but the OP was concerned about files downloaded from GameCopyWorld a site that doesn't have any user-posted files. All files are provided by the site owner(s).

Steven Avery · « **Reply #17 on:** July 14, 2009, 02:29 PM »

Hi Folks,

Righteo. The human heuristics is far more important than techie heuristics, which is an ongoing sludge-fest of Malware vs. the Organized Bureaucratic Defenders.

Even on a defense level, the whole "anti-virus" thing is now less important than HIPS .. "do I really give access to my registry or disk to that thingamajig". It has a place, and to a large extent is still helpful, but with great caution and a bit of whimsy. That is one reason Avira made a splash recently, low footprint, so it was less likely to get in the way. However, it seems every single anti-virus program is gonna have a fairly substantial false positive problem today. Since they are looking at heuristics, and that always struggles against :

a) new masking attempts by the bad guys
b) real programs that do techie stuff, thus it looks like they may be the malware.
c) bureaucratic shuffling and indecision in the anti-virus companies

Granted, this is all another generic comment. Game sites and little-known oddball utilities from Chinese-Mongolian anonymous authors (you may substitute other countries there) will always be problematic. If I used stuff like that, even I might consider a sandbox or virtual machine, as discomfiting as it seems. Probably the only way to be close to 100% safe, once a file is under suspicion, is a sandbox-style route. Generally I only want software from a visible company where there is public communication with the writers or at least with the company marketing or sharing. Remember I am the one who is gonna tell the firewall/HIPS that they are "trusted" .. so I want there to be a basis for that trust.

Shalom,
Steven Avery

wreckedcarzz · « **Reply #18 on:** July 14, 2009, 07:34 PM »

All great points, Steven. As I commonly get yelled at here on the forum for this, I don't actively run A/V software - however, I do run any questionable programs through Sandboxie, as well as my own "does this look legitimate" mental check.

Example:

Last night I installed Grand Theft Auto: Vice City from an ISO backup I made a few years back (back when I had the space to do that, before games got 20GB in size). Installation went smoothly, but when I went to run the game it demanded the CD - which had been lost quite a while ago (I can thank my sister for that (and yes, she does like GTA... don't ask)

). I checked for any game patches and then went on a search for a no-cd EXE for it - finding one relatively easy. Downloaded, extracted, made a backup of the original, and then moved it in and compared icons and file sizes. With fingers on Control-Alt-Delete, I started it up and all was good.

However, if the icon would have been different or the file size been larger than the original, I would have copied the game files into Sandboxie and ran it within that contained environment so that it could not do any damage outside of the sandbox (and therefore, only damage the copy of the game).

Spoiler

How Sandboxie works:

Everyone has their own approach, and I have mine. Common sense, daily scanning (w/o real time protection), Windows Firewall and Sandboxie is mine, but what works for me may not work for someone else. Pick and choose wisely, and your problems will be minimal.

Innuendo · « **Reply #19 on:** July 16, 2009, 10:26 AM »

A lot of those programs have been UPX-packed or whatever to obfuscate the code so their "competitors" can't see how they achieve their neat tricks. Unfortunately, some AV products flag anything that's been packed like that as a generic trojan because the trojan writers like to use those packers as well.

Even Linkman, the very reputable program that's been discussed on this site throws up a "suspicious program" flag in a lot of AVs because it's been packed.