My HEM has a trojan



j3ezy
05-06-2009, 11:21 PM
Every time I try to open my HoldemManager, my antivirus pops up and says that a Trojan was found.

File Name: C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\3KY9GGK7\rvgsoftware_com[1].htm

Malware name: JS:Redirector-H [Trj]

Malware type: Trojan Horse

VPS version: 090506-0, 05/06/2009
My antivirus client also won't let me "move the malware to virus chest", which is the recommended option, because the file is "in use by another program".

I have run several virus scans while HEM was not open, which have come up clean.

I have also uninstalled/reinstalled HEM several times, and tried to update my version to the most recent by using the link in the other forum thread, but it fails to update certain parts of the program.

If I choose to delete the file or "not respond" and just open tables/auto import, the program does not import any hands, but the table manager does recognize my being seated at the tables.

If I just ignore the virus alert by clicking no response and sit at tables/auto import, the HUD does not work even though table manager seems to be working.

This is a thread from the forums of the antivirus client that I use: http://forum.avast.com/index.php?topic=44728.0

another thread talking about the malware: http://forum.avast.com/index.php?topic=44728.0

morny
05-07-2009, 11:00 AM
In the vast majority of cases this is a false positive; however, there are some viruses that can attach themselves to .exe files, and when you run it, instead of running HM it will run the virus. The safest thing to do is:

1) Make a backup of your C:\Program Files\RVG Software\Holdem Manager\Config folder
2) Uninstall HM via the Control Panel
3) Go to Program Files and delete the RVG Software directory, or the equivalent for Vista
4) Reboot your computer
5) Install the complete setup of HM: http://www.holdemmanager.com/downloads/holdemmanager.zip
7) Download the latest HM patch: http://www.holdemmanager.com/downloads/HmUpdate.exe
8) Test it for a while and see if it works
9) Close down Holdem Manager, copy the config folder from step 1, and copy and overwrite it to your C:\Program Files\RVG Software\Holdem Manager\Config folder
10) Test if it works again for a while

If the problem persists it may be worth considering changing to another antivirus, but usually when a virus attaches to an .exe file it will infest most of the computer, so it's most likely a false positive if it's an isolated incident.

JCS
05-19-2009, 05:57 AM
Hi,

I just got the same problem as OP. I tried the same exact procedure as Morny described, but to no avail, I still get the trojan warning as soon as I start HEM (step 8 in Morny's list). I use Avast as my antivirus and don't really intend to change it since it's considered a real good one. Also, I have kinda huge monies on my various poker accounts, and with all the hacking stories lately, I'm scared to even open a pokerroom lobby right now.

I'd really like to know how OP got to solve his problem. Could it be possible for an admin to send him a mail for him to come check this thread back? Since he's got only 1 message, I suppose he's not checking around here regularly.

Thanks in advance.

LostCause
05-19-2009, 06:21 AM
I am having the same issue.

pilz
05-19-2009, 06:29 AM
Same here,

I got these 2 messages from Avast:

http://img139.imageshack.us/img139/658/trojan.jpg

Followed the steps above, but I still got these messages.

Ajeto
05-19-2009, 06:37 AM
I have the same issue.
Antivir: Avast
Version of HEM: 1.08.03

JCS
05-19-2009, 06:51 AM
Feels a bit better to know that it's not my (or all you guys') particular computer that is targeted, and that instead it seems something related to RVG's website, whose source code seems to have been infested by 'pirate' redirections to other websites containing malicious content.

LostCause
05-19-2009, 07:01 AM
Here are the results of a scan I ran on the rvgsoftware.com

http://www.unmaskparasites.com/security-report/?page=www.rvgsoftware.com/hm/currentversion.html

bigadin
05-19-2009, 07:07 AM
Same with HM 1.08.04 and Avast

Felix9381
05-19-2009, 08:11 AM
Same Problem with GData:

Trojan
Adresse: www.rvgsoftware.com
Virus: JS:Redirector-H7 [Trj] (Engine B)

It seems to be a false positive, but I would like to have that be assured/explained.

bigadin
05-19-2009, 08:15 AM
Same problem with 2 different antivirus... strange !

jepp
05-19-2009, 08:29 AM
I got the same problem and I'm getting paranoid.
Using Avast antivirus.

Edit: We were discussing this on irc and it seems that the site has been attacked.
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/
arrgh

morny
05-19-2009, 12:49 PM
There doesn't appear to be any inconsistencies on the website or any signs of redirecting. I expect it's just a false positive with Avast, but I'll get a confirmation from Roy to put your minds at ease.

Felix9381
05-19-2009, 01:06 PM
@morny: I don't know, but maybe this link is helpful for you.

http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx


@others: Since I deleted the temporary Java applets in my Java Console I got no more warnings on opening the HM.
Otherwise, being a total computer noob, I don't know what I am doing exactly, but it seems to work though.

Rvg72
05-19-2009, 01:09 PM
Hi guys, this has already been corrected. There is a webpage on www.rvgsoftware.com that Holdem Manager checks on launch to see if there is a new version of Holdem Manager ready, and this page was redirecting, which caused the AV alerts. We've corrected this so there should be no issues at all.

Sorry about any confusion caused

Roy
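Roy's post above describes the mechanism: the client fetches a version page at launch, and that page had been altered to redirect. As an added example, not Holdem Manager's code or any antivirus vendor's logic, here is how such an update-check client could validate the fetched document as plain data before trusting it; the sample pages, the version format and the hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed samples (not from the page): a clean version document and a copy of it
# with an injected redirect, the kind of change that trips AV "JS:Redirector" signatures.
CLEAN_PAGE = "<html><body>1.08.04</body></html>"
INJECTED_PAGE = (
    '<html><body>1.08.04'
    '<script>window.location="http://redirect.example.invalid/x.php"</script>'
    '</body></html>'
)

# Assumed format of a legitimate version document: just a dotted version number.
VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")
# Tags and markers that have no business in a plain version document.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "meta", "link"}
REDIRECT_RE = re.compile(
    r"(window|document)\.location|location\.(href|replace)|http-equiv\s*=\s*['\"]?refresh",
    re.IGNORECASE,
)


class VersionPageChecker(HTMLParser):
    """Collects the page text and records any active content or script attributes."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on") or (value or "").lower().startswith("javascript:"):
                self.findings.append(f"script attribute {name}")

    def handle_data(self, data):
        self.text.append(data)


def check_version_page(html):
    """Return (version, findings): version is None unless the page is a clean version doc.

    A real client should also refuse HTTP 3xx redirects before this step, so that a
    compromised or hijacked page cannot send it elsewhere at the transport level.
    """
    parser = VersionPageChecker()
    parser.feed(html)
    parser.close()
    if REDIRECT_RE.search(html):
        parser.findings.append("redirect marker in page")
    body = "".join(parser.text).strip()
    if parser.findings:
        return None, parser.findings
    if not VERSION_RE.match(body):
        return None, ["unexpected content instead of a version number"]
    return body, []
```

A client that fails closed on any finding keeps working offline with its current version and leaves the user a clear message, instead of the confusing AV pop-up described in this thread.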

LostCause
05-19-2009, 01:29 PM
Thanks Morny & RVG72, no more problems opening HM.

Sylarr
05-19-2009, 03:16 PM
Any idea how that trojan got on there Roy?

morny
05-19-2009, 06:21 PM
It wasn't a virus, just a false positive, but the problem is fixed now.

haian
01-07-2010, 05:48 PM
It wasn't a virus, just a false positive, but the problem is fixed now.

http://img63.imageshack.us/img63/8622/14509749.jpg

fozzy71
01-07-2010, 07:07 PM
Close HEM and your anti-virus and delete any \xenocode\appliance cache folders and any other possible false positive files.

1. Enable "Show hidden files and folders" under Control Panel -> Folder Options -> View
2. Go to C:\Users\%USERPROFILE%\AppData\Local\Xenocode\Appliance Cache and delete every folder you can find in there

If you are on XP, that location is C:\Documents and Settings\%USERPROFILE%\Local\Application Data\xenocode\appliance cache

Empty your recycle bin.

reboot

Please update to the latest beta - http://www.holdemmanager.com/downloads/HmBetaUpdate.exe


If you have Kaspersky try this:

http://www.holdemmanager.net/forum/showpost.php?p=99782&postcount=10


or this:

* Go into the KAV settings window.
* Navigate to the Service node.
* Here, turn on the Compatibility mode for programs using self-protection option.

If that does not work then find the "Heuristic Scanning" option in Kaspersky and disable that.

haian
01-08-2010, 03:50 AM
so you can confirm that this is still the old false positive from the older versions? I use gdata btw

netsrak
01-08-2010, 04:52 AM
You get the warnings in a Xenocode subfolder which we no longer use (I think since 1.09 B 43). You can delete these files after updating Holdem Manager.
The other warnings are in a system restore point. I'm not sure how to delete this (possibly disabling restore, deleting the files and re-enabling system restore).

haian
01-08-2010, 07:02 AM
You get the warnings in a Xenocode subfolder which we no longer use (I think since 1.09 B 43). You can delete these files after updating Holdem Manager.
The other warnings are in a system restore point. I'm not sure how to delete this (possibly disabling restore, deleting the files and re-enabling system restore).

yeah already did that, thanks!