Does 40Test include a Trojan Horse? Was I robbed of 900 € via Neteller?



Daniel Cima
10-26-2009, 06:25 PM
Hi everyone,

Maybe there is a slight problem with the security at RVG software. I have just been robbed of 900 € just 4 days after installing version HmUpdate40Test, and coincidentally I received a warning from my antivirus software, which, as recommended by some RVG staff in the forum (can't remember the name of the guy), I ignored.

Here is the antivirus report (by the way, the serial number is not usable; I modified it for this post):

Avira AntiVir Personal
Report file date: Saturday, October 17, 2009 22:14

Scanning for 1800842 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 4556663223-AIEIOPA-03040201
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ZOPPENHUNG

(I took a bit of the info out, because I can only post 10000 characters here.)

Start of the scan: Saturday, October 17, 2009 22:14

Starting search for hidden objects.
'55077' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'PokerStars.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'cidaemon.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'MacDrive.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'pg_ctl.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'MacDriveService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'cisvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.auwc back-door program
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbn back-door program
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 BC20518\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbo back-door program
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 BC20518\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbp back-door program
C:\Documents and Settings\Daniel Cima\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbn back-door program
C:\Documents and Settings\Daniel Cima\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 BC20518\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbo back-door program
C:\System Volume Information\_restore{FBF9AA47-CA59-4C6C-A46B-7451B75840CD}\RP78\A0014340.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbn back-door program

Beginning disinfection:
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.auwc back-door program
[NOTE] The file was moved to '4b1d2f4c.qua'!
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbn back-door program
[NOTE] The file was moved to '4b232f57.qua'!
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 BC20518\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbo back-door program
[NOTE] The file was moved to '484809d8.qua'!
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 BC20518\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbp back-door program
[NOTE] The file was moved to '4b462f79.qua'!
C:\Documents and Settings\Daniel Cima\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbn back-door program
[NOTE] The file was moved to '4b232f58.qua'!
C:\Documents and Settings\Daniel Cima\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 BC20518\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbo back-door program
[NOTE] The file was moved to '484e0109.qua'!
C:\System Volume Information\_restore{FBF9AA47-CA59-4C6C-A46B-7451B75840CD}\RP78\A0014340.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbn back-door program
[NOTE] The file was moved to '4b0a2f3b.qua'!


End of the scan: Saturday, October 17, 2009 22:54
Used time: 39:58 Minute(s)

The scan has been done completely.

5406 Scanned directories
247918 Files were scanned
7 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
7 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
247910 Files not concerned
1804 Archives were scanned
1 Warnings
8 Notes
55077 Objects were scanned with rootkit scan
0 Hidden objects were found

________________________________________

So, what are we going to do about this? I don't know, but maybe the clever guys here at RVG have an idea. How can I tell it's one of RVG's staff? I don't. How can I post this? It seems quite interesting that I got hacked just a few days after this nice recommended installation and recommended ignoring of the security issue. It seems there will be many more people who will be, or maybe already were, robbed of a lot of money.

If you want further proof, no problem, I will show you the email of the peer to peer transfer I never executed.

Let's get this party started.

Daniel

fozzy71
10-26-2009, 09:44 PM
Xenocode warnings are false positives from our previous obfuscation software.

To get rid of the false positives:

Close HEM and your anti-virus and delete any \xenocode\appliance cache folders and any other possible false positive files.

1. Enable "Show hidden files and folders" under Control Panel -> Folder Options -> View
2. Go to C:\Users\%USERPROFILE%\AppData\Local\Xenocode\Appliance Cache and delete every folder you can find in there

If you are on XP, that location is C:\Documents and Settings\%USERPROFILE%\Local\Application Data\xenocode\appliance cache

Empty your recycle bin.

Reboot.

Please update to the latest beta - http://www.holdemmanager.com/downloads/HmBetaUpdate.exe


To make sure you don't have any actual trojans/viruses, I recommend you follow this post and run all the scans they suggest:

http://forumserver.twoplustwo.com/48/computer-technical-help/virus-spyware-malware-q-please-read-before-posting-321637/
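As an added illustration (not code from either post or from RVG): a small Python triage helper that parses an Avira report in the layout quoted in the first post and buckets each detection by where the flagged file lives, so an analyst can check at a glance whether every hit sits inside the Xenocode appliance cache that fozzy71's false-positive explanation covers, and whether a hit outside it is a System Restore copy (Windows keeps those under System Volume Information\_restore) or something unexplained. The report text is a constructed excerpt of the one above, and the bucket names are this example's own.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Avira report quoted in the first post
# (two of its seven detections, plus the disinfection section that repeats a path).
REPORT = r"""Begin scan in 'C:\'
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.auwc back-door program
C:\System Volume Information\_restore{FBF9AA47-CA59-4C6C-A46B-7451B75840CD}\RP78\A0014340.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.avbn back-door program
Beginning disinfection:
C:\Documents and Settings\Butzmin\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7 2674296\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Poison.auwc back-door program
[NOTE] The file was moved to '4b1d2f4c.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a scanned file path starts each record
SIG_RE = re.compile(r"\(harmful\)\s+(\S+)")     # signature name, e.g. BDS/Poison.auwc
QUA_RE = re.compile(r"moved to '([^']+)'")      # quarantine file name from a [NOTE]


def parse_report(text):
    """Map each flagged path to its signature and quarantine file. Keyed by path,
    so the disinfection section, which repeats every detection, is not double-counted."""
    findings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
        elif line.startswith("[DETECTION]") and current:
            m = SIG_RE.search(line)
            entry = findings.setdefault(current, {"signature": None, "quarantine": None})
            entry["signature"] = m.group(1) if m else line
        elif line.startswith("[NOTE]") and current in findings:
            m = QUA_RE.search(line)
            if m:
                findings[current]["quarantine"] = m.group(1)
    return findings


def classify(path):
    """Bucket a flagged path: the obfuscator's cached stub, a System Restore copy, or other."""
    p = path.lower()
    if "\\xenocode\\appliancecaches\\" in p:
        return "xenocode_cache"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "other"


def summarize(text):
    # Anything counted under "other" is not explained by the Xenocode false-positive story.
    findings = parse_report(text)
    return dict(Counter(classify(p) for p in findings)), findings
```

Run `summarize(REPORT)` on the full report from the first post to get the per-bucket counts; in that report all seven hits fall into the two explained buckets.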