Trojan Question



UbU
01-29-2010, 01:16 PM
My Avira found a suspected Trojan (see below), and so I quarantined it; now HEM can't establish a connection to my DB.

Virus or unwanted program 'HTML/Silly.Gen [virus]'
detected in file 'C:\Program Files (x86)\PostgreSQL\8.4\data\pg_xlog\000000010000001800000024'.
Action performed: Move file to quarantine

I'm sort of assuming this is a false positive, but want to double check if it's okay to try and restore it from quarantine, or if there is another recommended route.

Thanks for this assistance.

fozzy71
01-29-2010, 07:14 PM
It is an old false positive from November. I just took down the sticky a few days ago. :(

Close HEM and your anti-virus and delete any \xenocode\appliance cache folders and any other possible false positive files.

1. Enable "Show hidden files and folders" under Control Panel -> Folder Options -> View
2. Go to C:\Users\%USERPROFILE%\AppData\Local\Xenocode\Appliance Cache and delete every folder you can find in there

If you are on XP, that location is C:\Documents and Settings\%USERPROFILE%\Local\Application Data\xenocode\appliance cache

Empty your recycle bin.

reboot

Please update to the latest beta - http://www.holdemmanager.com/downloads/HmBetaUpdate.exe


If you have Kaspersky try this:

http://www.holdemmanager.net/forum/showpost.php?p=99782&postcount=10


or this:

* Go into the KAV settings window.
* Navigate to the Service node.
* Here, turn on the Compatibility mode for programs using self-protection option.

If that does not work then find the "Heuristic Scanning" option in Kaspersky and disable that.

UbU
01-29-2010, 07:48 PM
Thanks Fozzy, as always.

I may, however, need further assistance.

After showing hidden folders, and following the path you delineated, I still can't find a folder labeled 'xenocode' or 'appliance' (even a search brings up nothing).

I am running Windows 7 (through a VMWare emulator on a Mac, though that shouldn't matter).

So any further guidance is appreciated.

fozzy71
01-29-2010, 08:41 PM
I guess I shouldn't have assumed this was the same thing:


'C:\Program Files (x86)\PostgreSQL\8.4\data\pg_xlog\000000010000001800000024'

This is possibly a real virus/trojan issue. That is PostgreSQL. The false positive issue we had was with some of our HM executables being flagged because of our (previous) xenocode/xheo licensing.

I would suggest you run a full MBAM and SAS scan, and follow the advice in this thread. I am not smart enough to help you if this is a real threat, and not the false positive I assumed it to be.

http://forumserver.twoplustwo.com/48/computer-technical-help/virus-spyware-malware-q-please-read-before-posting-321637/

UbU
01-30-2010, 03:37 AM
Okay, thanks. I ran full scans and made sure everything's clean. But now HEM still can't connect to my db. I've tried reinstalling PostgreSQL to no avail.

netsrak
01-30-2010, 06:20 AM
Please check this for Windows 7: http://forums.holdemmanager.com/showthread.php?t=21121

and our FAQ: http://faq.holdemmanager.com/questions/91/Can%27t+Connect+%7B47%7D+Failed+to+Start+PostgreSQL+

UbU
01-30-2010, 11:01 AM
I have read the FAQs and any relevant thread I can find. I have set the proper things to run as admin, turned off UAC, disabled (temporarily) Windows Firewall and Defender, etc. I've trawled through the FAQs. To no avail. HEM was running fine since I first installed it over a year ago; this is my first problem.

Here is my dilemma:

1. After I quarantined the file (see above) HEM could no longer connect to database.
2. I tried to reinstall both HEM and PostgreSQL using the combo installer, but it stops halfway through and says it can't complete.
3. I tried uninstalling then reinstalling the same version of PostgreSQL as I was running (8.4.1).
4. What I want to do: reinstall PostgreSQL (which I was able to do) and reimport my old database, which I can't figure out how to do. Maybe I'm missing it, but I can't find a FAQ or thread that addresses how to do this.

fozzy71
01-30-2010, 12:04 PM
.....

1. After I quarantined the file (see above) HEM could no longer connect to database.

It quarantined a (necessary/critical) database file. Chances are you will never be able to connect to that DB again.

2. I tried to reinstall both HEM and PostgreSQL using the combo installer, but it stops halfway through and says it can't complete.

Some W7 machines can be finicky with PostgreSQL 8.4, but you obviously had it running before, even though you were on a VM.

3. I tried uninstalling then reinstalling the same version of PostgreSQL as I was running (8.4.1).

If your DB was in working order it would probably be possible to reinstall and use your old \data folder. Unfortunately a file from \data\pg_xlog was removed, which has killed the connection.

4. What I want to do: reinstall PostgreSQL (which I was able to do) and reimport my old database, which I can't figure out how to do.

I would recommend a clean reinstall of PostgreSQL (once you know your machine is clean) and reimport all your original/archived hand histories. If you play a site like Stars/FTP you can email their support and ask for all your old hand histories and tourney summaries.

Maybe I'm missing it, but I can't find a FAQ or thread that addresses how to do this.

We have some FAQs from our old FAQ system, but they are for 8.3. I am working on the FAQs that you would need, and I hope to have them done tonight. We recently re-launched the website and FAQs, so our new/current FAQs are still being updated/completed.


Here are my cliff notes:

*Please update to the latest beta - http://www.holdemmanager.com/downloads/HmBetaUpdate.exe

1) Uninstall PostgreSQL from the Windows Control Panel.
2) Use our combo installer to reinstall PostgreSQL. Make sure you un-check Holdem Manager during installation. http://www.holdemmanager.com/downloads/Holdem_Manager_Setup.exe

If that installer fails to install PostgreSQL, please reinstall PostgreSQL using the following instructions:
A) Start > Programs > Accessories > Command Prompt > Right-Click > Run As Administrator

net user postgres /delete
B) Reboot.
C) Try installing this version of PostgreSQL - http://www.holdemmanager.com/downloads/Postgres_8.3.9-v1.0.7.exe
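A quick way to confirm what fozzy71 describes above (a segment removed from \data\pg_xlog breaking the WAL chain) is to scan the pg_xlog directory listing for gaps in the segment sequence. This is an added example, not code from the thread or from Holdem Manager; it assumes the PostgreSQL 8.4 segment naming scheme with 255 segments per log id, and the directory listing it checks is constructed.

```python
"""Detect gaps in a PostgreSQL 8.x pg_xlog segment sequence.

Added example, not from the original thread. Assumes PostgreSQL 8.4 WAL
naming TTTTTTTTLLLLLLLLSSSSSSSS (timeline, log id, segment) with 0xFF (255)
segments per log id (segment numbers 00..FE); 9.3+ uses 256 per log id.
"""
import re

WAL_NAME = re.compile(r"^([0-9A-F]{8})([0-9A-F]{8})([0-9A-F]{8})$")
SEGS_PER_LOG = 0xFF  # PostgreSQL < 9.3; use 0x100 for 9.3 and later


def parse_segment(name):
    """Return (timeline, log_id, seg) for a WAL segment file name, else None."""
    m = WAL_NAME.match(name)
    if not m:
        return None  # archive_status, *.backup, *.history are not segments
    return tuple(int(part, 16) for part in m.groups())


def index_to_name(timeline, idx):
    """Inverse of the linear index: rebuild the 24-character file name."""
    return "%08X%08X%08X" % (timeline, idx // SEGS_PER_LOG, idx % SEGS_PER_LOG)


def find_gaps(names):
    """Names of segments missing between the oldest and newest segment of
    each timeline; a segment moved to quarantine shows up here."""
    per_timeline = {}
    for name in names:
        parsed = parse_segment(name)
        if parsed:
            tl, log_id, seg = parsed
            per_timeline.setdefault(tl, set()).add(log_id * SEGS_PER_LOG + seg)
    missing = []
    for tl, present in sorted(per_timeline.items()):
        for idx in range(min(present), max(present) + 1):
            if idx not in present:
                missing.append(index_to_name(tl, idx))
    return missing


# Constructed listing modelled on the thread: the segment Avira quarantined
# (000000010000001800000024) is absent while its neighbours remain.
SAMPLE_LISTING = ["000000010000001800000023", "000000010000001800000025",
                  "archive_status"]

if __name__ == "__main__":
    print("missing WAL segments:", find_gaps(SAMPLE_LISTING))
```

Run it against `os.listdir` of the real pg_xlog folder; any name it reports should be searched for in the anti-virus quarantine before the data directory is given up on.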

UbU
01-30-2010, 12:35 PM
Thanks for the detailed response, Fozzy; I have to hand it to you guys, HEM's customer support is top notch. I will go through all the steps you say and see if I can't get back up and running.