Project 1999

  #1  
Old 08-10-2014, 11:52 PM
Jaleth Jaleth is offline
Sarnak

Join Date: Apr 2011
Location: Hither . . . sometimes yon
Posts: 305
dsetup.dll Trojan in V33?

Not sure why, but when I try to open the game it says dsetup.dll is missing and immediately closes the program (my friend is having the same problem). So I tried to re-patch the latest version V33, it says that dsetup.dll is a Trojan.Gen.2 program and Norton removes it.

Any advice? I even tried just adding that dsetup.dll to my eq directory directly, and Norton rejects it right away. I've updated my security software, so I am sure it's not out of date.

I tried third party dsetup.dll software and it loads eqemu server select fine, but it nullifies the V33 update of p1999 and says I need to download the latest spell files. So I download the latest patch files . . .again . . . .(V33) and I don't have the dsetup.dll file again and it closes.

Any help would be greatly appreciated.

Windows 7, 64 bit OS.
  #2  
Old 08-11-2014, 12:09 AM
phacemeltar phacemeltar is offline
Planar Protector

Join Date: Jun 2013
Location: western hemisphere
Posts: 1,612

Whitelist the directory in Norton if you want to play. I'm not sure exactly what the file is capable of doing, but opening it in ResourceHacker shows that it has a privilege level of "asInvoker", so as long as you do not run EQ as admin there is no need to worry.
  #3  
Old 08-11-2014, 10:42 PM
Fylgi Fylgi is offline
Decaying Skeleton


Join Date: Apr 2012
Location: Denmark
Posts: 4

Get the same problem. For the moment I've allowed the file to run, but I must admit it worries me...
  #4  
Old 08-11-2014, 11:23 PM
Lanuven Lanuven is offline
Fire Giant

Join Date: Apr 2011
Posts: 619

This was brought up long ago in another thread. They use it to check for other processes running on your machine like ShowEQ. It's a risk you take to play the game on their server.
  #5  
Old 08-12-2014, 05:14 AM
Hyasinth Hyasinth is offline
Orc

Join Date: Feb 2013
Posts: 34

Placing a trojan within the download without a warning is wrong. There was no mention of this trojan being placed within a required file to run this free game. It's now NOT free, when you consider that p99 staff can be performing tasks other than just watching to see if anyone is cheating....so it's ok for them to cheat?? I am really pissed about this. I have been playing since 2011 and my virus scanner never detected this virus until the most recent patch.

It should have been in red capital letters next to the download link, "WARNING...YOU HAVE TO DOWNLOAD A TROJAN VIRUS TO PLAY OUR FREE GAME!!!" Again, it's a bit late now. I added the dsetup.dll to my VS vault before realizing what it was.

I wish I would have been given the courtesy of a warning prior to this virus infecting my computer. I will never really know if they took information, or what.

It's really really not ok for strangers to have access to my computer with all my private information, under the guise of a "free" game. As I said, it's already too late, thanks.
  #6  
Old 08-12-2014, 05:24 AM
a_gnoll_pup a_gnoll_pup is offline
Sarnak


Join Date: Apr 2013
Posts: 230

Quote:
Originally Posted by Hyasinth
Placing a trojan within the download without a warning is wrong. There was no mention of this trojan being placed within a required file to run this free game. It's now NOT free, when you consider that p99 staff can be performing tasks other than just watching to see if anyone is cheating....so it's ok for them to cheat?? I am really pissed about this. I have been playing since 2011 and my virus scanner never detected this virus until the most recent patch.

It should have been in red capital letters next to the download link, "WARNING...YOU HAVE TO DOWNLOAD A TROJAN VIRUS TO PLAY OUR FREE GAME!!!" Again, it's a bit late now. I added the dsetup.dll to my VS vault before realizing what it was.

I wish I would have been given the courtesy of a warning prior to this virus infecting my computer. I will never really know if they took information, or what.

It's really really not ok for strangers to have access to my computer with all my private information, under the guise of a "free" game. As I said, it's already too late, thanks.

There's no Trojan here. Just code that looks like a trojan to most AVs. It doesn't access your private information, unless you consider file paths of loaded modules into the EverQuest client 'private' or 'sensitive' information.

You obviously have no idea what a trojan is, so I doubt there's anything I can do to convince you otherwise.

Good day.
  #7  
Old 08-12-2014, 08:03 AM
Hyasinth Hyasinth is offline
Orc

Join Date: Feb 2013
Posts: 34

Then why is it named Trojan.Gen.2? Couldn't they have named it nuffinbadhere.Gen.2 or whatever?

When I read up on this trojan at Symantec, although relatively low lvl threat, and rated very easy to remove, it does say it can self replicate, and is very much like other back door trojans and not something anyone wants to have on their comp.

Thank you for your response. If you have any other information that would make me rest a little easier regarding this trojan, please post it.
  #8  
Old 08-12-2014, 08:04 AM
Baler Baler is offline
Planar Protector

Join Date: Mar 2014
Posts: 9,520

It's called a false positive.
Norton antivirus is notorious for overreacting and producing false positives. Now don't get me wrong, there is a lot of malicious stuff on the internet, but with as many people as there are on Project 1999 from all walks of life, I'd think someone would have blown a whistle if the files really were dirty.

Quote:
Originally Posted by Hyasinth
Then why is it named Trojan.Gen.2

They chose to give it a generic name. For a plethora of different flags that Norton has.
Not all "Trojan.Gen.2" are false positives mind you.
Last edited by Baler; 08-12-2014 at 08:11 AM..
  #9  
Old 08-12-2014, 08:33 AM
Hyasinth Hyasinth is offline
Orc

Join Date: Feb 2013
Posts: 34

Thank you, that is what I was saying regarding them selecting a different trojan (I guess) or at least an explanation of what it actually was. It was a bit scary to me, as I am not that knowledgeable in regard to viruses. I notice though that I am not the only one that was concerned. I have friends that play and were nervous about it, because there are bad ones out there with that same name.

Thanks for your response and explanation.

*edited a typo
  #10  
Old 08-12-2014, 09:30 AM
a_gnoll_pup a_gnoll_pup is offline
Sarnak


Join Date: Apr 2013
Posts: 230

What he posted is correct.

When a computer program is made that an Antivirus doesn't know how to interpret (such as a program packed with an executable obfuscator such as Themida) it flags the program as a malicious file because of the way Themida scrambles the file.

If everyone makes their program look the same on the surface, then it gives you this warning detection as it cannot 'look at' the file without executing the code, which may or may not be malicious.

Most AntiViruses tend to flag the file as malicious as there is no way to determine whether a file is malicious or not, hence why it says generic in the description - not all Gen2 files are malicious, but some may be.

The reason AV programs do this is mainly for work computers; a common user at work has all their executables whitelisted by their systems administrator and you don't typically need to protect code sections while doing work - or using any application that doesn't need to be protected to prevent cheating. When in situations like this, antivirus vendors tend to err on the side of caution rather than have a hacker have a free ticket to compromise a computer by buying a product like Themida and have a free bypass for their AV software.

Here is a virustotal link of the application.
https://www.virustotal.com/en/file/4...e998/analysis/

Notice the detections in some programs flag it as Themida, this is because some of the code sections are missing/mislabeled.

For more information on Themida, read up here:

http://www.oreans.com/themida.php
Last edited by a_gnoll_pup; 08-12-2014 at 09:35 AM..
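
As an added illustration of the point made in post #10 (this is not code from the thread, from the Project 1999 client, or from any antivirus product): a packed or encrypted section has near-maximal byte entropy, which is one static signal a scanner can see without running the file, and it says nothing about what the code does once unpacked. The 7.2 threshold, the section names and the sample bytes are assumptions constructed for the example.

```python
import math
import os
import struct
from collections import Counter
ENTROPY_THRESHOLD = 7.2  # assumed cut-off; packed or encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section listed in a PE image."""
    pe_off, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(n_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def triage(image: bytes):
    """Return [(section, entropy, looks_packed)] for a PE image."""
    scored = ((name, shannon_entropy(data)) for name, data in pe_sections(image))
    return [(name, round(h, 2), h > ENTROPY_THRESHOLD) for name, h in scored]

def build_sample(sections):
    """Constructed test input: a minimal PE-shaped byte string (not loadable)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)
    body_off = 0x40 + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data),
                             body_off + len(body), 0, 0, 0, 0, 0)
        body += data
    return bytes(header) + b"PE\0\0" + coff + table + body

# Repetitive bytes stand in for plain code, random bytes for a packed section.
SAMPLE = build_sample([(b".text", b"\x55\x8b\xec\x90" * 1024),
                       (b".packed", os.urandom(4096))])
print(triage(SAMPLE))
```

To check a file on disk, pass its bytes to `triage()`; a flagged section only means the contents cannot be read statically, which is the same ambiguity behind a generic detection name.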