Posted April 05, 2016
I found that the 1.38 Tropical patch is loaded with several instances of Win32/Detplock--just spent the last hour cleaning all of them out. Thought I'd pass this on...I installed the mod yesterday from this site:
https://www.mediafire.com/?bab6i5ezwj6u1
I should have known better, it's a Russian site, apparently *cough*...;) Word to the wise--if you installed any mods from that site as I foolishly did you'll want to scan your complete Moo3 game directories--and probably your whole drive--I caught one instance hiding in the Recycle Bin of the drive the game is installed on--it put itself there.
The specific file name of the 13 instances Malwarebytes Anti-Malware found and removed is "uielement.exe"...I found that while Win10x64 detected the malware through Defender, Defender for some reason could not remove it, although it reported that it had removed every instance. Malwarebytes Anti-Malware also saw them but was successful in actually removing them. (First time for me that Defender wasn't up to the task.)
My symptoms were few but noticeable:
1) AV programs saw it and warned me of the location of the infections
2) Very curious this next...although the malware did not strangle my network or cut it off, or my access to my AV programs, what it did do was to cause my system to completely lock up after any of the AV-scanners had scanned a drive for approximately ~3 minutes and 20 seconds, or so--which meant that without knowing where the infection was (which I did, fortunately) I could not have found and neutralized this malware via a bulk drive scan, since most likely the system would lock up *before* it had scanned and eliminated the infections...! That happened to me a couple of times before I went hunting for the specific UIelement.exe infected files and found them in the Moo3 mods.
Scary, because I was infected even though I am running an advanced build of Win10x64 not yet available to the general public.
Not so scary because I think that my version of Windows (Win10) curtailed much of what this Trojan attempted to do to foul up my system, maybe--but it still managed to do enough--via the lockups it caused. These were hard locks, too--only way out was a hardware reset. Also not so scary because this is a well-known Trojan that evidently comes in many flavors--but is well-known by the major AV/Malware programs.
However, the goal of this thing is to get into your system without making you aware of its presence, and relaying your information and/or your keystrokes to another site, so shutting down your network and disabling your AV and/or firewall would be direct indicators of its presence--and this thing doesn't do that because it wants to live and thrive. It did, however, shut down every AV drive scan I attempted via a hard system lockup after just over 3 minutes of scanning. The trick is to note the *file name and location* when your AV program first gives it to you--then you can cut it off at the knees and get rid of it.
Last observation...it's interesting, but today I grabbed a 32 GB thumb drive (Sandisk) from off the shelf at WalMart. I got home and plugged it into a USB port and *wham* that's when Defender picked up the uielement.exe malware for the first time that I'd seen it and blasted a warning about it! My first thought of course was that it came from the thumb drive, but I scanned it and nothing was there and reformatted the thumb drive without difficulty to NTFS (preferred over FAT32 for me because I'm just dealing with Win10 boxes.) So...
What I *think* happened...is that this version of Win32/Detplock wasn't immediately picked up when installed because it is designed to be quiescent and not to draw attention to itself--at least until it has had a chance to spread itself. I think that when I plugged in the thumb drive and Windows recognized it, the malware activated and attempted to copy itself to the new drive. Ergo, it showed itself and was trapped...because there was nothing on that little thumb drive it could hurt and nowhere on that drive it could hide. And I trapped and eradicated it.
Anyway, that's my theory. Needless to say I would rather have spent the afternoon doing something else...!...;) Hopefully, though, this account will help someone who may have inadvertently done what I did.
A word about mods in general, though: I've got dozens, probably hundreds, installed in other games, and this is the first time I've had something like this happen. It won't stop me from installing mods in the future, and it should not stop anyone else--but I'll be more cautious and *consider the origins & the source* from which the mod comes from now on...;)
Post edited April 05, 2016 by waltc
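The post's remediation advice boils down to a targeted sweep: once the AV has told you the file name, walk the game directories and the drive's Recycle Bin yourself, note every location, and check whether the copies are identical. The script below is an added example written for this thread, not code from the poster or from any AV vendor. It takes the file name from the post ("uielement.exe") but builds a constructed, placeholder directory tree in a temp folder (the `Moo3/Mods/Tropical` and `$Recycle.Bin` paths are assumed for illustration, and the files contain harmless placeholder bytes, not malware). It reports each hit with its SHA-256 so the copies can be compared or submitted to the AV vendor, and matches names case-insensitively because NTFS is.

```python
"""Sweep directory trees for a known malicious file name and report each
hit's location and SHA-256.  Added example for the thread above; the
sample tree is constructed here and contains only placeholder bytes.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large game assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots, names):
    """Walk every root and return sorted (path, sha256) pairs for files whose
    name is in `names`.  Comparison is case-insensitive: NTFS treats
    uielement.exe and UIElement.exe as the same name."""
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() in wanted:
                    p = Path(dirpath) / fn
                    hits.append((str(p), sha256_of(p)))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample layout (assumed paths, placeholder content):
    a game directory with a mod subfolder and a Recycle Bin folder,
    each holding a file with the reported name next to benign files."""
    base = Path(tempfile.mkdtemp(prefix="sweep_demo_"))
    mod_dir = base / "Moo3" / "Mods" / "Tropical"
    bin_dir = base / "$Recycle.Bin" / "S-1-5-21-placeholder"
    mod_dir.mkdir(parents=True)
    bin_dir.mkdir(parents=True)
    (mod_dir / "uielement.exe").write_bytes(b"PLACEHOLDER-COPY-1")
    (mod_dir / "readme.txt").write_bytes(b"benign mod readme")
    (base / "Moo3" / "UIElement.exe").write_bytes(b"PLACEHOLDER-COPY-1")
    (bin_dir / "uielement.exe").write_bytes(b"PLACEHOLDER-COPY-2")
    return base


def demo():
    """Build the sample tree, sweep it, and group hits by hash so identical
    copies (same hash) stand out from variants (different hash)."""
    base = build_sample_tree()
    hits = sweep([base], ["uielement.exe"])
    by_hash = {}
    for path, digest in hits:
        by_hash.setdefault(digest, []).append(path)
    return {
        "hits": hits,
        "count": len(hits),
        "distinct_hashes": len(by_hash),
        "groups": by_hash,
    }


if __name__ == "__main__":
    result = demo()
    print(f"{result['count']} hit(s), {result['distinct_hashes']} distinct hash(es)")
    for digest, paths in result["groups"].items():
        print(digest[:16], "...")
        for p in paths:
            print("   ", p)
```

On a real box you would pass the game directory and the drive root (including its `$Recycle.Bin`) as `roots` instead of the constructed tree; grouping by hash tells you whether you are looking at one dropper copied around or several different builds, which is useful to know before you trust a single AV signature to catch all of them.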