Two Plus Two Newer Archives  

  #61  
Old 02-02-2006, 07:18 AM
Pinga Pinga is offline
Senior Member
 
Join Date: Jan 2005
Posts: 165
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

I spent a little time on this but didn't come up with anything special. I'll spend some time on it tonight if it hasn't been resolved - can't do it this morning.

I don't feel good about the dll file DrSavage found. Have you tried to use process explorer to see what is using it? Also, run the dll-type file through Virus Total or a similar service?

I could use a copy to work with - please zip the file and put a password on it. pinga@adelphia.net

Side note:
I strongly recommend anyone with more than a couple of K at risk use a separate computer purely for poker playing.

The poker computer should be used for poker ONLY. No 2+2, no pr0n, no reading email. Poker playing only.

I know some of you do this, but I think there are a lot of high stakes players who use the same computer for everything.

A new computer to surf the web and read mail is very cheap.
  #62  
Old 02-02-2006, 08:05 AM
LazyRobot LazyRobot is offline
Senior Member
 
Join Date: Aug 2004
Posts: 204
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Okay, I had a chance to look at this again tonight.

Party has failed to respond to me and I am not sure what that is about but you know how Party support is.

I used ProcessExplorer to verify that Party was using the .tmp file in question. (Mine in this example is named c62.tmp) See that here (process view). ProcessExplorer has highlighted it yellow to indicate it is a moved DLL.

This moved dll has the same md5 sum as its good buddy llh.dll which is found in the Party poker client's install folder. You can view that here (hash of moved dll vs llh.dll)

Additionally this is a shot from a clean install of PartyPoker beta install. Notice the date of the llh.dll file. View Image of Party folder

The original 34.tmp has the same md5 sum as the c62.tmp and is the same file that MAS was flagging, indicating it is a copy of llh.dll which is found in your Party folder and is listed under the copy files directive in the install.log. This file only gets flagged as a Trojan by MAS when named 34.tmp.

If someone else would please contact Party, I think I am on their do-not give cust support list.
  #63  
Old 02-02-2006, 08:23 AM
BOTW BOTW is offline
Senior Member
 
Join Date: Sep 2002
Posts: 320
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

This is a false positive, but you should still keep everything up-to-date and scan often.

I logged into Party and let it create the temp files. I renamed one that was 28K and created on 1/5/05 and MAS detected it when it was named 34.tmp. It will not detect it with the original file name, nor will it detect it in other locations. It has the same hash that others have noted.

Party sucks and they also suck for not cleaning up after themselves--I had hundreds of these 28K files dated 1/5/05.

jotti scanners and Norman sandbox also found nothing.

Edit: What LazyRobot said.
  #64  
Old 02-02-2006, 08:32 AM
edtost edtost is offline
Senior Member
 
Join Date: Feb 2004
Posts: 2,971
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

i have a bunch of tmp files in that directory modified 1/5/2005 11:56 am, and haven't logged in to party since before the split. ugh.
  #65  
Old 02-02-2006, 11:30 AM
KaneKungFu123 KaneKungFu123 is offline
Senior Member
 
Join Date: Feb 2005
Location: Eating Dead Animal
Posts: 6,449
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

You guys seem to be missing something. This 1/5/2005 date is just made up. I bought this notebook last month.

The file keeps coming back after I delete it with Microsoft Anti Spyware. Really starting to get bothered.
  #66  
Old 02-02-2006, 12:09 PM
astroglide astroglide is offline
Senior Member
 
Join Date: Sep 2002
Posts: 13,836
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

i'm clean at home too, and i was one of the "lucky 100" that actually got invited into the party beta.
  #67  
Old 02-02-2006, 12:28 PM
KaneKungFu123 KaneKungFu123 is offline
Senior Member
 
Join Date: Feb 2005
Location: Eating Dead Animal
Posts: 6,449
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
i'm clean at home too, and i was one of the "lucky 100" that actually got invited into the party beta.

[/ QUOTE ]

diablo never downloaded beta.
  #68  
Old 02-02-2006, 01:19 PM
TheRover TheRover is offline
Senior Member
 
Join Date: Feb 2005
Posts: 5,910
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

fwiw,

I scanned my system yesterday with zonealarm security suite, avast, and came up clean. Just installed and ran Microsoft antispyware and got nothin'.

I haven't opened my Party client in months.
  #69  
Old 02-02-2006, 01:20 PM
EMc EMc is offline
Senior Member
 
Join Date: Feb 2005
Location: LETS GO YANKEES!!
Posts: 7,663
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Neither have I.
  #70  
Old 02-02-2006, 02:28 PM
Pinga Pinga is offline
Senior Member
 
Join Date: Jan 2005
Posts: 165
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

I have verified these results - this is a false alert.

If you copy any dll to %TEMP%/34.tmp MAS will issue the alert.

Party copies a dll to this location. It is not malware.
Reply With Quote
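
Added example (not part of the thread or any poster's code): the hash comparison LazyRobot and BOTW describe, as a Python script that maps each .tmp file to the installed DLL it is byte-identical to. It uses SHA-256 rather than the MD5 sums quoted in the thread; the directory layout, the `zz9.tmp` file and all file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 65536) -> str:
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_temp_copies(install_dir: Path, temp_dir: Path) -> dict:
    """Map each *.tmp file to the installed DLLs it is byte-identical to.

    An empty list means the temp file matches nothing the client shipped
    and still needs a closer look (multi-engine scan, sandbox).
    """
    installed = {}
    for dll in install_dir.glob("*.dll"):
        installed.setdefault(sha256_of(dll), []).append(dll.name)
    return {
        tmp.name: sorted(installed.get(sha256_of(tmp), []))
        for tmp in sorted(temp_dir.glob("*.tmp"))
    }


def demo() -> dict:
    # Constructed sample data: stand-in bytes, not the real PartyPoker files.
    with tempfile.TemporaryDirectory() as root:
        install, temp = Path(root, "PartyPoker"), Path(root, "Temp")
        install.mkdir()
        temp.mkdir()
        dll_bytes = b"MZ" + b"constructed llh.dll stand-in" * 1000
        (install / "llh.dll").write_bytes(dll_bytes)
        (temp / "34.tmp").write_bytes(dll_bytes)   # flagged name, same content
        (temp / "c62.tmp").write_bytes(dll_bytes)  # moved copy in use
        (temp / "zz9.tmp").write_bytes(b"MZ" + b"unrelated")  # matches nothing
        return match_temp_copies(install, temp)


if __name__ == "__main__":
    for name, matches in demo().items():
        print(name, "->", matches or "NO MATCH: investigate")
```

A temp file that matches an installed DLL only shows it is a copy of what the client shipped; whether that DLL itself is trustworthy is a separate check against a clean install or the vendor.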