Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[SamG]

[ QUOTE ]
Just found this thing. I haven't opened PP in months, I play on absolute... could absolute have made the file?

I'm disconcerted that I don't have the same explanation as you guys (that party creates a file that creates a false positive)

[/ QUOTE ]
Party doesn't delete the temp files, so it could still be from whenever you used Party months ago.

[callmedonnie]

[ QUOTE ]
[ QUOTE ]
All,

If this is a false positive, why are there a ton of people who play Party and use MAS but haven't seen this? Something seems v. fishy.

[/ QUOTE ]

El D. -

once upon a time, someone wrote a virus which among other things created a file called 34.tmp in your Temp directory. This maybe have been yesterday or three years ago, by a virus author that has maybe never heard of internet poker.

MAS is looking out for this virus. Anytime it finds any file in the Temp directory called 34.tmp, it says you have a virus.

meanwhile, Party Poker is [censored] random files into your Temp directory. here's some of them:

3.tmp 313.tmp 336.tmp 355.tmp 370.tmp 395.tmp 3B2.tmp 3D.tmp 3hp7DD.tmp
30.tmp 317.tmp 33E.tmp 359.tmp 376.tmp 397.tmp 3B5.tmp 3DE.tmp 3i91E9C.tmp
302.tmp 31E.tmp 34.tmp 35A.tmp 377.tmp 398.tmp 3B6.tmp 3E.tmp 3j8B5.tmp
303.tmp 32.tmp 341.tmp 35D.tmp 37E.tmp 39E.tmp 3B7.tmp 3EC.tmp 3je1E76.tmp
305.tmp 32B.tmp 343.tmp 35E.tmp 37F.tmp 39F.tmp 3BC.tmp 3F.tmp 3s71EE9.tmp
309.tmp 32E.tmp 346.tmp 35F.tmp 38.tmp 3A.tmp 3C.tmp 3F0.tmp 3sa1E98.tmp
30A.tmp 32F.tmp 348.tmp 35w1F07.tmp 388.tmp 3A5.tmp 3C4.tmp 3F8.tmp 3sv1EA7.tmp
30C.tmp 33.tmp 34B.tmp 36.tmp 38C.tmp 3A6.tmp 3C9.tmp 3F9.tmp 3wn1B65.tmp
30E.tmp 333.tmp 34D.tmp 363.tmp 38F.tmp 3AD.tmp 3CB.tmp 3FC.tmp 3wn9E2.tmp
30F.tmp 3331A71.tmp 35.tmp 36D.tmp 38r1BEC.tmp 3AE.tmp 3CD.tmp 3fp1AC0.tmp
31.tmp 334.tmp 354.tmp 37.tmp 39.tmp 3B.tmp 3CF.tmp 3gs171E.tmp


they're all the same size, and there's a bunch of different names that Party gives them. If you're not getting the alert, it's perhaps because Party hasn't gone around to [censored] specifically 34.tmp into this directory yet.

[/ QUOTE ]

I have read through this whole thread and am thoroughly confused. I quoted the above post because the tone of the thread was much less alarming after this post.

I have two main questions. The first is, what is MAS? The second (and I think it was requested above) is could someone simplify what is going on instuct someone that is familiar but not trained in computers on what they should look for and how to fix it?

[whittiphil]

MAS = Microsoft Anti Spyware

Some time ago a virus made a file called 34.tmp. So MAS flags all files called 34.tmp as bad files. Turns out that Party makes a file called 34.tmp, so it shows up under the MAS scan, but the party file has nothing wrong with it - it's not the virus. That's why all the poker players have it, and that's why no one is too fussed - it's a false positive.

[callmedonnie]

Thanks a bunch. One less thing for me to worry about.

[marcus111]

i'm getting the same results from the mas scan as well. when i first opened my pp account, i used a site called pokerprophecy to see what the winning percentages of my opponents were. i would play a table then go to the site and enter the names of my opponents. this site was subsequently banned for use by pp. i was made aware of this because I entered the site while playing on pp and within minutes i received a warning from pp not to use "cheat" tools. i concluded that pp software has the ability to open a port so that it can scan or screen scrape your computer to see if you are using banned tools while playing or have banned tools installed. this is in effect a virus, as it leaves your computer vulnerable to a security breach. anyhow, i guess we have to accept this breach as it ensures the integrity of game play...there's a lot of money and business at stake for them.

[TimM]

[ QUOTE ]
i concluded that pp software has the ability to open a port so that it can scan or screen scrape your computer to see if you are using banned tools while playing or have banned tools installed. this is in effect a virus, as it leaves your computer vulnerable to a security breach. anyhow, i guess we have to accept this breach as it ensures the integrity of game play...there's a lot of money and business at stake for them.

[/ QUOTE ]

How could it open a port in my cable router without the password? (that's a rhetorical question btw)

Besides that, they wouldn't need to open a port because we all run an application provided by them. Like any application, it can be programmed to access your system, look for various things, and send information about what it finds back to their servers.

[awjpoker]

Did this really turn out to be nothing as i see people are now claiming to have lost money in their Party Account becuae of this. Not sure if i believe them but the thread is here along with some of my comments at the end whcih explain a bit more. My concern would be this is not really a false positive but coming about as Party have used software originating from the same source as the Trojan which might also have a real "backdoor" left in their for example.

http://forumserver.twoplustwo.com/showfl...e=0#Post4750429

[crunchy1]

Guys,

The problem here is not Party and not the 34.tmp file.

The problem is MAS!

Any AV program worth anything would not be returning a virus alert based soley on a file name. If this is what is actually happening - and it seems highly likely - I suggest that you all stop using MAS. This program should not be looking at filenames to determine whether or not they are a virus. It should be looking at the contents of the files it scans and matching the contents against known virus definitions.

[gambelero2]

i got this thing twice, first after installing pt, then again after installing their latest patch.

Interestingly, when i opened pt again tonight after removing the trojan, it asked me to update with their new patch again.

[gambelero2]

I've also been playing on absolute during this period when i got the trojan twice.