Legitimate actions of games - or malware?


  • Please log in to reply
1 reply to this topic

#1 RevGAM


Posted 26 November 2012 - 01:06 AM

Hi all,

I'm not sure if this is actually the best place to put this, but I didn't really find a better one, so I apologize if it should be elsewhere.

I have been checking a bunch of questionable games that I found on Portableturk.com as well as some other sources and have come across a large number of them for which EAM throws up a warning (on both WXP & W7) when I run them. The warnings are most often of this variety:
"The program simulates mouse or keyboard input."
"The program tries to directly access the drive."
"The program tries to manipulate other processes."
but there are a few others I can't remember off the top of my head.

Being that I am aware that some (if not all) of the software on that website is infected (deliberately or accidentally) by the people who make the games portable, and that much of the software, books etc. made available is in violation of copyright laws, I take a preventive stance with anything that pops up. I block and quarantine everything (well, not my Internet connection program, which "behaves like a dialer" heheh) that gets a warning. Several of these items have been released from quarantine after EAM checks with its server, yet if I run them again I get the same warning.

Descriptions of the purported infections are a bit different in EAM's log from what the warning messages show, so I've posted a log below, sorted by the last action taken.

Emsisoft Anti-Malware - Version 7.0
quarantine log

Date Source Event Behavior/Infection
11/25/2012 6:39:21 PM F:\Restaurant Empire\protect.dll File locked, removal on reboot Gen:Trojan.Heur.LP.@x7@aSM@4Nai (B)
11/24/2012 12:34:05 AM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe File locked, removal on reboot Behavior.RemoteControl
11/24/2012 12:23:44 AM C:\Users\Account\Documents\Programs\Games\Star Warrior 2 Defenders\Star Warrior 2 - Defenders.exe File locked, removal on reboot Behavior.CodeInjector
11/24/2012 12:08:11 AM D:\Nike_Shock.exe File locked, removal on reboot Gen:Trojan.Heur.FU.NOX@aKmv28hG (B)
11/25/2012 6:53:57 PM C:\Temp\New folder\Restaurant Empire\protect.dll File locked, set quarantined on reboot Gen:Trojan.Heur.LP.@x7@aSM@4Nai (B)
11/23/2012 10:27:56 PM C:\Users\Account\Documents\Programs\Games\Bob the Builder Can Do Carnival v1.0.01\Bob the Builder Can Do Carnival.exe File not found Behavior.RemoteControl
11/23/2012 10:22:06 PM C:\Users\Account\Documents\Programs\Sort me\Games\Zuma\Zuma.exe File not found Behavior.RemoteControl
11/22/2012 1:03:38 PM C:\Users\Account\AppData\Local\temp\7zS3DB1.tmp\penguins.exe File not found Behavior.RemoteControl
11/21/2012 3:40:55 PM C:\Users\Account\AppData\Local\temp\7zSBC52.tmp\PirateQuest.exe File not found Behavior.RemoteControl
11/17/2012 8:08:52 PM C:\Users\Account\AppData\Local\temp\7zSA9D5.tmp\CounterStrike2D.exe File not found Behavior.RemoteControl
11/25/2012 6:53:57 PM C:\Temp\New folder\Restaurant Empire\protect.dll Moved to quarantine Gen:Trojan.Heur.LP.@x7@aSM@4Nai (B)
11/25/2012 7:18:53 PM C:\Program Files\Restaurant Empire 2\re2.exe Moved to quarantine Behavior.RemoteControl
11/24/2012 12:19:10 PM C:\Users\Account\Documents\Programs\Games\Globey - On the Roll.exe Moved to quarantine Behavior.RemoteControl
11/24/2012 12:43:30 AM C:\Users\Account\Documents\Programs\Games\Zuma again\Zumaaaaaa.exe Moved to quarantine Behavior.RemoteControl
11/24/2012 12:43:18 AM C:\Users\Account\Documents\Programs\Games\Zuma\Zuma.exe Moved to quarantine Behavior.RemoteControl
11/24/2012 12:42:48 AM C:\Users\Account\Documents\Programs\Games\WizardLand1.10\Wizard Land.exe Moved to quarantine Behavior.CodeInjector
11/24/2012 12:42:25 AM C:\Users\Account\Documents\Programs\Games\Wedding Dash 2 - Rings Around the World\weddingdash2.exe Moved to quarantine Behavior.RemoteControl
11/24/2012 12:41:24 AM C:\Users\Account\Documents\Programs\Games\Twisted_Metall_2\TM2.EXE Moved to quarantine Behavior.RemoteControl
11/24/2012 12:34:56 AM C:\Users\Account\Documents\Programs\Games\The Heritage\TheHeritage.exe Moved to quarantine Behavior.CodeInjector
11/24/2012 12:22:29 AM C:\Users\Account\Documents\Programs\Games\Special Enquiry Detail-The Hand that Feeds\SED.exe Moved to quarantine Behavior.CodeInjector
11/23/2012 10:56:32 PM C:\Users\Account\Documents\Programs\Games\Masquerade Mysteries\Masquerade Mysteries.exe Moved to quarantine Behavior.RemoteControl
11/23/2012 10:37:23 PM C:\Users\Account\Documents\Programs\Games\Emberwind\Portable Emberwind v1.01.exe Moved to quarantine Behavior.CodeInjector
11/23/2012 10:36:31 PM C:\Users\Account\Documents\Programs\Games\Corner Chaos_1.4.2\CornerChaos!.exe Moved to quarantine Behavior.CodeInjector
11/23/2012 10:28:28 PM C:\Users\Account\Documents\Programs\Games\Boogie_Bunnies\Boogie Bunnies.exe Moved to quarantine Behavior.RemoteControl
11/23/2012 10:27:08 PM C:\Users\Account\Documents\Programs\Games\Beach_head_2000\Bh.exe Moved to quarantine Behavior.RemoteControl
11/23/2012 10:19:24 PM C:\Users\Account\Documents\Programs\Sort me\Games\worms_wp\worms_wp\wwp.exe Moved to quarantine Behavior.RemoteControl
11/23/2012 10:01:54 PM C:\Users\Account\Documents\Programs\Sort me\Games\Need 4 Speed 2\Need For Speed II SE\NFS2SEN.EXE Moved to quarantine Behavior.RemoteControl
11/23/2012 9:55:40 PM C:\Users\Account\Documents\Programs\Sort me\Games\Marbles Deluxe\Marbles.exe Moved to quarantine Behavior.RemoteControl
11/23/2012 9:54:24 PM C:\Users\Account\Documents\Programs\Sort me\Games\Arcpool\Arcade Pool II.exe Moved to quarantine Behavior.RemoteControl
11/23/2012 9:39:11 PM C:\Users\Account\Documents\Programs\Sort me\Games\game untuk anak\Dynomite\Dynomite.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 1:08:57 PM C:\Users\Account\Documents\Programs\Games\Nike_Shock.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 1:02:22 PM C:\Users\Account\AppData\Local\temp\7zSDB57.tmp\Pixelus.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 12:59:41 PM C:\Users\Account\AppData\Local\temp\RarSFX1\SvenKommt.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 12:46:44 PM C:\Users\Account\Documents\Programs\Games\Deep Voyage.exe Moved to quarantine Behavior.DirectDiskAccess
11/22/2012 12:44:52 PM C:\Users\Account\AppData\Local\temp\7zSB4C4.tmp\dairydash.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 12:43:14 PM C:\Users\Account\AppData\Local\temp\7zS285.tmp\PirateQuest.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 12:33:20 PM C:\Users\Account\Documents\Programs\Games\Book of Legends.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 12:30:14 PM C:\Users\Account\Documents\Programs\Games\Beetle Bug 3.exe Moved to quarantine Behavior.DirectDiskAccess
11/22/2012 12:24:10 PM C:\Users\Account\Documents\Programs\Games\Alabama Smith in Escape from Pompeii.exe Moved to quarantine Behavior.RemoteControl
11/21/2012 1:41:52 PM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
11/21/2012 3:45:58 PM C:\Users\Account\Documents\Programs\Games\Cooking Academy 2 - World Cuisine.exe Moved to quarantine Behavior.RemoteControl
11/21/2012 3:44:24 PM C:\Users\Account\Documents\Programs\Games\WizardLand1.10\Wizard Land.exe Moved to quarantine Behavior.CodeInjector
11/21/2012 3:42:38 PM C:\Users\Account\Documents\Programs\Games\Globey - On the Roll.exe Moved to quarantine Behavior.RemoteControl
11/21/2012 3:40:02 PM C:\Users\Account\Documents\Programs\Games\Dreamsdwell Stories.exe Moved to quarantine Behavior.DirectDiskAccess
11/21/2012 3:37:12 PM C:\Users\Account\Documents\Programs\Games\Wedding Dash 2 - Rings Around the World\weddingdash2.exe Moved to quarantine Behavior.RemoteControl
11/21/2012 2:34:58 PM C:\Users\Account\Documents\Programs\Games\Hidden in Time Mirror Mirror.exe Moved to quarantine Behavior.RemoteControl
11/21/2012 2:32:48 PM C:\Users\Account\Documents\Programs\Games\DeliciousEmily.exe Moved to quarantine Behavior.RemoteControl
11/21/2012 1:41:52 PM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
11/20/2012 6:44:19 PM C:\Program Files\GameHouse\FruitFrolic\Bricks.exe Moved to quarantine Behavior.RemoteControl
11/20/2012 6:02:31 PM C:\Users\Account\Documents\Programs\Sort me\Games\Bejeweled\WinBej.exe Moved to quarantine Behavior.RemoteControl
11/18/2012 10:26:36 PM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
11/18/2012 10:26:38 PM C:\Users\Account\AppData\Roaming\Pogo Games\Common\Cache Moved to quarantine Trace.File.Lottso (A)
11/18/2012 10:26:37 PM C:\Users\Account\AppData\Roaming\Pogo Games\Common Moved to quarantine Trace.File.Lottso (A)
11/18/2012 10:26:36 PM C:\Users\Account\AppData\Roaming\Pogo Games Moved to quarantine Trace.File.Lottso (A)
11/18/2012 10:26:36 PM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
11/18/2012 10:26:35 PM C:\Program Files\GameHouse\Atomaders\Atomaders.exe Moved to quarantine Spyware.22121 (B)
11/18/2012 10:26:34 PM C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll Moved to quarantine Adware.Win32.Yontoo.AMN (A)
11/18/2012 10:26:33 PM C:\Users\Admin\AppData\Local\temp\A5B10428FBBD103B8071C626F951C453C830674C.zip Moved to quarantine Trojan.Generic.653917 (B)
11/18/2012 10:26:33 PM C:\Users\Admin\AppData\Local\temp\7FEBB7F6E66A5B64F5F5570A2F76DE17F6F35237.zip Moved to quarantine Trojan.Generic.653917 (B)
11/18/2012 10:26:32 PM C:\Users\Account\Documents\Programs\Networking\Office Productivity\Microsoft Office 2010\Activator\KMS.Activator.Office.2010\mini-KMS_Activator_v1.2_Office2010_VL_ENG_FIXED.exe Moved to quarantine Trojan.Generic.6139748 (B)
11/18/2012 10:26:30 PM C:\Users\Account\Documents\Programs\Networking\Office Productivity\Microsoft Office 2010\Activator\KMS.Activator.Office.2010.rar Moved to quarantine Trojan.Generic.6139748 (B)
11/18/2012 10:26:29 PM C:\Users\Account\Documents\Programs\Sort me\Games\game untuk anak\Interactive Movies\Crazy Sound Machine.EXE Moved to quarantine Trojan-GameThief.Win32.Lmir.jlv (A)
11/18/2012 10:26:27 PM C:\Users\Account\Documents\Programs\Utilities\System Management\Software Informer Setup.exe Moved to quarantine Adware.Win32.OpenCandy.AMN (A)
11/10/2012 9:08:52 AM Value: hkey_local_machine\software\classes\clsid\{1339b54c-3453-11d2-93b9-000000000000}\inprocserver32 --> threadingmodel Moved to quarantine Trace.Registry.internet cleanup 5.0 (A)
11/10/2012 9:08:51 AM Value: hkey_classes_root\clsid\{1339b54c-3453-11d2-93b9-000000000000}\inprocserver32 --> threadingmodel Moved to quarantine Trace.Registry.internet cleanup 5.0 (A)
11/11/2012 12:36:10 AM C:\Program Files\GameHouse\PopDrop\PopNDrop.exe Moved to quarantine Trace.File.Super Pop and Drop (A)
11/17/2012 8:04:30 PM C:\Users\Account\Documents\Programs\Games\Color Harmony\colorharmony_r1a.exe Moved to quarantine Behavior.RemoteControl
11/11/2012 12:36:08 AM E:\System Volume Information\_restore{0DB88145-9DAA-44B9-A1EB-B55D67EC7D42}\RP143\A0072195.exe Moved to quarantine Adware.Win32.OpenCandy.AMN (A)
11/17/2012 8:49:38 PM C:\Users\Account\Documents\Programs\Games\Merriam Websters Spell Jam\SPELL-JAM.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 7:56:13 PM C:\Users\Account\Documents\Programs\Games\Candy Land - Dora the Explorer Edition\DOORAA.EXE.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 11:33:16 PM C:\Users\Account\Documents\Programs\Games\The Heritage\TheHeritage.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 8:07:49 PM C:\Users\Account\Documents\Programs\Games\Corner Chaos_1.4.2\CornerChaos!.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 8:27:05 PM C:\Users\Account\Documents\Programs\Games\Feeding Frenzy 2\Feeding Frenzy 2.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 8:10:50 PM C:\Users\Account\Documents\Programs\Games\Crazy Factory\CrazyFactory.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 8:52:18 PM C:\Users\Account\Documents\Programs\Games\Operation Mania\Operation_Mania.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 7:51:28 PM C:\Users\Account\AppData\Local\temp\RarSFX0\BOBO2.EXE Moved to quarantine Behavior.RemoteControl
11/17/2012 9:16:15 PM C:\Users\Account\Documents\Programs\Games\Righteous Kill v1.0\Righteous Kill.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 8:44:56 PM C:\Users\Account\Documents\Programs\Games\Lost_Treasures_of_El_Dorado\game.exe Moved to quarantine Behavior.RemoteControl
11/11/2012 12:36:09 AM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
11/17/2012 11:32:20 PM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 10:39:34 PM C:\Users\Account\Documents\Programs\Games\Star Warrior 2 Defenders\Star Warrior 2 - Defenders.exe Moved to quarantine Behavior.CodeInjector
11/11/2012 10:04:18 AM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
11/17/2012 10:38:15 PM C:\Users\Account\Documents\Programs\Games\Special Enquiry Detail-The Hand that Feeds\SED.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 6:16:57 PM C:\Users\Account\Documents\Programs\Games\Beach_head_2000\Bh.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 6:09:30 PM C:\Users\Account\Documents\Programs\Games\Abra Academy 2\AbraAcademy2.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 7:49:45 PM C:\Users\Account\Documents\Programs\Games\Boogie_Bunnies\Boogie Bunnies.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 8:44:25 PM C:\Users\Account\Documents\Programs\Games\Lost Realms - Legacy of the Sun Princess\LostRealms.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 8:45:43 PM C:\Users\Account\Documents\Programs\Games\Magic Encyclopedia - First Story\magic.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 6:16:09 PM C:\Users\Account\Documents\Programs\Games\Beach Head 2002\bh2.ews Moved to quarantine Behavior.RemoteControl
11/17/2012 6:08:31 PM C:\Users\Account\Documents\Programs\Games\Bob the Builder Can Do Carnival v1.0.01\Bob the Builder Can Do Carnival.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 10:38:49 PM C:\Users\Account\Documents\Programs\Games\Spiderman 1\SpideyPC.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 10:29:25 PM C:\Users\Account\Documents\Programs\Games\Robocop2D3\Robocop2D3.exe Moved to quarantine Behavior.RemoteControl
11/11/2012 12:36:02 AM E:\System Volume Information\_restore{0DB88145-9DAA-44B9-A1EB-B55D67EC7D42}\RP143\A0072197.exe Moved to quarantine Trojan.Generic.6139748 (B)
11/17/2012 8:11:19 PM C:\Users\Account\Documents\Programs\Games\Dept 42 The Mystery of the Nine\casual.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 8:46:20 PM C:\Users\Account\Documents\Programs\Games\Masquerade Mysteries\Masquerade Mysteries.exe Moved to quarantine Behavior.RemoteControl
11/17/2012 8:43:57 PM C:\Users\Account\Documents\Programs\Games\Jojos Fashion Show\JojosFashionShow.exe Moved to quarantine Behavior.RemoteControl
11/11/2012 12:36:12 AM C:\Users\Account\AppData\Roaming\Pogo Games Moved to quarantine Trace.File.Lottso (A)
11/17/2012 8:34:09 PM C:\Users\Account\Documents\Programs\Games\Hamlet v1 0\Hamlet.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 8:51:19 PM C:\Users\Account\Documents\Programs\Games\Normal Tanks 1.02\Normal Tanks.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 8:12:14 PM C:\Users\Account\Documents\Programs\Games\Emberwind\Portable Emberwind v1.01.exe Moved to quarantine Behavior.CodeInjector
11/11/2012 1:03:38 AM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
11/17/2012 10:36:26 PM C:\Users\Account\Documents\Programs\Games\Rocket Mania\RocketMania.exe Moved to quarantine Behavior.RemoteControl
11/11/2012 12:36:08 AM E:\System Volume Information\_restore{0DB88145-9DAA-44B9-A1EB-B55D67EC7D42}\RP143\A0072196.EXE Moved to quarantine Trojan-GameThief.Win32.Lmir.jlv (A)
11/17/2012 8:29:52 PM C:\Users\Account\AppData\Local\Temp\Crt9108.tmp\volume.cox Moved to quarantine Backdoor.Win32.Agent.pi (A)
11/11/2012 12:36:12 AM C:\Users\Account\AppData\Roaming\funkitron Moved to quarantine Trace.File.GameFiesta 5 Card Slingo Deluxe (A)
11/11/2012 12:36:11 AM C:\Program Files\GameHouse\PopDrop\popres.dll Moved to quarantine Trace.File.Super Pop and Drop (A)
11/25/2012 4:13:05 PM C:\Users\Account\Documents\Programs\Sort me\Games\Marbles Deluxe\Marbles.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:13:05 PM C:\Users\Account\Documents\Programs\Games\Zuma again\Zumaaaaaa.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:13:04 PM C:\Users\Account\Documents\Programs\Sort me\Games\Need 4 Speed 2\Need For Speed II SE\NFS2SEN.EXE Restored from quarantine Behavior.RemoteControl
11/25/2012 4:13:03 PM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:13:02 PM C:\Users\Account\Documents\Programs\Games\Boogie_Bunnies\Boogie Bunnies.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:58 PM C:\Users\Account\Documents\Programs\Games\Globey - On the Roll.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:55 PM C:\Users\Account\Documents\Programs\Games\Star Warrior 2 Defenders\Star Warrior 2 - Defenders.exe Restored from quarantine Behavior.CodeInjector
11/25/2012 4:12:44 PM C:\Users\Account\Documents\Programs\Games\Special Enquiry Detail-The Hand that Feeds\SED.exe Restored from quarantine Behavior.CodeInjector
11/25/2012 4:12:23 PM C:\Users\Account\Documents\Programs\Sort me\Games\worms_wp\worms_wp\wwp.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:22 PM C:\Users\Account\Documents\Programs\Games\Twisted_Metall_2\TM2.EXE Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:21 PM C:\Users\Account\Documents\Programs\Games\Emberwind\Portable Emberwind v1.01.exe Restored from quarantine Behavior.CodeInjector
11/25/2012 4:12:03 PM C:\Users\Account\Documents\Programs\Sort me\Games\game untuk anak\Dynomite\Dynomite.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:02 PM C:\Users\Account\Documents\Programs\Games\Zuma\Zuma.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:01 PM C:\Users\Account\Documents\Programs\Sort me\Games\Arcpool\Arcade Pool II.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:01 PM C:\Users\Account\Documents\Programs\Games\Wedding Dash 2 - Rings Around the World\weddingdash2.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:12:00 PM C:\Users\Account\Documents\Programs\Games\Beach_head_2000\Bh.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:11:59 PM C:\Users\Account\Documents\Programs\Games\WizardLand1.10\Wizard Land.exe Restored from quarantine Behavior.CodeInjector
11/25/2012 4:11:54 PM C:\Users\Account\Documents\Programs\Games\Masquerade Mysteries\Masquerade Mysteries.exe Restored from quarantine Behavior.RemoteControl
11/25/2012 4:11:52 PM C:\Users\Account\Documents\Programs\Games\The Heritage\TheHeritage.exe Restored from quarantine Behavior.CodeInjector
11/25/2012 4:11:38 PM C:\Users\Account\Documents\Programs\Games\Corner Chaos_1.4.2\CornerChaos!.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 11:02:08 PM C:\Program Files\GameHouse\PopDrop\popres.dll Restored from quarantine Trace.File.Super Pop and Drop (A)
11/22/2012 11:02:05 PM C:\Users\Account\Documents\Programs\Games\Rocket Mania\RocketMania.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:02:04 PM C:\Users\Account\Documents\Programs\Games\DeliciousEmily.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:57 PM C:\Users\Account\Documents\Programs\Games\Emberwind\Portable Emberwind v1.01.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 11:01:45 PM C:\Users\Account\Documents\Programs\Games\Normal Tanks 1.02\Normal Tanks.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 11:01:37 PM C:\Users\Account\AppData\Local\temp\7zS285.tmp\PirateQuest.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:36 PM C:\Users\Account\Documents\Programs\Games\Hamlet v1 0\Hamlet.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 11:01:14 PM C:\Users\Account\Documents\Programs\Games\Jojos Fashion Show\JojosFashionShow.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:12 PM C:\Users\Account\Documents\Programs\Games\Masquerade Mysteries\Masquerade Mysteries.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:08 PM C:\Users\Account\Documents\Programs\Games\Dept 42 The Mystery of the Nine\casual.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:07 PM C:\Users\Account\AppData\Local\temp\7zSB4C4.tmp\dairydash.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:06 PM C:\Users\Account\Documents\Programs\Games\Robocop2D3\Robocop2D3.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:05 PM C:\Program Files\GameHouse\FruitFrolic\Bricks.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:04 PM C:\Users\Account\Documents\Programs\Games\Spiderman 1\SpideyPC.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:01:03 PM C:\Users\Account\Documents\Programs\Games\Cooking Academy 2 - World Cuisine.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:00:43 PM C:\Users\Account\Documents\Programs\Games\Bob the Builder Can Do Carnival v1.0.01\Bob the Builder Can Do Carnival.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:00:31 PM C:\Users\Account\Documents\Programs\Games\Beetle Bug 3.exe Restored from quarantine Behavior.DirectDiskAccess
11/22/2012 11:00:18 PM C:\Users\Account\Documents\Programs\Games\Beach Head 2002\bh2.ews Restored from quarantine Behavior.RemoteControl
11/22/2012 11:00:18 PM C:\Users\Account\Documents\Programs\Games\Magic Encyclopedia - First Story\magic.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:00:17 PM C:\Users\Account\Documents\Programs\Games\Lost Realms - Legacy of the Sun Princess\LostRealms.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 11:00:15 PM C:\Users\Account\Documents\Programs\Games\Dreamsdwell Stories.exe Restored from quarantine Behavior.DirectDiskAccess
11/22/2012 11:00:08 PM C:\Users\Account\Documents\Programs\Games\Boogie_Bunnies\Boogie Bunnies.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:59:57 PM C:\Users\Account\Documents\Programs\Games\Alabama Smith in Escape from Pompeii.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:59:43 PM C:\Users\Account\Documents\Programs\Games\Abra Academy 2\AbraAcademy2.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:59:40 PM C:\Users\Account\Documents\Programs\Games\Beach_head_2000\Bh.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:59:39 PM C:\Users\Account\Documents\Programs\Games\Special Enquiry Detail-The Hand that Feeds\SED.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 10:59:15 PM C:\Users\Account\Documents\Programs\Sort me\Games\Bejeweled\WinBej.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:59:15 PM C:\Users\Account\AppData\Local\temp\7zSDB57.tmp\Pixelus.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:59:14 PM C:\Users\Account\Documents\Programs\Games\Star Warrior 2 Defenders\Star Warrior 2 - Defenders.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 10:58:58 PM C:\Users\Account\Documents\Programs\Games\Deep Voyage.exe Restored from quarantine Behavior.DirectDiskAccess
11/22/2012 10:58:50 PM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:49 PM C:\Users\Account\AppData\Local\temp\RarSFX1\SvenKommt.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:48 PM C:\Users\Account\Documents\Programs\Games\Lost_Treasures_of_El_Dorado\game.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:46 PM C:\Users\Account\Documents\Programs\Games\Righteous Kill v1.0\Righteous Kill.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:25 PM C:\Users\Account\AppData\Local\temp\RarSFX0\BOBO2.EXE Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:24 PM C:\Users\Account\Documents\Programs\Games\Operation Mania\Operation_Mania.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:23 PM C:\Users\Account\Documents\Programs\Games\WizardLand1.10\Wizard Land.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 10:58:09 PM C:\Users\Account\Documents\Programs\Games\Crazy Factory\CrazyFactory.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:07 PM C:\Users\Account\Documents\Programs\Games\Feeding Frenzy 2\Feeding Frenzy 2.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:58:06 PM C:\Users\Account\Documents\Programs\Games\Corner Chaos_1.4.2\CornerChaos!.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 10:58:05 PM C:\Users\Account\Documents\Programs\Games\The Heritage\TheHeritage.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 10:57:35 PM C:\Users\Account\Documents\Programs\Games\Candy Land - Dora the Explorer Edition\DOORAA.EXE.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 10:57:33 PM C:\Users\Account\Documents\Programs\Games\Merriam Websters Spell Jam\SPELL-JAM.exe Restored from quarantine Behavior.CodeInjector
11/22/2012 10:57:32 PM C:\Users\Account\Documents\Programs\Games\Globey - On the Roll.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:57:26 PM C:\Users\Account\Documents\Programs\Games\Book of Legends.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:57:04 PM C:\Users\Account\Documents\Programs\Games\Color Harmony\colorharmony_r1a.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:57:04 PM C:\Program Files\GameHouse\PopDrop\PopNDrop.exe Restored from quarantine Trace.File.Super Pop and Drop (A)
11/22/2012 10:57:03 PM C:\Users\Account\Documents\Programs\Games\Wedding Dash 2 - Rings Around the World\weddingdash2.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:57:00 PM C:\Users\Account\Documents\Programs\Games\Nike_Shock.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 10:56:57 PM C:\Users\Account\Documents\Programs\Games\Hidden in Time Mirror Mirror.exe Restored from quarantine Behavior.RemoteControl


So, basically, what I'd like to know first is what would a video game need DDA, input device simulation, process manipulation, etc. for? Are these potentially legitimate activities or should I view them as trojan-like behavior and ask Emsisoft to investigate?

If there is anything else that would be of use, please let me know. The most recent, Restaurant Empire, was not from PortableTurk but was a video game my wife rented, on which I found that protect.dll was a trojan and, thus, I haven't installed Restaurant Empire. Restaurant Empire 2 came on the same disk and I only discovered that RE2.exe exhibited remote control behavior after installing and trying to run it.

Thanks for your input!

Namaste, Peace & Love,
Glenn



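As an added triage example (not code from the post or from Emsisoft), the script below parses lines in the exact format of the quarantine log above and sorts them into the three kinds of entry that log mixes together: named detections from the scan engines (Gen:Trojan.Heur..., Backdoor.Win32.Agent.pi, Spyware..., with the trailing (A)/(B) tag marking which of the two engines produced the name), behaviour-blocker alerts (Behavior.*) that fire on what a running program does rather than on a signature match, and leftover traces (Trace.*) of known programs. It maps each Behavior.* name to the on-screen warning quoted at the top of the post; that mapping is inferred from the two lists in the post, not taken from Emsisoft documentation. It also flags any source that was quarantined again after being restored, which is the "same warning when I run them again" pattern described above. The sample lines are a subset copied verbatim from the posted log; `triage`, `parse_line` and `classify` are names chosen here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Subset of the quarantine log posted above (constructed sample, not the full log).
SAMPLE_LOG = r"""
11/25/2012 6:39:21 PM F:\Restaurant Empire\protect.dll File locked, removal on reboot Gen:Trojan.Heur.LP.@x7@aSM@4Nai (B)
11/17/2012 11:32:20 PM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe Moved to quarantine Behavior.RemoteControl
11/22/2012 10:58:50 PM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe Restored from quarantine Behavior.RemoteControl
11/24/2012 12:34:05 AM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe File locked, removal on reboot Behavior.RemoteControl
11/25/2012 4:13:03 PM C:\Users\Account\Documents\Programs\Games\The Dark Hills of Cherai\DarkHillsOfCherai.exe Restored from quarantine Behavior.RemoteControl
11/22/2012 12:46:44 PM C:\Users\Account\Documents\Programs\Games\Deep Voyage.exe Moved to quarantine Behavior.DirectDiskAccess
11/17/2012 8:12:14 PM C:\Users\Account\Documents\Programs\Games\Emberwind\Portable Emberwind v1.01.exe Moved to quarantine Behavior.CodeInjector
11/17/2012 8:29:52 PM C:\Users\Account\AppData\Local\Temp\Crt9108.tmp\volume.cox Moved to quarantine Backdoor.Win32.Agent.pi (A)
11/18/2012 10:26:35 PM C:\Program Files\GameHouse\Atomaders\Atomaders.exe Moved to quarantine Spyware.22121 (B)
11/21/2012 1:41:52 PM Value: hkey_users\s-1-5-21-2894483203-1150640364-3906837813-1003\software\gamehouse\feeding frenzy 2 -> ShowLink Moved to quarantine Trace.Registry.Feeding Frenzy 2 (A)
"""

# Behaviour-blocker name -> the on-screen warning text quoted in the post.
# Assumed mapping, matched up from the two lists in the post, not Emsisoft documentation.
BEHAVIOR_MEANING = {
    "Behavior.RemoteControl": "simulates mouse or keyboard input",
    "Behavior.CodeInjector": "tries to manipulate other processes",
    "Behavior.DirectDiskAccess": "tries to directly access the drive",
}

# Events that put (or schedule) a source into quarantine, as opposed to releasing it.
QUARANTINE_EVENTS = {
    "Moved to quarantine",
    "File locked, removal on reboot",
    "File locked, set quarantined on reboot",
}

# "<date> <time> <AM|PM> <source with spaces> <event> <detection name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<source>.+?) "
    r"(?P<event>File locked, removal on reboot|File locked, set quarantined on reboot|"
    r"File not found|Moved to quarantine|Restored from quarantine) "
    r"(?P<detection>.+)$"
)


@dataclass
class QuarantineEvent:
    when: datetime
    source: str       # file path, or "Value: <registry key> -> <value name>"
    event: str        # what EAM did with it
    detection: str    # detection name exactly as logged


def parse_line(line: str) -> QuarantineEvent:
    """Parse one log line; raises ValueError for anything not in the log's format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return QuarantineEvent(
        when=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        source=m["source"], event=m["event"], detection=m["detection"],
    )


def classify(detection: str) -> str:
    """Bucket a detection name by how it was produced."""
    if detection.startswith("Behavior."):
        return "behavior"    # fired on observed behaviour at run time, no signature match
    if detection.startswith("Trace."):
        return "trace"       # leftover registry/file traces of a known program
    return "signature"       # named detection from one of the scan engines ((A)/(B) tag)


def triage(log_text: str) -> dict:
    """Group log lines by source and sort them into review buckets.

    signature: sources with a named engine detection (review these first)
    behavior:  sources only ever flagged by the behaviour blocker, with the warning meaning
    trace:     leftover traces only
    requarantined_after_restore: sources quarantined again after a restore
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_source[ev.source].append(ev)

    report = {"signature": {}, "behavior": {}, "trace": {}, "requarantined_after_restore": []}
    for source, events in by_source.items():
        events.sort(key=lambda e: e.when)
        kinds = {classify(e.detection) for e in events}
        names = sorted({e.detection for e in events})
        if "signature" in kinds:
            report["signature"][source] = names
        elif "behavior" in kinds:
            report["behavior"][source] = [BEHAVIOR_MEANING.get(n, n) for n in names]
        else:
            report["trace"][source] = names
        # A restore followed by any later quarantine event means the alert recurred.
        restored = False
        for e in events:
            if e.event == "Restored from quarantine":
                restored = True
            elif restored and e.event in QUARANTINE_EVENTS:
                report["requarantined_after_restore"].append(source)
                break
    return report


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ==")
        for entry in (entries.items() if isinstance(entries, dict) else entries):
            print("  ", entry)
```

On the sample, protect.dll, volume.cox and Atomaders.exe land in the signature bucket, the three games in the behaviour bucket, and DarkHillsOfCherai.exe is the one source quarantined again after a restore. Feeding the full posted log to `triage` works the same way; the behaviour bucket is where Elise's "do you know the source of the game" question applies, while the signature bucket is what to send to the vendor as a possible false positive or confirmed infection.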
#2 Elise


Posted 26 November 2012 - 12:39 PM

Hi Glenn, this will usually occur when the file that launches the game isn't digitally signed. If you know the source of the game, then it is safe to allow the behavior.
Why a game would need direct disk access, though, is something I don't entirely trust; mouse/keyboard simulation is fairly common. I've seen legitimate games use code injection, but that is more an exception than a rule.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
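Elise's reply turns on whether the file that launches the game is digitally signed. As an added example (not code from the thread, from Emsisoft, or from any of the games named above), the script below parses just enough of a Windows PE file to tell whether it carries an embedded Authenticode signature at all: it follows the DOS header to the PE header, picks the PE32 or PE32+ optional-header layout, reads the security data directory (index 4, whose "virtual address" is really a file offset) and inspects the WIN_CERTIFICATE header it points at. The layout and constants come from the PE/COFF specification; `build_sample_pe` constructs minimal header-only images with a placeholder certificate blob (not real PKCS#7 data) so the script runs without a real game binary, and `security_directory` and `describe_signature` are names chosen here.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot for the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode entries are PKCS#7 SignedData


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if the image has none.

    Raises ValueError for anything that is not a well-formed PE image, including a
    certificate table that points past the end of the file (a truncated download).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                                  # COFF file header (20 bytes)
    (size_of_optional_header,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                      # optional header follows COFF header
    if opt + size_of_optional_header > len(data) or size_of_optional_header < 2:
        raise ValueError("optional header lies outside the file")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                   # PE32
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:                                 # PE32+
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt + nrva_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                                      # image declares no security directory
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional_header:
        raise ValueError("security directory entry lies outside the optional header")
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None                                      # no signature attached
    if offset + size > len(data):
        raise ValueError("certificate table points past end of file (truncated?)")
    return offset, size


def describe_signature(data: bytes) -> dict:
    """Summarise the WIN_CERTIFICATE header of the certificate table. Does NOT verify it."""
    loc = security_directory(data)
    if loc is None:
        return {"present": False}
    offset, size = loc
    if size < 8:
        raise ValueError("certificate table too small for a WIN_CERTIFICATE header")
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return {
        "present": True, "offset": offset, "size": size, "entry_length": length,
        "revision": revision, "certificate_type": cert_type,
        "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
    }


def has_authenticode_signature(data: bytes) -> bool:
    return security_directory(data) is not None


def build_sample_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for demonstration: no sections, no code.

    With signed=True a dummy WIN_CERTIFICATE (placeholder bytes, not real PKCS#7)
    is appended and referenced from the security directory, as a real signer would.
    """
    magic, nrva_off, dir_off = (0x20B, 108, 112) if pe32plus else (0x10B, 92, 96)
    opt_size = dir_off + 8 * 16                           # 16 data directory entries
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, 16)             # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        cert_body = b"\x30\x80" + b"\x00" * 30            # placeholder, not a real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
        entry = len(dos) + 4 + len(coff) + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                print(path, describe_signature(fh.read()))
            except ValueError as exc:
                print(path, "skipped:", exc)
```

Run it as `python pecheck.py "C:\Program Files\Restaurant Empire 2\re2.exe"` to see whether a launcher carries a certificate table at all. Presence is the cheap first check, not a verdict: anyone can append a certificate table to a file, so a present signature still has to be verified against a trusted chain (on Windows, `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa /v`). Conversely, a repacked "portable" build of a commercial game will normally have lost the publisher's signature, because repacking changes the bytes the signature covers, which is exactly the unsigned-launcher case Elise describes.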




