Maplestor.exe fake positive

Viruses and worms
1

I play a game named maplestory that never gave me any trouble. Sudently, after db update, it shown maplestory.exe as infected by a rootkit. It actually has the behaviour of a rootkit (not maplestory.exe but gameguard that i think it was been debated here) because it blocks hack programs. Im just warning you because it is a fake positive.

Keep the good work

2

Try a forum search for maplestory in the viruses and worms forum as I’m sure this has been covered before.

3

If you’re sure, you can use the Exclusion lists:

For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…

For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

You can use wildcards like * and ?.
But be careful, you should ‘exclude’ that many files that let your system in danger.

If you’re right, hope they correct the false positive. If you’re wrong, well, you’re infected ;D

4

I’ll confirm that it’s a fake positive. Maplestory uses an antihacking software called GameGuard that can tend to be a little aggressive sometimes and has some of the attributes of a rootkit. It uses this to prevent server hacks by causing your system to seize if it detects you significantly altering server activity. It will not, however, cause any irreparable damage, only needing a reboot to solve the problem, but causing your hacked in-game character to lose all EXP, items, etc. you gained illegally since your last log-in.

This problem is not a small case either. Many MapleStory users have reported it within the last few days, and the number seems only to be increasing. If there is some way to get word to Alwil to get an authentication certificate or some other means of proving that we’re just trying to play a well-established game, I’m sure there are thousands of users who’d like to know about it.

5

There isn’t such certificate. What they do is correcting the detection into the virus database. They usually do this quite fast (withing a day).

6

Even though I selected “no action” on the malware detected popup from avast, the game still won’t run. I got an error about not having permissions (on Vista). By adding c:\nexon* to the exclusions for both program settings and the on-access scanner it started working again. (right click on “a” in system icon, select program settings, select exclusions on left-hand menu, then “add” then type c:\nexon*, then ok; also right click on “a” in system icon, select on-access protection control, then select standard shield on left menu, then customize, then advanced, then add, then c:\nexon*, then enough OK’s to close everything.)

Furthermore, based on the forums a similar problem happened in August and was fixed on Aug 25. Hopefully Gameguard and Avast can find a way to coordinate so that it doesn’t happen again.

Michael

7

No action just means none of the actions listed on the alert (move to chest, delete, etc.), it still won’t allow what is considered an infected file to run and you can click No Action forever but it won’t allow it to run.

Your exclusions would be better to only list the file being detected and not the complete folder as this could leave a security hole in your system.

If you haven’t already sent the sample to avast you should as that is the way to resolve the FP as you have seen in the other topic. By all accounts there are different versions of this file in existence.

8

Sorry Michael, I hope they have added this to the cleanset machine test… but it’s happening again. Hope they correct it soon.
Sometimes, the exclusion lists work only after booting.