I've used GZDOOM for a few months now without problems. Just now, upon viewing full system scan results from Norton 360, it says it has quarantined an info stealer Trojan. It states that the Trojan was found in gzdoom.exe. Quite worrying considering I've just shopped online.

If memory serves, I followed the link to GZDoom from Total Biscuit's 'wtf is... Brutal Doom' review. It linked to a page on www.osnanet.de
I've just checked that link. The page can't be found. Does anyone know what this is all about?
Post edited December 06, 2015 by RetroCodger426
RetroCodger426: I've used GZDOOM for a few months now without problems. Just now, upon viewing full system scan results from Norton 360, it says it has quarantined an info stealer Trojan. It states that the Trojan was found in gzdoom.exe. Quite worrying considering I've just shopped online.

If memory serves, I followed the link to GZDoom from Total Biscuit's 'wtf is... Brutal Doom' review. It linked to a page on www.osnanet.de
I've just checked that link. The page can't be found. Does anyone know what this is all about?
The osnanet page is a very old home page for GZDoom, and it doesn't seem to exist any more.
If I remember rightly, first it moved to here: http://grafzahl.drdteam.org/
Then later on it moved yet again to here: http://forum.drdteam.org/viewforum.php?f=23

Currently you can see the main releases via that forum page where they are linked to, but I find that it is better to use the latest released nightly builds that can be found here: http://devbuilds.drdteam.org/gzdoom/

These dev builds are much more up to date and I've not had any issues with them.

As for your virus alert, GZDoom is clean. However, that's not to say that your machine hasn't been infected by something that has then corrupted other files on your machine to spread the virus. Personally, I don't rate Norton very highly, but you can submit the file to their false positive reporting site and they can then investigate it fully:
https://submit.symantec.com/false_positive/
Are you talking about www.osnanet.de/c.oelckers/gzdoom/download.html? That was the webspace of the main gzdoom developer, but he lost access to it some time ago, therefore it got stuck with a really old version. It seems that osnanet finally deleted it.

I don't think that someone else replaced the files with something malicious. Have you tried to check the file with an online scanner that uses several different scanning engines at the same time?
RetroCodger426: I've used GZDOOM for a few months now without problems. Just now, upon viewing full system scan results from Norton 360, it says it has quarantined an info stealer Trojan. It states that the Trojan was found in gzdoom.exe. Quite worrying considering I've just shopped online.

If memory serves, I followed the link to GZDoom from Total Biscuit's 'wtf is... Brutal Doom' review. It linked to a page on www.osnanet.de
I've just checked that link. The page can't be found. Does anyone know what this is all about?
korell: The osnanet page is a very old home page for GZDoom, and it doesn't seem to exist any more.
If I remember rightly, first it moved to here: http://grafzahl.drdteam.org/
Then later on it moved yet again to here: http://forum.drdteam.org/viewforum.php?f=23

Currently you can see the main releases via that forum page where they are linked to, but I find that it is better to use the latest released nightly builds that can be found here: http://devbuilds.drdteam.org/gzdoom/

These dev builds are much more up to date and I've not had any issues with them.

As for your virus alert, GZDoom is clean. However, that's not to say that your machine hasn't been infected by something that has then corrupted other files on your machine to spread the virus. Personally, I don't rate Norton very highly, but you can submit the file to their false positive reporting site and they can then investigate it fully:
https://submit.symantec.com/false_positive/
I have just noticed this problem now as my gzdoom.exe shortcut graphics is replaced with a blank file shortcut graphic.

I can't remember where I got it from, though it might have been a copy of the one used in my BFG Brutal Doom.

I use Norton as well but only because my dad put it on my computer because he uses it.

Is this really a threat? Should I restore the file in order to make the false positive report?
It's probably a false positive, but feel free to download it anew from drdteam.
These things are tricky. My gut feeling says this is a false positive. Still, best not to take any chances.

The problem is how vague - whilst at the same time - scaremongering Norton can be with their descriptions of detections. It's vague in that it doesn't clarify whether it thinks the threat IS gzdoom.exe (i.e. the Trojan came with this file) or, like Korell said, that I may have an infected machine and gzdoom.exe is the file that the Trojan attached itself to and that first got Norton's attention.

A few things to note: If Norton was to be believed at all times, then half my GOG games are nasties ;) of course, they are not (GOG is safe!) but I've had a few instances (eg Thief Gold and Deus Ex) where the .exe files from those were quarantined.

To add further confusion, after downloading, I always scan files using Norton before I open them. Lately, I've also started using Virus Total https://www.virustotal.com/en/ to see what the other Anti-virus vendors make of files. I've been using GZDoom with Brutal Doom for months now without problems and am pretty sure I did all my usual checks as described above and it came up clean.
I also research about Mods. GZDoom is very popular and a Google search didn't reveal anything about the possibility of it being malicious code.

So then... logic would dictate that my machine may be infected and it's spread to the file, except now darkredshift, after reading your comment, it does seem too much of a coincidence that we both have infected machines and GZDoom is the only file the Anti-Virus we both use (Norton) has detected a nasty in.

Also worth noting is that I've just tried other Anti-Virus software to scan my machine and it came up clean.
Post edited December 08, 2015 by RetroCodger426
mk47at: Are you talking about www.osnanet.de/c.oelckers/gzdoom/download.html? That was the webspace of the main gzdoom developer, but he lost access to it some time ago, therefore it got stuck with a really old version. It seems that osnanet finally deleted it.

I don't think that someone else replaced the files with something malicious. Have you tried to check the file with an online scanner that uses several different scanning engines at the same time?
I believe it was osnanet - the original host/creator(?) for this file, yes. Having said that, I'm wondering how long that site has been down. I picked up Doom from GOG in late August and downloaded GZDoom within a matter of hours later, so I'm wondering if the site was already down then and I got GZ from elsewhere. Not 100% sure now :/
If not osnanet, then it will have been from somewhere suggested in these pages or a good wiki.

Re: Online scanning engines. Do you mean like Virus Total? If so, then yes, the file will have come up clean at the time, or I wouldn't have run it.
https://www.virustotal.com/en/
Post edited December 08, 2015 by RetroCodger426
- darkredshift *sorry, something went wrong with the reply option so hope you read this*.

Do you know the type of threat that Norton classed the file as on yours? It would be helpful to know if it's the same threat type as on mine.

You'll be able to check by opening Norton, click the 'Security' button, followed by 'History', then finally if you look to the top left it should say the word "show". Next to that is a dropdown box. If you click it then select quarantine and scroll down, you should be able to find it sooner or later.
Post edited December 08, 2015 by RetroCodger426
Thanks everyone for your suggestions. My brain is telling me that this is likely a false positive, but my bowel is irritable at the notion of being cleaned out *my bank account, not my bowel!*

It's potentially no laughing matter, I know, so best not to take chances. I'll exercise the usual safe practices and think I'll start with downloading the file anew, then submitting it to Symantec. If there are any further developments, I'll be sure to post here. Thanks again.
RetroCodger426: I believe it was osnanet - the original host/creator(?) for this file, yes. Having said that, I'm wondering how long that site has been down. I picked up Doom from GOG in late August and downloaded GZDoom within a matter of hours later, so I'm wondering if the site was already down then and I got GZ from elsewhere. Not 100% sure now :/
If not osnanet, then it will have been from somewhere suggested in these pages or a good wiki.
GZDoom is maintained by http://www.osnanet.de/c.oelckers/gzdoom/.

At some point between and July 2013 (http://forum.drdteam.org/viewtopic.php?f=23&t=6140), Graf stopped being able to upload new stuff to his osnanet webspace, a situation that held until very recently. Now the webspace is basically nuked (he mentions having set up a placeholder, but the entire /c.oelckers/ folder is 404'ed).

The only official sources for downloading builds of GZDoom are all on DRD Team:
* http://forum.drdteam.org/viewforum.php?f=23 -- official builds, in forum attachments
* http://devbuilds.drdteam.org/gzdoom/ -- development builds
* http://debian.drdteam.org/ -- debian packages
RetroCodger426: - darkredshift *sorry, something went wrong with the reply option so hope you read this*.

Do you know the type of threat that Norton classed the file as on yours? It would be helpful to know if it's the same threat type as on mine.

You'll be able to check by opening Norton, click the 'Security' button, followed by 'History', then finally if you look to the top left it should say the word "show". Next to that is a dropdown box. If you click it then select quarantine and scroll down, you should be able to find it sooner or later.
Infostealer.Limitail trojan "a high level threat" it claims. Probably is if said Trojan is even really there.
RetroCodger426: Thanks everyone for your suggestions. My brain is telling me that this is likely a false positive, but my bowel is irritable at the notion of being cleaned out *my bank account, not my bowel!*
If your details got into the wrong hands, I wouldn't be at all surprised if your "bowel" got cleaned out as well. ;)
Post edited December 08, 2015 by darkredshift
RetroCodger426: - darkredshift *sorry, something went wrong with the reply option so hope you read this*.

Do you know the type of threat that Norton classed the file as on yours? It would be helpful to know if it's the same threat type as on mine.

You'll be able to check by opening Norton, click the 'Security' button, followed by 'History', then finally if you look to the top left it should say the word "show". Next to that is a dropdown box. If you click it then select quarantine and scroll down, you should be able to find it sooner or later.
darkredshift: Infostealer.Limitail trojan "a high level threat" it claims. Probably is if said Trojan is even really there.
RetroCodger426: Thanks everyone for your suggestions. My brain is telling me that this is likely a false positive, but my bowel is irritable at the notion of being cleaned out *my bank account, not my bowel!*
darkredshift: If your details got into the wrong hands, I wouldn't be at all surprised if your "bowel" got cleaned out as well. ;)
Thanks, I've just double checked and yes, that's the exact same threat warning that I received. *laughing at your bowel comment* - yes, probably. :D A Trojan reverse-enema! They could market that; I wouldn't put it past those scummy scammers.

The fact that there are at least two people with the exact same threat warning from Norton for the same well-known, seemingly safe file seems to suggest it's just wind.
Post edited December 09, 2015 by RetroCodger426
RetroCodger426: I believe it was osnanet - the original host/creator(?) for this file, yes. Having said that, I'm wondering how long that site has been down. I picked up Doom from GOG in late August and downloaded GZDoom within a matter of hours later, so I'm wondering if the site was already down then and I got GZ from elsewhere. Not 100% sure now :/
If not osnanet, then it will have been from somewhere suggested in these pages or a good wiki.
Gaerzi: GZDoom is maintained by http://www.osnanet.de/c.oelckers/gzdoom/.

At some point between and July 2013 (http://forum.drdteam.org/viewtopic.php?f=23&t=6140), Graf stopped being able to upload new stuff to his osnanet webspace, a situation that held until very recently. Now the webspace is basically nuked (he mentions having set up a placeholder, but the entire /c.oelckers/ folder is 404'ed).

The only official sources for downloading builds of GZDoom are all on DRD Team:
* http://forum.drdteam.org/viewforum.php?f=23 -- official builds, in forum attachments
* http://devbuilds.drdteam.org/gzdoom/ -- development builds
* http://debian.drdteam.org/ -- debian packages
Thanks for the info and links. I think I'll download the latest build from one of these links.
I had the same problem yesterday with Norton. I have submitted the gzdoom file to Virus Total and it's clean except for Norton. So I have decided to submit the file to Norton to check for a false positive. And indeed it's a false positive. And this is the reply I got back from Norton:

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website
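The check the posters did by hand in this thread (mk47at's multi-engine scan suggestion and the Virus Total result above) can be written down as a small triage routine. This is an added example, not code from the thread or from the GZDoom project; the per-engine verdicts and the file bytes are constructed, and the real hash of an official build is not on this page, so a publisher hash is passed in as a parameter.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample data (not from the thread): per-engine verdicts as a
# multi-engine scanner reports them for one file, plus stand-in file bytes.
# Only one vendor flags the file, which is the situation the thread describes.
SAMPLE_VERDICTS: Dict[str, Optional[str]] = {
    "Norton": "Infostealer.Limitail",
    "ClamAV": None,
    "Kaspersky": None,
    "ESET-NOD32": None,
    "Microsoft": None,
    "Bitdefender": None,
}
SAMPLE_FILE = b"MZ\x90\x00 stand-in bytes for a downloaded gzdoom.exe"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded bytes, to compare with a publisher-provided hash."""
    return hashlib.sha256(data).hexdigest()


def lone_detector(verdicts: Dict[str, Optional[str]]) -> Optional[str]:
    """Name of the only engine that flagged the file, or None if 0 or 2+ did."""
    hits = [engine for engine, name in verdicts.items() if name]
    return hits[0] if len(hits) == 1 else None


def triage(verdicts: Dict[str, Optional[str]], file_bytes: bytes,
           official_sha256: Optional[str] = None) -> dict:
    """Combine the detection ratio with a hash check against the official build.

    verdict values:
      hash-mismatch          not the official build: re-download before anything else
      clean                  no engine flagged it
      likely-false-positive  one engine out of many flagged it: submit to that vendor
      suspicious             two or more engines agree: isolate and investigate
    """
    hits = {engine: name for engine, name in verdicts.items() if name}
    result = {"detections": len(hits), "engines": len(verdicts), "hits": hits}
    if official_sha256 is not None and sha256_hex(file_bytes) != official_sha256.lower():
        result["verdict"] = "hash-mismatch"
    elif not hits:
        result["verdict"] = "clean"
    elif len(hits) == 1 and len(verdicts) >= 5:
        result["verdict"] = "likely-false-positive"
    else:
        result["verdict"] = "suspicious"
    return result
```

A hash mismatch overrides the engine count on purpose: a clean scan says nothing useful about a file that is not the build the publisher shipped.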
Unless you install only Windows-certified software such as Microsoft Office etc., always turn off heuristic mode in your Antivirus. Usually this mode is turned on by default. What it does is it not only searches for known viruses, but for any code which potentially could be a virus. In my experience, most open-source code will fall into this category. Most game mods, No-CD patches, anything people write not for profit, etc., as well.

This is like if you, by default, turned away anybody at your door, unless you know exactly his name and date of birth. It is definitely the safest thing to do, but then you won't be able to ever get any mail - you don't know the name of the mail delivery man, right? How do you know he is not a criminal? But if you expect a delivery, won't it be relatively safe to open the door if you see a delivery truck through your window?

Same here, it is one thing if you download some unknown file, or God forbid, some pirated game, then you could turn on your anti-virus heuristic mode and if it finds something (my bet it will, even though there may be no real viruses there), you have a choice, to go ahead and use the file or not. Nobody will give you a definitive answer, unless you are a computer genius (and then you wouldn't need anybody's advice) or you pay some computer genius to determine this for you (in which case why bother with free stuff anyway).

But if you are downloading something like a game from gog.com or a well-known patch, or a program like gzdoom, my advice: turn off this heuristic nonsense, then when you're done installing or playing, turn it back on, if you want.

That's just my personal opinion though, if you still want to be 100.00% safe (and nothing in the world is 100% safe), only use programs you actually paid for. Obviously, in this case, GZDOOM is not one of them.
Post edited December 26, 2015 by fdr182