patch 1.70 appeared


33 replies to this topic

#26
Shadooow
  • Members
  • 4 470 messages
It's you who is guessing there, Ehye. OP already scanned his computer with some AV - maybe even with AVG you suggested to him - we don't know.

All of this is pure speculation. Maybe if we knew the CP170 file size, we could come to closure - what I think is that OP somehow got the initial 1.70 release. Maybe someone sent it to him via MSN, maybe it was packaged with some NWN-related package. Hard to say - we don't even know in which directory this was found. If this was in the NWN directory, it might even be possible that the file has been there longer (assuming someone else is using OP's computer - which we also don't know). And now he downloaded the 1.71beta release, which has a different size - and smaller, because the initial release is an exe file containing all languages. This makes sense; what you are trying to prove, however, does not.

#27
Dwayne
  • Members
  • 36 messages
Here is all the info I have. I was not using the internet at all but I was on my computer. All of a sudden a file appeared on my desktop. It was labeled as a patch for NWN. I am a very experienced user who knows how to be safe. I have Norton 360 installed along with other measures.

Here is the info on the maybe false file. It looks exactly like the real updater but it is labeled as nwnpatch170 and the real one is labeled as NWNPatch170. The false file is 39.2 mb and the real one is 39.4 mb. I hope I didn't post this incorrectly earlier. Using Norton Insight on the false file says it does not know where it was downloaded from and my downloader has no record of it. The real file is listed as being downloaded from the proper place.

Here is the Norton File Insight information on the false file. I guess the origin does not copy.
Full Path: C:\\Users\\Dwayne\\Desktop\\nwnpatch170.exe
____________________________
____________________________
Developers Not Available
Version Not Available
Identified 12/11/2011 at 3:22:08 PM
Last Used Not Available
Startup Item No
____________________________
____________________________
Unknown
This program crash history is not known.
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
Very New
This file was released less than 1 week ago.
____________________________
Good
Norton has given this file a favorable rating.
____________________________
Source File:
nwnpatch170.exe
____________________________
File Thumbprint - SHA:
9d7c4d4313743612595b00a4c0a407e1e3a140815db66b1f16e750f9ff4ef0ef
____________________________
File Thumbprint - MD5:
f7f979409be220cca0a449aa6d24b53f
____________________________

#28
SHOVA
  • Members
  • 522 messages
I suppose the real question, Dwayne, is this: do you want to use Shadows 1.70 patch? If the answer is no, delete it and move on. If yes, then the question of what you were downloading and/or visiting comes into question, long before I will blindly assume that someone is hacking your computer. If you do want to use Shadows patch, but are not sure if you trust the one you have, delete it, and download it from Shadows vault page.

On a side note, I personally wouldn't trust Norton to protect against anything. From my experience, AVG is better.

#29
Baaleos
  • Members
  • 1 330 messages
Not wanting to hit a dead horse with a stick or anything...
But...

Identified 12/11/2011 at 3:22:08 PM

This either relates to the file having appeared on the machine on that date, which is a year old.
Or
The file was compiled/created a year ago.

Which would explain the size discrepancy.
I'm sure ShadoOoW has added a lot more content to it since that date.


It really boils down to the following options.

1. Delete it 'cause you don't trust it (Norton says it's fine, I'd check with AVG or Avast to be certain though)
2. Use it, despite the fact it is out of date - hey, it's up to you?
3. Download the most up to date version - if you want?

As it stands, besides the fact that it appeared on your machine - there is nothing else to suggest it's a dodgy file.
Looks like a Duck, Quacks like a Duck... it just might be a Duck.

Also - I know we are all dancing around the idea that this file is dangerous - but... has anyone tried running it?

Believe it or not - it's actually quite difficult to infect a binary while maintaining its original functionality.
It's not a simple matter of - hey, here is an exe in the same folder as me, let's copy myself into it....

If you find that the exe doesn't run properly = potential virus/trojan
In any case - if you do want the 1.70 patch, the smart thing to do is to get the latest version anyway - this one is clearly at least a year old.

#30
MrZork
  • Members
  • 939 messages
I'm not an expert, but it should be pretty easy to use a wrapper that has a virus infect a system and then pass execution on to the original binary. But, even if there isn't some hacker's tool that automates creating that wrapper, there's still the problem that running an executable is a risky way to check whether it's infected. By the time the user confirms that the binary isn't doing what one would expect it to, it may have caused all sorts of trouble that's a pain to fix.

I certainly agree that the most straightforward course of action for installing the CP would be to download ShaDoOoW's official release from the Vault and use that instead of any potentially suspect or obsolete file.
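
Added example, not part of MrZork's post or any other reply in this thread: a static look at an unknown installer (size, hashes, PE link timestamp) compared against a copy freshly downloaded from the official source, without running either file. The helper names and the `fake_pe` sample bytes are constructed for illustration; on a real machine you would pass the bytes read from the two files instead.

```python
import hashlib
import struct
from datetime import datetime, timezone


def digests(data: bytes) -> dict:
    """Size and hashes, the same identifiers a reputation report lists."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def pe_link_time(data: bytes):
    """Linker timestamp (UTC) from the PE/COFF header, or None if not a PE."""
    # The field is written at build time and can be forged: a hint, not proof.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) Sections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def compare(unknown: bytes, trusted: bytes) -> dict:
    """Static comparison of an unknown file against a trusted download."""
    u, t = digests(unknown), digests(trusted)
    return {
        "identical": u["sha256"] == t["sha256"],
        "size_delta": u["size"] - t["size"],
        "unknown_built": pe_link_time(unknown),
        "trusted_built": pe_link_time(trusted),
    }


def fake_pe(stamp: datetime, payload: bytes) -> bytes:
    """Constructed sample: minimal MZ + PE/COFF header, not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x014C, 1, int(stamp.timestamp()))
    return dos + coff + payload


if __name__ == "__main__":
    old = fake_pe(datetime(2011, 1, 2, tzinfo=timezone.utc), b"A" * 100)
    new = fake_pe(datetime(2012, 1, 2, tzinfo=timezone.utc), b"B" * 300)
    print(compare(old, new))
```

A mismatch in hash and size only shows the two files differ, which an older build would also explain; a clean result here is not a substitute for getting the file from the official page.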

#31
Dwayne
  • Members
  • 36 messages
The date above is when the file was created somewhere else if it is a real date. The date my computer lists it being put on my computer is 11-16-2012. My main concern at first was wondering if this came from atari trying to update the messed up (being nice) nwn complete. I tried their forum but it was not working. I may try the file for fun on another computer after Thanksgiving when I have more time. I will let you know what happened if I do it. I wonder if I should report this to Norton? Something failed on their software.

#32
Baaleos
  • Members
  • 1 330 messages

MrZork wrote...

I'm not an expert, but it should be pretty easy to use a wrapper that has a virus infect a system and then pass execution on to the original binary. But, even if there isn't some hacker's tool that automates creating that wrapper, there's still the problem that running an executable is a risky way to check whether it's infected. By the time the user confirms that the binary isn't doing what one would expect it to, it may have caused all sorts of trouble that's a pain to fix.

I certainly agree that the most straightforward course of action for installing the CP would be to download ShaDoOoW's official release from the Vault and use that instead of any potentially suspect or obsolete file.


Let's not forget the fact that he has scanned it, and it comes back clean.


On a side note:
Creating wrappers is easy in .Net Reflection - however, the trade-off is that the application that is wrapping the original needs to be compiled with enough byte buffer space inside it to account for the application it is trying to wrap.
E.g. the memory cannot be dynamically increased to account for larger executables - unless the application gets rebuilt/compiled.

This means - yes, a 250kb wrapper program can wrap a 10kb file, or a 100kb file.
But it would not be able to wrap a 275kb file.

The other method of virus propagation is code injection or code caves.
Where some code from the infected application copies itself into the binary of another -
the problem there, however, is doing this in such a way that it doesn't affect the functionality of the target application, and often it's a very targeted process, where the injecting application needs to know the correct memory address to inject to.

#33
SHOVA
  • Members
  • 522 messages

Dwayne wrote...

The date above is when the file was created somewhere else if it is a real date. The date my computer lists it being put on my computer is 11-16-2012. My main concern at first was wondering if this came from atari trying to update the messed up (being nice) nwn complete. I tried their forum but it was not working. I may try the file for fun on another computer after Thanksgiving when I have more time. I will let you know what happened if I do it. I wonder if I should report this to Norton? Something failed on their software.


The patch 1.70 is not an official patch. It was put together by Shadooow, and is his project. He is a member of the community, not an employee of BioWare, Atari, or EA. The game is current at 1.69. That is, and was, the last official patch for this game.

#34
NWN_baba yaga
  • Members
  • 1 232 messages
Until Trent Oster comes and blitz attacks our hearts with the message... we will do a NWN: enhanced edition YAY :D