
Question - MQ .Exe random name and/or virus detection (obfuscation)

Myysterio

I have been using RG for like 2 years now and today I got this warning for the first time. Just checking to see if it's expected. It popped up when I launched MQ.

 
Solution
It's masking the exe in memory with a new name every load. Approve it and move on.

Mod edit: it is worth considering whitelisting your mq and EverQuest folders from things like scans and syncing. Help mq help you.
Ok guys I think I got it to work. The entire folder had to be included, the specific folder didn't work for some reason. I tried it for each of the three exe files and dat but the entire folder had to be added. What a mess, but looks like it works now. How odd, it had been working just fine.

So logging in with RG works, but logging in just with EQ doesn't now.

Error 4-404

And now there are 2 LaunchPads. One for regular and one for Beta, and the one for Beta works just fine. When all this happened, I tried to download the file from the website, and now I have duplicates of everything, it looks like.

So I ran the exe from the website and clicked on fix, and let me see if this works.
 

Ok, I can verify both issues are fixed. The 4-404 error was solved by re-downloading the launcher from the EQ website and selecting fix when it prompted new install or fix.

I tried the suggested internet option fix and other mentioned fixes for the 4-404 error but the only fix is the aforementioned one.

As for BitDefender, see previous threads.

Summary was created for anyone with the same issues and the thread title changed to include error 4-404 for search results.

Thanks all!
 
Personally, I don't really have anything advanced for AV enabled on my PC. I don't use anything beyond simple options with all my program folders and storage excluded from real time protection. Never had a problem with getting a virus on my PC. And even if I ever do, I always have a weekly image of my PC ready to re-image if I needed to. Which means worst case scenario, 30 minutes of downtime, and I am back in business. I do all my browsing and experimentation when researching anything through a Linux box either as a stand alone option, or through sandbox software. If you use your PC smartly, you shouldn't need all the AV bloat. My 2 cents.
 
Keep getting *Warning: Unable to write C:Users/------/eqgames.exe

I know it has something to do with anti virus and I looked in quarantine folder and it wasn't there? Thank you all for your help!

Update: Will leave this here in case anyone needs it - The solution AFTER you take the file OUT of quarantine is to reboot your computer to restore files.
 

I bought Bitdefender thinking it will keep my PC safe - what a mistake that was.
I am by no means a tech savvy guy - BitDefender has now taken my PC hostage lol, I cannot for the life of me get Redguides launcher to work.
I have uninstalled and reinstalled the launcher - I have nothing in the quarantine folder and have uninstalled BitDefender from my PC but as yet to no avail, the launcher won't even load.
Any ideas?!?!
My next step is to buy a new SSD and Windows :argh:
 
This is just a shot in the dark, but try installing Red Guides as an Administrator, or if that doesn't work, then try it normally.
If both of those fail, we'll have to start with some basic stuff.

What version of windows are you on?
 
I bought Bitdefender thinking it will keep my PC safe - what a mistake that was.
I am by no means a tech savvy guy - BitDefender has now taken my PC hostage lol, I cannot for the life of me get Redguides launcher to work.
I have uninstalled and reinstalled the launcher - I have nothing in the quarantine folder and have uninstalled BitDefender from my PC but as yet to no avail, the launcher won't even load.
Any ideas?!?!
My next step is to buy a new SSD and Windows :argh:
uhhhh that seems to be going hard..

not work, doesn't launch, doesn't update, won't login to validate? more details please :)
 
This is just a shot in the dark, but try installing Red Guides as an Administrator, or if that doesn't work, then try it normally.
If both of those fail, we'll have to start with some basic stuff.

What version of windows are you on?
I tried running as Admin and normal but to no success.
I am running Windows 10.

See if you have any restore points before installing Bitdefender, if so you can try to do a rollback.
I checked for rollbacks and restore points ~ I only use this PC for EQ so I'm game for anything
 
Next up, do a full reboot (I know you've probably done this a few times already but just so we are working on the same page)

Then

Just to be on the safe side, turn off Windows Defender for a moment.

  1. Select Start and type "Windows Security" to search for that app.
  2. Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
  3. Switch Real-time protection to Off.
It turns back on after I wanna say 24 hours if you care...

Try starting it now.
If it doesn't work, describe what does happen: do you get an error message, does it just open then close... etc.
 
Next up, do a full reboot (I know you've probably done this a few times already but just so we are working on the same page)

Then

Just to be on the safe side, turn off Windows Defender for a moment.

  1. Select Start and type "Windows Security" to search for that app.
  2. Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
  3. Switch Real-time protection to Off.
It turns back on after I wanna say 24 hours if you care...

Try starting it now.
If it doesn't work, describe what does happen: do you get an error message, does it just open then close... etc.
I double click on the Redguides launcher and I get a User Account Control message asking if I want testrunner.exe to make changes to my device and I click YES but nothing happens
 
Ok so Bitdefender likes to block that and a bunch of other stuff so that might be sitting in an exclusion file... it's looking like you have the same issue as this guy did: https://www.redguides.com/community/threads/a-veritable-bite-in-the-a.83364/
For the short term, let's try and turn off UAC and see what happens next. Depending on your level of comfort you might wanna turn that back up after we nail this down...

 
I merged this post into the other threads about Bitdefender. Please make sure to take time to check before posting as you'll end up robbing yourself of previously provided solutions.

don't rob yourself.

Bitdefender is super aggressive, which isn't a bad thing when it comes to antivirus. The first thing to do after you do your exemptions is to reboot. Then recover the files from your quarantine (or just redownload them).

do what knightly says here
 
While trying to install and run setup in EQ, I received this error message from Bitdefender, claiming that the following file was Malware 5Fjp68Hv.exe. Exact error is as follows:
Is this indeed an issue with the files I installed? Or a mistake and needed file?
 

it's likely as intended, to obfuscate the process name in case EQ is reading process names

make sure you got your download directly from RG and not somewhere else. if you still feel unsure, upload it to VirusTotal to get a better idea if whatever file it is is actually potentially problematic
 
re: firewall,
FWIW, off the top of my head I don't think there's any reason(?) for MQ exe itself to be able to access the internet. I'm not intimately familiar with the MQ codebase though so I may be wrong here.
Not to be confused with the RedGuides Launcher.

But this seems to be an antivirus issue, not firewall.
 
re: firewall,
FWIW, off the top of my head I don't think there's any reason(?) for MQ exe itself to be able to access the internet. I'm not intimately familiar with the MQ codebase though so I may be wrong here.
Not to be confused with the RedGuides Launcher.

But this seems to be an antivirus issue, not firewall.
It checks for updates
 
I have been using RG for like 2 years now and today I got this warning for the first time. Just checking to see if it's expected. It popped up when I launched MQ.

@Myysterio

 
Ok 2 small questions; Is the exe renaming done for each separate machine running it? Or one renaming for everyone? If just 1 for everyone, isn't that making it too easy for them (Daybreak) to multi-ban?
Yes. Each machine. Would defeat the purpose to have a unique exe if everyone had the same
 
I bought Bitdefender thinking it will keep my PC safe - what a mistake that was.
I am by no means a tech savvy guy - BitDefender has now taken my PC hostage lol, I cannot for the life of me get Redguides launcher to work.
I have uninstalled and reinstalled the launcher - I have nothing in the quarantine folder and have uninstalled BitDefender from my PC but as yet to no avail, the launcher won't even load.
Any ideas?!?!
My next step is to buy a new SSD and Windows :argh:
Turn off computer, make a drink/get a beer and have a sit in a darkened room. If not calm/relaxed start over, repeat till good to go again. Do not damage undefended people or hardware. ;)
 
Hello folks, been using this software for years off and on. Recently updated as normal for all MQ2 related plugins and stuff. Went to launch the game on Friday and when I did so I got all 6 of my 12 toons I play logged in. They successfully logged in and were in guild hall and were grouped by autogroup plugin. All of a sudden all six of them crashed to desktop. I've never had this happen. Then all of a sudden Malwarebytes popped up a notice saying ransomware detected. And when I looked in my quarantined folder I saw this show up. Also, for some reason when I log in, every time I have to reset all my MQ2 window placement for Lua windows like MQ2Nav, CWTN etc. Any way to force MQ2 to save the placement?
 

Two questions:

1) I don't recognize that file. It isn't something MQ puts on there. Might have gotten in there another way. Unless someone else knows differently.

2) Always make sure to camp to character select if you move stuff around. Fast camping seems to sometimes not save things properly all the time. If this isn't working for some, you can always edit MacroQuest_Overlay.ini in your macroquest config folder.
 
Some antimalware uses a data table which includes a sequence of binary characters for each kind of malware it is searching for. This behavior can lead to a false positive identification of a program which just happens to contain one of these sequences by executing the compilation of the program.
Also, MQ "manipulates" the running process of EQ in order to cause EQ to run MQ functions while running.
This technology may as well be seen as suspicious by an observing antimalware, and real malware may attempt to work in a similar manner, which again may raise a false positive flag.

My guess is that this was the case. Your antimalware found a seemingly suspicious binary sequence or behavior in the MQ program and stopped its execution during login, which then led to the crash of EQ.
You may consider excluding the MQ folder from your antimalware scanning in order to avoid interference.
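
An added illustration, not part of the post above and not MacroQuest or vendor code: a toy byte-sequence scanner showing how a harmless file that happens to contain a listed sequence gets flagged, and why a single-file exclusion stops matching once the executable gets a new random name while a folder exclusion still applies. The signature table, file contents, paths and the exclusion model are constructed assumptions; real products also use heuristics and behavior monitoring.

```python
from pathlib import PureWindowsPath

# Constructed signature table (name -> byte sequence); not real AV signatures.
SIGNATURES = {"Constructed.Sample.A": bytes.fromhex("deadbeef0badf00d")}

def scan(data: bytes):
    """Return (signature name, offset) for every signature occurrence in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return hits

def verdict(path, data, excluded_files=(), excluded_dirs=()):
    """Assumed model: exclusions match on path, detection matches on content."""
    p = PureWindowsPath(path)
    if any(p == PureWindowsPath(f) for f in excluded_files):
        return "excluded (file rule)"
    if any(PureWindowsPath(d) in p.parents for d in excluded_dirs):
        return "excluded (folder rule)"
    hits = scan(data)
    if hits:
        return f"flagged: {hits[0][0]} at offset {hits[0][1]}"
    return "clean"

# Constructed harmless file image that happens to contain the byte sequence.
BENIGN = (b"MZ" + b"\x00" * 62 + b"lookup table: "
          + bytes.fromhex("deadbeef0badf00d") + b" end")

# Same bytes under two constructed names, as with a per-launch random exe name.
FIRST_RUN = r"C:\Games\MQ\aB3xK9qL.exe"
SECOND_RUN = r"C:\Games\MQ\Zt81mWc4.exe"

def demo():
    """Compare no exclusion, a single-file exclusion and a folder exclusion."""
    return {
        "no_rules": verdict(FIRST_RUN, BENIGN),
        "file_rule_first": verdict(FIRST_RUN, BENIGN, excluded_files=[FIRST_RUN]),
        "file_rule_second": verdict(SECOND_RUN, BENIGN, excluded_files=[FIRST_RUN]),
        "folder_rule_second": verdict(SECOND_RUN, BENIGN, excluded_dirs=[r"C:\Games\MQ"]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
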
 

Hello folks, been using this software for years off and on. Recently updated as normal for all MQ2 related plugins and stuff. Went to launch the game on Friday and when I did so I got all 6 of my 12 toons I play logged in. They successfully logged in and were in guild hall and were grouped by autogroup plugin. All of a sudden all six of them crashed to desktop. I've never had this happen. Then all of a sudden Malwarebytes popped up a notice saying ransomware detected. And when I looked in my quarantined folder I saw this show up. Also, for some reason when I log in, every time I have to reset all my MQ2 window placement for Lua windows like MQ2Nav, CWTN etc. Any way to force MQ2 to save the placement?
i merged your question into the existing thread for this situation.

that random string is your obfuscated .exe

please read the rest of this discussion for context and understanding
 
Ok folks, thank you for all the info. I tested the issue after the post and ran it with just turning off Malwarebytes and everything just ran fine. So I'm just going in to the program and making that exclusion. Thanks again.
 
The copying was intentional. It's not comparing anything to see if the files are different, so it’s just copying over a new one each time. The part brainiac is talking about being unexpected is Windows defender popping up every time. In the short term, if it’s an issue for you, you can just create a shortcut to whatever exe was created.

The version file also needs to be updated to add publisher so it doesn’t say “Unknown.”

But I’ll be fixing both of those this evening.
Gotcha, thanks for the explanation.

-Taz
 