Clicksaver working, but not working...

[Pajeron]

OK, so a little history... I had clicksaver working just fine, couldn't even guess how many nanos/items I've missioned for using it... then on the last patch it just stopped working. I've un-installed and re-installed countless times (including completely deleting it from my system) with the same result...

When I run clicksaver it opens as usual, however when I start rolling missions zero information appears in clicksaver... no mission info, no item info NOTHING...

Has anyone else had this problem? if so, please please for the love of all that is good tell me how you rectified this insanely annoying problem...

[benhari]

I don't want to start a new thread on this, but please let me add something about CS that makes me really worried right now:

When I download CS from Marquentein ("Agaille's guide to Clicksaver"), I get a warning from !Avast that it contains a TROJAN called "Datarape-B".

If it is not a trojan, why does it have such a hostile name to it, and why did !Avast find it in 5 other files as well, and recommended me to reboot, do a deep scan and move it to chest?

This is the file that I downloaded from that place, using the FTP link. So I need to know; do I have to worry about this or not? I have been using CS for aeons, and never seen this before, so I am a bit puzzled about it, and I guess it is some kind of misunderstanding, BUT..

When I did a Google lookup, Zonealarm mentioned it too, as a TROJAN.

So, what's the deal here? I really need to know, because I need CS all the time as I do loads of missions.

[Axela]

I have been using the same CS Version 2.3.0 beta 3 which is before 15.9. Since I found out all I need to do is to obtain the AOHook.dll file. It still work but it is rather a pain to setup whenever there is a patch upgrade. Still, it works and I do not mind spending the extra amount of time setting it up if at the end of it, I have a workable CS. The place I download it from is http://www.halorn.com/clicksaver.html

There are 2 versions there, and the Beta is the one which needs the AOHook.dll file. Rather tedious but these are the steps I take.
1) After patch, I open CS.
2) Tells me database not setup. Go ahead and let it run.
3) CS pop up. Close it and reopen and it will tell me database not setup again.
4) Close CS, copy and replace the AOHook.dll and start CS again.
5) Let CS redo the database. After this second round, CS will work. (Test by closing and reopening it).

Now I never tried the version 2.3.1 CS. I heard people have problems with it and I do not want to go through the hassle, since I got a workable solution.

fletch, could you go over to that link and see if you get a virus alert as well? The copy I got is downloaded ages ago.

[Kahlie]

I don't want to start a new thread on this, but please let me add something about CS that makes me really worried right now:

When I download CS from Marquentein ("Agaille's guide to Clicksaver"), I get a warning from !Avast that it contains a TROJAN called "Datarape-B".

If it is not a trojan, why does it have such a hostile name to it, and why did !Avast find it in 5 other files as well, and recommended me to reboot, do a deep scan and move it to chest?

This is the file that I downloaded from that place, using the FTP link. So I need to know; do I have to worry about this or not? I have been using CS for aeons, and never seen this before, so I am a bit puzzled about it, and I guess it is some kind of misunderstanding, BUT..

Well... I did some research about that:
- The file detected as Trojan is called 'madCodeHook.dll' and is normally used by CS.
- Checked the dll with an hex editor and found nothing really dangerous inside, but something interesting, the author's website : this is in fact a library which permits to start an application on any of win9x/NT/XP systems without having any compatibility problems. There are more infos on this page .
- I also noticed on avast! website that Trojan.Datarape.B's signature has been added in its viral database the 01-31-2006.
- I also noticed that avast! now detects the same Trojan on my CS (installed from a long time, without any probs).
- And at last, obtained some infos from the website www.spywaredb.com which describes this trojan as an exe, named "trojan.datarape.exe".

I guess that you found a nice false positive
The best that you can do is to submit the file to avast team. It should permit them to confirm a malware presence if there are any, or correct the viral database if it is a false positive.

[haxi]

Using Avast's on access protection, both the beta and regular download from Halorn and the ftp and http downloads from http://www.marquentein.dk/clicksaver/download.html trigger the virus alert.

Some code contained within the madCodeHookLib.dll is being detected as a sample of Win32: DataRape-B [Wrm]. It is likely that whatever DataRape-B does, it is using the madCode dll to perform it's functions. I think the Avast signature for DataRape-B contains elements of madCodeHooklib, thus triggering the alert.

The madCodeHooklib.dll is not exclusive to Clicksaver, it is a third-party file. More info on madCodeHooklib.dll is available from the author's site:
http://www.madshi.net/madCodeHookDescription.htm

My archived downloads of ClickSaver now trigger the virus alert as well, so nothing "new" has been added to the CS downloads.

Someone not using Avast should scan the files and post their results.

[saerra]

Thanks for the info, my older version of Clicksaver, and the latest one, also triggered this (and freaked me out!)

It *sounds* like though it's actually just a false positive, as someone else stated, due to a change in the virus-template? *insert sigh of relief*

Thanks!

[Edit: OK - is there a way to tell Avast that "this instance of that potentially virus-infected file is ok"? I can't seem to get it to recognize that I still want to run Clicksaver Thanks...]

[saerra]

Never mind - I figured it out.

Just in case anyone else has problems with this, here's what I did. Pretty basic, but... had to hunt around for how to get avast to let me run CS (and it wouldn't run at all after I had "quarantined" the file, even after taking it out of the "chest"...

1. Go to the Clicksaver page

2. Shut off Avast (temporarily!) by right-clicking the rotating, blue ball with an "A" in it and choosing: "Stop On-Access Protection"

3. Download the Clicksaver file to your desktop. (If you don't shut off avast, it will prevent you from completing the download because of the potential virus.)

4. Open the file on your desktop. Dig around to get to the actual, nested "Clicksaver" folder and move that to where you want it (e.g. C:/Program Files/)

5. Right click the avast icon in the system tray again, and choose "Program Settings..."

6. Select "Exclusions" from the left side of the dialog box, and then "Browse" from within the main area of the box. Find and select your new Clicksaver folder. This stops avast from Checking this folder for viruses.

7. Delete the zipped file that you downloaded to your desktop.

8. Restart avast (right click the icon, etc.)

9. If you need to copy your CS settings (such as search items) - open up your old CS folder and your new one, and just copy over the file: "LastSettings.cs"

10. Run clicksaver, point it to the AO directory and let it build its database.

Good as new

[arimathea]

I submitted this to Avast yesterday for them to check if it is a false positive. We'll see.

[benhari]

Thank you very much, Kahlie and neutronix, this was much more info than I was hoping for, it makes for a bit of interesting reading!

*bows*

[haxi]

You are welcome, funny that we posted pretty much the same thing! Kahlie is both faster and more concise though

Anyway, it is quite likely that the idiot who wrote the trojan lifted some code from a third-party dll that clicksaver is using ( along with many other apps ). Avast scans, sees the same string in the dll that the trojan uses, and triggers the alert.

[saerra]

Kaspersky online free scan seems to found a trojan in my files:

C:\WINDOWS\$NtServicePackUninstall$\logonui.exe Infected: Trojan.Win32.Agent.on

C:\WINDOWS\I386\LOGONUI.EX_/logonui.exe Infected: Trojan.Win32.Agent.on

C:\WINDOWS\I386\LOGONUI.EX_ Infected: Trojan.Win32.Agent.on

I'm not sure what all this does/means. So I deleted the first and third files. I couldn't find anything to match the second one. Re-ran Kaspersky, and it's coming up clean.

(I also went ahead and let Avast put the CS DLL in the chest with a few other files it found, as it started going off again this morning )

[Kahlie]

Always glad to help

[Pajeron]

Finally found the problem.. when downloading the 2.3.1 CSer (post 15.9 version) I wasn't receiving the AOhook.dll no idea why as when I initially installed it that dll was obviously included :/
So it was simply a case of downloading the pre 15.9 CSer AOhook.dll fix and hey presto... it works again

PS: some championship grade thread hijacking btw :P

[Bekrowe]

Moved to Knowledge Database as Clicksaver is a 3rd Party application and not supported by Funcom and ARK.

[arimathea]

Avast never emailed me back about the status of this, but I have noticed that they did update it to no longer detect a trojan in the clicksaver files. I guess it's safe to use after all.

[Agaille]

When I download CS from Marquentein ("Agaille's guide to Clicksaver"), I get a warning from !Avast that it contains a TROJAN called "Datarape-B".

It is nice to see that there are some alert people out there that doesn't take anything for granted but actually do some security checks on their computers themselves.

It was quite disturbing to read that Fletch's software made a connection between the version of Clicksaver that I have put up for download and a Trojan horse, especially since I have personally scanned ALL my downloads with Clam Antivirus, which has a next-to-nothing standard when it comes to it's scanning engine.

Clam antivirus' scanning engine is so good that it together with F-Prot's scanning engine is widely used on a variety of Linux-based e-mail servers.

And since I am using a good antivirus detection engine, the only logical conclusion to finding such a trojan in my ZIP-file must be, that I have inserted it myself, which was a very unpleasant attack on my integrity and honesty.

For the record I believe in the "trust but verify" philosophy, so naturally one has to deal with, that eventually someone like Fletch comes along asking questions about Clicksaver that I put up for download.

Well... I did some research about that:
- The file detected as Trojan is called 'madCodeHook.dll' and is normally used by CS.
- Checked the dll with an hex editor and found nothing really dangerous inside, but something interesting, the author's website : this is in fact a library which permits to start an application on any of win9x/NT/XP systems without having any compatibility problems. There are more infos on this page .
- I also noticed on avast! website that Trojan.Datarape.B's signature has been added in its viral database the 01-31-2006.
- I also noticed that avast! now detects the same Trojan on my CS (installed from a long time, without any probs).
- And at last, obtained some infos from the website www.spywaredb.com which describes this trojan as an exe, named "trojan.datarape.exe".

I guess that you found a nice false positive
The best that you can do is to submit the file to avast team. It should permit them to confirm a malware presence if there are any, or correct the viral database if it is a false positive.

My archived downloads of ClickSaver now trigger the virus alert as well, so nothing "new" has been added to the CS downloads.

Someone not using Avast should scan the files and post their results.

I would like to thank Kahlie & Neutronix for taking their time to do their own investigations into Clicksaver and subsequently report their findings here on the forums. I consider this as a clearing of my name and reputation.

This is not the first case of a false positive that I have heard of. Such cases show up more frequently than you would think in different scanning products and apparently the industry keeps real quiet about it when it happens.

I would also like to announce that unrelated to this event, I have updated Agaille's guide to Clicksaver to version 2.0 including a complete re-write of the download section. I now support CS 2.3.1 and no longer 2.3.0 beta 3.

My download packages are extracted directly from Halorn (didn't compile it myself) and re-packaged with the settings-file with my recommended settings, which is missing from the Halorn download (This is done in order to eliminate one more thing that eventually can go wrong for newbies when they try out CS for the first time). Related to security I now offer a WinRAR self-extracting archive with any possible security whistles and bells included in the compression besides from the usual ZIP-file, which is slightly better compressed than Halorns download.

Subsequently I would like to encourage everyone interested to take a look at my new downloads and have it confirmed or debunked whether or not Halorn and I are serving an honest version of Clicksaver or not.

You can do that looking at the Clicksaver source codes yourselves, verify if anything bad is hidden inside the source code or not, compile the source code and compare the checksum of your own compiled CS binary with the pre-compiled binaries, that I as well as Halorn are offering for download.

"Trust but verify"... this is the very essence of what Open Source is all about, and I know that I can't be trusted before I am verified!



Thanks in advance

- Agaille



PS: I have envisioned a scenario, where Clicksaver would be downloaded to a Windows PC, which is pre-contaminated with viruses, spywares, key loggers and the like. Subsequently the virus will try to insert itself into any binary it can find including the newly downloaded Clicksaver.

It will not take a genius to figure out, that naturally any antivirus scanning engine will report a verifiable true virus alert on this freshly infected Clicksaver executable file, so all I ask is that in the event that you should find something, then you make pretty damn sure, that the source does not origin from your own PC in the first place.

In the case of Fletch he made one vital mistake: He trusted his Avast antivirus but he never took the time to verify it. In the event that I should get such a virus alert, I would naturally test the file in question against an array of competing products, to see if I can reproduce the virus warning. If I can, then I can be pretty sure that the file smells fishy. If not then I learned a lesson or two about my existing antivirus solution. (This is what Neutronix proposed)

[Lumifly]

PS: I have envisioned a scenario, where Clicksaver would be downloaded to a Windows PC, which is pre-contaminated with viruses, spywares, key loggers and the like. Subsequently the virus will try to insert itself into any binary it can find including the newly downloaded Clicksaver.

It will not take a genius to figure out, that naturally any antivirus scanning engine will report a verifiable true virus alert on this freshly infected Clicksaver executable file, so all I ask is that in the event that you should find something, then you make pretty damn sure, that the source does not origin from your own PC in the first place.

In the case of Fletch he made one vital mistake: He trusted his Avast antivirus but he never took the time to verify it. In the event that I should get such a virus alert, I would naturally test the file in question against an array of competing products, to see if I can reproduce the virus warning. If I can, then I can be pretty sure that the file smells fishy. If not then I learned a lesson or two about my existing antivirus solution. (This is what Neutronix proposed)

well, Fletch was taking the time to verify it, by asking here.

the most likely reason avast and co triggered a virus alert is because CS is using a dll that is not exclusive to CS...a dll that could and probably is used in viruses, hence why the alert.

[Timmon]

Hi,

This issue seems cut and dried, but im posting just because no-one as yet done so: verified my long ago installed CS 2.3.1, downloaded most likely from Halorn site, with company supported F-secure Anti-virus 5.43 build 10371, with definition files updated todya 1st of March.

No issues with any of the files in CS directory, including MadCodeHookLib.

[Dyamanda]

*flips a coin on thread necromancy or start new thread...necromancy wins*

Anyone here use Linux and have Clicksaver working? One of my orgmates recently switched over and can't get it to work now. Even tho it's not my problem directly, I'm sure inquiring Linux minds would want to know.

[Whistler]

Is clicksaver still supported?