View Full Version : Lingon trainers..


jarfin
06-07-2011, 00:39
something is wrong or so with these Lingon trainers, my ESET is always warning about trojans, all the time.

example, again: Crysis 2 v1.9 (v1.9.0.0) +22 TRAINER has it again.

here:

Object:
http://d02.gamecopyworld.com/?r=pc_crysis_2c=725495341d=2011f=Cry2+22Tr-LinGon!rar
Threat:
a variant of Win32/Packed.VMProtect.AAH trojan
Information:
connection terminated - quarantined

:eek::mad:

there must be some spy codes.
any1 else's trainers DON'T do this.

any1 know better?

Joe Forster/STA
06-07-2011, 07:35
Confirmed, NOD32 gives a warning, also see VirusTotal: http://www.virustotal.com/file-scan/report.html?id=e0df9bf358f6b17e8fd7ee69d823d8ab6687b4d6ec2233950919c80f822f8a7a-1309962545 . That's too much for me, too. I suggest that you don't use the trainer and, if LinGon has a contact address, tell him to use a different EXE compressor/encryptor/whatever.

EMPiRE
15-07-2011, 08:28
All trainers from LinGon generate an ESET virus warning, nothing new... and nothing to worry about!

rkaye
01-09-2011, 11:49
People are just trying to be safe and it is unreasonable for the community to accept that Lingon's trainers will always give a 'false' positive -- is someone really trying to make the argument that this guy can code complex trainers but he is unable to do so without setting off everyone's AV? gamecopyworld should step up and tell Lingon that they aren't going to post his trainers until he can learn to submit code that passes AVs. The problem is that Lingon is the *only* trainer maker who is getting flagged by eset, sophos, and other antiviruses as having a serious trojan. This has been going on for some time, see jarfin's post above regarding Win32/Packed.VMProtect.AAH trojan back in June. The longer he waits to change his code to prevent this, the more and more people are going to post on forums all over the place, these sites will get indexed by google, which will strengthen the tie between Lingon's name and trojans/viruses.

+ TR/Black.Gen2 is not h0tkeys, it is WAY more serious of a threat.

+ eset is regularly rated as an extremely good AV with low false positives.

+ I submitted his Deus Ex: HR trainer to both sophos and eset, NEITHER is willing to whitelist it because, while it may (or may not) be malicious, the implementation is both unorthodox and extremely dangerous.

+ Give the community a choice between choosing a +12 trainer that gives a virus warning and a +10 trainer that doesn't -- which do you think is going to get used, and which do you think is going to get flamed?

worse, since his trainers already flag as TR/Black.Gen2, how easy would it be for someone to download his trainers, infect them with a "real" TR/Black.Gen2 trojan and then repost them to a forum as Lingon's? imagine the storm that would ensue then -- you'd have a bunch of forum posts saying 'his trainers are fine, don't worry' and lingon's website would say 'hey they are false positives, go ahead' and idiots who believe it would execute the code and *poof* there goes someone's pc along with Lingon's reputation.

+ the ONLY reason Lingon is packing his exe's like this is to prevent reverse engineering. For someone skilled enough to code a trainer with more features than anyone else, it is simple laziness to not find another way to protect their code, minus the virus alerts.

Lingon needs to choose:
1. stay lazy, keep your exe's packed the way they are, and accept that people everywhere will associate Lingon and 'malicious trojan.' [in which case, quit your whining about it]
2. change your code so that you aren't the only freaking trainer-maker who is getting TR/Black.Gen2 trojan alerts on your releases.

'my releases are clean, i promise.' is an idiotic argument. fix your code or live with the rep.

Joe Forster/STA
01-09-2011, 13:21
It seems that, fortunately, no one has been riding the possibility of really infecting Lingon's trainers so far. If they did, we would've received more serious reports about actual trainers.

It is well possible that Empire is accepting Lingon's trainers only from Lingon: this was a simple yet effective solution for h4x0r's trainers after CheatHappens started submitting fake trainers to GCW in his name. If so, it is up to Lingon to decide whether he wants to fuck up both himself and GCW and he's surely smart enough to understand that this would be a major lose-lose situation for everyone so what would be the point? If my assumption is right then GCW is a reliable distributor of genuine trainers from Lingon which would be a win-win situation for everyone.

But, again, Empire is the only one who can really answer these questions; I'm just guessing.

TippeX
01-09-2011, 17:06
"Protecting his trainers" is a joke anyway, there are only a few methods that trainers use... like WriteProcessMemory, ReadProcessMemory, VirtualAllocEx and code injection... All of which are incredibly easy to hook, and thus obtain the patch code, memory addresses and so on... Any trainer / ripper with any skill could do this...

MasterHand
01-09-2011, 18:31
I see everyone says LinGon is whining when in fact it's the other way around.
at least that is what we, the rest of the users, are seeing.

He protects his trainers and it's his decision, and so do many other trainer makers.
i see nothing wrong with that and whining about it here is useless and will lead nowhere.

Also if i remember correctly, i recall Lingon saying he wouldn't upload trainers to GCW anymore.
so why are people even complaining when it's not even lingon that is uploading them here?

Now if he was the one providing GCW with the trainers i would have more understanding for it,
yet it would be pointless to argue about this subject since i think lingon wouldn't change it anyway.

so the question here would be, why are you even whining about lingon doing this or that
with his trainers, is it up to you to say how he should protect them or not?

There are bigger issues in this world and whining over a trainer using this or that protection is pointless.
These users think he can make changes to something that's obviously not going to happen.

@rKaye
I quote: 'my releases are clean, i promise.' is an idiotic argument. fix your code or live with the rep.
so according to you what should lingon be saying?
hey, there is a virus in my trainer, just so you know, would he be more trusted by you then???

conclusion: stop using the trainers that you don't like for whichever reason and use the ones you prefer
and quit the whining you accuse lingon of.

And yes i use his trainers since most of the time he makes the best trainers there are.

Just wanted to stand up for him since he makes my gaming a lot more fun with the trainers he makes.

@TippeX
Be it a joke or whatever, in the end it's up to him and not us.
He's not even forcing anyone to use his trainers.


/MasterHand

Joe Forster/STA
02-09-2011, 08:14
conclusion: stop using the trainers that you don't like for whichever reason and use the ones you prefer and quit the whining you accuse lingon of.

This is exactly my personal opinion, too, but I dare not say it officially. ;)

TippeX
02-09-2011, 08:43
I second that, unofficially of course (angering ye gods, sleeping or otherwise, isn't a good idea)

Cowsheep
03-09-2011, 06:29
VMProtected files are causing false positives with the will of the VMP developers - but only IF the VMP software itself is poorly cracked and the triggers kick in.
Files protected with original or properly cracked VMP should not cause those problems.
Source: Other forum, i don't think i can post a link to it here.

darkedone02
04-09-2011, 10:12
I never usually download hardly any of his trainers because some don't work, I look forward to HoG's and other people who make more efficient trainers.

EMPiRE
06-09-2011, 00:10
Our/My aim has always been to make available ALL existing trainers & tools even if they are badly coded, packed, promos, call home, are in a foreign language or whatever. In the end this gives you the ultimate choice what to use (or not, that is up to YOU)

I would also want to see that the files are not detected as a virus/Trojan (read: Packed) or call home but this is up to the author. I understand that some of them want to protect their work for various reasons but I also think that sharing your knowledge is a good thing and then there would be no need to pack files

My thought is that the AV companies should never have added detection for packed files, I totally understand that they did it as they want to warn EVERYBODY of the possibility of an infected file and not just a small group of people... (better safe than sorry)

Maybe we come over as "insensitive" about this subject but this is mainly because we get so many posts & emails about "possible" viruses/trojans that you become a bit immune to these kinds of messages as most are false positives!

Of course it is possible to fake trainers and upload them. This happens, not often, and almost all are detected in time...

We will do our utmost to make sure it will be a safe experience to use GCW & FF but in the end you alone are responsible for what you download & use from the internet, nothing new there...

Joe Forster/STA
06-09-2011, 08:42
Well, then it's official. :)

I understand that some of them want to protect their work for various reasons but I also think that sharing your knowledge is a good thing and then there would be no need to pack files

Being a faithful communist, I cannot possibly disagree with the second part of the sentence. :)

Much more generally, people are wasting way too much of their time, energy and other resources battling with each other when there are so many useful goals out there. (We could've colonized half the Solar System by now which would've inherently solved many of the major problems that mankind is currently struggling with.) Well, that's capitalism, people!

My thought is that the AV companies should never have added detection for packed files, I totally understand that they did it as they want to warn EVERYBODY for the possibility of an infected file and not just a small group of people... (better safe than sorry)

The problem with this is that, 1) when an executable is packed and/or encrypted, you cannot (easily) find out whether or not it's malicious because you can't see the actual code, 2) it's impossible for an anti-virus company - or anyone else, for that matter - to code depackers and decryptors for all packers/encryptors available, especially for serious encryptors where the point is exactly to prevent people from seeing what's inside. Therefore, the easiest way is warning the user about packers/encryptors that are usually found in malware and there's nothing we can do about it.

Of course, smart programmers listen to the needs and requests of their users. However, there's nothing we can do about this either. ;)
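The generic "packed executable" warning Joe describes above, shown as an added example (this is not code from this thread, from GCW or from any AV vendor): a Python script that walks a PE file's section table and flags the same kind of evidence a packer leaves behind, without ever decrypting anything. It reports known packer section names, executable sections that have no bytes on disk (the unpacking stub fills them in at run time), and executable sections whose byte entropy is too high to be plain compiled code. The section-name list (.vmp0/.vmp1/.vmp2 for VMProtect, UPX0/UPX1/UPX2 for UPX), the 7.0 bits-per-byte threshold and the two sample images are assumptions constructed for this demonstration; the fixtures are not real trainers, just minimal PE layouts built in memory.

```python
"""Static packer heuristics over a PE section table (defender-side triage)."""
import hashlib
import math
import struct

# Section names commonly left by packers/protectors (VMProtect, UPX). Assumed,
# illustrative list, not an exhaustive or authoritative signature set.
PACKER_SECTION_NAMES = {".vmp0", ".vmp1", ".vmp2", "UPX0", "UPX1", "UPX2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0   # bits/byte; ordinary compiled code sits well below this
MIN_SAMPLE = 256          # entropy of a tiny section is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, virtual_size, raw_size, characteristics, raw_bytes) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        (name, vsize, _va, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, vsize, raw_size, chars, pe[raw_ptr:raw_ptr + raw_size]


def assess(pe: bytes) -> dict:
    """Return {'verdict': 'suspicious'|'clean', 'reasons': [...]} for one image.
    'suspicious' means 'packed/obfuscated', not 'malicious': the code is unreadable."""
    reasons = []
    for name, vsize, raw_size, chars, data in parse_sections(pe):
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} is a known packer section name")
        if executable and raw_size == 0 and vsize > 0:
            reasons.append(f"executable section {name!r} has no raw data but {vsize} bytes virtual")
        if executable and len(data) >= MIN_SAMPLE:
            h = shannon_entropy(data)
            if h >= ENTROPY_THRESHOLD:
                reasons.append(f"executable section {name!r} entropy {h:.2f} looks encrypted/compressed")
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 image from (name, virtual_size, characteristics, raw)
    tuples. Constructed test fixture only: enough for the parser above, not loadable."""
    align = 0x200
    opt = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 magic, rest zeroed
    headers_len = 64 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_base = (headers_len + align - 1) // align * align
    table, blobs = b"", b""
    for name, vsize, chars, raw in sections:
        padded = raw + b"\0" * (-len(raw) % align)
        ptr = raw_base + len(blobs) if padded else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0, len(padded),
                             ptr, 0, 0, 0, 0, chars)
        blobs += padded
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    img = dos + b"PE\0\0" + coff + opt + table
    return img + b"\0" * (raw_base - len(img)) + blobs


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for encrypted code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


EXEC_CODE = IMAGE_SCN_MEM_EXECUTE | 0x20           # + IMAGE_SCN_CNT_CODE
DATA_RW = 0x40000000 | 0x80000000 | 0x40           # READ | WRITE | INITIALIZED_DATA

# Constructed fixtures (not real trainers): a plainly compiled-looking image and
# a VMProtect-style layout with an empty .vmp0 and a high-entropy .vmp1.
PLAIN_PE = build_pe([
    (".text", 1024, EXEC_CODE, bytes(range(16)) * 64),   # entropy exactly 4.0
    (".data", 512, DATA_RW, b"\0" * 512),
])
PACKED_PE = build_pe([
    (".vmp0", 0x40000, EXEC_CODE, b""),                   # filled in at run time
    (".vmp1", 4096, EXEC_CODE, _pseudo_random(4096)),
])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, assess(image))
```

Run as-is it prints "clean" for the plain image and four reasons for the packed one. Note what the verdict does and does not say: every check fires on the container, not on the behaviour, so a protected trainer and a protected trojan look identical to it. That is exactly the limitation Joe describes, and why a hit like this is a prompt for a second look (checksum against a trusted listing, vendor submission, a sandbox run) rather than proof either way.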

EMPiRE
06-09-2011, 11:33
I understand that it is hard to check a packed file which they cannot decrypt but that is a bit too easy!

AV software should be more intelligent, if they encounter a packed file it should execute it inside its own sandbox and then check the results. It will be hard to make this foolproof but it is possible.

Joe Forster/STA
06-09-2011, 11:59
Some anti-malware software actually does this but it is rather called HIPS (http://en.wikipedia.org/wiki/Intrusion_prevention_system) than anti-virus. E.g. the free Comodo Firewall has a built-in sandbox which, as far as I remember, has a semi-automatic community-driven online database of whichever file is or isn't malware and you can also submit (I guess, only the checksum of) your own "suspicious" files there. For such sandboxes to become common is, I think, still a bit into the future, especially for fully automated ones.

rkaye
06-09-2011, 13:13
I find it ridiculous that GCW would advise the community to ignore TR/Black.Gen2. There has got to be another way that he can protect his trainers without such a trigger. Even my poopy linux home firewall goes bananas when attempting his recent submissions.

I understand the drive of GCW to be a primary game trainer site, but won't traffic take a dive if GCW becomes associated with hosting infected files, false positive notwithstanding?

The only middle road I see is for Lingon (or GCW) to submit his trainers directly to major AV companies for analysis and approval.

I'd feel better about this if Empire would at least say that they asked Lingon to look into trying to protect his trainers in a manner that doesn't yield AV hits.

Cowsheep
06-09-2011, 13:25
He should simply use original or proper cracked VMP and the problems will be gone.

Joe Forster/STA
06-09-2011, 15:42
Real anti-virus positives, genuine malware, on GCW are so rare that I don't remember ever having seen one. (My memory is quite selective, though, so don't rely on it...) Of course, malicious people can upload tricky executables that look like a false positive but are actual positives, however this is unlikely. I suggest that, until you find a provably real positive, you refrain from even suggesting that GCW may be hosting infected files because that's a serious accusation.

We have no contact with Lingon and, probably, he doesn't visit this forum and, even if he did, he wouldn't give a shit about our opinion - if he did listen to his users, he would've probably removed his "DRM" long ago - so your suggestions are completely in vain. And, I assure you, he won't bother to send samples of his executables to anti-virus companies, especially if he really is using a (not fully) cracked, illegal version of the encryptor. Also, I don't think that any of us at GCW would have time for a possibly long correspondence, trying to persuade him into dropping the encryption. You see, we suggested Sicheats to remove theirs and they wouldn't listen to us - or their users, for that matter. I'm a bit pleased that you assume us to have such power or control over the authors of hosted stuff but we have none at all: just like you, we can only make requests which they will or will not honor, it's up to them.

I think everything that needed to be said has been said. For the umpteenth time, I might add, so there's no point in continuing this discussion. In case someone still didn't get the conclusion: just as with any other site, benevolent or not, it is up to you to decide what to download and their use on your own computer is your responsibility and only yours. You can take that as an informal disclaimer (http://en.wikipedia.org/wiki/Disclaimer).