Flight sim 9 failure

Discussion in 'ESET NOD32 Antivirus' started by madhattr15, May 7, 2012.

Thread Status:
Not open for further replies.
  1. madhattr15

    madhattr15 Registered Member

    After upgrading to NOD32 5.0 I tried to install some scenery to Flight simulator 9 and FS9 failed. The reason I reinstalled the scenery is I had reset my computer to factory. This scenery had worked on this computer before but not after upgrading to 5.0. I have the same software installed, fs9 and scenery, on another computer but with NOD32 4.0 and everything works. The only difference is the version of NOD32 o_O??

    Thanks for great security software

    Allan
  2. DrewD

    DrewD Eset Staff Account

    Please verify whether you are able to install some scenery to Flight simulator 9, when the ESET antivirus client is temporarily uninstalled.
  3. Nige

    Nige Registered Member

    I have a similar issue here.

    @madhattr15 is your scenery from Flight1 by any chance?

    Flight1 add-ons use various dlls to check valid installations.
    They're called flight1chk3.dll, flight1chk4.dll and are usually installed in //Windows/System32 and/or the WOW64 folder on a 64 bit machine.

    The dlls are referenced whenever Flight Simulator is started, and if they're not there then an error message is generated and the application (Flight Simulator) fails to start.

    I've had Flight1 software on my Win XP system for years (probably about 9 years), with of course the associated flight1chk files.

    I've had NOD32 for the past 4 years at least, and these flt1chk files were never flagged by Nod32 (because, of course, they're not malicious).

    I recently updated to a new PC (Win 7). As a consequence I transferred my NOD32 licence to the new PC and updated to version 5, I think, of NOD32.

    I also re-installed the Flight1 add-ons by redownloading the installers from the Flight1 site.

    Firstly, NOD32 prevented the proper installation of the Fligh1 software by quarantining the fligh1chk dll files. This meant that Flight Simulator wouldn't start.
    Secondly, whenever I try and create a backup using the default Windows 7 back up utility, the back up fails, because NOD32 prevents the fligh1chk files from being copied to the backup, and the whole back up fails.
    Thirdly, whenever I run a NOD32 scan, either scheduled or manually, NOD32 quarantines every instance of these necessary files, from back up, from System32, from WOW64 and from within the flight1 installer exe files.

    I've scanned these same files with NOD32, Windows Defender, Norton, Avast, and MalwareBytes AntiMalware. Only NOD32 reports them as malicious.

    I've also submitted the files as false positive to ESET multiple times, since March 2012, but they are still being flagged as malicious.

    I've now had to add the file paths to NOD32 Exclusions, which at least means that Flight Simulator will run.

    The issue is that these are legitimate files. If they're not, then for 10 years NOD32 failed to spot them, which is not good. If they are ok (which I believe they are) then the recent version is incorrect.

    This is by no means a new issue - A quick Google for flt1chk4.dll will yield various posts on (mainly Flight Sim) forums going back at least 5 years. If it is the case that there is a malicious variant of these files in circulation, then it seems very odd that NOD32 never flagged them as such before the latest version. If they are false positives (which I believe they are), then it also seems very odd that NOD32 is using rudimentary checking to determine that files are malicious.

    Is there a more formal method of submitting false positives to ESET than using the contact form within NOD32, which seems to be being ignored?
  4. Nige

    Nige Registered Member

    Bump!
    Anybody from Eset support on these forums at all?
    I've tried the support approach, but nothing.
  5. Marcos

    Marcos Eset Staff Account

    You wrote "NOD32 prevented the proper installation of the Fligh1 software by quarantining the fligh1chk dll files". Unfortunately, I was unable to find any file with that name submitted to ESET's viruslab. Could you please resend it as per the instructions here? I'm also curious to know what threat was detected in these files.

    I was able to find a dll with that name and MD5 11b98159691b1d072f679cea04ad38ef on the Internet. If it's the same file as yours, it's not detected by ESET now.
  6. Nige

    Nige Registered Member

    Thanks for the reply.
    As I said, I've submitted this file through NOD32 on multiple occasions.
    I will try the method you linked to.

    [Edit] I've just submitted a selection of files. NOD32 flags them as Win32/SuspLibLoad.B trojan [/Edit]
    Last edited: May 30, 2012
  7. Marcos

    Marcos Eset Staff Account

    Still, I cannot find it. Please upload it to VirusTotal and copy & paste the SHA1/MD5 hash of the file as well as the detection name here.
  8. Nige

    Nige Registered Member

    I emailed it in a zip file as per instructions, and I submitted the files multiple times through NOD32 and you can't find any of them?

    I suggest that maybe you should be checking things at your end.

    To be honest, NOD32 is becoming more and more of a pain to use, and the reporting facility is obviously broken.

    Anyway, here's the result for fltchk4.dll, which prevents FS9 from starting if it's not found:

    18cb04ff5818bfbfa807f6430f7427129f9f0335f269eb0eb3dd32aab8b2107b

    McAfee-GW-Edition = Heuristic.LooksLike.Win32.Suspicious.C
    NOD32 = Win32/SuspLibLoad.B
    TheHacker = Trojan/SuspLibLoad.b
  9. Nige

    Nige Registered Member

    And here's flt1chk3.dll

    e6feea66ee1f57c0a4138fe401fc51c90bcf7d60eddf0ac4895496c30d86037c

    McAfee-GW-Edition = Heuristic.LooksLike.Win32.Suspicious.C
    NOD32 = Win32/SuspLibLoad.B
  10. Marcos

    Marcos Eset Staff Account

    This detection is triggered on patched files and is still under investigation as it's not clear if the changes were intentional and legit or performed by malware.
  11. Nige

    Nige Registered Member

    Thanks.

    As I said, I redownloaded the files and did a fresh install from flight1, and NOD32 picked them up at installation.
    So if the patch is malicious, then I presume it was done on flight1's versions?

    It would be good to have a progress report on this - I've excluded the files from NOD32 checking for now.