Hey hey!

Overlord, Eagle and me found how the TSF virus work and how to remove it.

Well, the virus is caused by the program TSF Warper (Warper.exe).

http://www.iespana.es/albertocastillo2001/TSFVirus/Warper.jpg

After is ran it copies a file to C:\Windows\System folder (where C: is your hard drive letter) called Msacdlg.exe.

http://www.iespana.es/albertocastillo2001/TSFVirus/Msacdlg.jpg

Also it adds a key to the RUN section on the registry called Msacdlg so the program starts when your computer starts.

http://www.iespana.es/albertocastillo2001/TSFVirus/Registry.jpg

In some cases when that file is run it creates a third file with a random name such as Gygxk.exe.

http://www.iespana.es/albertocastillo2001/TSFVirus/Gygxk.jpg

And that file is the "Initcent" program, when that program is on and you're on a TSF game, names will change, you'll be warped often and the scores will change sometimes too.

For those who are wondering what the program does in memory I took some pics when I analyzed it.

Warper.exe contains a weird message by it's author:

http://www.iespana.es/albertocastillo2001/TSFVirus/Messagemem.jpg

Also you can find the registry key, the name of the file that it copies and the word "sux0rs".

http://www.iespana.es/albertocastillo2001/TSFVirus/Keyandsux0rs.jpg

On the third file that is created (Initcent one) you can find the title of the virus:

http://www.iespana.es/albertocastillo2001/TSFVirus/AnnoyVirus.jpg

And some bad words..

<a href="http://www.iespana.es/albertocastillo2001/TSFVirus/Badwords.jpg">Click here to view the image</a>

[Fquist - Image changed into a link because of the bad words. The jcf will not be held responsible for them]

How to remove the virus?
Really easy.

If you ran Warper.exe go to your Windows\System folder and look for a file called Mscadlg.exe like this one:

http://www.iespana.es/albertocastillo2001/TSFVirus/Msacdlg.jpg

Then delete that file.

After is deleted go to Start menu and then click on run, in the white box type "regedit" without the quoutes.

http://www.iespana.es/albertocastillo2001/TSFVirus/Registry.jpg

And follow this path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run and then in the right window look for that Msacdlg key and delete it, look the pic above for more info.

With this done the virus won't start again (unless you run Warper.exe again).

To remove it definitely go to your Windows folder and look for a file with EXACTLY the same icon as on the pic.

http://www.iespana.es/albertocastillo2001/TSFVirus/Gygxk.jpg

Remember that the name can change, but it has the same icon, exactly the same one.
After you find it just delete it and done!

It seems this is just a funny joke of someone, nothing dangerous. :)

this will make you cheaters to don't cheat again. :P

Bye bye!

For more info visit Overlord's post http://www.jazz2online.com/jcf/showthread.php?s=&postid=71751#post71751

YAY for Alberto, Overlord and Eagle!

You're all welcome hehehe. :)

Yeah, but now we gotta find out who made it.


Why?


Well........um......because it makes an interesting story.... :D

It's a quit good story for the war tavren:
Once upon a time, there was a little fat chicken who wanted to punish all the poor cheathers, so it made a lama virus, but our heroes, Eagle, Alberto, and Overlord saved us poor cheathers from it ;P
Happy ending with lots of spell errors

Go 'Berto. Go Eagle too. Woo for them. ;)
Alberto, when I say 'what's up?' or 'whacha doin?' on MSN/ICQ, THIS is the sort of stuff I'm asking about.

Its just so strange that I dont have the virus :) Hmmz maybe My Computer ROckZz :D
Ow yeah this virus thingy has to be NEW, because almost noone knew about Bin Laden before the Twin Tower attack. So its made after it...duh. The virus is quite made 'smart'...

Way to go guys!

Seems to be there was someone who said "I am the Alpha and the Omega", but I don't remember who.

Anyway, very nice detective work, or whatever you did.

Cool.

If warper is on J2O, remove it.

Hehehe. :)
Yes, if it's on J2O, FQuist remove it.
Also, Unknow, try to remember who said it, it would be interesting to find who made this joke.

Overlord put that in one of his programs. I think it was project omega.

The phrase was made popular by UT. Xan (the end boss) used it as a taunt.

I could list a bunch of people who play UT, but I don't want to make them seem like suspects.

Yes, it is in Overlord's Project Omega, so that could be anybody (even me.)

._.

Doesn't Dethman play UT Mike? ;)

Originally posted by Alberto
Also, Unknow, try to remember who said it, it would be interesting to find who made this 'joke'.

Joke, joke....JOKE?!?!?
O_o

That person should get a humor.

<strike>It's Dethman! He's angry at the community because not every JJ2 player is a Christian!</strike>

Great you found it out. Also great I don't have TSF Warper ;)

It's true that I put the taunt into Omega. But I always say Alpha and Omega with uppercase beginning. If you look at the picture or in UT you can see that it's lowercase.

Interesting.... *snickers* I also would like to know who did it...if only to laugh about it. Heh I bet they will think twice before running trainers now. ;)

And no it was not me ;)

EDIT: interestingly enough its a VB work. That narrows it down to everyone but me, mirrow, and lama. Joy. =P Could someone send me this virus? I would like to take a look at it.

Originally posted by Unknown Rabbit
Seems to be there was someone who said "I am the Alpha and the Omega", but I don't remember who.

Anyway, very nice detective work, or whatever you did.

Dosen't the Bible say somthing like that??? :confused:


Great job! This is interesting to hear about a virus for jj2! maybe someone made it because he was sick of that rabbit! (Iknow I aint!):D

Originally posted by Puffie40
Dosen't the Bible say somthing like that??? :confused:
Yes. Jesus Christ said, "I am the Alpha and the Omega, the First and the Last, the Beginning and the End." - Revelation 22:13

Yeah. Thats nice. Now, who really did it... :)

Whoever made this program is very <u>VERY</u> slick, for trying to hide a program with boring icons and names, and knows extensive knowledge about VB process stuff and Jazz2's memory locations.

Yea, let's poll the athour of the program home! I think he/she really gets scared of something like that }>

Heh, well, at first it spread thru e-mail.
Then probably people sending it to another people without the knowledge that it was a bad program.