New Problem: Members being blocked from Forum!


k23time
June 13th, 2011, 02:49 PM
I have strong reason to believe that a recent update to the Pokemon Game Editor created by member Gamer2020 has purposely created a simple hosts file within the Windows\System32\Drivers\Ect\ folder that blocks all access to the PokeCommunity website. Moving or deleting this file will allow access again, but if you've been blocked, you obviously can't read this post. =/ So I request that a moderator please send out an email message detailing this problem in case someone else has downloaded this game that can be found through this forum.

I've sent a report to the moderators and a pm to one, but haven't gotten any replies yet, so I'm posting this here in case someone else wants to get a hold of them and let them know, or has friends who are currently blocked because of this.

And I urge all members to refrain from downloading anything from Gamer2020. This time it wasn't dangerous, just annoying (and difficult for members if they don't get help from someone), but next time it might be worse.

EDIT:
I just confirmed that installing Gamer2020's Pokemon Game Editor program will create this file. On his forum he has posted the following in response to my statements:
"Oh wow LOL
I haven't even been programming lately. PGE does no such thing...
I can still access PC so idk what the problem could be =/
I know I didn't write anything like that into my program. It just edits ROMs."

So either he's lying and he did put it in there, or one of the programs within his collection created it, but given his known hatred for the way this place is moderated, I'm more likely to believe he put it in there purposely.

Spinor
June 13th, 2011, 03:22 PM
...Pretty sure it's just you.
I haven't downloaded yet though. How do you know other members are banned?
You probably just messed up :/

...Pretty sure it's just you.
I haven't downloaded yet though. How do you know other members are banned?
You probably just messed up :/

What he means is that the application edits the 'hosts' file in system32. That file has a list of a sort of 'redirects' associating web sites with some other IP addresses. It has nothing to do with whether one is banned or not.

And this is a semi-rational concern, really. Although now the problem would be that the application is technically a virus, since it edits system files without user permission.

k23time
June 13th, 2011, 03:40 PM
What he means is that the application edits the 'hosts' file in system32. That file has a list of a sort of 'redirects' associating web sites with some other IP addresses. It has nothing to do with whether one is banned or not.

And this is a semi-rational concern, really. Although now the problem would be that the application is technically a virus, since it edits system files without user permission.

Yeah it doesn't "ban" anyone, it just blocks any entry to the website, can't even look at it. So unless you've memorized how I said to fix it, I suggest you not go and download it to try it. You can't download it unless you join his forum anyway, which I think it only linked in his signature, so you have to actually try if you want it, but I think some people will (just as I did). I'm just trying to prevent others from falling into the trap and help save people who already have. There's no way to tell if someone has been blocked, because they can't post here. The only way is to email everyone, and I don't think I can do that. We need a moderator.

The 100 Mega Shock
June 13th, 2011, 03:40 PM
...Pretty sure it's just you.
I haven't downloaded yet though. How do you know other members are banned?
You probably just messed up :/

He perhaps talked to other people via communication other than on PC, and following on from the recent case of someone mysteriously finding PC in their hosts file? Don't be so quick to brush this off.

Anyway, shouldn't something like this require a UAC prompt to be permitted on Windows Vista or 7? People should be wary of a program such as this requesting that kind of unnecessary permission.

k23time
June 13th, 2011, 03:48 PM
He perhaps talked to other people via communication other than on PC, and following on from the recent case of someone mysteriously finding PC in their hosts file? Don't be so quick to brush this off.

Anyway, shouldn't something like this require a UAC prompt to be permitted on Windows Vista or 7? People should be wary of a program such as this requesting that kind of unnecessary permission.

I actually just had the problem myself, and went searching for answer, which I found at Gamer2020's forum, as Pino19 over there had the problem too, but lucky for me he found the solution. It was then that I found the question: "Can only get on Pokecommunity through ip" that M4 posted.

And yes the UAC prompt does appear when installing the program, and I'm an idiot for allowing it.. >_< I'm just glad that's the only malicious thing the program seems to do right now. After a complete scan with Microsoft Security Essentials, I was notified that my computer is free of any viruses. And this problem is an easy fix, as long as you're able to find the info on how to fix it.

Team Fail
June 13th, 2011, 03:53 PM
I installed it and I can still access the forums. What is your browser?

The 100 Mega Shock
June 13th, 2011, 03:58 PM
Are you running a 64-bit version of Windows, Team Fail? The attempt may not work on a 64-bit OS as Windows doesn't allow programs running in 32-bit (Which it may be) to access things like the hosts file.

e: wait you might wanna close and reopen your browser before declaring your hosts file unchanged

Rukario
June 13th, 2011, 04:29 PM
I STRONGLY suggest you not download / install this program at all.

We can not go emailing every user to inform a few that got burned by it, sorry.

If you are, or know someone who is having access issues, the best way to solve them is to email the webmaster, IM me at ppnsteve on aim or gtalk (on gtalk 24/7), by tweeting us at @pokecommunity

or use our contact form by going to http://174.133.255.180/sendmessage.php

provide an nslookup (dig) and tracert (traceroute) to pokecommunity.com in your message.

pass this on..

Team Fail
June 13th, 2011, 04:51 PM
Are you running a 64-bit version of Windows, Team Fail? The attempt may not work on a 64-bit OS as Windows doesn't allow programs running in 32-bit (Which it may be) to access things like the hosts file.

e: wait you might wanna close and reopen your browser before declaring your hosts file unchanged

I'm running a 32-bit version. And I restarted all my browsers. Nothing different. I'm still here.

k23time
June 13th, 2011, 05:35 PM
I'm running a 32-bit version. And I restarted all my browsers. Nothing different. I'm still here.

It doesn't place it there when you install it. It places it there after you run the program and install the updates.

I STRONGLY suggest you not download / install this program at all.
We can not go emailing every user to inform a few that got burned by it, sorry.


I really don't know anyone on this forum, but I thought that as moderators you would care to inform your people and care for the ones who would be hurt by attacks that were really directed at you. =/ Some who are affected by this may not have the intellect and searching skills to find out how to fix it, and they cannot contact anyone if they can't even reach this site, so they're helpless. A simple email could be ignored (or at least alert) those unaffected, but would be helpful for those who might be. I'm pretty sure most forums allow mass-emails to their members, right? Wouldn't be any effort at all.

After now having some knowledge of Gamer2020, witnessing his cheap attempts at denial, deleting posts of anything against him, and changing the names of users to "I_Have_a_Small_P****" (without the *'s), I've come to realize he is a child. Well, I've done my best at alerting everyone of this attack.

Team Fail
June 13th, 2011, 05:57 PM
It doesn't place it there when you install it. It places it there after you run the program and install the updates.

Even then, nothing has happened after what seems like a billion updates. And they don't stop coming.

Rukario
June 14th, 2011, 12:36 AM
Don't misread my email statement as we don't care, in fact we take great strides to ensure PC is a safe environment. It's just not very practical to send out 120,000 emails to cover a few people.

there are ways to find access to PC.. we have other domains that point here.. Google search can get our others and IP to connect on, etc.

The 100 Mega Shock
June 14th, 2011, 06:32 AM
Even then, nothing has happened after what seems like a billion updates. And they don't stop coming.

Well you must have the world's most robust operating system because it does replace your hosts with one that resolves PC http and IP (or at least somebody's IP address, was this a new addition?) addresses to 127.0.0.1, I just tried it.

It also opens your browser to some hilarious tl;dr's about Pokémon (At least I presume they're hilarious - my eyes tend to glaze over long rants about Pokémon websites).

Gamer2020
June 14th, 2011, 07:42 AM
I was in fact only notified of this yesterday and did not know anything about this. Someone just linked me to this thread a couple of minutes ago.

People should have asked me if there was something wrong with my program instead of just starting rumors. In any case I apologize for any inconvenience and I will get to the bottom of this.

I actually did release my source code yesterday to prove that I had nothing to do with this. Feel free to look through it.
{link removed}

Rules to using the source.

1 - It is for learning purposes only.

2 - I am not responsible for what is done with it.

3 - Do not try to re-release these programs as your own.

It doesn't place it there when you install it. It places it there after you run the program and install the updates.



I really don't know anyone on this forum, but I thought that as moderators you would care to inform your people and care for the ones who would be hurt by attacks that were really directed at you. =/ Some who are affected by this may not have the intellect and searching skills to find out how to fix it, and they cannot contact anyone if they can't even reach this site, so they're helpless. A simple email could be ignored (or at least alert) those unaffected, but would be helpful for those who might be. I'm pretty sure most forums allow mass-emails to their members, right? Wouldn't be any effort at all.

After now having some knowledge of Gamer2020, witnessing his cheap attempts at denial, deleting posts of anything against him, and changing the names of users to "I_Have_a_Small_P****" (without the *'s), I've come to realize he is a child. Well, I've done my best at alerting everyone of this attack.
I only did that because I thought you were spreading a rumor to scare people. When one of my friends emailed me with the same issue I realized this was not the case. I apologize for that now.

Flashmeteor
June 14th, 2011, 07:51 AM
Gamer, it doesn't really make ANY sense how this could happen on accident. Somewhere along the lines you did something, and now you're trying to cover it up. Very smoothy I must add.

Gamer2020
June 14th, 2011, 08:02 AM
Gamer2020, it doesn't really make ANY sense how this could happen on accident. Somewhere along the lines you did something, and now you're trying to cover it up. Very smoothy I must add.

I have barely been online the past week. I couldn't use my computer all weekend because HackMew was optimizing it. Also all of last week I was put with friends. I haven't done any programming in a while but I assure you I will figure this out. While I do not approve of how some people get treated on this site everyone does have the right to be able to visit it if they wish and I wouldn't take that away.

Also I'm pretty sure there are better ways (http://www.youtube.com/watch?v=-Rh5FHBINLQ) to "block" PC if I wanted to.

Rukario
June 14th, 2011, 09:52 AM
let's give him a chance to find the issue..

also since the source is released, feel free to look through his code yourself.

Renii
June 14th, 2011, 10:13 AM
TRWTF is VB.net. The file is hosted on a server and everything is open to public :O. No index or htaccess at all.

And saying that somehow a file hosted on their own server magically changed to malicious code.

Gamer2020
June 14th, 2011, 10:19 AM
Well I'm actually now thinking that one of my friends may have done it as a joke. I'm not the only one with FTP access FYI.

Xyrin
June 14th, 2011, 10:44 AM
A joke? If that's a joke that's a pretty bad one. And if it changes your host files that's considered a virus. That's not a joke.

Nice job trying to cover it up.

Gamer2020
June 14th, 2011, 11:47 AM
A joke? If that's a joke that's a pretty bad one. And if it changes your host files that's considered a virus. That's not a joke.

Nice job trying to cover it up.
That doesn't necessarily make it a virus. Just wait till I find out for sure.

Team Fail
June 14th, 2011, 02:02 PM
I'm on Gamer2020's side here, and I don't think that he had anything to do with it, seeing as I haven't been affected yet, unless my antiviruses are doing their intended job. :\

countryemo
June 14th, 2011, 02:14 PM
Yeah I'm also with Team Fail here. Sorry guys. I haven't downloaded yet, because I don't hack much. I was going to, and now I will. :D
antivirus's doing their job, what.

The 100 Mega Shock
June 14th, 2011, 02:19 PM
Virus, trojan whatever either way it's specifically designed to be malicious and disrupt people's usage according to someone else's instructions.

It's malware.

antivirus's doing their job, what.

While a program overwriting the contents of hosts is something that should probably be picked up on more closely by security applications, the user already gave the program express permission to modify the system via accepting the UAC popup, so that sort of makes it hard for such a thing to work like that.

Especially because a small, unknown application like this isn't going to trigger any scanning software if it doesn't contain any publicly known malware code or particularly blatant attempts to damage the system (above the scope of writing a new hosts file to the system)

(Heuristics doesn't really work that way anyway when we're only talking a small line of code embedded in a program to write one file)

Team Fail
June 14th, 2011, 02:30 PM
Virus, trojan whatever either way it's specifically designed to be malicious and disrupt people's usage according to someone else's instructions.

It's malware.



While a program overwriting the contents of hosts is something that should probably be picked up on more closely by security applications, the user already gave the program express permission to modify the system via accepting the UAC popup, so that sort of makes it hard for such a thing to work like that.

Especially because a small, unknown application like this isn't going to trigger any scanning software if it doesn't contain any publicly known malware code or particularly blatant attempts to damage the system (above the scope of writing a new hosts file to the system)

(Heuristics doesn't really work that way anyway when we're only talking a small line of code embedded in a program to write one file)

Well, I looked at the address that was shown to have the modification (Windows\System32\Drivers\Ect\) and the last time anything was changed in that file was in 2010. It never did anything to my computer, besides its intended purpose of modifying roms.

The 100 Mega Shock
June 14th, 2011, 02:39 PM
Dude I saw it replace my hosts file with another one.

It's coded in Visual Basic so naturally it's so badly done that it doesn't even work half the time.

Gamer2020
June 14th, 2011, 03:31 PM
Virus, trojan whatever either way it's specifically designed to be malicious and disrupt people's usage according to someone else's instructions.

It's malware.



While a program overwriting the contents of hosts is something that should probably be picked up on more closely by security applications, the user already gave the program express permission to modify the system via accepting the UAC popup, so that sort of makes it hard for such a thing to work like that.

Especially because a small, unknown application like this isn't going to trigger any scanning software if it doesn't contain any publicly known malware code or particularly blatant attempts to damage the system (above the scope of writing a new hosts file to the system)

(Heuristics doesn't really work that way anyway when we're only talking a small line of code embedded in a program to write one file)

And I wrote no such code. Go ahead and look at the source. Also the only reason it requires to be run as admin is because if it gets installed to the windows folder there will be errors when it tries to read the ini and start other programs.



Well, I looked at the address that was shown to have the modification (Windows\System32\Drivers\Ect\) and the last time anything was changed in that file was in 2010. It never did anything to my computer, besides its intended purpose of modifying roms.
Is that the folder that file would be in for all operating systems? I'm going to see if I can fix whatever the program did, I just hope the file path would be the same every time.

Dude I saw it replace my hosts file with another one.

It's coded in Visual Basic so naturally it's so badly done that it doesn't even work half the time.
VB.Net actually. Send me the version that replaces the hosts file cause the one I have installed doesn't do it obviously cause I can still access the site.

Team Fail
June 14th, 2011, 03:46 PM
Is that the folder that file would be in for all operating systems? I'm going to see if I can fix whatever the program did, I just hope the file path would be the same every time.

That's what the OP said, so I checked the said folder.

Perhaps, did Mewthree9000 help with building/compiling this? Just a hunch I have.

tlah
June 14th, 2011, 05:20 PM
I had (well, still have...) this problem. However, if it was in fact a purposeful virus, it obviously wasn't programmed to block subdomains of the website. I currently have this problem, and am writing this from the 'mail' subdomain of PC (mail.pokecommunity.com). The domain pokecommunity.mobi also works.
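
The behaviour reported above (a replaced hosts file resolving the site's names to 127.0.0.1, while `mail.pokecommunity.com` and `pokecommunity.mobi` stay reachable) can be checked with a short audit script. This is an added example, not part of the thread or of any program discussed in it; the sample file contents, the `www` name and all function names are constructed for illustration. The hosts file normally lives at `%SystemRoot%\System32\drivers\etc\hosts` on Windows.

```python
import ipaddress
import os
import sys

# Names a stock hosts file legitimately points at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample contents (not the file from the thread). The "www" name
# is an assumption; the other site names are the ones mentioned in the posts.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       pokecommunity.com www.pokecommunity.com   # unexpected entry
"""


def default_hosts_path():
    """Location of the hosts file on this machine."""
    if sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line_no, address, [names]) for every well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) < 2:
            continue  # blank line, comment only, or address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield line_no, addr, [n.lower().rstrip(".") for n in fields[1:]]


def sinkholed_names(text):
    """Return {name: (line_no, address)} for non-local names pinned to a
    loopback or unspecified address."""
    first = {}
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            # Assumption: the resolver uses the earliest entry for a name.
            first.setdefault(name, (line_no, addr))
    return {
        name: (line_no, str(addr))
        for name, (line_no, addr) in first.items()
        if name not in LOCAL_NAMES and (addr.is_loopback or addr.is_unspecified)
    }


def is_blocked(text, hostname):
    """Hosts entries match whole names only: an entry for a domain does not
    cover its subdomains or a different domain pointing at the same site."""
    return hostname.lower().rstrip(".") in sinkholed_names(text)


if __name__ == "__main__":
    for name in ("pokecommunity.com", "mail.pokecommunity.com", "pokecommunity.mobi"):
        print(f"sample: {name:24} blocked={is_blocked(SAMPLE_HOSTS, name)}")
    try:
        with open(default_hosts_path(), encoding="utf-8-sig", errors="replace") as fh:
            live = fh.read()
    except OSError as exc:
        print(f"could not read the live hosts file: {exc}")
    else:
        for name, (line_no, addr) in sorted(sinkholed_names(live).items()):
            print(f"live: line {line_no}: {name} -> {addr}")
```

A flagged name is a lead to review rather than proof of tampering, since hosts-based ad blockers create the same kind of entry on purpose.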

Renii
June 14th, 2011, 09:44 PM
That's what the OP said, so I checked the said folder.

Perhaps, did Mewthree9000 help with building/compiling this? Just a hunch I have.
Some anti-virus software do prevent software from changing the hosts file. I have, in the past been notified either by Avast or Avira that some software tried to replace my hosts file.

The Prince of Sweet Sorrow
June 15th, 2011, 03:08 AM
Yeah the story so far makes me raise a few questions (???????????????????????)

a) If Gamer2020 is innocent, why troll the people who accused him on his forum?
b) Why is he acting so suspiciously?

Okay the last question was kind of generic, and I'm not going to give examples. Those who got what I'm saying should understand. Duh.

But.. we don't really have proof he did something, although he has a pretty good motive to block off people from PC (His own forum, he "doesn't like how people are treated here", etc. ).

HarrisonH
June 16th, 2011, 12:12 PM
And I wrote no such code. Go ahead and look at the source. Also the only reason it requires to be run as admin is because if it gets installed to the windows folder there will be errors when it tries to read the ini and start other programs.


Okay. Looking through it now.

Additionally, there really is no reason for your program to have to be installed. As it uses .ini files, it could run perfectly fine from any folder. You could have just distributed it as a .zip, as I do with all of my (open source) applications.

EDIT 1: Oh god I'm dying here:

From /GBAPokemonGameEditor/GBAPokemonGameEditor/MainFrm.vb

    If GetString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun", "Yes") <> "No" Then
        Process.Start("http://0xrh.net/?page_id=69")
        MsgBox("Since this is the first time you have run this program I, Gamer2020, would like you to read an article I wrote. Your web browser should have already opened to the article. Just in case you decided to close your browser it will come up again once this message box goes away. You might as well take some time out and read it. I hope you enjoy using this program. Have a nice day.")
        Process.Start("http://0xrh.net/?page_id=69")

        WriteString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun", "No")
    End If

    If GetString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun2", "Yes") <> "No" Then
        MsgBox("Hello. I would like to thank you for your support and for using this program. I will continue to update this program whenever I can. Please I would like you to take some time out and read something I have written.")
        Process.Start("http://0xrh.net/?page_id=145")

        WriteString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun2", "No")
    End If


You call PC the "Pokecommunists", yet you're the one forcing propaganda upon someone when they first use your program. I don't know what it is about early generation ROM hacking that makes people go nuts, but at least the folks at Skeetendo seem immune from it.

Anyways, on topic. The file /GBAPokemonGameEditor/GBAPokemonGameEditor/MainFrm.vb was modified minutes before you uploaded the source. What's your reasoning behind that?

http://gyazo.com/8f67d5fc685a7ca5747dc5a39050c777.png
http://gyazo.com/621832e14c078a7896dbe936a460d5d3.png

Note the times.

On your forums, Full Metal said:

Seriously, it would be a pain in the butt to code that in a non platform-specific way. That would differ greatly even between different versions of Windows. It's not the program. Get over yourself.


The hosts file has been located in the same place on all versions of Windows since NT. So no, it'd be extremely simple to do it. It would be hardly any different from writing to a .ini file.

Unrelated, but there is absolutely no reason for MainFrm.vb to be over 1000 lines, instead of copy/pasting it could have all been consolidated into one function.

Gamer2020
June 16th, 2011, 12:55 PM
Yeah the story so far makes me raise a few questions (???????????????????????)

a) If Gamer2020 is innocent, why troll the people who accused him on his forum?
b) Why is he acting so suspiciously?

Okay the last question was kind of generic, and I'm not going to give examples. Those who got what I'm saying should understand. Duh.

But.. we don't really have proof he did something, although he has a pretty good motive to block off people from PC (His own forum, he "doesn't like how people are treated here", etc. ).

a) I don't know what trolling is.
b) How am I acting suspicious?

Okay. Looking through it now.

Additionally, there really is no reason for your program to have to be installed. As it uses .ini files, it could run perfectly fine from any folder. You could have just distributed it as a .zip, as I do with all of my (open source) applications.

Actually, on windows 7 at least, the program needs admin rights to read the ini and start up other programs. This is because it is installed into the program folder. It is easier and better for me to release it as an installer.

(**Attention Everyone**

I have already figured out what happened and I already told an admin. One of my friends edited a copy of the source code to write to the hosts AND ONLY write to the hosts file. He then put it on the server since he had an FTP account to the site. Also the reason the program keeps updating is because he put up a clean version to try to cover it up but didn't edit the program's version. So it will always think there is an update (till I change the update file on the server).

I am going to release an update over the next few days (It would be today but I'm very busy lately...) that will notify people on start up of the situation and that they should delete the hosts file in order to regain access to this site.

Since the issue has been found I will now remove the source from the internet so no one decides to make fake versions of it. If the admins of this site need to see it for some reason they can PM me.

All I really have to say about all this is that I am mad at my friend for doing this and I am mad at you people that decided to jump to conclusions and start accusing instead of informing me something is wrong. I am always reachable at [email protected] for any ROM hacking related things. If anyone still has any questions or concerns they may email me at that address.

Since the situation has been resolved I now ask that this thread be locked and marked as such.

**Attention Everyone**)

You posted at the same time LOL

Okay. Looking through it now.

EDIT 1: Oh god I'm dying here:

From /GBAPokemonGameEditor/GBAPokemonGameEditor/MainFrm.vb

    If GetString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun", "Yes") <> "No" Then
        Process.Start("http://0xrh.net/?page_id=69")
        MsgBox("Since this is the first time you have run this program I, Gamer2020, would like you to read an article I wrote. Your web browser should have already opened to the article. Just in case you decided to close your browser it will come up again once this message box goes away. You might as well take some time out and read it. I hope you enjoy using this program. Have a nice day.")
        Process.Start("http://0xrh.net/?page_id=69")

        WriteString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun", "No")
    End If

    If GetString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun2", "Yes") <> "No" Then
        MsgBox("Hello. I would like to thank you for your support and for using this program. I will continue to update this program whenever I can. Please I would like you to take some time out and read something I have written.")
        Process.Start("http://0xrh.net/?page_id=145")

        WriteString(AppPath & "GBAPGESettings.ini", "Settings", "FirstRun2", "No")
    End If
You call PC the "Pokecommunists", yet you're the one forcing propaganda upon someone when they first use your program. I don't know what it is about early generation ROM hacking that makes people go nuts, but at least the folks at Skeetendo seem immune from it.

Anyways, on topic. The file /GBAPokemonGameEditor/GBAPokemonGameEditor/MainFrm.vb was modified minutes before you uploaded the source. What's your reasoning behind that?

http://gyazo.com/8f67d5fc685a7ca5747dc5a39050c777.png
http://gyazo.com/621832e14c078a7896dbe936a460d5d3.png

Note the times.

On your forums, Full Metal said:


The hosts file has been located in the same place on all versions of Windows since NT. So no, it'd be extremely simple to do it. It would be hardly any different from writing to a .ini file.

Unrelated, but there is absolutely no reason for MainFrm.vb to be over 1000 lines, instead of copy/pasting it could have all been consolidated into one function.

Like I have mentioned countless times I have a right to let people know what happened instead of it being covered up. Those links were going to be removed upon version 1.0.0.0

"Anyways, on topic. The file /GBAPokemonGameEditor/GBAPokemonGameEditor/MainFrm.vb was modified minutes before you uploaded the source. What's your reasoning behind that?"

I had started fixing something with the downloading of the tools. There was an error that when the download went wrong the name of the form would remain as "Please wait..." Also to defend against this I'm sure the already compiled exe in the debug folder was compiled before that date. Does that write a hosts file? No? Ok good.

"Unrelated, but there is absolutely no reason for MainFrm.vb to be over 1000 lines, instead of copy/pasting it could have all been consolidated into one function."

I'm very lazy LOL Also not every tool gets downloaded the same. For VBA-link I delete some useless files for example.