Captain-Of-Coit / hookui

Some sort of UI framework/loader for Cities: Skylines 2
MIT License

Virus detected? #31

Open Herjendil opened 6 months ago

Herjendil commented 6 months ago

Hello everyone, I would just like to inform you that since my scan today, HookUILib.dll has been recognized as a virus.

I am using GData anti Virus 25.5.17.335 with signatures from 03/23/2024. The warning reads: File: C:\Users\User\AppData\Roaming\Thunderstore Mod Manager\DataFolder\CitiesSkylines2\cache\CaptainOfCoit-HookUI\0.3.5\HookUILib.dll Virus: Gen:Variant.MSILHeracles.155318 (Engine A) Engines: Engine A: AVA 25.37616, Engine B: GD 27.35365

I don't think/hope there's anything to it, but maybe someone who knows programming can check it out.

But I assume that this is a false positive report.

Thanks

eblenafets commented 6 months ago

Have the same problem. The same virus is found in Bitdefender!

The file C:\Users\*****\AppData\Roaming\Thunderstore Mod Manager\DataFolder\CitiesSkylines2\profiles\Default\BepInEx\plugins\Cities2Modding-HookUI\HookUILib.dll is infected with Gen:Variant.MSILHeracles.155318 and has been quarantined. We recommend running a system scan to rule out further infections.

Since it has been authenticated as a virus by various virus scanner programs, I consider the threat to be real and don't think that's a false positive!

Herjendil commented 6 months ago

thank you... This has now become too insecure for me too...

VirusTotal online:

SHA256: 64b220e5982830ac4915775b4334184555801a67b53281f046563ce40692918b
Name: HookUILib.dll
Detection ratio: 9/76

Security vendor   Result      Update
MicroWorld-eScan  malicious   20240323
ALYac             malicious   20240323
VIPRE             malicious   20240322
Arcabit           malicious   20240323
BitDefender       malicious   20240323
Emsisoft          malicious   20240323
FireEye           malicious   20240323
GData             malicious   20240323
MAX               malicious   20240323

Only 9 out of 76 virus scanners warn, but that's not just 1 or 2... 9 is quite a number that makes me sit up and take notice.

Has anyone else had this experience?

For me, the warning occurs for all versions that are available via Thunderstore. I've actually been running the mod since it came out.

Thanks
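Two checks a reader can run on their own copy before deciding, as an added example that is not part of the thread or the HookUI project: hash the local DLL and compare it to the SHA256 quoted above, and tally the pasted VirusTotal vendor list. The grouping assumes (not stated in the thread) that the nine listed vendors all license the Bitdefender scanning engine, which is why a single Gen:Variant signature shows up under several names at once.

```python
import hashlib
import re
from collections import Counter

# SHA256 quoted in the thread for the flagged HookUILib.dll (VirusTotal report).
EXPECTED_SHA256 = "64b220e5982830ac4915775b4334184555801a67b53281f046563ce40692918b"
TOTAL_ENGINES = 76  # from "Detection ratio: 9/76"

# The vendor table exactly as it was pasted (flattened into one line).
VT_RESULTS_TEXT = (
    "Security vendor Result Update MicroWorld-eScan malicious 20240323 "
    "ALYac malicious 20240323 VIPRE malicious 20240322 Arcabit malicious 20240323 "
    "BitDefender malicious 20240323 Emsisoft malicious 20240323 FireEye malicious "
    "20240323 GData malicious 20240323 MAX malicious 20240323"
)

# Assumption (not from the thread): these VirusTotal vendors ship the
# Bitdefender engine, so they tend to fire together on one signature.
BITDEFENDER_ENGINE_VENDORS = {
    "MicroWorld-eScan", "ALYac", "VIPRE", "Arcabit", "BitDefender",
    "Emsisoft", "FireEye", "GData", "MAX",
}


def parse_vt_results(text):
    """Split the flattened 'vendor verdict yyyymmdd' text into records."""
    pat = re.compile(r"(\S+)\s+(malicious|suspicious|undetected)\s+(\d{8})")
    return [{"vendor": v, "verdict": r, "update": d} for v, r, d in pat.findall(text)]


def detection_summary(records, total_engines):
    """Count detections and how many of them trace back to one engine family."""
    hits = [r for r in records if r["verdict"] == "malicious"]
    families = Counter(
        "bitdefender-engine" if r["vendor"] in BITDEFENDER_ENGINE_VENDORS else "other"
        for r in hits
    )
    return {"detections": len(hits), "total": total_engines, "by_engine": dict(families)}


def sha256_hex(data):
    """Hex SHA256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def file_matches_report(path, expected=EXPECTED_SHA256):
    """Hash a local file in chunks and compare it to the hash from the report."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected.lower()


if __name__ == "__main__":
    s = detection_summary(parse_vt_results(VT_RESULTS_TEXT), TOTAL_ENGINES)
    print(f"{s['detections']}/{s['total']} detections, by engine family: {s['by_engine']}")
```

A hash mismatch means the local file is not the one VirusTotal scored, so the 9/76 figure does not apply to it.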

pixelinkmedia commented 6 months ago

Same thing this morning on Bitdefender. What do I do? Is it a false positive or true?

pixelinkmedia commented 6 months ago

There are several plugins that depend on this hook. Is this some kind of Joke?

89pleasure commented 6 months ago

HookUI is doing stuff which is similar to what a virus does inside of a DLL. That's why it's seen as a virus. HookUI places some files which are included in the DLL resources. Also the DLL is not signed as a "legit" windows application or library. There are several reasons why scanners produce a false positive on this dll.

If you don't trust it or us, then don't use it. But that's always the case with modding especially if you ship mods as dlls.

JGOTTI81 commented 6 months ago

It's the same here for me. Bitdefender flagged it on the 23rd, and I haven't been able to load the game since then. All the mods I rely on are dependent on this mod. Not cool. I am not convinced this is a false positive.


Dangerous pages attempt to install software that can harm the device, gather personal information, or operate without your consent.


malware found in C:\Users\jgerr\AppData\Roaming\Thunderstore Mod Manager\DataFolder\CitiesSkylines2\profiles\Default\BepInEx\plugins\CaptainOfCoit-HookUI\HookUILib.dll
malware found in C:\Users\jgerr\AppData\Roaming\Thunderstore Mod Manager\DataFolder\CitiesSkylines2\profiles\Default\BepInEx\plugins\Cities2Modding-HookUI\HookUILib.dll

And now the mod is listed as deprecated? [screenshot: Screenshot 2024-03-25 040428]

89pleasure commented 6 months ago

The mod page you're referring to is deprecated almost 2 months from now. If you look carefully and follow updates on thunderstore you would have seen that there is already a HookUI replacement with the same name with version 0.3.9. If you're not convinced don't load it. It's all I can say. If you think it's not cool, don't use the mod. If that means you can't use the other mods which rely on it, that's up to your decision.

If you want, you can look into the decompiled code of the DLL and search for any malicious code. The file with the false positive is less than 100 lines long. You won't find anything except loading assembly resources which some virus detection software sees as dangerous. But in this case it's how the mod loads the modded javascript for the frontend parts. https://thunderstore.io/c/cities-skylines-ii/p/Cities2Modding/HookUI/source/

eblenafets commented 6 months ago

I just find it strange that all these months there was no message from the virus scanners and now several people report it as a virus.

I'm not a programmer or coder, so I can't tell if it's just a false positive.

So I prefer to play it safe, because it's also my productive PC system and not just a PC system especially for games.

JGOTTI81 commented 6 months ago

> The mod page you're referring to is deprecated almost 2 months from now. If you look carefully and follow updates on thunderstore you would have seen that there is already a HookUI replacement with the same name with version 0.3.9. If you're not convinced don't load it. It's all I can say. If you think it's not cool, don't use the mod. If that means you can't use the other mods which rely on it, that's up to your decision.
>
> If you want, you can look into the decompiled code of the DLL and search for any malicious code. The file with the false positive is less than 100 lines long. You won't find anything except loading assembly resources which some virus detection software sees as dangerous. But in this case it's how the mod loads the modded javascript for the frontend parts. https://thunderstore.io/c/cities-skylines-ii/p/Cities2Modding/HookUI/source/

Yes, I have already started looking into the lines and am less concerned now. But it was alarming for sure because I suddenly started noticing performance issues.