Firefox Plugin installed without permission.

Discussion in 'General Tech Support Questions' started by ARCHIVED-Bug, Jul 30, 2012.

  1. ARCHIVED-rl_soe Guest

    Hi,

    There is no executable software installed as a result of this other than npsoe.dll, which is limited in the manner previously described (only exists to launch games, only accepts directives to do so from our web sites). If you have rootkit detection or malware software that is crashing there are unfortunately a very large variety of reasons that could be happening, but none of them are known to be the result of our launcher and its support DLLs. We run nothing at boot on your machine.

    It’s true that as part of the install process certain web sites are added as trusted domains – this means simply they can generate requests to the dll. It is not necessary to do registry editing to remove them, simply launch Internet Explorer, use Tools/Internet Options (tools icon in the upper right hand corner for modern versions), select the security tab, click trusted sites (the green check mark), click the “Sites” button, highlight any entries you are sure you don’t want and click remove. This can also be found via the Internet Options control panel without using IE.

    As for uninstalling the game leaving some elements behind, this can happen in some circumstances (particularly when EQ2 is set to streaming delivery). We try to be as cautious as possible when deleting things from a user's machine, so when there is any doubt we leave data as is. In this case the Launchpad is deleting the launcher itself but leaving the game behind – sometimes users put other data besides the game itself in a given directory tree, so it isn’t safe to just delete the entire thing. We are definitely interested in improving the accuracy of the Launcher in finding all the game (only) files and will continue to work on that, but there is no agenda in leaving files other than making sure we don’t get rid of something you might actually want to keep.
  2. ARCHIVED-Prrasha Guest

    So "all it can do" is take commands from web sites to launch arbitrary software on my machine.
    And it also adds those sites to my "trusted" list, so "they can generate requests to the DLL." That's a bit of a prevarication. This allows those sites to do pretty much anything Microsoft allows a web site to be able to do, assuming I don't reset my "trusted sites list" security options to a much-more-secure-than-default level. (No, I personally don't use IE, but other people do. You just infected my browser with an auto-approved plugin.)
    So it's perfectly safe as long as SoE's web sites are 100% un-hijackable and all SoE employees involved are 100% unlikely to make a programming mistake. Otherwise, it's functionally a rootkit, even if it's not "a rootkit".
    I think y'all better fix (i.e. remove) this, sometime yesterday. Maybe the day before.
  3. ARCHIVED-MACHINxSHIN Guest

    rl_soe wrote:
    I agree with what you are saying. Also I think a lot of people here don't know the difference between a rootkit and a standard piece of Malware. A rootkit places a file without registering it properly with the file allocation/Master File table making it invisible to anything but a rootkit scanner or someone looking at the HDD with a special editor. Sony's DLL is clearly visible and seems pretty harmless doing what is said it does above. It's not registered to hook onto a Windows process and is simply there for use by another program that wants to use its capabilities. Which from the look of it is pretty much just Sony Products.
    As for circumventing UAC, I find I have to give the launcher admin access to do its thing on a normal basis. No circumvention on my side. Is it different for you?
  4. ARCHIVED-Lamatu Guest

    I have already posted the link on the first page to download the uninstall for this. You do need the plugin enabled to be able to download the uninstaller.
  5. ARCHIVED-Bug Guest

    "There is no executable software installed as a result of this other than npsoe.dll..."
    Then please explain LiveDriver.exe--it completely bypasses the write protections for drivers, in effect giving you guys the ability to root the machine via a real-time alterable driver. The browser hook merely facilitates a connection via white-listing Sony domains--white-listing that was accomplished by abusing the administrative-level permissions users had given Sony in order to install Everquest 2 (I am assuming at this point that all SOE games have these same hooks).

    "This can also be found via the Internet Options control panel without using IE."
    I think you missed the part where I referenced Firefox, not Internet Explorer. But to directly address the above statement--none of the Sony domains are listed, yet are clearly visible in multiple locations throughout the registry. The link Dexella posted to remove the plug-in was useless as the instructions require the user to go to "about:plugins" to remove the plug-in...The SOE plug-in is NOT listed there, and as such, cannot be removed.

    "As for uninstalling the game leaving some elements behind, this can happen in some circumstances (particularly when EQ2 is set to streaming delivery)"
    Need I point out that you folks just forced streaming delivery on all of your users? Also, the entire install folder (aside from various Sony Station/Launcher files spread all over the place--methinks intentionally) was located in C:/Users/Username/AppData/LocalLow/Sony Online Entertainment on my Windows 7 Machine. Are you seriously telling me that entire folder couldn't have been deleted? There was nothing but EQ2 files in that folder. The C:/Crash folder was still there even though EQ2 is the only thing that uses it, as well as the .exe to dump it to one of your now Trusted Domains.
  6. ARCHIVED-rl_soe Guest

    >I think you missed the part where I referenced Firefox

    The question at hand was about the Trusted Site settings. This is a Windows OS setting, it happens to be controllable from either IE or the control panel - no confusion with Firefox was intended, just referencing how trusted sites can be removed.

    >Then please explain LiveDriver.exe

    This executable is not installed by any SOE product or used by any SOE product. Perhaps you meant "LiveDrive.exe", which also is not used by SOE, but is a legitimate cloud storage service application (www.livedrive.com).

    >was located in C:/Users/Username/AppData/LocalLow/Sony Online Entertainment

    It is indeed safe to permanently delete this if you no longer intend to use EQ2 on the machine. We're interested in improving the clean up logic in these cases - but again, our only intention in leaving things in place is to be as safe as possible. In the past we have had circumstances where users installed applications below ours, or mixed data in with ours, thus we are extremely cautious about just deleting directories.
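
The posts above disagree about where the trusted-site entries are visible: the Internet Options dialog or the registry. As an added example (not part of any post in this thread), the following lists every Trusted sites mapping found in a text export of the ZoneMap key, assuming the export was made with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg`; the domain names in the sample are constructed placeholders.

```python
import re

# Zone numbers used by the Windows URL security zone map.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
MARKER = "\\zonemap\\domains\\"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed sample of a .reg export; the domains are made up for illustration.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\games.example.test]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\games.example.test\launch]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example.test]
"http"=dword:00000004
"""


def zone_entries(reg_text):
    """Return (host, protocol, zone) for each ZoneMap\\Domains mapping."""
    entries = []
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            idx = key.lower().find(MARKER)
            if idx == -1:
                host = None  # the Domains key itself, or an unrelated key
            else:
                # Domains\<domain>\<subdomain> maps to subdomain.domain
                parts = key[idx + len(MARKER):].split("\\")
                host = ".".join(reversed(parts))
            continue
        m = VAL_RE.match(line)
        if m and host:
            entries.append((host, m.group("name"), int(m.group("hex"), 16)))
    return entries


def trusted_sites(reg_text):
    """Hosts and protocols mapped to zone 2 (Trusted sites), sorted."""
    return sorted((h, p) for h, p, z in zone_entries(reg_text) if z == 2)


if __name__ == "__main__":
    # A real export is UTF-16: open("zonemap.reg", encoding="utf-16").read()
    for host, proto, zone in zone_entries(SAMPLE):
        print(f"{host:32} {proto:6} {ZONES.get(zone, zone)}")
```

Running the same export against the `HKLM` hive as well shows machine-wide mappings, which do not depend on which user ran the installer.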
  7. ARCHIVED-Bug Guest

    "The question at hand was about the Trusted Site settings. This is a Windows OS setting, it happens to be controllable from either IE or the control panel..."
    My point exactly--it is an OS setting, something SOE should not be mucking about in, yet did, and without permission.

    "Then please explain LiveDriver.exe

    This executable is not installed by any SOE product or used by any SOE product...."

    On my wife's XP machine, when EQ2 updated, one of the files that was downloaded was LiveDriverSDK.exe (the .exe installed the .dll, a .xml file and unknown other files, then deleted itself). So I missed a bit on the name of the file, but you should have known what I was referring to, seeing as how you have something very close to what I mentioned.
    LiveDriverSDK.dll
    Located at C:/Program Files/Sony Online Entertainment/Installed Games/Everquest II
    Also...
    eq2ui_popup-livedriver.xml
    Located at C:/Program Files/Sony Online Entertainment/Installed Games/Everquest II/UI
    This appears to be a popup for recording character voices. And you claim nothing called LiveDriver came from SOE?

    "was located in C:/Users/Username/AppData/LocalLow/Sony Online Entertainment"
    The EQ2 Uninstaller should have removed this. Simple as that. I'm not buying your excuse.
    Now, on to another questionable folder far more serious--C:/Crash--My wife's XP machine had two files in here, for a total of 56MBs.
    drwtsn32.log (this file can be opened with notepad.exe and be read in plain-text)
    I can understand why you might want this file, although it has information in it that you really don't need. The next file is the one that every person that reads this forum needs to inspect on their own machines--this is a serious breach of trust, if not a violation of Federal Wiretap laws. This file may, or may not, be in the C:/Crash folder, depending on whether or not it has been uploaded as the files here are deleted once uploaded.
    user.dmp
    If you open this file with notepad.exe, what you see is mostly machine/assembly code--unreadable for you and me. Grab that scroll bar on the right and start dragging--you will begin to see code for a graphical interface, frame settings and such. Keep scrolling (I had to scroll down about 80% of the way down the file). If you are like my wife and I, we use a P2P client--that client, specifically BitTorrent, is listed along with a few other applications. What follows is what really matters...a list of every single file downloaded by BitTorrent since my wife last ran CCleaner (set to delete BitTorrent logs), as well as every other file placed in those torrented folders, up to and including update files, patches, cracks, mods and user created files.

    Hear me well, Torrenters. SOE is tracking everything you torrent, and doing so directly through your own computer. They are then uploading that data to their own servers via wws_crashreport_uploader.exe.

    I do not accept your lies, Sony.

    I'm done here. Good day.
  8. ARCHIVED-deadcrickets2 Guest

    Bug wrote:
    LiveDriverSDK.dll is a Creative Labs file. If you installed ALchemy to get EAX then you have it. It's also, apparently according to the other posting, part of the new SOEmote system. Read more here: http://www.animationmagazine.net/vf...e-driver/
    And again, you don't know what a rootkit is. A rootkit is a malicious file often hidden in the root folder or boot partition designed to intercept data on the drive constantly or cause harm to the drive. This does not fit the definition. I will also point out that the C:\Crash folder only gets dumps when the game, itself, crashes. They receive the same reports (and mostly the same data) as when an application crashes on Windows and the report is sent to Microsoft.
  9. ARCHIVED-Jrral Guest

    Bug wrote:
    It's part of the SOEEmote system. You can find it solidly in the TestServer installation if you've got Test patched in, and I notice some bits of it (libraries and some of the UI window XML files) went live by mistake and got deleted by the patcher earlier today. They were never as far as I can tell wired into the game, so unless you're a UI modder or play around with all the undocumented game windows you wouldn't notice anything in-game.
    The plug-in seems to be the same sort of mistake. I'm long familiar with it from Free Realms, and immediately recognized it as something from the web-based games packages that made its way into EQ2 by mistake. Probably the platform team uses a common codebase (many of the web-based games seem to be basically a web-based installer and authentication system wrapped around a traditional game client) and someone making a mistake in packaging a release caused some of the wrong bits to be included (seems to be happening more frequently these days, and not just at SOE).
    I like to think that if SOE was being malicious, they'd be just a bit better at covering their tracks.
  10. ARCHIVED-rl_soe Guest

    Well, it's certainly disappointing I wasn't able to help conclude this to everyone's satisfaction, but I do want to note for others reading:
    - Yes, LiveDriverSDK.dll is part of the proper EQ2 distribution (users ahead of me on identifying that, thanks). I had grepped through our manifest system for "LiveDriver.exe" so my mistake in being overly specific.
    - We are certainly completely uninterested in what you are doing with other apps, in fact we really don't want to know. When crash reports are gathered, they don't look for anything but game information. That includes what is called a "stack" - the program addresses that were used leading up to the crash condition - and a subset of the memory the game is using called a "dump" file. Additionally some environmental data is collected, but again, not related to other app behavior.
    If you decide to reconsider, Bug, I would suggest calling customer service might help, if only to be interactive in discussing your concerns.
  11. ARCHIVED-Sandyfoot Guest

    Jrral@Unrest wrote:
    Thing is, intent to be malicious and creating something that winds up being malicious are two different things. The BMG digital rights management scheme had all the best intentions in the world to protect their digital rights, but its outcome has been undesirable.
    When the hacking incident occurred last year, we were assured:
    http://forums.station.sony.com/eq2/...topic_id=499510
    Yet, we now know otherwise.
    http://www.soe.com/securityupdate/pressrelease.vm
    So it is not far fetched, nor is it being paranoid to wonder just what is going on when things like what the OP brought up causes concern and other concerns, such as the C:\Crash directory.
    Sony would want to protect its interests and do whatever it takes.
    I am all for protecting Sony interests. But not at the expense of compromises to my own computer/home network security because something was overlooked or accidentally unintended.
    I hope anything unintended is thoroughly reviewed to make sure no accidental harm is done.
  12. ARCHIVED-japanfour Guest

    rl_soe wrote:
    I don't believe this for a single second. I have played on free to play, full client and streaming. Every time I have un-installed EQ2, whether it be in a custom folder, different PC, or default install folder that YOU guys suggest in the installation program I have had to remove the files manually. So is this a bug or not? Because it has happened to me every time no matter how I change my method of installation.
  13. ARCHIVED-japanfour Guest

    Also if this is supposedly a user error, not getting the files to uninstall the eq2 directory and associated files on an un-install, how do we do so? How do I get a complete un-install of this game without doing it manually? I am pretty sure that a lot of people would like to know this.
  14. ARCHIVED-deadcrickets2 Guest

    Sandyfoot wrote:
    As was explained by the SOE dev the dump uploader program uploads whatever is in memory at the time of the crash of the game; much like the Microsoft crash reporter. They have no control over what is collected. Seriously, they don't. It's defined by a Microsoft API as that is what they are calling. Are you concerned about Microsoft knowing EVERYTHING you are running and have run recently when something crashed on your computer as well? Something tells me BUG isn't. Heck, Microsoft goes further and has an additional data scrape that pulls up information such as your product key and they will even tell you (and have via their own developer blogs) that they have seen crashes where a user was using a pirated version of Windows.
    As for a "threat" due to the plugin you may want to take that up with the browser developers. Early in browser development there was a concerted effort to prevent web content (Java and Javascript) from having any access to the hard drive. That changed over the years, obviously. If you have a problem with the SOE plugin then you should also have the same problem with plugins such as Adblock as they can access your drive and it's possible to create code to do so via the plugin. The only way to make a modern browser truly safe is to eliminate all your plugins and extensions, turn off Javascript, Java, and ActiveX and remove Flash (a MAJOR cause of infections currently) from your system.
  15. ARCHIVED-Jrral Guest

    japanfour wrote:
    Remember that the Windows uninstall function removes the files that were recorded in the system database by the original installer. Here's the thing: the EQ2 installer does not install the vast majority of the game. It basically installs the launchpad, which then downloads the game files. Since EQ2 isn't an installer itself, those downloads are just ordinary downloads and as far as Windows is concerned are not part of any installed program. So when you go to uninstall, Windows itself has no clue about the majority of the files in the EQ2 game tree. Sony's own EQ2 uninstaller program can do a better job, but because it's handled by Platform it probably doesn't have a completely up-to-date list of the files the EQ2 team has pushed to the EQ2 patch servers. Not to mention the large number of files (UI settings files, custom macros, saved options, UI mods, saved keyboard layouts) that don't come with the game but are created by user actions so the uninstaller can't know anything about them. The uninstaller has to balance trying to clean up game files vs. not deleting something the user created and wants to keep like their UI layout settings.
  16. ARCHIVED-Sandyfoot Guest

    deadcrickets2 wrote:
    Active X, Java, etc. etc. I agree.
    However, even the biggest and most trusted corporations (Cisco, Dell, HP, to name a couple) have requested Microsoft to issue ActiveX Kill Bits on their behalf. Stuff happens. Unintended results happen.
    MS closes a vulnerability. A trusted application opens it up. Unintended. Accidental. Mistake.
    It is useless to go on and on about who is at fault. It's like arguing over which came first, a chicken or the egg? Security is a collective effort between the OS developers, the browser developers, software developers (that depend on the OS to generate revenue), and the users.
    The EQ2 plug in was a mistake. It was not intended for EQ2. We get that. The term "unintended" has been a bit overused as of late and should be a cause of concern to someone.
    It is not unreasonable to have the mistake reviewed.
  17. ARCHIVED-deadcrickets2 Guest

    Sandyfoot wrote:
    It's perfectly reasonable to have it reviewed. It's unreasonable to attack a company that admitted they made a mistake and will correct it.
  18. ARCHIVED-MrWolfie Guest

    1. How are they correcting it? Are they telling ALL the EQ2 users to delete files that were placed "in error" - no. Are they issuing a press release about the error - no. So how is the issue being corrected?
    2. When MS wants to send a crash dump it ASKS me whether I want to send it, and allows me to look inside at the data that will be sent. EQ2 has crashed on me, I have a C:\Crash directory with dump files in it. Was I asked AT THE MOMENT OF UPLOAD whether I consented? Clearly, comparing the two events MS reports and SOE's, they are not the same at all. One is upfront, the other is underhanded.
  19. ARCHIVED-japanfour Guest

    [Removed for trolling, attacks.]
  20. ARCHIVED-deadcrickets2 Guest

    Believe whatever you want to believe. Much like certain political groups, I can't convince you on something you have already made your mind up on.