Possible infection that is affecting Atlantis behavior

creativelyspeaking
Posts: 10
Joined: Fri Jan 15, 2016 2:51 pm
Location: California

Post by creativelyspeaking »

I have Atlantis installed locally on 8 workstations that are attached to a common file server. Recently, strange behavior began where two users get different results when printing the same RTF file in Atlantis. (They all use a common physical network printer.) For these two users, the title of the document is repeated at the bottom of the document. I am offsite and have downloaded the identical file and it prints correctly.

In the registry of these users are some bogus registry keys that refer to Atlantis, the GAME software. No one has (or ever has had) this software installed on their workstations. A few of the keys look like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-1867036968-2396285375-3743747555-1633\{F0FEEBA1-6583-4A9B-8B94-08FAB3612396}]
"ConfigInstallType"="3"
"ConfigApplicationPath"="C:\\Program Files (x86)\\Atlantis"
"ConfigGDFBinaryPath"="C:\\Windows\\system32\\GameUXLegacyGDFs.dll"
"ApplicationId"="{0ec4a233-e49b-47dc-9883-c26cebaffaaf}"
"Description"="Atlantis: The Lost Tales"
"AppExePath"="C:\\Program Files (x86)\\Atlantis\\Atlantis.exe"
"Genre"="Adventure"
"DeveloperName"="Cryo Interactive Entertainment"
"PublisherName"="DreamCatcher Interactive, Inc."
"ReleaseCountry"="United States"
"Title"="Atlantis: The Lost Tales"
"WMGameId"="329f982f-e4eb-4669-9605-6e249ffa5eaf"
"DeveloperUrl"="http://www.cryo.interactive.com:80/"
"PublisherUrl"="http://www.dreamcatchergames.com:80/"
"BoxArt"=""
"ReleaseDate"="2001-09-18"
"TimeToRefreshBasicData"=hex(b):20,8e,5c,fd,53,64,d1,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NVIDIA Corporation\Global\Stereo3D\GameConfigs\LithTech]
"Link1"="LegendsFL.exe"
"Link2"="dx7.snd"
"Link3"="Atlantis.exe"
"Link4"="legends.exe"
"Link5"="AVP2.exe"
"Link6"="NOLF2.exe"
"Link7"="Navy_Seals.exe"
"Link8"="sniper.ico"
"Link9"="ContractJackSpDemo.exe"
"Link10"="Tron.exe"
"Link11"="NSWMD.exe"
"StereoHiddenProfile"=dword:00000000

The following keys might be legit for Atlantis the word processor, no?

[HKEY_USERS\S-1-5-21-1867036968-2396285375-3743747555-1633\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\47be456_0]
@="{0.0.0.00000000}.{eac8282d-ce83-46ed-a5dc-09db3143063a}|\\Device\\HarddiskVolume3\\Program Files (x86)\\Atlantis\\Atlantis.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-1867036968-2396285375-3743747555-1633\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\47be456_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}]
"3"=hex:04,00,00,00,00,00,00,00,00,00,80,3f,00,00,00,00,00,00,00,00,00,00,00,\
00
"4"=hex:04,20,00,00,00,00,00,00,18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,80,3f,00,00,80,3f
"5"=hex:0b,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00


[HKEY_USERS\S-1-5-21-1867036968-2396285375-3743747555-1633\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\57faf2e6_0]
@="{0.0.0.00000000}.{852f2eca-ed54-44ae-89d7-b9bcc96c0061}|\\Device\\HarddiskVolume3\\Program Files (x86)\\Atlantis\\Atlantis.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-1867036968-2396285375-3743747555-1633\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\57faf2e6_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}]
"3"=hex:04,00,00,00,00,00,00,00,00,00,80,3f,00,00,00,00,00,00,00,00,00,00,00,\
00
"4"=hex:04,20,00,00,00,00,00,00,18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,80,3f,00,00,80,3f
"5"=hex:0b,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00

We have run anti-virus scans and rootkit killers (multiple products) that don't detect anything. We have rebuilt the user profile of one of the users who is having the trouble. After a very short while, it all reappears and Atlantis (the word processor) begins misbehaving again. I have also compared the Atlantis.exe file and all Atlantis program folders across several workstations and they are all identical...even the errant workstations. It seems likely to me that we are infected with something, possibly at the server level since it exists on two workstations. Still, the Atlantis.exe does not appear to be modified. Has anyone else had Atlantis (the word processor) misbehave because of such a situation? How can that happen? "Atlantis.exe" IS named in those keys, so there is obviously a connection. I'm not sure where to go from here and any ideas would be welcome. Thanks!

-- Susan
Robert
Posts: 1900
Joined: Fri Aug 15, 2003 8:27 pm

Post by Robert »

Hi Susan,
Indeed, there is a game named “Atlantis: The Lost Tales” (see Atlantis: The Lost Tales). It is not a virus or some kind of malware, it is just a harmless game. But this game apparently has the same name for its executable as “Atlantis Word Processor”, i.e. “Atlantis.exe”. Regrettably, this game also installs by default to “C:\Program Files (x86)\Atlantis”, just like “Atlantis Word Processor”. So anybody who installs this game is creating a most unfortunate mix-up.

I can only see one way out of this Catch-22:
Completely uninstall both “Atlantis Word Processor” and “Atlantis: The Lost Tales” from the “infected” systems.
Then reinstall “Atlantis Word Processor” with its default settings.
And if you must reinstall “Atlantis: The Lost Tales”, reinstall it to a different folder (e.g. to “C:\Program Files (x86)\Atlantis Game”).

After that, there should be no more trouble running “Atlantis Word Processor”.

Note that someone must have installed this game on your systems, albeit unwittingly…
HTH.
Cheers,
Robert
creativelyspeaking
Posts: 10
Joined: Fri Jan 15, 2016 2:51 pm
Location: California

Post by creativelyspeaking »

Thank you for the reply Robert. I am aware of the legitimate series of "Atlantis" games. So far, no one owns up to installing this game on their workstation and given the type of office this is (most users are in the same room and people are walking by constantly) I can't see this type of install happening unnoticed. But I am not writing off any possibility at this point.

A further clue is that today, we have been checking the registries of the rest of the workstations, and ALL of the registries we have checked so far DO have the registry keys with the Atlantis game references! (Even the boss.) That is quite interesting. There is no way that every user in that office installed the Atlantis game - especially the boss! So the registry keys must be coming from somewhere else. AND if you remove them, they come back! That's why I'm thinking it's some sort of infection that PERHAPS is coming from the common file server that they are all connected to. Or maybe it happened because someone played the game online? (There is an online version.) But would playing an online game create registry entries? Or could it have introduced a very stealthy virus?

After checking, I can say that the game is not currently installed on ANY of the workstations, so I can't uninstall it. I can manually remove the registry keys, but they come back!

More than this, I am still stumped about this: Even if the users all have these registry keys present, WHY would the Atlantis word processor print an RTF incorrectly on some workstations? What would one have to do with the other? It's possible that the two issues aren't even related. But I only have limited clues to go on at this point.

Thanks for your response, Robert.

-- Susan
Robert
Posts: 1900
Joined: Fri Aug 15, 2003 8:27 pm

Post by Robert »

Obviously, there is some sort of malware trolling your systems!
In the past, I had a similar problem with a different “game”. Whatever caused this remained undetected by all anti-malware and antivirus on the market. But it kept coming back obdurately. The only solution I found was to completely reset my system and reinstall Windows out of the box!

Also I now remember having trouble with “Atlantis: The Lost Tales” when I was running Windows 8. Windows 8 systematically suggested downloading that game from the MS store whenever I tried to launch Atlantis Word Processor. Since I never play games on my PC, I removed/disabled all gaming apps from my system. This did the trick.

As far as Atlantis Word Processor is concerned, here is what you could try:
Completely uninstall Atlantis Word Processor, and reinstall it to a custom folder like “C:\Program Files (x86)\AWP”. Launching “C:\Program Files (x86)\AWP\Atlantis.exe” should no longer interfere with the namesake game.
HTH.
creativelyspeaking
Posts: 10
Joined: Fri Jan 15, 2016 2:51 pm
Location: California

Post by creativelyspeaking »

Thank you! That might work. And most likely, the reason that we don't see the popups, asking you to install the game, is because we run Atlantis from a command line to print files without displaying the files with the /pt switch. This might be starting to make more sense. Even if we still have to work on the infection issue, we may be able to get Atlantis back up and running on those two workstations. Thanks so much Robert!

-- Susan
Robert
Posts: 1900
Joined: Fri Aug 15, 2003 8:27 pm

Post by Robert »

Note that interferences are possible in Windows between applications bearing the same executable name. I personally often run both the standard and the beta version of Atlantis Word Processor on Windows 10 x64. Both executables are named “Atlantis.exe”. Of course, each version is installed in a dedicated folder. But when the beta version hangs or crashes, the standard version also hangs until the beta version has been completely shut down. The two processes can run concurrently without any problem most of the time, but when one process hangs, the other process often hangs through some sort of contagion effect…
MS works in mysterious ways…

As far as your problem is concerned, it might not be an infection per se. It might just be Windows trying to be helpful.

Susan, the registry entries you posted include references to “GameUX”. Now here is from Windows 7 Game Explorer interfering with Game launching:
This has brought to light some issues in Windows 7 in regards to Gaming.

As we all know, Vista introduced the Game Explorer (GameUX.dll) which incorporates update checking and game information.

What most don't know, is that the instant a game is launched, Rundll.exe is spawned with the GameUX.dll,gameshim parameter and constantly polls the dns, network and domain functions in the OS.

The problem here, lies in the fact that if this process does not receive a response, the Game's process will sit frozen until a response is received.

Now the Rundll process actually acts as a mask for the games executable until the response from the servers is received, that said closing the rundll.exe prior to the handover being made will also close the Games executable.
Also here is from Removing Games Explorer?:
Hey guys, was wondering if anyone knows how I can disable Games Explorer from adding new games I install to it or how to remove it completely.

He wants to disable Games Explorer entirely. I don't think there is a way. You can hide it though. Right click on the Start Menu ----> Properties------>Click the Start Menu tab, then click on the Customize button. Scroll down to Games, Choose "Don't Display this item". Click Apply, then OK. Gone.

The issue is that every time you launch an application, Windows searches C:\Windows\System32\GameUXLegacyGDFs.dll (check its resources with something like CFF Explorer) for the executable you're about to run. If it is found, rundll32.exe will be launched from the program itself, loading gameux.dll.
And the same registry entries also point to “LithTech”. Here is from LithTech:
LithTech is a game engine which was initially developed by Monolith Productions in collaboration with Microsoft. Monolith later formed a separate company, LithTech Inc., to deal with further advancements of the engine technology and currently, after a change of its corporate identity, LithTech Inc. is known as Touchdown Entertainment.
A number of different video game developers, including Monolith itself, have used LithTech to power their first-person shooter games, establishing it as an alternative to other products, such as the Quake and Unreal engines. LithTech's latest incarnation is "Jupiter Extended" (or Jupiter EX).
So it seems that the Windows “Game Explorer” is trying to be helpful on your systems, and when you launch “Atlantis.exe”, it is surreptitiously referencing it as an installed (or potentially installed) game.
HTH.
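As an added example (not part of this thread, and not code from Atlantis Word Processor), here is a read-only PowerShell check for the Games Explorer registrations Robert describes. It walks the GameUX subtree using the value names visible in Susan's registry export (Title, AppExePath, ConfigApplicationPath, ConfigGDFBinaryPath) and flags registrations whose executable name collides with Atlantis.exe or whose registered binary is not on disk; it assumes a Windows 7/8 host with Games Explorer present and an elevated shell.

```powershell
# Added example (not from the thread): enumerate Games Explorer (GameUX) registrations
# under HKLM and flag any whose registered executable name collides with a given
# program, or whose registered path no longer exists on disk. Read-only: it only reports.
# Assumes Windows 7/8 with Games Explorer present; run in an elevated PowerShell.

param(
    # Executable name to check for collisions; "Atlantis.exe" is the name from the thread.
    [string]$ExeName = 'Atlantis.exe'
)

$gameUxRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX'
if (-not (Test-Path $gameUxRoot)) {
    Write-Output "No GameUX key present at $gameUxRoot"
    return
}

$findings = @()
# Layout seen in the thread: GameUX\<user SID>\<instance GUID> holding string values such as
# Title, AppExePath, ConfigApplicationPath and ConfigGDFBinaryPath.
foreach ($sidKey in Get-ChildItem -Path $gameUxRoot -ErrorAction SilentlyContinue) {
    foreach ($gameKey in Get-ChildItem -Path $sidKey.PSPath -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $gameKey.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $exePath = [string]$props.AppExePath
        if (-not $exePath) { continue }
        $leaf = Split-Path -Path $exePath -Leaf
        $findings += [pscustomobject]@{
            Sid          = $sidKey.PSChildName
            Instance     = $gameKey.PSChildName
            Title        = [string]$props.Title
            AppExePath   = $exePath
            ConfigPath   = [string]$props.ConfigApplicationPath
            GdfBinary    = [string]$props.ConfigGDFBinaryPath
            NameCollides = ($leaf -ieq $ExeName)
            ExeOnDisk    = (Test-Path -LiteralPath $exePath)
        }
    }
}

$findings | Format-Table -AutoSize

# Entries worth a second look: same executable name as the program you actually run,
# or a registration whose target binary is not installed at all (stale or pushed entry).
$suspect = $findings | Where-Object { $_.NameCollides -or -not $_.ExeOnDisk }
foreach ($f in $suspect) {
    $reason = if ($f.NameCollides) { "executable name matches $ExeName" } else { 'registered exe missing on disk' }
    Write-Output ("Review: {0}\{1}  Title='{2}'  Path='{3}'  ({4})" -f $f.Sid, $f.Instance, $f.Title, $f.AppExePath, $reason)
}
```

Running it before and after a profile rebuild shows whether the registration returns under the same SID, which separates a per-user re-registration from something pushed machine-wide.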
creativelyspeaking
Posts: 10
Joined: Fri Jan 15, 2016 2:51 pm
Location: California

Post by creativelyspeaking »

again Robert, thank you! You have gone way beyond the call of duty here. I appreciate it so much. We have been struggling with this for awhile and I didn't find much online since I didn't really know what to search for. This gives us a much better direction in which to head, AND your previous idea of installing Atlantis (word processor) into a different folder may potentially solve the most important issue of documents printing incorrectly. I can deal with the game thing later, if need be.

Have a great weekend!

-- Susan
Robert
Posts: 1900
Joined: Fri Aug 15, 2003 8:27 pm

Post by Robert »

Well, it all depends on what exactly this Windows “Game Explorer” is doing. If it actually searches “C:\Windows\System32\GameUXLegacyGDFs.dll” or checks resources for any executable you're about to run, it might invariably find that “Atlantis.exe” is one of the games available on your systems, whichever folder it is installed in…
You might find interest in the article at Getting Started with Games Explorer ("https://msdn.microsoft.com/en-us/librar ... s.85).aspx").
Here are excerpts:
Windows Games Explorer provides game developers with a secure and attractive way to present their games to users of the Windows platform (starting with Vista). This document details how to add a game to Games Explorer.
So the authors of the Atlantis game(s) might very well have created a “game definition file” referencing “Atlantis.exe” as a game…
You might also want to take a look at How do you Disable Windows 7 Games Explorer and its Agents.

The only solution might be to disable this Games Explorer on your Windows systems. Or maybe upgrading to Windows 10.
You could try to apply the solutions explained at How to Delete a Game in Games Explorer Folder in Vista, Windows 7, and Windows 8, or Does ANYONE know how to remove (as in DELETE) Games Explorer from windows 7, or Turn Off Games in Windows 7.
HTH.
Have a great week-end too!
Robert
creativelyspeaking
Posts: 10
Joined: Fri Jan 15, 2016 2:51 pm
Location: California

Post by creativelyspeaking »

Good info, Robert. I will follow up on the Games Explorer ideas that you have presented. In the meantime, we have a weirder scenario now. We now suspect that this is profile-specific...at least it seems so. We have done some testing on one of the machines that is acting up with Atlantis. If we create a new user profile, Atlantis appears to behave - on the same machine with the same registry! Yet, if we remove and subsequently recreate the original user profile, the problem stops temporarily, but comes back...anywhere from a few hours to a day or two later. That doesn't make any sense to me. Obviously, we have a lot more work to do. This is truly weird. But it still might boil down to the Games Explorer issue and the user profile thing could just be a red herring. If I can get it working, I don't care if I never know exactly why ;)

Thanks again. You have a new fan.

-- Susan
Robert
Posts: 1900
Joined: Fri Aug 15, 2003 8:27 pm

Post by Robert »

Sometimes it’s best to create a new user profile that works rather than waste time trying to make work something that simply won’t. It sounds like the original user profile somehow was associated with gaming.
creativelyspeaking
Posts: 10
Joined: Fri Jan 15, 2016 2:51 pm
Location: California

Post by creativelyspeaking »

Yeah, I may have to do that if this drags out much longer. But since it affects the boss's computer too (who has never "gamed" in her life), I'm concerned that there is more to it than an errant profile that somehow became associated with gaming. Besides that, we have custom software that issues feature permissions based on the Windows Login Name, so creating a profile with a different name will require that I do some modification of that code (not prohibitive...just a pain). I was thinking that this could be a result of some sort of Windows patch since these users have been using Win7 and Atlantis for a long time with no issues. That's just one more thing to toss into the pile.

Thank you once again! Normally, I love brainstorming, but I'd love to solve this and move on to a new issue now! ;)

-- Susan
Robert
Posts: 1900
Joined: Fri Aug 15, 2003 8:27 pm

Post by Robert »

OK. I have done some more research on the Games Explorer subject. It seems the easiest and safest solution for you would be to turn automatic game updates off in Windows Games Explorer, then remove all mentions of “Atlantis: The Lost Tales” again from your registry. In this way, you’d first disable Games Explorer from adding new games, then you’d remove all already registered entries.
Here is from Setting up the Games folder:

[Image: screenshot from “Setting up the Games folder”]

You might also want to have a look at Enable or Disable Downloading Game Information in "Games Explorer" in Vista, Windows 7, and Windows 8.
HTH.
Cheers.
Robert
creativelyspeaking
Posts: 10
Joined: Fri Jan 15, 2016 2:51 pm
Location: California

Post by creativelyspeaking »

Wow! Thanks! I wish I could hire you :)

-- Susan