Sandyclawz

  1. I'm just taking guesses here because I normally just edit the files by hand as opposed to using the nifty configurator. However, from what I can see you have input2 (your guitar) using the generic ASIO instead of the Steinberg ASIO driver. You also have WASAPI input/output enabled. If you're using ASIO you shouldn't need WASAPI (assuming you're using the headphone/monitor out from the USB interface). That's just where I'd start, if this were my setup. -Sandy
  2. My day job is in malware analysis and threat intel. I tend to be overly suspicious. The .NET packer is REALLY common in malware (because it's easy and ubiquitous) so that's why it's flagging there. The dll hash has now been associated with the exe patcher, so that's why it's on the naughty list, too. I'll definitely check out the source, though! Thank you for the link. For what it's worth from yet another internet stranger: to anyone reading this thread, as long as the file hash for the executable is 7FCB252A6F44F03F8EB7EEA9685393A49C9660ECE2F73E04998B3C3C0D36F32F and the DLL matches 730E6F154A13B7AEFA55ED3A39EC288B62486A1485A05959B6A0BE5887FEBE1D it's clean.
  3. Took a deeper look at the executable. Don't know why it was packed in this manner, the actual files being replaced are just compressed in the resource. DLL files are going to be overwritten and the installer itself will just do some checkups to see where it's installed and whatever is necessary, as much as I can see.

     microsoft.windowsapicodepack.shell

         try
         {
             string rsDirectory = string.Empty;
             // Start from the Steam install directory.
             string steamDirectory = GenUtil.GetSteamDirectory();
             if (!string.IsNullOrEmpty(steamDirectory))
             {
                 rsDirectory = Path.Combine(steamDirectory, "SteamApps\\common\\Rocksmith2014");
                 if (!Directory.Exists(rsDirectory))
                 {
                     // Default location missing: check the install registry keys.
                     foreach (Tuple<string, string> installRegKey in GenUtil.InstallRegKeys)
                     {
                         if (!string.IsNullOrEmpty(GenUtil.GetStringValueFromRegistry(installRegKey.Item1, installRegKey.Item2)))
                             break;
                     }
                     rsDirectory = GenUtil.GetCustomRSFolder(steamDirectory);
                     if (string.IsNullOrEmpty(rsDirectory) || !rsDirectory.smethod_0())
                     {
                         int num = (int) MessageBox.Show("We were unable to detect your Rocksmith 2014 folder, please select it manually!", "Your help is required!");
                         return GenUtil.smethod_1();
                     }
                 }
                 else if (!File.Exists(Path.Combine(rsDirectory, "cache.psarc")))
                 {
                     // Folder exists but does not contain the game's cache.psarc.
                     rsDirectory = GenUtil.smethod_1();
                     if (rsDirectory == string.Empty)
                     {
                         int num = (int) MessageBox.Show("We were unable to detect your Rocksmith 2014 folder, and you didn't give us a valid RS Folder.", "Closing Application");
                         Application.Exit();
                     }
                 }
             }
             return rsDirectory;
         }
         catch (Exception ex)
         {
             int num = (int) MessageBox.Show("<Warning> GetStreamDirectory, " + ex.Message);
         }
         return string.Empty;
         }

         <data name="D3DX9_42" type="System.Byte[], mscorlib">
           <value>
             TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
             EAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K
             JAAAAAAAAADdbzcvmQ5ZfJkOWXyZDll8SnxafZMOWXxKfFx9FQ5ZfEp8XX2NDll8jHFcfbAOWXyMcV19
             lg5ZfIxxWn2KDll8SnxYfZoOWXyZDlh8Gg5ZfKCOUH2dDll8oI5ZfZgOWXygjqZ8mA5ZfKCOW32YDll8
             ...........

     #IRONY (lol!)

         // Refuse to continue if marker files left by cracked copies are present.
         if (!File.Exists(Path.Combine(installLocation, "IGG-GAMES.COM.url"))
             && !File.Exists(Path.Combine(installLocation, "SmartSteamEmu.ini"))
             && !File.Exists(Path.Combine(installLocation, "GAMESTORRENT.CO.url"))
             && !File.Exists(Path.Combine(installLocation, "Codex.ini"))
             && !File.Exists(Path.Combine(installLocation, "Skidrow.ini"))
             && GUI.CheckExecutable(installLocation))
             return;
         int num = (int) MessageBox.Show("CustomsForge doesn't support pirated / stolen copies of Rocksmith 2014!", "ARGGGG", MessageBoxButtons.OK, MessageBoxIcon.Hand);
         Process.Start("https://store.steampowered.com/app/221680/");
         Environment.Exit(1);

     All that to patch the import table of the EXE for the game and add D3DX9.

     The old HASH of your EXE should be this:

         GUI.HASH_EXE = new byte[32]
         {
             (byte) 167, (byte) 37, (byte) 132, (byte) 97, (byte) 16, (byte) 29, (byte) 160, (byte) 32,
             (byte) 23, (byte) 7, (byte) 245, (byte) 194, (byte) 114, (byte) 186, (byte) 170, (byte) 98,
             (byte) 163, (byte) 211, (byte) 209, (byte) 11, (byte) 61, (byte) 34, (byte) 19, (byte) 192,
             (byte) 208, (byte) 242, (byte) 28, (byte) 200, (byte) 59, (byte) 69, (byte) 136, (byte) 218
         };

     After patching, should be:

         GUI.HASH_EXE_NEW = new byte[32]
         {
             (byte) 13, (byte) 66, (byte) 226, byte.MaxValue, (byte) 60, (byte) 122, (byte) 246, (byte) 132,
             (byte) 62, (byte) 203, (byte) 129, (byte) 37, (byte) 156, (byte) 198, (byte) 79, (byte) 29,
             (byte) 222, (byte) 250, (byte) 19, (byte) 151, (byte) 183, (byte) 206, (byte) 83, (byte) 253,
             (byte) 207, (byte) 10, (byte) 5, (byte) 208, (byte) 182, (byte) 26, (byte) 13, (byte) 195
         };

     All in all, verified it's clean as described. Common AVs will complain because it's packed with a really common .NET packer used in malware all the time. I repacked it for myself and it works fine with no alerts using a different packer. -Sandy
  4. Right, I get that. I'm just wary of an unsigned installer that asks for blind trust. Especially when the installer is reporting network callbacks. (2 DNS lookups and 11 IP addresses) Instead of an installer, is the dll just located somewhere? I can inspect the dll and drop it in the right location and load it myself.
  5. RS2014-CDLC-Installer.exe (SHA256 7FCB252A6F44F03F8EB7EEA9685393A49C9660ECE2F73E04998B3C3C0D36F32F) is popping all kinds of malicious alerts from VirusTotal... What's up with that?
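
Added example (not part of the original posts or of the installer's code): a Python sketch that checks a downloaded file against the SHA-256 values quoted in the posts above, and converts the decompiled `GUI.HASH_EXE` / `GUI.HASH_EXE_NEW` byte lists to hex so they can be compared with hashing-tool output. It assumes those two 32-byte arrays are SHA-256 digests; the function names and command-line usage are hypothetical.

```python
import hashlib
import hmac
import re
import sys

# SHA-256 values quoted in the posts above (installer EXE and its DLL).
INSTALLER_SHA256 = "7FCB252A6F44F03F8EB7EEA9685393A49C9660ECE2F73E04998B3C3C0D36F32F"
DLL_SHA256 = "730E6F154A13B7AEFA55ED3A39EC288B62486A1485A05959B6A0BE5887FEBE1D"

# Array bodies copied from the decompiled GUI.HASH_EXE / GUI.HASH_EXE_NEW.
HASH_EXE = """(byte) 167, (byte) 37, (byte) 132, (byte) 97, (byte) 16, (byte) 29, (byte) 160, (byte) 32,
(byte) 23, (byte) 7, (byte) 245, (byte) 194, (byte) 114, (byte) 186, (byte) 170, (byte) 98,
(byte) 163, (byte) 211, (byte) 209, (byte) 11, (byte) 61, (byte) 34, (byte) 19, (byte) 192,
(byte) 208, (byte) 242, (byte) 28, (byte) 200, (byte) 59, (byte) 69, (byte) 136, (byte) 218"""
HASH_EXE_NEW = """(byte) 13, (byte) 66, (byte) 226, byte.MaxValue, (byte) 60, (byte) 122, (byte) 246, (byte) 132,
(byte) 62, (byte) 203, (byte) 129, (byte) 37, (byte) 156, (byte) 198, (byte) 79, (byte) 29,
(byte) 222, (byte) 250, (byte) 19, (byte) 151, (byte) 183, (byte) 206, (byte) 83, (byte) 253,
(byte) 207, (byte) 10, (byte) 5, (byte) 208, (byte) 182, (byte) 26, (byte) 13, (byte) 195"""


def decompiled_bytes_to_hex(literal):
    """Convert a decompiler-style C# byte list into a lowercase hex digest."""
    tokens = re.findall(r"byte\.MaxValue|\d+", literal)
    values = [255 if t == "byte.MaxValue" else int(t) for t in tokens]
    if len(values) != 32 or max(values) > 255:
        raise ValueError("expected 32 values in 0..255 (SHA-256 length, assumed)")
    return bytes(values).hex()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large executables are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def matches(path, expected_hex):
    """True only if the file's SHA-256 equals the expected value (any case)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


if __name__ == "__main__":
    print("HASH_EXE     =", decompiled_bytes_to_hex(HASH_EXE))
    print("HASH_EXE_NEW =", decompiled_bytes_to_hex(HASH_EXE_NEW))
    # Usage (hypothetical): python verify.py <file> <expected sha256 hex>
    if len(sys.argv) == 3:
        print("match" if matches(sys.argv[1], sys.argv[2]) else "MISMATCH")
```

A match only shows that the file is byte-identical to the one the poster examined; any rebuilt or updated installer produces a different digest and needs its own review.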