Review Trojan/Virus Reports
(278 posts) (134 voices)
Posted 16 years ago # -
Trojan horse in Wondershare Photo Story Platinum?
please look here:
http://www.giveawayoftheday.com/forums/topic/2476?replies=10
Posted 16 years ago # -
I am quite upset that I got this trojan when downloading from your site. My virus scan told me that it loaded with Inca Ball. It seems to be very persistent. I am not a techy so this is not good for me. Now what do I do and do I continue to trust this web site?
Posted 16 years ago # -
I am concerned about Media Resizer PRO (GAOTD of January 2nd, 2008):
In folder:
C:\Program Files\Media Resizer PRO
the file:
shell file list.lst
seems to be updated even if I do not use the software.
The file "date-modified" is updated often by itself. Does it mean that the Media Resizer PRO software (or part of it) is loaded during boot without me activating it?
I do not want software to load on my system unless I intentionally load it.
Any advice? My OS is Win XP.
Posted 16 years ago # -
I have also noticed this software's odd behaviour.
I have my programs folder in a sequence of last modified > show in groups.
I installed it when it was offered here, firstly then when the updated version v2.58 came along.
It seems to stay as one of the last modified folders.
I am currently trying to link it to see if when I say install a graphics application, sometimes they ask to be a default application for certain files.
I am yet to conclude if this is affecting media re-sizer pro.
Posted 16 years ago # -
Thank you for your reply.
Maybe GAOTD could access the software vendor and ask him?
If this software loads itself to the system against the user preference, then I would rather uninstall it.
Regards
Posted 16 years ago # -
I'm running AVG and it just picked up a trojan horse from Vidmorph.exe .. says "backdoor, hupigon3.arcw" .. just thought I'd pass this on for what it's worth! I do believe I got this from GOTD a while back.
Posted 16 years ago # -
My first reaction (and years of experience) as soon as I see a virus report and AVG mentioned - I immediately think "false positive".
Can I ask you to disable your antivirus (and on-access checking), which will allow you to upload the file for checking. If the file is infected you only need worry if you actually execute/run the program - just selecting the file and uploading it to a website should not matter.
Please upload to
as the above can often be busy, an alternative
http://www.virustotal.com/metodos.html
you can either upload or email the file (check the instructions for email)
If you could, make a note of the results. Often you can tell from some of the "better AV products" and the general consensus across the products overall whether the file is a false positive or not.
You should check with AVG for the procedure to provide them with the file so they can correctly classify the file.
After all this - Don't forget to turn your AntiVirus scanning back on again.
Posted 16 years ago # -
I use Norton online protection and antivirus tool, I have AnVir Task Manager and Mamutu. My Norton is updated daily and is current. I'm running Windows XP SP2.
My system found the trojan Hacktool.Rootkit in Robotask idlehook.dll yesterday/today and in my easttec backup files under the Robotask product backup. I downloaded Robotask and haven't used it since I downloaded it on September 28, 2007, and east tec backup was used October 12, 2007. Norton Antivirus did not find this trojan until this morning's scan, so the trojan ended up in this file somehow but I don't know how.
I'm not saying this virus was downloaded in Robotask or EastTec Backup's original download from GAOTD because I routinely do full system Virus Scans (once a week) and quick scans whenever I restart my computer and they haven't been found until now. What I'm saying is to please do a full system scan on your computer to make sure you catch this trojan if your computer has somehow received it. The trojan has been removed from my computer as of this morning.
Symantec provided this information on the Trojan.
Hacktool.Rootkit
Risk Level 1: Very Low
Discovered: September 27, 2001
Updated: February 13, 2007 11:38:00 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security.
Rootkits first appeared on the UNIX operating system. Administrator/Superuser accounts on UNIX systems are called root. Rootkits are kits of programs that are designed to gain root access on a system. The term rootkit now refers to any set of tools that can be used to gain unauthorized access to a system.
Protection
Initial Rapid Release version: September 27, 2001
Latest Rapid Release version: March 24, 2008 revision 004
Initial Daily Certified version: September 27, 2001 revision 007
Latest Daily Certified version: March 24, 2008 revision 005
Initial Weekly Certified release date: September 27, 2001
Threat Assessment
Wild Level: Medium
Number of Infections: More than 1000
Number of Sites: More than 10
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage Level: Medium
Distribution Level: Low
Writeup By: Jimmy Shah
Hope this helps someone else out.
Posted 16 years ago # -
After installing iBizCard, Avira Antivir detects trojan "TR/Crypt.XPACK.Gen".
Please look into this.
Posted 16 years ago # -
Our product "ibizcard" does not have any virus; it's 100% clean.
download3k.com Antivirus Report: http://www.download3k.com/Antivirus-Report-iBizCard.html
softpedia.com Antivirus Report: http://www.softpedia.com/progClean/iBizCard-Clean-98324.html
To Thebeo: I will contact Avira to correct this wrong virus report.
Posted 16 years ago # -
To iBizCard_Studio, for your information.
The program Bizcard.exe creates a Temp directory "E_4". In this directory it creates all kinds of files. One of them is identified as the Trojan. Maybe this narrows the search for the problem.
Posted 16 years ago # -
Thebeo: Thank you for your report. We will contact Avira and deal with this problem as soon as possible. Please rest assured, our product is 100% clean.
download3k.com Antivirus Report: http://www.download3k.com/Antivirus-Report-iBizCard.html
softpedia.com Antivirus Report: http://www.softpedia.com/progClean/iBizCard-Clean-98324.html
Posted 16 years ago # -
Same problem here. After installing iBizCard Bitdefender found two infected files in the E_4 directory. Both infected with Trojan.Peed.Gen.
The files are
- EXMLParser.fne
- shell.fne
Posted 16 years ago # -
The Myspace Editor had a "trojen.adclick" and I was using NAV. The virus isn't found until after the product is installed. How disappointing.
Posted 16 years ago # -
BurnAware Home Edition is suddenly getting virus alerts from AVG. The developers are aware of the problem and have reported it to AVG. They say it is a false positive. Their site shows that both the home and free editions are affected. The odd part is I have a friend who started getting the messages Saturday night. I didn't start getting it until this morning's boot. It showed up during the boot, not by trying to use the product.
We have the same version of BurnAware (we both got it here) and we have the same version and level of AVG Free (8.0) having downloaded/installed it the same day. We also have almost the same OS (She has Vista Home Premium SP1 and I have Vista Ultimate SP1). Why did she start getting the messages about 36 hours before I did?
As the product was not essential to me (I have Roxio Creation 9 from my original PC purchase), I have uninstalled it to be safe.
Posted 16 years ago # -
BurnAware Home Edition is suddenly getting virus alerts from Antivirus. The developers are aware of the problem and have reported it to AVG. They say it is a false positive.
It will be fixed with an update. I had this with Nero 7 when it first came out; an update fixed it. It is a false positive as it is new, so keep it; it will be fixed before long.
Posted 16 years ago # -
I updated my AVG Free to version 8.0 from 7.5 last week and as soon as I did, BurnAware started throwing up virus reports. This explains why it is suddenly giving reports; it seems to be due to the update.
If you go to History/Virus Vault in AVG, you can highlight the quarantined items and send them to Grisoft to be re-analysed if you feel they are false positives. I have just done that, only to find BurnAware have notified them as well.
While in the virus vault, you can restore the quarantined files and BurnAware should then work normally.
You can also click "ignore" for these files during a scan and leave them in place until Grisoft gets them sorted out.
I tried Avira as it has better detection rates than AVG, but had to go back to AVG as I got far too many false positives from Avira. Not only that, but it was hard to submit reports of false positives to Avira and even when I persevered, they said one false positive was real. Now it looks like AVG have increased their detection rate, but at the cost of more false positives. I will stick with them (at least temporarily) as at least they have made it easy to report suspected false positives.
Posted 16 years ago # -
iBizCard-Stud....... I just clicked on your link http://www.download3k.com/Antivirus-Report-iBizCard.html
and it sure started alarms going on my computer, dangerous.... and so forth, whereas the second link had no problem and gave a 100% free of virus ++. Did you download from the first link??
Paulga
Posted 16 years ago # -
Following up on the BurnAware issue, AVG also quarantined most of the files as being infected with Klone P. I contacted the software supplier and got a few cryptic notes back that they no longer support the Home Edition and that I should upgrade to their v.2. However, contrary to what is shown in my GAOTD registration summary - 'eligible for upgrades for 1 year' - I was informed that only paying customers are eligible for this free upgrade. Not liking this 'bait & switch' approach - when a promise is made... it should be kept. If someone from GAOTD could check into this, I'm sure everyone who d/l'd this software would appreciate it. Also, if you want, I can forward their e-mail responses.
chuck11
Posted 16 years ago # -
PC Tools' "Threatfire reports that SAGA.exe is logging keystrokes". I'm not sure if this is something normal for games that the game is supposed to do but having a keylogger built into the game surely made me uninstall it. I posted this in the comments but it was Modded out so I figure I'll throw it up here.
False Positive? Threatfire uses behavioral based detection so I was just wondering if this is something that is common for games to function and should be allowed to continue or not.
Posted 16 years ago # -
I have seen a couple of offers lately that have required a validation from the developer site, and that is not such a bad thing really as it helps the developers keep up with stats on how well this site works for them.
There was one that troubled me though, and I can't recall the name off hand. It required a second download from their site. To me this poses a huge security risk, and I hope you guys avoid this in the future because you have no way to validate what they decide to change it to.
Even if I could remember the developer/software I wouldn't name them since their offer did pass the spyware/virus scanners on my computer even at the late time that I typically download. It's just a thought.
Posted 16 years ago # -
Ah, that would be the infamous Flex GIF Animator that only about 2 people managed to get. Were you one of them, Brad?
Posted 16 years ago # -
Nah, I never got the activation for that I believe. I may be thinking of the initial download for that, so I could be mistaken. I was thinking there was another one that was that way. Could just be the old memory crapping out again.
Posted 16 years ago # -
I replaced the hard drive in my portable today with a larger one, and copied over the partitions intact from the old drive. On reboot windows did a repair (probably noticed the changed drive size) and at the end of that, rebooted. When I logged on after the reboot, Anvir immediately detected a trojan in the Solveig WMP Trimmer's *Uninstaller* program. Not sure why it didn't find it earlier, but this isn't something I picked up today - this machine hasn't been online for two or three days. It's very likely that the trojan has been there from the outset and it was only due to the repair that anvir had a chance to look at all the files on the machine. It may have been there since it was first installed.
There's nothing on the original download web page ( http://www.giveawayoftheday.com/plugin-solveigmm-wmp-trimmer/ ) about having seen trojans or viruses at the time of release (not even of false positives) so my guess is that this was caught by an antivirus update that came out after the software was installed.
There are only three possibilities. I picked up a virus and this file is the only one on my system that's been infected; or the uninstaller had a trojan from the start; or this is a false positive. My money is on #2.
Posted 16 years ago # -
I tried to watch a video this evening with VLC and got an error: "C:\Windows\system32\OPENGL32.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support".
Remembering what someone posted yesterday about Wondershare having updated some DLLs, I pulled out my last complete backup - fortunately from last weekend - and compared the size and date stamps of all the files in system32, thinking it was just an older version of something that had been badly updated. Apart from 5 files which appeared to be related to Microsoft Update, there was nothing visibly different.
However obviously something *had* changed, so I did a hex dump of opengl32.dll from before and after the last backup.
It turns out that the most recent one has had its code compressed and some new code added to it, and written back on top of the file so that the length is preserved. Some of the original contents are still present at the end of the file since the compressed code + virus are shorter than the original.
The insertion of the virus was also careful to update the date stamps so that they don't appear to have been changed.
The only software that I've installed since the last backup (with the exception of one program which I installed under returnil and then removed) is from GAOTD - the Gridinsoft editor, and Wondershare.
Here is the start of opengl32.dll from the old safe version:
00000000: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 : MZ..............
00000010: b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 : ........@.......
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 : ................
00000040: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 : ........!..L.!Th
00000050: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f : is program canno
00000060: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 : t be run in DOS
00000070: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 : mode....$.......
00000080: a8 e1 0e 74 ec 80 60 27 ec 80 60 27 ec 80 60 27 : ...t..`'..`'..`'
00000090: ec 80 61 27 41 80 60 27 cb 46 1b 27 fd 80 60 27 : ..a'A.`'.F.'..`'
and here is the start of the code from the infected version:
00000000: 3d 22 97 cb 91 cb e6 f1 7d 9f 8c 9f 92 81 9f f1 : ="......}.......
00000010: c9 7a 39 06 06 47 d8 b0 71 5b 6f 14 d6 c7 1a 8d : .z9..G..q[o.....
00000020: 5a bd d9 6c 9d e3 42 2a ee d2 88 3b 43 db 0e 41 : Z..l..B*...;C..A
00000030: 08 49 22 05 5a 08 91 58 48 aa 81 6e 9e 2e 47 d3 : .I".Z..XH..n..G.
00000040: f5 40 4f b6 9a ba 3e 51 0c e2 81 6e df f1 5d a5 : .@O...>Q...n..].
00000050: 5c 47 2a e5 48 a5 1c 21 85 e7 08 db 9a 26 29 1e : \G*.H..!.....&).
00000060: c4 db 74 1b 4e ff 16 a2 c9 c7 52 67 80 a0 13 eb : ..t.N.....Rg....
00000070: b5 a9 5b d5 1a 24 16 db d6 8c f4 7b b9 28 32 eb : ..[..$.....{.(2.
00000080: bb b2 4e ed c0 f9 c6 0c 17 88 69 29 4b 70 95 04 : ..N.......i)Kp..
00000090: 5e 40 5c 0c 02 58 0a df b9 d9 7c d7 29 2f 53 f8 : ^@\..X....|.)/S.
Maybe that'll be enough for other users here to check their own systems and see if anyone else has picked up this same virus.
After getting two viruses in two weeks, with a high likelihood of them coming from here, this is just getting way too risky. As much as I've enjoyed the petty bickering, I am sad to say I'm outta here. So long guys, it's been nice knowing you. (Although I may drop in to this forum again after I've uploaded the virus to some of the AV sites to see if they can identify it.)
Graham
Posted 16 years ago # -
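The comparison described in the post above, as an added defender's example that is not part of the thread: when a binary is overwritten in place with its length and timestamps preserved, comparing size and date against a backup finds nothing, so a baseline check has to compare content hashes and sanity-check the executable header. The sample bytes are constructed from the two dumps in the post and padded; the PE signature position is an assumption, since the dumps stop before it.

```python
import hashlib
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"

def pe_header_ok(data: bytes) -> tuple[bool, str]:
    """Minimal DOS/PE header check: 'MZ' magic, then 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != MZ_SIG:
        return False, "missing MZ signature"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    if e_lfanew + len(PE_SIG) > len(data):
        return False, "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + len(PE_SIG)] != PE_SIG:
        return False, "missing PE signature at e_lfanew"
    return True, "ok"

def fingerprint(data: bytes, mtime: float) -> dict:
    """The three attributes a baseline comparison might record for a file."""
    return {"size": len(data), "mtime": mtime,
            "sha256": hashlib.sha256(data).hexdigest()}

def changed_attributes(baseline: dict, current: dict) -> dict:
    """Which recorded attributes differ between baseline and current."""
    return {k: baseline[k] != current[k] for k in ("size", "mtime", "sha256")}

def verdict(baseline: dict, current: bytes, mtime: float) -> list:
    """Findings for one file: content change and/or a malformed header."""
    findings = []
    diff = changed_attributes(baseline, fingerprint(current, mtime))
    if diff["sha256"] and not (diff["size"] or diff["mtime"]):
        findings.append("content changed while size and mtime match")
    elif diff["sha256"]:
        findings.append("content changed")
    ok, reason = pe_header_ok(current)
    if not ok:
        findings.append("PE header check failed: " + reason)
    return findings

# Constructed sample (not the real DLL): the first 0x40 bytes follow the clean
# dump in the post; the file is padded so 'PE\0\0' sits at e_lfanew = 0xE8.
CLEAN_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"   # 0x00: MZ magic and DOS header
    "b8000000000000004000000000000000"   # 0x10
    "00000000000000000000000000000000"   # 0x20
    "000000000000000000000000e8000000"   # 0x30: e_lfanew = 0x000000E8
)
E_LFANEW = 0xE8
CLEAN = CLEAN_HEAD + bytes(E_LFANEW - len(CLEAN_HEAD)) + PE_SIG + bytes(0x40)
# The overwritten copy starts with the bytes of the second dump and is padded
# to the same length, because the post says the file length was preserved.
INFECTED = bytes.fromhex("3d2297cb91cbe6f17d9f8c9f92819ff1") + bytes(len(CLEAN) - 16)
SAME_MTIME = 1_200_000_000.0  # constructed: the date stamps were preserved too

if __name__ == "__main__":
    base = fingerprint(CLEAN, SAME_MTIME)
    print(verdict(base, CLEAN, SAME_MTIME))
    print(verdict(base, INFECTED, SAME_MTIME))
```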
Smart Install Maker (GOTD from 11/27/2007) malware ALERT
Emsi a² Anti-Malware 3.5 (very recent giveaway) has found a TROJAN-SPY.Win32.Banker.khi which is “capable of stealing private information such as account numbers, passwords and banking credentials” (cf. http://www.avast.com/eng/win32-banker.html).
Infected appear to be two files named "install.exe" (in the "Data" folder) and "setup.exe" (if you haven't deleted this file immediately after installation). GOTD team, you definitely ought to investigate that issue! It surely isn't a minor one!
To be honest, although there have been a few false positives in the a² results, this time I don’t believe in a f.p. for multiple reasons.
Something which is considerably questioning the credibility of the author, I.B.C., as well as in every case alike we had on GOTD, is that on their website they give no hint whatsoever as to their location, not even the country they come from.
The point is, would a serious, customer-related company not be trying to build trust by letting the customer know where, at least in which country, the company's working that he's gonna pay and rely his pc on?
Posted 16 years ago # -
Ditto here. Identical experience on my Vista Home Premium Presario laptop while recently trying out Emsi Anti-Malware 3.5.
The files are identified further by Emsi as coming from Smart Install Maker -
C:\Program Files\Smart Install Maker\Data\Install.exe
I downloaded and installed Smart Install Maker from GAOTD on November 15, 2007.
Question: If you delete the Smart Install Maker setup.exe file as well as the Install.exe file as I have done, are you then completely free of the Banker Trojan/Spy problem? In other words, can you safely use the Smart Install Maker program?
Posted 16 years ago # -
At least 1 reply. Thanks, Gonzo, for your confirmation. It feels strange to report a trojan banker in a GOTD product and nothing happens for almost 1 day.
But I do wonder why GOTD remains silent. Bad sign for what's going on behind the stage, or just due to their vacation? We'll see...
Meanwhile I've moved the two suspicious files onto a USB stick, and as a consequence the a² scan of the SIM directory is clean now. Nevertheless, such a state of "security" seems to me nothing but self-deceptive - not at all to my liking. How can we tell whether the two baddies haven't generated "remote server files" (cf. the given link above) hidden deeply inside the registry?
So, what has to be done till somebody "official" is going to take over responsibility?!
Well, to play safe you've got primarily one solution - all downloaders of Smart Install Maker must QUARANTINE the pc where SIM has been installed on in that they stop doing online banking on that same pc! If you are lucky having a notebook at your disposal, use IT for online banking as long as the coast isn't clear yet.
Other than that I don't see an alternative to a reformat of your internet pc ...
Do you, GOTD team???
Posted 16 years ago # -
Did you both scan with any other AV or SW application?
Posted 16 years ago #