AutoHotkey Community

toasterking · Joined: 04 Oct 2006 Posts: 8

AVG Free Edition 7 for Windows just pulled its latest virus definitions file today on my Win9x box, and now whenever a compiled (.exe) AutoHotkey script runs, AVG detects it as the trojan horse PSW.Agent.CRB, prevents it from running, and prompts for options to eradicate it. If I click the Heal button, it actually just moves it to the Virus Vault and deletes the original. Running a plain-text .ahk file works fine; it's just the compiled scripts that AVG catches. Has anyone else experienced this? It seemed to just start today. I've been a faithful user of AVG Free for about 6 years now, but if it comes down to dropping AutoHotkey or switching AntiVirus software, AVG will be gone in a heartbeat.

slomz · Joined: 03 Sep 2006 Posts: 608 Location: Iowa, U.S.

Well it depends what the script does. If it grabs information about your internal hard drive or changes files or .dll's in ur comp it could be detected as an infected virus.

.AHK · Joined: 26 Apr 2006 Posts: 662 Location: USA

Read this link:
http://www.autohotkey.com/forum/viewtopic.php?t=11132
My compiled script was reported to be a possible keylogger by spysweeper. It updates no system files, registry, or anything (self contained .exe). It was considered most likely this happened due to AHK keyboard hook, which is mistaken as a keylogger.

JohnnyNitrox · Posted: Wed Oct 04, 2006 3:10 am Post subject:

Could it possibly be because it says Created by "Hidden Trojan" perhaps it reads the code and sees that specific word and it niltches it because of that small fact.
_________________
You all rock!

slomz · Joined: 03 Sep 2006 Posts: 608 Location: Iowa, U.S.

No, if a anti virus program would do that it would be a pretty shitty anti virus program.

silveredge78 · Joined: 25 Jul 2006 Posts: 387 Location: Midwest, USA

Have you tested this for various compiled scripts? Or just the one?

I just made sure I had the latest updates for AVG 7.1.407, as well as the latest virus definitions. I then ran some of the compiled scripts I have (Yam and Guess-It). I had nothing come up. I even tried a script I have written that I normally use as an *.ahk, compiled it and again nothing came up for me.

Has anyone else had this problem?
_________________
SilverEdge78

toasterking · Joined: 04 Oct 2006 Posts: 8

Solved it.

I finally attempted what I perhaps should have tried first -- I uninstalled my version of AutoHotkey (1.0.43.08) and installed the latest version (1.0.44.14). The scripts which were already compiled are still detected as containing the trojan, but if I recompile the same scripts with 1.0.44.14, AVG is now fine with them.

I first tested running/recompiling the scripts on a different system also already running AHK 1.0.43.08 in Windows XP SP2 and had the same problem with AVG. I then tested on a system already running AHK 1.0.43.09 in Windows XP SP2 and had no problems. It was then that I uninstalled/updated AHK on the original machine to 1.0.44.14, and it's been smooth sailing since. So I assume something changed between AutoHotkey 1.0.43.08 and 1.0.43.09 that changed the behaviour that AVG is suspicious of. Nothing in the "Recent Changes" in the help file looks obvious.

In a related incident, McAfee VirusScan 8.0 started trashing my compiled AutoIt3 scripts at work today, claiming that they contain the trojan StartPage-JR. I'm still working on that -- several customers on the network have had problems today because the logon script couldn't run an AutoIt3 script that assists in our Exchange2003 migration.

SKAN · Joined: 26 Dec 2005 Posts: 6223

Seclinix · Posted: Mon Mar 05, 2007 7:58 pm Post subject:

omg i get the same dam thing except mine says warning new.mal found this is an PUP (potentially unwanted program) it is McAfee!!!!!!!!!!!!
_________________
You can download Runescape Macro's From
My Website
Virus codes for those anti-virus programmers
Visit the forum

toasterking · Joined: 04 Oct 2006 Posts: 8

I have found that virus definitions in many popular antivirus software apps seem to erroneously detect UPX-compressed executables (like compiled AutoHotkey scripts) as trojans because so many simple trojans have been written and compiled using UPX. AutoIt3 has an option in the compression menu of its "Script to EXE Converter" app to disable UPX compression, which effectively avoids this situation albeit producing a larger executable file, but I see no such similar option in AutoHotkey 1.0.43.09's converter app.[/quote]

koro · Joined: 24 Sep 2006 Posts: 60

I use regularly my own script (compiled) and Antivir Personal Edition Classic. Today, apparently after the latest upgrade, it Antivir claimed that my script IS the trojan "Autoit.AE". What is surprising is that this is not speculative; it doesn't say "it could be a trojan"; it says it is one. Should I report this to the antivir team so that they fix it?

Zippo() · Guest

SKAN · Joined: 26 Dec 2005 Posts: 6223

mail@airlinepilot.de · Guest

Hello,

I had the same problem! Since last week two of my AHK .exe files are detected as "Autoit.AE" ! I am using that tools since six mounth and never had any warning!

I just changed in my compile.ahk, that I am using, a different filename as output. Thats ist since this change I have no problems anymore.

At the second file this worked as well!

Can someone do a Xcheck for me?

You can download the file at: http://www.flightprep.de/MOTNE.zip

Please try, If this file is detected as "Autoit.AE"! I am using Bitdefender Antivirus 10. I thought that it is just my antivirus program and its present
virus signature!

I will write parallel to that to the Bitdefender Company to receive further information. I will keep you informed!

The program is a little tool for airlinepilots to convert runway status.
Here is the code, so you can see that is nothing dangerous in: