AutoHotkey Homepage AutoHotkey Community
AVG - all ahk script infected
crxvfr



Joined: 10 Mar 2006
Posts: 46

Posted: Tue Nov 06, 2007 4:38 pm    Post subject: AVG - all ahk script infected

Today when I came into work, all the compiled scripts I've written were flagged by AVG as having a trojan dropper generic.RQG. Why are the compiled ahk scripts being targeted or why are they vulnerable?
me again
Guest





Posted: Tue Nov 06, 2007 5:22 pm    Post subject: Re: AVG - all ahk script infected

crxvfr wrote:
Today when I came into work, all the compiled scripts I've written were flagged by AVG as having a trojan dropper generic.RQG. Why are the compiled ahk scripts being targeted or why are they vulnerable?


I read around a little. Perhaps this is a false positive created by AVG's update? AVG updates every day. Hmmm.
daonlyfreez



Joined: 16 Mar 2005
Posts: 744
Location: Berlin

Posted: Tue Nov 06, 2007 5:44 pm

Please report your findings to AVG
_________________
(sorry, homesite offline atm)
crxvfr



Joined: 10 Mar 2006
Posts: 46

Posted: Tue Nov 06, 2007 6:30 pm

daonlyfreez wrote:
Please report your findings to AVG

Thanks, I do that. Can't live without ahk! ...but here is something of interest...

I recompiled the scripts from the source, replaced the offending exe's and re-scanned them with no detection of the trojan horse dropper. Also, the scripts alone, er um, ahk source code was never flagged.

Would this mean, ...the compiler is clean, the source code is clean but the compiled scripts were somehow more vulnerable or targeted?
daonlyfreez



Joined: 16 Mar 2005
Posts: 744
Location: Berlin

Posted: Tue Nov 06, 2007 7:05 pm

It probably means AVG triggers on executables compiled with a previous version of AHK.
_________________
(sorry, homesite offline atm)
Zippo()
Guest





Posted: Wed Nov 07, 2007 3:06 am

AVG is really getting on my nerves lately.

I have 14 AHK compiled scripts in the virus vault, and a couple compiled programs that I've written in another language (one is made for DLL injection, so I can kind of understand that). It even added an .OBJ file to the vault.

It also decided to add FASMW.exe from the Flat Assembler.

And for good measure it threw in OLLYDBG.exe (my friggen debugger!).

Grrrrrrrrrr
jballi



Joined: 01 Oct 2005
Posts: 319
Location: Texas, USA

Posted: Thu Nov 08, 2007 12:26 am

Zippo() wrote:
AVG is really getting on my nerves lately.
...
Grrrrrrrrrr

I too was having a problem with AVG and AHK yesterday. Today I downloaded the latest AVG signature files and everything seems to be OK. I also ran a scan of the latest AHK installation file, AutoHotkey104704_Install.exe, against Jotti's malware scan: http://virusscan.jotti.org/, and the scan found no malware.

Since AHK has a large community of users, these false positives usually get reported fairly quickly. Thanks to whoever reported this to AVG. You saved me the cost of an email. Cool
Timothy
Guest





Posted: Wed Nov 21, 2007 8:04 pm

AVG is now reporting all my scripts compiled with AutoHotkey 1.0.47.04 as trojan horse SHeur.ACWD. Is anyone else getting this problem?
Timothy
Guest





Posted: Sun Nov 25, 2007 11:07 pm

I have found that I get the problem if I use a True Color (24 bits) 32 x 32 custom icon for my compiled script. It doesn't happen if I use other types of icons.
jballi



Joined: 01 Oct 2005
Posts: 319
Location: Texas, USA

Posted: Thu Jan 17, 2008 2:09 am

Timothy wrote:
I have found that I get the problem if I use a True Color (24 bits) 32 x 32 custom icon for my compiled script. It doesn't happen if I use other types of icons.


AVG just started to report the Trojan horse SHeur.ANBM for AutoHotkey v1.0.47.05 compiled scripts. But here's the weird part. AVG only reports a problem with compiled scripts with icons but only some icons give it the Heebie Jeebies. The size/True Color/etc. of the icon doesn't appear to be the right clue. Most of the icons I use are 32x32x24bit and some give me a problem and others do not.

Weird and wacky stuff...
Guest






Posted: Sat Feb 02, 2008 5:35 pm

Hi there,

Just wanted to say that this is happening to me now too!

1st off If I compile with an .ICO file created in IconBuilder 1.1 with AVG2exe. I get the error message 'Error: Unable to create the compiled archive'.

2nd AVG then gives me a threat of Trojan horse SHeur.APYK.

It must be a false positive as even older .ICO's I've compiled before with no problem are coming up with the same message now.

I've even tried disabling AVG (risky) with no success. Is there perhaps another compiler I could try to make this work? I'm going to try an icon file not created in IconBuilder.. If this doesn't work what do I do? PLEASE HELP!

TLM
TheLaughingMan



Joined: 21 Aug 2006
Posts: 41

Posted: Sat Feb 02, 2008 5:47 pm

Ok I tried some ICO files from this site..

http://www.icongalore.com/software-icons/free-ico-icon.htm

The problem does not come up..

This is frustrating. Looks like it has something to do with Icon Builder. Must investigate further..

(Sorry about the Guest post was not logged in)

TLM
TheLaughingMan



Joined: 21 Aug 2006
Posts: 41

Posted: Sat Feb 02, 2008 10:16 pm

Ok after some investigation it looks like a false positive. AFAICT If you are using IconBuilder 1.1 you have to upgrade to 2.0. I tried the demo and I no longer get the same message from AHK2exe or Trojan alert from AVG. I'll be purchasing an upgrade next week..

HTH

tlm
Yustec



Joined: 11 Feb 2008
Posts: 1
Location: Malaysia

Posted: Mon Feb 11, 2008 7:30 am    Post subject: New Trojan Strain...

Just now when I compiled a script, AVG reported that the compiled file contains 'Trojan horse SHeur.ASAW'. Is there any patch available for this?
jballi



Joined: 01 Oct 2005
Posts: 319
Location: Texas, USA

Posted: Mon Feb 11, 2008 8:22 am    Post subject: Re: New Trojan Strain...

Yustec wrote:
Just now when I compiled a script, AVG reported that the compiled file contains 'Trojan horse SHeur.ASAW'. Is there any patch available for this?

I just got it too. AVG appears to be having a problem getting/keeping their act together.

The problem appears to be with compiled scripts that are compressed. One temporary work-around (without disabling AVG) is to delete the upx.exe file in the AutoHotkey Compiler folder. Just rename it to something like upx.exe.old. You should be able to compile without getting the virus error. In a few days when AVG updates their signature files rename it back and give it another try.

Good luck to us all.


Edit 20080211_1540: I just discovered that compiling with an icon might also be a temporary work-around for this problem, depending on the icons. Some icons work OK while others don't make a difference.
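
Added example, not part of the original thread and not AVG's or AutoHotkey's code: a small triage script for telling which compiled scripts were UPX-compressed, so flagged and unflagged builds can be compared as the post above suggests. It reads the PE section table, marks `UPX`-named sections and reports per-section byte entropy; `triage`, `build_sample`, the 7.0 threshold and both sample images are assumptions constructed for illustration.

```python
import math
import struct

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, set(data)))

def pe_sections(image: bytes):
    """Return (name, raw_bytes) for each entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections at +6, SizeOfOptionalHeader at +20 from the signature
    nsec, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        hdr = table + 40 * i                               # 40-byte section header
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections

def triage(image: bytes, threshold: float = 7.0):
    """Flag UPX-named sections and sections whose entropy looks compressed."""
    return [{"section": n, "entropy": round(entropy(d), 2),
             "upx_name": n.startswith("UPX"), "high_entropy": entropy(d) > threshold}
            for n, d in pe_sections(image)]

def build_sample(sections):
    """Constructed minimal PE image (headers and raw data only, not runnable)."""
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + coff
    ptr, table = len(head) + 40 * len(sections), b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        ptr += len(data)
    return head + table + b"".join(d for _, d in sections)

# Constructed inputs: repetitive bytes stand in for plain code, uniform bytes for packed data.
PLAIN = build_sample([(b".text", b"\x55\x8b\xec\x90" * 1024)])
PACKED = build_sample([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16)])

if __name__ == "__main__":
    print(triage(PLAIN), triage(PACKED), sep="\n")
```

To check a real build, pass the file's bytes to `triage`, for example `triage(open(path, "rb").read())`.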