M^ck^y
Joined: 29 Nov 2007 Posts: 28
|
Posted: Wed May 07, 2008 12:42 am Post subject: Autohotkey compiled script, A Trojan? W32/YahLover.worm |
|
|
| Is anyone else experiencing this? I wish to know how to resolve this please. I'm sure it's not the first time this happens too. I'm trying to report this as a false to McAfee now. |
 |
M^ck^y
Joined: 29 Nov 2007 Posts: 28
|
Posted: Wed May 07, 2008 12:50 am Post subject: From McAfee |
|
|
from here
Virus Profile: W32/YahLover.worm
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 9/5/2006
Date Added: 9/18/2006
Origin: N/A
Length: Varies
Type: Virus
SubType: Worm
DAT Required: 4845
Virus Characteristics
Update December 7, 2007
McAfee Avert Labs has found a false detection with W32/Yahlover.worm and will be releasing the 5181 DAT Files to correct this issue. The false detection is being seen on certain AutoIT 3.2.2.0 compiled executables. |
 |
M^ck^y
Joined: 29 Nov 2007 Posts: 28
|
Posted: Wed May 07, 2008 1:00 am Post subject: |
|
|
Things I've tried:
- Reporting to McAfee
- Using the latest AutoHotkey
- Searching for 'trojan' in this forum.
Found that I should try a different bin file. |
 |
M^ck^y
Joined: 29 Nov 2007 Posts: 28
|
Posted: Wed May 07, 2008 1:13 am Post subject: |
|
|
| Nothing works so far; VirusScan still thinks it's a trojan. If this happens to you, you will lose all your work if your antivirus automatically deletes viruses. |
 |
Guest
|
Posted: Wed May 07, 2008 1:24 am Post subject: |
|
|
 |
 |
Ian
Joined: 15 Jul 2007 Posts: 1151 Location: Enterprise, Alabama
|
Posted: Wed May 07, 2008 3:55 am Post subject: |
|
|
In the AutoHotkey folder (held in Program Files) there is a subfolder named 'compiler'. In that folder is a file named 'upx.exe'. Rename that to something like upx.old (or any other file extension). That should solve the problem.
_________________ ScriptPad/~dieom/dieom/izwian2k7/Trikster/God |
 |
Josephusm Guest
|
Posted: Wed May 07, 2008 11:30 am Post subject: |
|
|
| Renaming UPX.EXE does the trick alright! Thanks |
 |
Gosugenji Guest
|
Posted: Wed May 07, 2008 5:35 pm Post subject: UPX RENAME |
|
|
| The upx rename trick worked for me too! wow! |
 |
Guest
|
Posted: Wed May 07, 2008 7:25 pm Post subject: why upx.exe renaming. It WORKS. Thanks. |
|
|
I have the same virus problem.
Your suggestion WORKS. Thanks a lot.
What is the reason behind the renaming? How does this work?
That would help explain this to the AutoHotkey team here.
Thanks.
TK |
 |
Roger Matthews
Joined: 21 Apr 2004 Posts: 4
|
Posted: Wed May 07, 2008 11:39 pm Post subject: Still not working here, still being deleted by McAfee |
|
|
Renaming the UPX.EXE file did not help in my case. All my EXE files on my entire network were all deleted by McAfee today. I can still run AHK files, but if I rename the UPX.EXE file, the AHK files no longer run. I hope this gets resolved quickly (by McAfee?!), as McAfee wiped out a lot of work. I checked their website for criteria for being really infected, and none of the files or registry keys of infection are on my computer. This does not seem to be finding a real virus infection, but seems to be bogus. Arrgghhh!
UPDATE: Thanks to posters who clarified the purpose and use of UPX.EXE. I had renamed it to UPX.EXEOLD, which clearly wasn't a "good enough" rename. I renamed it to MXMXUPX.EXE, which did the job. Now my AHK files compile nicely, albeit to twice the size. But hey, if they get decompressed before running, then I suspect they will run slightly faster even if slightly bigger. Thanks again. And I hope McAfee stops doing this. I hope they realize that SysAdmins who use AHK also are influential in their organization's purchase of antivirus software. So McAfee --- stop biting the hand that feeds you!
Last edited by Roger Matthews on Thu May 08, 2008 3:35 am; edited 1 time in total |
 |
Moki
Joined: 23 Feb 2008 Posts: 96 Location: North Carolina
|
Posted: Wed May 07, 2008 11:44 pm Post subject: |
|
|
If renaming doesn't work, then just delete upx.exe. All this will do is cause your programs to compile without compression.
_________________ http://www.mofiki.com |
 |
t0rch1t
Joined: 17 Aug 2007 Posts: 10
|
Posted: Wed May 07, 2008 11:57 pm Post subject: Autohotkey compiled script, A Trojan? W32/YahLover.worm |
|
|
| Another way to get around this is to manually compress the file yourself after it is compiled. Rename upx.exe to something else before you compile and then compress after it is compiled. |
 |
TempInsanity Guest
|
Posted: Thu May 08, 2008 1:29 am Post subject: Reason |
|
|
UPX.EXE compresses the EXE after it's compiled.
When a compressed EXE is run, it loads into memory and then runs a decompression routine over itself - technically, this is a self-modifying program.
A lot of malware uses this process to hide its true nature from AV scanners.
So... self-modifying code is generally treated as "suspicious" by a lot of virus scanners.
Renaming the UPX.EXE stops the compiling process from compressing the EXE - it will just compile the AHK into a larger EXE.
McAfee sucks - this is the third time they have detected compiled AHK files as malware!!! |
 |
M'o
Joined: 09 Mar 2006 Posts: 7
|
Posted: Thu May 08, 2008 6:16 pm Post subject: |
|
|
Hello @all.
Same shit in my company. Many compiled scripts are deleted. So I think it is a good idea to send information to McAfee about this. Here is the thread from the German forum: http://de.autohotkey.com/forum/viewtopic.php?t=2918
Regards,
M'o |
 |
|