Hey guys,
While I'm aware that some virus scanners see AHK as malware (due to possible keylogging IIRC), I was pretty shocked when Avira AntiVir just flagged AHK as a virus:
The whole thing started with AntiVir alerting me that my mIRC.exe was a trojan horse called TR/Dldr.Stration.I.
Quite worried (I've been using that very file for ages!), I ran a full system scan, which brought up AutoHotkey104414.zip, AU3_Spy.exe and AutoScriptWriter.exe as being (infected with?) the same virus or trojan horse.
And just now, PSPad's Notepad.exe was flagged with the same malware.
If it were only for AHK, I'd say AntiVir is a little too sensitive, but this mIRC thing worries me - that can't be a coincidence, can it?
A Google search didn't bring up any results on TR/Dldr.Stration.I, so I'm pretty much lost right now...
Any help would be appreciated!
AHK's malware - same as mIRC!?
Started by Ace_NoOne, Nov 27 2006 10:42 PM
7 replies to this topic
#1
-
Posted 27 November 2006 - 10:42 PM
It is possible, but highly unlikely, that the files may have been hacked. Again, this seems to not be the case. I would have to say that the detection of those files is a false positive. Maybe Chris, or someone else who has access, can manually check the files, but I still think it has to be a false positive. If you could, you should email AntiVir support asking for exact information about the trojan, and ask if it is likely to be a false positive detection on those files.
#2
-
Posted 27 November 2006 - 11:31 PM
Funny, I just had the same alert from my Avira AntiVir PersonalEdition Classic... I had the idea to search for "virus" on the forum before alerting everybody... So here I am! We must have got the same update. :evil:
To be sure, I used BitDefender Online Scanner (needs IE) and it reported no virus... So that's probably a false alert. I know that UPX compressed exes are sometimes reported as viruses, that's probably the common link between your various programs.
I am also trying Kaspersky Lab Online Scanner to be sure, but it choked on au3_spy.exe... I am re-trying. [UPDATE] OK, it was stuck because Avira blocked access to it, waiting for me to tell it to ignore it... This anti-virus is becoming a major annoyance, as it asks me regularly what to do with these files... I hope they will issue a new update.
Note 1: I first tried Secuser's online anti-virus, but unlike BitDefender's it cannot go beyond XP SP2's protection on running ActiveX, so I couldn't run it.
Note 2: I give French links, that's what I got, try these where I replaced the .fr with .com, perhaps it will work for you:
BitDefender Online Scanner
Kaspersky Lab Online Scanner
#3
-
Posted 28 November 2006 - 12:47 PM
vPhiLho := RegExReplace("Philippe Lhoste", "^(\w{3})\w*\s+\b(\w{3})\w*$", "$1$2")
Hmm, I updated the definitions, and scanned the AutoHotkey folder with Avira AntiVir PE: Nothing found 8)
#4
-
Posted 28 November 2006 - 01:17 PM
Hi there,
I also get the "virus found" message:
The files
AU3_Spy.exe and AutoScriptWriter.exe
are infected with the trojan horse "TR/Dldr.Stration.I".
I think that's a false alarm, but does anybody have some more info about this?
Daniel
#5
-
Posted 28 November 2006 - 08:51 PM
Same here. AU3_Spy.exe, AutoScriptWriter.exe and A0066881.exe (whatever this file might be) ... have them in quarantine right now. Can anybody confirm that these are false positives so that I can move the files back in place?
Thanks in advance!
#6
-
Posted 29 November 2006 - 12:38 PM
Thanks for the responses, guys.
I've also filed a report to Avira - haven't heard back from them yet, but it looks like they're aware of the issue.
*phew* When mIRC was showing up as infected, I really thought I'd caught a virus there - glad that's not the case.
#8
-
Posted 30 November 2006 - 08:05 AM