
LiveXP Infected?


17 replies to this topic

#1 D619

D619
  • Members
  • 8 posts
  •  
    United States

Posted 19 June 2008 - 01:04 PM

Hello, I am a new member and my first attempt was using 075 beta3 to create LiveXP using the recommended project and settings. I was alarmed to see all the warnings about multiple malware infections in the project files and in the created LiveXP. I am operating behind a double hardware firewall and have a software firewall and logging enabled on a clean, isolated test PC. The logfiles generated are huge. Has anyone else tested the project files or know what may have happened? Specific "backdoor" infections appear in HDTune.EXE and GMouse.EXE, but there may be others in, or caused by running, the project file scripts. I notified Nuno Brito and he recommended that I post this for others to review, test, and report.

#2 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 19 June 2008 - 01:09 PM

In which scripts are the two mentioned EXEs?

Peter

#3 D619

Posted 19 June 2008 - 02:06 PM

Peter,

Thanks for your interest.

The two EXEs were contained in the download of the recommended LiveXP script, running 075 beta 3 yesterday. I ran the script accepting the selections without modifications. The LiveXP CD was created, and when the project was scanned it showed 3 different "backdoor" type infections in the project and in the firewall logfiles, and two different "backdoor" infections in the created LiveXP boot CD. I understand that these types of infections are considered very serious and can cause a "chain reaction" of infections when activated.

#4 pscEx

Posted 19 June 2008 - 02:14 PM

I wanted to know just the name of one script, not the complete project!
Now I'm downloading LiveXP recommended and it will take some time until I have the project ... :)

Peter

#5 pscEx

Posted 19 June 2008 - 02:53 PM

I did the download and built an ISO.

AVAST (current, with daily updates) did not announce any infection.

Try a different scanner and send a support request to your antivirus supplier.

I also sometimes have infections reported by my Avast where I know for certain that there is no virus. When I send this to them, the next update accepts my app.

BTW: May I ask you next time to read my questions more thoroughly?
I only wanted to have the names of the two scripts which contain the suspicious EXEs.

Now I had to download 185 MB just to get two files!

Peter

#6 D619

Posted 19 June 2008 - 03:03 PM

Peter,

I did go back into the project and unchecked the scripts for the two different infections that showed up in the first LiveXP CD created: under Diagnostic the HDTune script, and under Miscellaneous the Ghost Mouse script. I ran the project script to create a second LiveXP CD and it scanned clean; however, a scan of the drive showed an unrelated infection captured by the firewall log files, with a cryptic description of an infection and its pattern of behavior. I do not know at this time if this infection was left from the first run of the script, is a different type of infection, or is something else.

Dex

#7 D619

Posted 19 June 2008 - 03:18 PM

Peter,

Sorry I misunderstood...

The infections show with the most up-to-date AVG Anti-Spyware, PC Tools AntiVirus, and COMODO Firewall. The ones that showed up in the LiveXP boot CD are identified as downloader.delf.aup and downloader.agent.laa. It has occurred to me that it is possible for infections to get in during the project download or while running the project script with the firewall opened in "update install" mode. I do recall a message that one of the scripts failed verification, and I did download it again.

Dex

#8 D619

Posted 19 June 2008 - 03:50 PM

Some more testing... I downloaded HDTune.EXE (free and pro versions) and Ghost Mouse, scanned them, and all were clean... So I think the ones on the first LiveXP boot are really infected. Don't know how, but curious enough to look some more...

Dex

#9 pscEx

Posted 19 June 2008 - 04:07 PM

MD5s of the files I downloaded 2 hours ago from the LiveXP server:

a4ba1d3c320db8524d7f815dc59d7174 *HDTune.exe
c24c1f35c27fd47fdebd3d8c0705da65 *Gmouse.exe


Peter

#10 D619

Posted 19 June 2008 - 04:47 PM

Peter:

Thanks for the MD5s. I checked my LiveXP boot for the two files and get the same MD5s as you have; then I specifically scanned the two files again on my LiveXP CD with currently updated AVG Anti-Spyware, and both are flagged with the infections I listed earlier.

So is it a real infection, or do we have a false alarm? If it were only AVG I would be less concerned, but since I have infections identified on the drive that was used to create the LiveXP with two other scanners, I have to really wonder....

Dex

#11 pscEx

Posted 19 June 2008 - 04:52 PM

Avast has no concerns ... :)

I have no opinion what to believe.
Fortunately, all similar issues in the past have been false alarms.

But three scanners ... :)

Peter

#12 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 19 June 2008 - 06:49 PM

Wouldn't checking that the MD5s of the files downloaded from the Bootland server are the same as those of the files downloaded directly from the respective homepages be the next logical step? :)

I mean, unless today I have some problems understanding what D619 posted:
1) Files Gmouse.exe and Hdtune.exe downloaded from Bootland were found infected by his antivirus/firewall
2) The same files are not found infected by the Avast that psc tested with
3) The same files downloaded by D619 from the respective homepages are NOT found infected by his antivirus/firewall :)
4) psc published the MD5s of the two files on his system and D619 confirmed that they are the same ones (those on the Bootland server)

Are the files on the Bootland server the same as those on the respective homepages? :)

If they are the same, the circle WILL NOT close....

jaclaz

#13 D619

Posted 19 June 2008 - 08:17 PM

Agree, the circle cannot be closed unless current versions that check clean are installed on the Bootland server... For downloads of the same version, for example of HDTune.EXE, the MD5s do not match and the sizes do not match. Unless the same versions were posted with different code, something is clearly wrong...
Can this issue be closed by simply replacing the two .EXEs with current versions in the project script on the Bootland server? Who can do this?

#14 pscEx

Posted 19 June 2008 - 08:45 PM

Because it depends on your personal security considerations, I cannot give you any suggestion what you should do.

I can only tell you what I would do in your situation:
  • For me the suspicious EXEs are clean, and I would include the scripts in my build
  • In case of some doubt I would either:
    • If I really need the two EXEs:
      replace the EXEs in my local scripts with the 'clean' ones from the original site
    • If I do not need them:
      simply 'forget' the two scripts and not include them in my build
Peter

#15 Galapo

Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  •  
    Australia

Posted 19 June 2008 - 09:20 PM

If someone will post updated scripts I'll update the server accordingly.

I'm currently using Avast and Comodo and have no alerts. Sometimes, like Peter has said, Avast generates a false positive, which disappears after a day or two.

Regards,
Galapo.

#16 pscEx

Posted 19 June 2008 - 09:20 PM

Just for your personal knowledge:

The WinBuilder download does not
  • Compare third-party files with the actual files at the original site
The WinBuilder download does
  • Download into a temporary file
  • Ask the server for the MD5
  • Calculate the MD5 of the temp file
  • If the MD5 is OK: move to the final target
  • If the MD5 is not OK: delete the temp file and show an error dialog
Therefore a file with a suspicious MD5 can never be copied onto your host!

Peter
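
The download-and-verify flow Peter lists above, together with the cross-source hash comparison jaclaz proposes in #12, as an added Python example. This is editor-supplied illustration, not WinBuilder's code: the stand-in mirror, its files and the MD5 values it publishes are constructed here, and the names fetch_verified, sources_agree, mirror_fetch and demo are chosen for this example. The caveat a practitioner would add is that a hash served by the same host as the file only catches a truncated or corrupted transfer; if the file on the mirror was replaced, the advertised MD5 can be replaced with it, which is why the independent hash of the vendor's copy is the check that actually closes the circle. MD5 collisions were already practical by 2008, so an agreeing digest is weak evidence against a deliberately crafted file; prefer SHA-256 wherever you control the format.

```python
import hashlib
import os
import shutil
import tempfile


class HashMismatch(Exception):
    """The downloaded bytes do not hash to the value the server advertised."""


def md5_hex(path, chunk=1 << 16):
    """Stream a file through MD5 and return the lowercase hex digest
    (the same value `md5sum` prints in front of the file name)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_verified(fetch, name, expected_md5, dest_dir):
    """WinBuilder-style download as described in the post above:
    1. download into a temporary file next to the final location,
    2. hash the temporary file,
    3. on a match move it to dest_dir/name; on a mismatch delete it
       and raise HashMismatch, so an unverified file never gets its real name.
    `fetch(name)` returns raw bytes and stands in for the HTTP transfer."""
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=name + ".", suffix=".part", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(fetch(name))
        actual = md5_hex(tmp)
        if actual != expected_md5.lower():
            raise HashMismatch(f"{name}: expected {expected_md5}, got {actual}")
        final = os.path.join(dest_dir, name)
        shutil.move(tmp, final)  # only a verified file is placed under its real name
        return final
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)  # mismatch or any other failure: leave no partial file


def sources_agree(hashes):
    """jaclaz's 'closing the circle': every independent source (mirror,
    vendor homepage, ...) must report the same digest for the file.
    A mirror-supplied hash matching a mirror-supplied file proves nothing alone."""
    return len({h.lower() for h in hashes.values()}) == 1


# Constructed sample data (not real files): a stand-in mirror and the MD5
# values it publishes. For swapped.exe the published hash still describes
# the bytes that used to be there, so the download must be rejected.
MIRROR_FILES = {
    "clean.exe": b"MZ\x90\x00 constructed clean binary",
    "swapped.exe": b"MZ\x90\x00 constructed binary replaced on the mirror",
}
MIRROR_MD5 = {
    "clean.exe": hashlib.md5(MIRROR_FILES["clean.exe"]).hexdigest(),
    "swapped.exe": hashlib.md5(b"MZ\x90\x00 constructed original binary").hexdigest(),
}


def mirror_fetch(name):
    """Stand-in for the HTTP download: return the mirror's current bytes."""
    return MIRROR_FILES[name]


def demo(dest_dir=None):
    """Exercise both paths and report what ended up on disk."""
    work = dest_dir or tempfile.mkdtemp()
    result = {}
    try:
        final = fetch_verified(mirror_fetch, "clean.exe", MIRROR_MD5["clean.exe"], work)
        result["clean"] = os.path.basename(final)
        result["clean_md5_ok"] = md5_hex(final) == MIRROR_MD5["clean.exe"]
        try:
            fetch_verified(mirror_fetch, "swapped.exe", MIRROR_MD5["swapped.exe"], work)
            result["swapped"] = "accepted"
        except HashMismatch:
            result["swapped"] = "rejected"
        result["on_disk"] = sorted(os.listdir(work))  # no .part leftovers expected
        # Cross-source check: the mirror's published hash against a hash
        # computed over the vendor's own copy (constructed identical here).
        vendor_md5 = hashlib.md5(MIRROR_FILES["clean.exe"]).hexdigest()
        result["circle_closed"] = sources_agree(
            {"mirror": MIRROR_MD5["clean.exe"], "vendor": vendor_md5}
        )
        return result
    finally:
        if dest_dir is None:
            shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see both outcomes: clean.exe lands under its final name, swapped.exe is rejected and leaves no .part file behind. The digest lines Peter posted (hash, space, asterisk, file name) are exactly what `md5sum -c` consumes, so the same comparison against a vendor-supplied list can be done from a shell without this script.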

#17 D619

Posted 20 June 2008 - 01:54 AM

Peter,

Thanks for the information and all your help and comments, and those from other members. What I have been doing is to take the folders containing the programs that I want to update from the LiveXP project prior to any script runs, swap out the files with updated ones or clean, tested ones from the author's site (or those that I purchased a license for), then run your team's easy-to-use makescript program to generate a replacement script and swap it into the project, then run the script to create an updated LiveXP CD. It seems to work fine, along with other portable programs that I want to add to the LiveXP CD collection. Is there a different or better way to create updated or expanded LiveXP CDs that I missed? (I have not really looked yet.) This is only my first day working with WinBuilder, and I am very impressed with what you and the team have created!!!

Dex

#18 was_jaclaz

Posted 20 June 2008 - 09:41 AM

Depending on the "responsiveness" of the original authors of the app and on that of the antivirus "updating" team, a scenario like this is also possible:
1) an antivirus "brand" (falsely) marks an .exe as containing a virus/trojan
2) the author of the app (possibly alerted by a user of the app who is also a user of the said "brand" of antivirus) writes to the antivirus vendor asking for a correction of the virus database or (possibly) of the "heuristic engine"
3) the antivirus "updating" team fails to comply, because they are lazy, because they in good faith think the malware is there, or because changing the heuristic engine would be too expensive or reduce its detection capabilities
4) the author, fed up, changes the app code slightly so as to avoid it being classified as malware
5) WinBuilder users that do not use the particular "brand" of antivirus are unaware of this and live happily with the "old" version
6) the original author of the WinBuilder .script (remember that this is only voluntarily sharing and contributing to the community something that he did primarily for his own use) has no reason or need to periodically check for updates of the original app; his builds work perfectly, and even if he gets an alert, he knows that the file is clean

In other words, this is an ever-changing world and it is practically impossible to have "everything" in sync....:)


jaclaz



