Possible FP on a purchased File Recovery program?
Hi Andy,
This file showed a "Trojan.Generic.KDZ.2748" after downloading it from the company with my iPad2 into an FTP App, when I had the older iOS 5.1 installed.
I've since made a fresh install of iOS 7.0.2 recently, and re-downloaded the latest Active File Recovery Enterprise Edition, and no Trojan Virus shows within it.
I was discussing this with CeciliaB the other day, and mentioned to you also several months ago, if it's possible the iPad may have gotten a virus somehow, because when I attempted to backup my iPad using iTunes, it complained about a Malware threat at that time, and we determined it wasn't a threat of any importance.
But seeing this High-Level Trojan Virus somehow added to a file downloaded with an App from my past iOS 5.1 on the iPad, I'm wondering if it's a false positive, or actually was there before I made a fresh install of the iPad's iOS 7.0.2.
I also discussed with CeciliaB, a program that can read and write to/from the iDevice, even if it's not Jailbroken, as well as reading the iTunes Backup file, to extract files from it.
The program is called iExplorer at http://www.macroplant.com/iexplorer/
Maybe this program's method can be a way to use AdAware to read the files on an iDevice, to scan for viruses.
anyway... I tried uploading the file here but it is too large.
CeciliaB said to use http://sprend.com and give you the link to it in a PM so that's my next operation.
Look for my PM to you soon.
the file shows as being around 178MB ... and is uploading there now.
-
Hi,
I downloaded the file from the link above but was unable to extract it using the pin code in your PM. Can you resend the pin code? Thanks.
Andy
0 -
Hi,
I downloaded the file from the link above but was unable to extract it using the pin code in your PM. Can you resend the pin code? Thanks.
Andy
I think that pin code was not needed if you downloaded it thru the file link.
I checked the eMail again, and there was a special PIN code page link, where you enter the PIN code to START the transfer.
Try using the "infected" password your sticky post mentions, as a requirement of posting these false positive uploads.
Sorry about that mix-up in PIN codes. The password to extract is "infected" ... Not the PIN#
I feel like such a PIN-head...
0 -
Got it
I was using the pin code as the password. Thanks for clarifying!
Andy
0 -
Great
Now I have to see why my Win8.1 system lost internet access.
I was playing with an "OpenSSH" and "cygwin64" install, and when it didn't work, I changed settings then deleted some of those files, and registry additions from "cygwin" and now the Internet access is off.
It connects to the router, but no local linking to my iPad, and no internet on it.
It was working so well, ... but I had to have a SSH based VNC connection, and couldn't stop. Oy..!
0 -
I found the problem with my Windows 8.1 issue of No Internet access.
Hey LS Andy, and anyone else..!
If you can't get onto the internet on one of your devices and it comes up as DNS error in Windows, I found a very good site that guides you through a check-list of things to try, first, before going crazy with things you may not have needed to do.
After using the Diagnose option, built into Windows, it said it was a DNS Error, so I Google'd it... and found this link
http://atechjourney.com/dns-server-not-responding-error-fix.html/
Maybe it will help others narrow down the cause of their DNS errors too.
EDITED:
I also now have my SSH VPN Tunnel fully working too, on public HotSpots around town, into my home computer, from my iPad2, using Bitvise WinSSHd v6.x.x. With UltraVNC v1.1.9.3 on the home PC.
It was the easiest to config. (Both of these programs)
Screw OpenSSH, it's way too hard to use and figure out how to install/config, compared to the Bitvise product.
and UltraVNC works with the iPad App called "Remoter" (on any iDevice, too)....really wild stuff..!
One correction, in the post directly before this one... I noticed I was calling the VPN connection a "VNC" connection. Oops!
it's VPN (Virtual Private Network) ...
Guess I was sleepy during that post, and thinking of the UltraVNC program ...HaHa!
0 -
Hi,
It turns out that the file being detected is actually a file contained deep inside the installer (autorun.exe, md5: 44ea31a350f662ad597c092a7bee2575), not the installer itself. The file will be removed from detection in an upcoming update.
I'm also going to submit a bug report to the development team. The log file did not give any information that an 'InnerObject' was the cause of detection - it looked like the installer was being detected, which is not correct.
Thanks for the report!
Andy
Lavasoft Malware Lab
0 -
Hi Andy,
So the autorun.exe, (md5: 44ea31a350f662ad597c092a7bee2575) was the only one being detected as actually a False Positive?
Because other files from that uncompressed original install .EXE file also showed up as being infected, and were deleted. But they weren't deleted from the "C" drive original install folder, rather, from the copy I made from that C-drive install, on to another folder on my D-drive.
And that's also strange, because that autorun.exe file is in the updated v11 download of Active File Recovery Enterprise Edition, as well, unless it's a different md5: #, but AdAware v11 didn't see it as a threat when scanning that file download from Lsoft, stored on my D-drive.
I think this file you got from me was v9.5 and the first one I got from Lsoft, that was downloaded using my iPad2 when I had iOS 5.1 on it.
Maybe you shouldn't remove this detection from the threat definitions yet. Did the autorun.exe file show signs of ANY type of threat?
Have you tried installing the software to see if other files get infected during the install process, - by copying that install folder to another drive, then scanning them there?
It wasn't just ONE that AdAware v11 saw as Trojans and deleted.
I may need to try scanning again to see if anything in the new v11 Active File Recovery shows anything, because even though it just logged this one version's files as being a threat, it still deleted all the other versions' folders too, from my D-drive.
This is what's so strange to me. It took off all folders with all versions of the program I had stored on that D-drive, but didn't log its removal to give me the option of removing or quarantining it.
I even tried to recover the folders with the v11 recovery program, but there's no mention of those backups even being on that drive.
I need to see this again...cause something very spooky happened regarding this.
there were, definitely - the other versions (v10.x and the newer v11) along with the copied already decompressed, installed files, stored on the D-drive, but now they're all gone after the AdAware v11 first full scan of the entire computer.
0 -
So the autorun.exe, (md5: 44ea31a350f662ad597c092a7bee2575) was the only one being detected as actually a False Positive?
Correct.
Because other files from that uncompressed original install .EXE file, also showed-up as being infected, and were deleted.
Can you zip/password protect the detected files and upload here please?
Did the autorun.exe file show signs of ANY type of threat?
The file looked suspicious (was packed with Armadillo and has some anti-debug capabilities) but did not exhibit malicious behaviour.
have you tried installing the software to see if other files get infected during the install process
Yes. The installer was not a PK file, so the next easiest way to extract the files from it was to install the application. The file in question was contained within bootdisk.iso which was unpacked and scanned. The FP was found in the contents of the unpacked bootdisk.iso file.
Andy
0 -
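Andy's point above that the detection belonged to an inner object (autorun.exe inside bootdisk.iso) and that the log should say so, rather than blaming the installer, can be shown with a small sweep tool. The following is an added example, not Lavasoft's code and not anything the poster ran: it walks a directory, MD5-hashes every file, descends into zip archives using only the standard library (ISO and WIM containers would need a third-party parser, so they are assumed out of scope here), and reports any hash match with a `container!inner/path` label. The hash set defaults to the md5 quoted in this thread; `make_constructed_sample` builds a throwaway tree of constructed data so the sweep can be tried offline.

```python
"""Recursive hash sweep with container attribution (added example).

Reports matches as 'outer.zip!inner/path' so the record names the
inner object, not the archive or installer that contains it.
"""
import hashlib
import io
import os
import sys
import tempfile
import zipfile

# MD5 quoted in the thread for the autorun.exe that was detected in error.
KNOWN_FALSE_POSITIVE_MD5 = {"44ea31a350f662ad597c092a7bee2575"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _scan_bytes(display_path, data, wanted, hits):
    """Hash one blob; if the blob is itself a zip, recurse into its members."""
    digest = md5_hex(data)
    if digest in wanted:
        hits.append((display_path, digest))
    # Only zip containers are handled (stdlib); ISO/WIM are out of scope here.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner = f"{display_path}!{member.filename}"
                _scan_bytes(inner, zf.read(member), wanted, hits)


def find_hashes(root, wanted=KNOWN_FALSE_POSITIVE_MD5):
    """Return [(display_path, md5)] for every file under root whose MD5 is in wanted.

    Files nested in zip archives are reported with a 'container!member' path.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                _scan_bytes(path, fh.read(), wanted, hits)
    return hits


def make_constructed_sample():
    """Build a temp tree with constructed data: one plain file and one zip
    holding the same bytes under disk/autorun.exe. Returns (root, md5)."""
    root = tempfile.mkdtemp(prefix="hashsweep_")
    payload = b"constructed sample payload, not a real autorun.exe"
    with open(os.path.join(root, "plain.bin"), "wb") as fh:
        fh.write(payload)
    with zipfile.ZipFile(os.path.join(root, "installer.zip"), "w") as zf:
        zf.writestr("disk/autorun.exe", payload)
        zf.writestr("readme.txt", b"unrelated constructed content")
    return root, md5_hex(payload)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample()[0]
    for path, digest in find_hashes(target, KNOWN_FALSE_POSITIVE_MD5):
        print(digest, path)
```

Run it against an unpacked installer directory to confirm whether the autorun.exe you hold is the exact file discussed here; a hit printed as `installer.zip!disk/autorun.exe` is the kind of record the "InnerObject" bug report asks for, because it tells you which file inside the container matched rather than flagging the container itself.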
Hi Andy,
The other files I mentioned were from the Bootdisk.iso file, but when I recently lost internet access on my Win8 system, I deleted the 1st install of AdAware to eliminate the possibility it was blocking the access, and lost all the logs and Quarantined files from that installation.
I've since re-installed it, but no past logs are seen.
When AdAware v11 scanned the complete drive, that 1st time, ... and found all the files I mentioned with a virus, ... I tried using the option to disinfect, rather than Quarantine, or ignore.
After I did this, I noticed other versions of this File Recovery program were also gone from their folders, as well as the entire folder being gone as well.
I had another download of the updates to that original v9.5 (v10.5 and v11) --
--both of those were also removed from the drive when I selected the disinfect (or was it "clean") option.
No mention in the AdAware log of them being taken off, or that they're suspicious files, and no warning they'd be removed, either.
I know I put the files there because I downloaded the updates and put them on the D-drive.
I do have two screen captures now, of what seems like one of my directories being hidden.
I opened a program called MagicISO, and saw it opened at the location last used, to load the one ISO BootDisk file I still seem to have from v10, that only shows the folder of where it is, in the MagicISO program search tree. On the C-drive after the original installation.
If I look in that same location using the Windows file explorer, it doesn't show that folder.
How's that possible?
Could AdAware v11 have hidden the folders from view, somehow, when doing the disinfecting after the scan? If so, is it possible they're still there?
Also, are any of the previous scan reports still on the drive, from that 1st install of AdAware v11..?
I used the standard uninstall to remove it, and didn't delete the folder.
Then, we can view what it saw... If not, please view the next two photos, and tell me how I can't see the folder where the File Recovery v10.5 BootDisk.ISO is,... using the windows file explorer, ... but the MagicISO can see it... something happened with this version of AdAware that never happened before with the others....I know I had those files and folders on there..! And it's spooking me out.
Both captures taken at the same time.
MagicISO sees the location... "ISO With Registered Key"
---
Windows File Explorer doesn't see it.... Same location on both views..!
0 -
could AdAware v11 have hidden the folders from view, somehow, when doing the disinfecting after the scan?
No, Ad-Aware does not hide anything - just deletes & quarantines.
are any of the previous scan reports still on the drive, from that 1st install of AdAware v11..?
If Ad-Aware is uninstalled I believe all program data is uninstalled with it. In any case, historical detection info is stored in an SQLite database. Can you zip, password protect and upload the Scanner.db file located in C:\ProgramData\Lavasoft\Ad-Aware 11\History?
Andy
0 -
Hi Andy, I zipped the entire History Folder. (there are just 2 files in it)
I'll send you a PM with the password to unzip it.
0 -
Hi,
The databases did not contain any information about the detections you mentioned; just some cookie detections:
I rescanned the files installed by the application, including the unpacked ISO/WIM files - nothing was detected. I think we can consider this false positive report closed. Thanks for all the information you provided.
Andy
0 -
Hi,
OK... Thanks for looking.
If it's not the scanned install file that caused any folders with other files to be deleted, I can't help but feel AdAware v11 deleted them after using the "disinfect" option.
I did have other folders before that, - that are gone now.
even another totally different backup program from Western Digital (Acronis) was deleted, except for the original installer EXE.
Just the BootDisk.ISO and a USB Booter ISO I had saved in the same folder were gone.
maybe something is too aggressive with the "disinfect" option, and it removed all programs using the BootDisk.ISO's "autorun.exe" loader... I don't know, but I do remember having more directories and files listed under "A" and now it goes directly from these 2 "A" listings to "i" listings.
well... Anyway, luckily I had many on backup elsewhere, as well as being able to get the paid stuff downloaded from the company, LSoft...
but I still don't know if any others were also deleted, and lost forever, 'cause I didn't make a backup of all of my latest "D" drive stuff, at that time.
I do know, for sure, I'm not ever going to use the "Disinfect" option again, and I usually use the "Quarantine" instead, ...
Why I used disinfect that time, I'm still wondering.
0 -
Am I to assume my latest comment of having AdAware v11 remove, or hide several folders and files, on my hard drive, without giving prior notice, or indicate it in the logs, will be ignored by LS Andy and all the rest of LavaSoft personnel?
I can assure all of you I didn't imagine it, as shown in the attached photos (in an earlier post) of one such instance, where a file, and folder doesn't show in the file explorer, but is there when opened in a different program.
(this wasn't explained by Andy, just ignored too)
As a note to Andy... The program AdAware deleted, as well as the others.. ARE PAID FOR, and fully owned by me. Not pirated..! And they were deleted by your software after a scan..! That's a fact..!
the one I uploaded to you even shows my real name it's registered to. And CeciliaB can verify it's me, from when I sent her funds, as thanks for past help, thru PayPal, for a Pizza to her.
I'd like to know why this incident is seemingly being ignored, or brushed-OFF ???
It did happen, I'm not making it up.
0 -
Am I to assume my latest comment of having AdAware v11 remove, or hide several folders and files, on my hard drive, without giving prior notice, or indicate it in the logs, will be ignored by LS Andy and all the rest of LavaSoft personnel?
I think you're being somewhat harsh here. The FP was resolved.
Post #10 was very ’stream of consciousness’ and was difficult to see what you wished to say. I responded to it in post #11.
Post #12 contained the database I requested with post #13 being my post-investigation response. No additional files/folders were detected in my many tests, nor was there any evidence of any detection, beyond some cookies, in the SQLite database.
Post #14 appeared to be 'thinking out loud' - I must have missed what you intended to communicate.
I would really appreciate if you could be concise and provide details about the problem. I'm sure you understand that I need to be able to reproduce this to be able to help you. It is helpful if you format it like:
Description of problem: <concise description>
Steps to Reproduce
1. Install program
2. Update Ad-Aware
3. Etc
Any supporting info you can think of would be useful.
I can assure all of you I didn't imagine it, as shown in the attached photos (in an earlier post) of one such instance, where a file, and folder doesn't show in the file explorer, but is there when opened in a different program.
(this wasn't explained by Andy, just ignored too)
The false positive report was solved. The detected file was identified and subsequently removed from detection. The file is no longer being detected. Nothing that I interpreted as a request or question was ignored. Again, this is a bit harsh, no?
As a note to Andy... The program AdAware deleted, as well as the others.. ARE PAID FOR, and fully owned by me. Not pirated..! And they were deleted by your software after a scan..!
No-one said the programs were pirated or not owned by you. I am not disputing the FP occurred. I was able to recreate it.
That's a fact..!
If you can demonstrate the additional items that were detected and removed, I will investigate. With respect, thus far, I have no facts to go on - just your feeling that Ad-Aware did something.
When you say ‘they were deleted by your software’, kindly identify the files being detected and I will investigate.
I'd like to know why this incident is seemingly being ignored, or brushed-OFF ???
it did happen, I'm not making it up.
Nothing is being ignored and no-one said you were making anything up. The FP was resolved. I double checked the files installed by the installer and found no detection - the report was considered closed.
If there is something else being flagged, please provide the relevant information and I will investigate.
Andy
0 -
Hi,
Is "ISO..." a hidden file and you need to change folder settings to show hidden files to be able to see it in Windows Explorer?
0 -
Hi Andy, ...sorry for sounding a bit harsh... I was a bit freaked-out over seeing folders missing, and I just felt like the concerns regarding my files and folders being deleted, were being ignored after the false positive was settled.
I tried to explain as best as I could, being I had no log to reference, but stated in post #10 , where I attached the two screen captures of the strange occurrence. ...
... About the folder and file not showing when using windows file explorer, shows in the same location a different program sees it at when it opened at the last viewed location it worked with, ... I had hoped you'd understand what I was saying there.
Maybe it's the language difference... If so, I apologize.
This was why I also mentioned if AdAware v11 can hide folders from view if it thinks they're infected, or pirated.
I also mentioned one of the other programs deleted (Acronis) from Western Digital, in post #14
I stated the original install file wasn't removed, but rather just the BootDisk.ISO and the USB booter.ISO file were taken off.
And I also mentioned it seems as if AdAware v11 was going after all .ISO files where the autorun.exe file may have been in.
All the separate files from the File Recovery v9.5 install folder, copied to the D drive, were also removed, and the new updates v10.5 and v11.5 of that program were also removed, folder and files. And ISOs too.
As for mentioning I didn't pirate the file I uploaded to you...
That was because the name it was registered to, shown within the installed program, was different from the one I use on this forum, and I didn't want you to think I pirated it from someone else.
That's why I also mentioned CeciliaB as a reference. She knows my real name when I sent her a thank-you thru PayPal, last year.
This all happened when I used the "Disinfect" option rather than the "Quarantine" option I usually use, ...after it found the false positive in the autorun.exe file.
I don't know if other stuff was taken off, because I didn't make a backup before running the scan, but I did notice someone else on this forum has posted that all their archived eMails are gone too, so I'm thinking this v11 has some "aggression" that's set too high.
That other post of eMail being deleted, is here...
0 -
I just realized what else v11 took off, from my D drive
All the past v10 AdAware install files and the main storage folder I had them in.
0 -
Hi C C
Yes, I know about showing hidden files and folders, and have the setting ON for showing them, in my folder view.
In this instance, the ISO was not a hidden file. It was a Booter file of a CD Image and USB memory stick, the File Recovery program creates, so you can make a recovery disk or USB stick to scan the hard drive in case the computer crashes.
Same for the Acronis drive imager program from Western Digital.
What concerns me most is the fact AdAware didn't include these deleted files in its log, or quarantine area, when I viewed the report after the 1st scan.
I bet if I chose quarantine instead of disinfect, my files may still be restorable, but the ones that didn't show as being ready to quarantine may still have been taken off anyway.
I wish I tried quarantine, as I usually do, but it's too late now.
I just hope I helped LavaSoft find any misbehaving by AdAware v11, and can fix it before any wide-spread problems start to show.
0