Webroot SpySweer detects Trojan horse in V3

[Guest gilles_stp]

Hi!

I don't know where is the problem, whether it's in Webroot's SpySweeper (latest version, spyware definitions up to date) or if AutoIt V3 (latest version downloaded on 2005/07/29) has the trojan horse detected by SpySweeper, but even after downloading a fresh version of Autoit V3 from your site, if I start a scan, SpySweeper points every time to AutoIt3.exe, signals the presence of a Trojan horse and wants to remove AutoIt3.exe and every link pointing to it !

Webroot SpySweeper's version is : "Program Version 4.0.3 (Build 359) Using Spyware Definitions 506".

Here is a partial log :

21:03:  Found Trojan Horse: trojan downloader matcash

21:03:  autoit3.exe (ID = 119348)

21:03:  run script.lnk (ID = 119348)

21:03:  check for updates.lnk (ID = 119348)

21:03: File Sweep Complete, Elapsed Time: 00:01:14

21:03: Full Sweep has completed.  Elapsed time 00:03:43

21:03: Traces Found: 3

********

And this is what SpySweeper says when it looks at AutoIt3.exe or any link pointing to it:

Step 2: Remove

Select items to remove and hold in the quarantine folder

  trojan downloader matcash

  c:\program files\autoit3\autoit3.exe

  c: \documents and settings\all users\start menu\programs\utilitaires\autoit v3\run script.lnk

  c: \documents and settings\all users\start menu\programs\utilitaires\autoit v3\extras\check for updates.ink

View more details online  Select All  Deselect All                              Next >

Details

Name: trojan downloader matcash

Location: 3 traces found in various locations.

Fingerprint Type: Exact Match    Category:  Trojan Horse

Full Sweep has completed. Elapsed time 00:03:43

Traces Found: 3

Trojan downloader matcash (Trojan Horse)

Trojan Downloader Matcash is a downloader that may download other treats on your computer.

Thanks for looking at it!

Gilles

[LxP]

Unfortunately this is a show of ignorance on the anti-virus vendors' part.

To put it simply, some people use AutoIt to create compiled scripts that act like viruses. Virus vendors then see a piece of code within the script common to all compiled AutoIt scripts and mark any file containing that code as a virus.

I would suggest instructing your vendor that this is a false alarm. Here are some links to similar threads for more information:

• http://www.autoitscript.com/forum/index.php?showtopic=13179
• http://www.autoitscript.com/forum/index.php?showtopic=13133
• http://www.autoitscript.com/forum/index.php?showtopic=11709
• http://www.autoitscript.com/forum/index.php?showtopic=10433
• http://www.autoitscript.com/forum/index.php?showtopic=7635

[LxP]

Thanks for taking the time to inform us of this though, Gilles!

Alex, I slightly disagree with you -- it's not really a matter of ignorance. It wouldn't be fair for anti-virus vendors to have to examine every piece of submitted code for a common base, but on the other hand they should be expected to remove AutoIt-related virus alerts from their databases when they are better informed.

To the Documentation Force: this kind of scenario is an ugly reality that won't go away. Perhaps some mentioning of this should be done somewhere on the AutoIt website so that considerate people such as Gilles don't waste their time registering on the boards to alert us of another false alarm.

[buzz44]

What the .

[Jon]

I've had a couple of initial emails from CA and Kaspersky asking about AutoItscript formats - so we'll see if there is anything I can do to help those AV programs to not jump all over AutoIt scripts...

[Frozenyam]

Maybe you should use Lavasoft's Ad-aware instead. It certainly seems to work better, does an active scan... and best of all, doesn't complain about AutoIT v3 in anyway shape or form.

[w0uter]

use hitman pro its coded mainly in autoit.

it uses like 4+ different spyware programs.

including ad-aware.

[Jon]

To the original poster:

http://support.webroot.com/ics/support/KBA...questionID=2072

"Resolution 2" on that link tells you how to tell webroot that AutoIt is not spyware.

[w0uter]

@ Jon

i get an "session expired" error

[Mosquitos]

I have the same problem

[Jon]

K, Try this:

goto: http://support.webroot.com/ics/support/KBL...asp?folderID=15

Then select item "7. How can I stop Spy Sweeper from quarantining a particular product?"

And follow the instructions in there for telling them autoit is not spyware. Hopefully they will remove it in their next update.

[LxP]

K, Try this:

goto: http://support.webroot.com/ics/support/KBL...asp?folderID=15

Then select item "7. How can I stop Spy Sweeper from quarantining a particular product?"

Unbelievable -- Jon's perfectly-formed URL doesn't work as a point of entry to the site. I can't imagine what their software's like if you can't even link to a Knowledge Base article directly.

Webroot Support Center > Spy Sweeper (link list on left) > 7. How can I stop Spy Sweeper from quarantining a particular product?