Andreas Bräu Posted October 4, 2006
Hi people,
since this morning I have a strange problem using compiled AutoIt scripts with the default icon. Every time I want to compile the script, McAfee pops up with a virus alert "Startpage-JR". If I use another icon than the default one, there are no problems.
Does anyone know this problem too?
Andi

franvarona Posted October 4, 2006
Hey, I have the same problem (see next topic), but I didn't know that it had something to do with the icon... How do you change the icon *before* compiling?
Thanks,
Fran Varona

Andreas Bräu Posted October 4, 2006
Use %program files%\AutoIt3\Aut2Exe\Aut2Exe.exe; there you can give some options to compile your script...
Andi

Swent Posted October 4, 2006
> Hi people,
> since this morning I have a strange problem using compiled AutoIt scripts with the default icon. Every time I want to compile the script, McAfee pops up with a virus alert "Startpage-JR". If I use another icon than the default one, there are no problems.
> Does anyone know this problem too?
> Andi
Or you just get a better virus scanner.

franvarona Posted October 4, 2006
Ok, I have tested it and if you use a custom icon, then McAfee doesn't detect the exe file as a virus. Incredible!! At least, I have a solution...

Andreas Bräu Posted October 4, 2006
Thank you for your answer... but I have no chance because McAfee was bought by our university, so I have to use it...

ChrisL Posted October 4, 2006
I always replace the upx.exe file in my installations with a dummy exe which does nothing, and I have never (touch wood) had any virus scanner pick out an AutoIT file as a virus. I'm not bothered about the little bit of extra size in my compiled scripts.

MHz Posted October 4, 2006 (edited October 4, 2006 by MHz)
> I always replace the upx.exe file in my installations with a dummy exe which does nothing, and I have never (touch wood) had any virus scanner pick out an AutoIT file as a virus. I'm not bothered about the little bit of extra size in my compiled scripts.
I have rarely lost a compiled executable UPXed. The blind blame game just continues without thought. Virus makers use UPX, but so do the 95 percent or so of other users, so in the short term, saying it is a solution is weak. The option now is that a different packer can be used to make a different signature for the common bin file used, which is the more suitable solution, but on the odd chance, so can the virus makers.

wkeeter Posted October 4, 2006 (edited October 4, 2006 by wkeeter)
McAfee released a dat yesterday, 4865, that started to delete my scripts. Not good at all. Roll back your dats to 4864. I have a call in with McAfee and they are looking into it. Short term solution. I will post back the results when McAfee gives me feedback.
Wayne

ChrisL Posted October 4, 2006
> I have rarely lost a compiled executable UPXed. The blind blame game just continues without thought. Virus makers use UPX, but so do the 95 percent or so of other users, so in the short term, saying it is a solution is weak. The option now is that a different packer can be used to make a different signature for the common bin file used, which is the more suitable solution, but on the odd chance, so can the virus makers.
Well, it seems to me that most of the idiots who try to write viruses with AutoIT are compiling them with the UPX packager, so it is the lame way in which the antivirus software is detecting them; by not using the UPX packager, so far mine have not been detected as a virus.
I can however tell you that someone else in our office had the issue of scripts being deleted, and when he remade them without the UPX he had no problem.
So I do not think that I am playing the blind blame game as you put it.

MHz Posted October 4, 2006
> So I do not think that I am playing the blind blame game as you put it.
My particular AV being used does not complain, so you tell me the difference.

dj9866 Posted October 4, 2006 (edited October 4, 2006 by dj9866)
Starting 10/03/2006, I also had the problem with McAfee detecting 'Startpage-JR' and deleting the AutoIT exe's. Recompiles fail. Turned off McAfee and turned on AVG Free Edition and the trojan isn't detected. Following SmOke_N's recommendation to use the latest beta release, I was able to return to McAfee and execute the compiles without any problem.

MrBeatnik Posted October 4, 2006
Just to confirm: http://vil.nai.com/vil/content/v_140658.htm
I am in contact with McAfee and AVERT now to try and resolve the issue; I'm not sure McAfee Gold support has that type of clout tho'.
Please correct me if I am wrong in any of my posts. I like learning from my mistakes too.

wkeeter Posted October 4, 2006
Update!!
Ok, today at 10:30am McAfee has sent me an extra.dat file that resolved this issue with dat version 4865.
My scripts are no longer being deleted.
I guess you should contact them for this file.
Wayne

ZipleR Posted October 4, 2006 (edited October 4, 2006 by ZipleR)
> Update!!
> Ok, today at 10:30am McAfee has sent me an extra.dat file that resolved this issue with dat version 4865.
> My scripts are no longer being deleted.
> I guess you should contact them for this file.
> Wayne
Would you be able to tell us anything else about the extra.dat so we can specifically request it when we call them? I sent them several compiled scripts they can "pick apart". The website you can submit .exe's to is www.webimmune.net
Just create an account, and click submit a file. In there, under Virus Name, enter 'StartPage-JR Trojan-FALSE DETECTION'.
The more people submit scripts (without your domain passwords), the quicker the problem will get resolved in a future dat release.

lawson23 Posted October 4, 2006
As I have made a submission to webimmune (Analysis ID: 2566204), I have now found that newly released dats today, 4866, no longer detect this as a virus.

ZipleR Posted October 4, 2006 (edited October 4, 2006 by ZipleR)
> As I have made a submission to webimmune (Analysis ID: 2566204), I have now found that newly released dats today, 4866, no longer detect this as a virus.
Just got off the phone with them. You are correct. 4866 fixes the problem.
Apparently if there is an extra.dat, those all get included in the next .dat release.

lawson23 Posted October 4, 2006
I know if I right click on my shield it says 'update now'.

wkeeter Posted October 4, 2006
If update now doesn't work then go here.
http://www.mcafee.com/apps/downloads/secur...updates/dat.asp
Wayne