Buckw1

Avast did it again!

20 posts in this topic

Today's Avast signature files cause a false positive when running .au3 files from the SciTE editor. Once detected, AutoIt is locked out.

Adding the AutoIt folder to the exclusions list will solve the issue till Avast fixes their mistake.

4/1/2007 7:23:24 PM SYSTEM 1732 Sign of "Win32:Sohanad-I [Wrm]" has been found in "C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" file.

4/1/2007 7:28:29 PM SYSTEM 1732 Sign of "Win32:Sohanad-I [Wrm]" has been found in "C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" file.

4/1/2007 10:02:51 PM Don 1732 Sign of "Win32:Sohanad-I [Wrm]" has been found in "C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" file.




I have exactly the same problem here with identical warnings right after avast! updated itself. Reading the forums here, it appeared to be a problem with the UPX packer.

I found that if you open this file, C:\AutoIt3\Aut2Exe\Aut2Exe.exe and click on "Compression" at the top and uncheck the option which says "UPX Compress .exe stub", the scripts you compile will no longer trigger the virus warning.

Before doing this, half my compiled scripts were setting off avast!. I deleted my scripts folder, recompiled and found that avast! no longer had a problem with any of them.

Turning off UPX made the files somewhat larger but it's a small price to pay to solve this problem.


Well one solution is what sleek mentioned, to turn off the compression, but then the executables won't be compressed....



Well one solution is what sleek mentioned, to turn off the compression, but then the executables won't be compressed....

On a small script the difference is hardly noticeable anyway. Besides, you actually gain a very minute bit of speed if the exe is not compressed. You could also compile and then run the exe through a different exe packer, it doesn't have to be UPX.

George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"


I'm getting the false positive too.

Before I saw the thread, I moved them all to chest :whistle:

Stupid Win32.Sohanad.I Virus.


Hmm, it appears the links that the worm sends out are all to a website registered by a Michael Seligman.

http://whois.domaintools.com/thecoolpics.com


"So man has sown the wind and reaped the world. Perhaps in the next few hours there will no remembrance of the past and no hope for the future that might have been." & _"All the works of man will be consumed in the great fire after which he was created." & _"And if there is a future for man, insensitive as he is, proud and defiant in his pursuit of power, let him resolve to live it lovingly, for he knows well how to do so." & _"Then he may say once more, 'Truly the light is sweet, and what a pleasant thing it is for the eyes to see the sun.'" - The Day the Earth Caught Fire


CURSE YOU MICHAEL SELIGMAN!

I haven't had any problems with False Positives.


And they've done it again today :) . The latest update reports a false positive of the AutoIt3Wrapper.exe. Shot off an email to them so hopefully a fix will be coming out soonish.


+1

also, send e-mail.


I noticed that the worm spreads through messenger, blocks taskmanager, and uses svhost to do its dirty work, but what I can't figure out is exactly why someone would go through so much trouble to create a virus that edits reg, forces copies of itself, and can con users into downloading more of itself, but all the damage they make it do is to block taskmanager and change your startup page. Really, I would call it a minor annoyance at the very most. I would think it would be easy to get rid of.

Where do virus creators get off anyways? What's the point? I think it's no more than childishness and I can compare it to some gangs that I've heard of that spend all their time throwing rocks through windows.

These people need to grow up and get a life and stop coding viruses because all it's going to do is land them in prison.


"If a vegetarian eats vegetables,What the heck does a humanitarian eat?"

"I hear voices in my head, but I ignore them and continue on killing."

"You have forced me to raise the indifference warning to beige, it's a beige alert people. As with all beige alerts please prepare to think about the possibility of caring."

An optimist says that giving someone power DOESN'T immediately turn them into a sadist. A pessimist says that giving someone power doesn't IMMEDIATELY turn them into a sadist.

 


:) lol, I just was thinking, it's weird, I have avast! and nothing is happening.. Then I looked down at my taskbar, there was a big x right over the avast! icon.. I forgot to turn it back on! So, I did, then just to see what would happen, I scanned my AutoitV3 Program files folder.

Things it Found:

1. C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe

2. C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper_GUI.exe

3. C:\Program Files\AutoIt3\SciTE\Defs\UpdateDefs.exe

4. C:\Program Files\AutoIt3\SciTE\SciteConfig.exe

I never knew I had over 4000 files in my Autoit Program Files dir

And I looked Autoit up on Avast! Forums, and they had 29 topics about it!

Edited by JustinReno


I have Avast! on some machines with AutoIt and no problems.

The danger, I think, is a virus infecting these files while we think that it's a false positive (a possibility, nothing else).

Maybe it sounds like paranoia, but I would check/reinstall these files. Or compare the size with this file. Just an idea.

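The check suggested in the last post can be made stricter than a size comparison. The following is an added example, not code from this thread or from AutoIt: it parses Avast log lines in the format quoted in the first post and compares each flagged file's SHA-256 against a baseline recorded from a clean install. The second sample log line, the stand-in temporary files, and the function names are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Log line format as quoted in the first post of this thread.
LOG_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')

# Sample input: first line is from the thread, second line is constructed.
SAMPLE_LOG = r'''4/1/2007 7:23:24 PM SYSTEM 1732 Sign of "Win32:Sohanad-I [Wrm]" has been found in "C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" file.
4/1/2007 10:02:51 PM Don 1732 Sign of "Win32:Sohanad-I [Wrm]" has been found in "C:\Program Files\AutoIt3\SciTE\SciteConfig.exe" file.'''

def flagged_files(log_text):
    """Return {path: set of signature names} parsed from the log text."""
    hits = {}
    for m in LOG_RE.finditer(log_text):
        hits.setdefault(m["path"], set()).add(m["sig"])
    return hits

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(flagged, baseline, resolve=lambda p: p):
    """Classify each flagged path against known-good hashes (baseline)."""
    verdicts = {}
    for path in flagged:
        local = Path(resolve(path))  # resolve maps a logged path to a readable file
        if path not in baseline:
            verdicts[path] = "no-baseline"       # cannot decide: get a clean reference
        elif not local.is_file():
            verdicts[path] = "missing"           # quarantined or deleted
        elif sha256_of(local) == baseline[path]:
            verdicts[path] = "matches-baseline"  # unchanged since clean install
        else:
            verdicts[path] = "MODIFIED"          # do not dismiss as a false positive
    return verdicts

def demo():
    """Constructed demo: temp files stand in for the installed binaries."""
    flagged = flagged_files(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        local = {p: Path(d) / p.rsplit("\\", 1)[-1] for p in flagged}
        for f in local.values():
            f.write_bytes(b"clean build of " + f.name.encode())
        baseline = {p: sha256_of(f) for p, f in local.items()}  # recorded when clean
        changed = next(p for p in flagged if p.endswith("SciteConfig.exe"))
        local[changed].write_bytes(local[changed].read_bytes() + b"appended bytes")
        return triage(flagged, baseline, resolve=local.get)
```

A "matches-baseline" verdict only says the file is unchanged since the baseline was taken, so the baseline has to come from a trusted installer rather than from the machine being checked.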
