Possibly Infection On BC Hosted Download???


14 replies to this topic

#1 Guest_ArisMFighter_*

  • Guests

Posted 23 August 2014 - 04:24 PM

Hi. I had downloaded the open source program "GiveMePower" from this site on two computers. After that I did a scan with Emsisoft Emergency Kit and it found a hijacked registry key on both computers. So here is my question: is this a false positive on this registry key (which may have been made by "GiveMePower"), or is this infection real and BC, which hosts it, hasn't detected it yet??

I have the report pasted below:

___________________________________________________________________________________________________________
Emsisoft Emergency Kit - Version 9.0

Quarantine log

Date Source Event Infection/PUP
8/23/2014 9:00:50 PM Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE -> DEBUGGER Remove From Quarantine SecHijack (A) 2
8/23/2014 8:49:27 PM Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE -> DEBUGGER Move To Quarantine SecHijack (A) 1
___________________________________________________________________________________________________________

Thanks.





#2 Guest_ArisMFighter_*

  • Guests

Posted 24 August 2014 - 02:02 PM

Finally, this registry key was not an infection, it was just a trace of infection (spyware).

So the app is safe.

Thanks.



#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 August 2014 - 07:00 PM

BleepingComputer's hosted programs for download are trustworthy, safe and malware-free. However depending on the product some anti-virus software and other security tools may flag them (or certain embedded files) as a threat for a variety of reasons when that is not the case. In these instances the detection is a "false positive" and can be ignored.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 24 August 2014 - 07:59 PM

Hello -

This << seems to agree with the B.C. download link.

A quick "partial" quote from Wagnard ("as written"), Re : What is GiveMePower?
"GMP (GiveMePower) is a powerful and dangerous utility. It should only be used by users who known what they are doing.
Some application were not made to have this kind of system privilege and may / do react unexpectedly; so be careful."

 

Always read the full program details first ..........

 

"GiveMePower" from this site on two computers.

EDIT - You currently have an active post in Malware Removal Logs area,  and are being helped,  so please do not request answers outside of that area unless you request that the topic be closed.

Also - Unless you have more than 2 active computers (please say when you post) keep all posts / questions in your topic.

 

Thank You -


Edited by noknojon, 24 August 2014 - 08:13 PM.


#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 August 2014 - 08:28 PM

Some security scanners might classify and detect such a powerful program as a Risk Tool because the program has the potential for being misused by others.

Evil can be done with the Image File Execution Options key. Malware can install themselves as the "debugger" for a frequently-run program (such as Explorer) and thereby inject themselves into the execution sequence.

Beware the Image File Execution Options key

#6 rp88

  • Members
  • 2,980 posts
  • Gender:Not Telling

Posted 25 August 2014 - 10:29 AM

I once had a file from here LOOK malicious to my antivirus (Norton). I assumed it wasn't, so I reported it to them as a false positive. They quickly clarified it wasn't an infection after I had done that. If you are suspicious of a file from here, report it as a false positive to your antivirus company; it almost certainly is a false positive, not an infection, and getting them to check it over in greater detail will lead to them changing their definitions to avoid future downloaders of it getting the same scary message.


Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 August 2014 - 01:17 PM

If you confirm a false detection of a particular file, then you should contact the anti-virus vendor's Tech Support and advise them so their technicians can investigate and make corrections to its database definitions. Most anti-virus vendors have instructions for sample file submissions posted on their web sites. Once a file is received, a technician can examine it in more detail and provide a report letting you know the results. You should also contact and advise the program vendor that one of their files is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.

#8 Guest_ArisMFighter_*

  • Guests

Posted 27 August 2014 - 06:48 AM

Hello.

I had used GMP, and after that I ran a quick scan with Emsisoft Emergency Kit, and it detected this registry key when it was looking for malware traces. So this tool is safe, but it seems that it has a malware trace, maybe from a past infection. And I am 100% sure that the registry key Emsisoft detected was from GMP. Also, Emsisoft detected this on a quick scan after I had used GMP, and during the scan GMP was closed. So when I had used GMP, it had created a registry key that was still active after GMP had closed. This is suspicious. So it appears that this open source app is not infected, but just has a malware trace from the past. Or maybe it is Emsisoft's false positive on a registry key that GMP had created??

The registry key that GMP had created was still active after GMP had closed, and Emsisoft detected it when it was scanning for malware traces.

Thanks.


Edited by ArisMFighter, 27 August 2014 - 07:05 AM.


#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 August 2014 - 07:58 AM

The link I provided explains the IFEO key is used to force a program to run under a debugger regardless of how it is launched. Security scanners cannot distinguish between "good" and "malicious" use of powerful programs such as GMP, therefore they may alert you or even automatically remove them. That does not mean it's malware.
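Added example, not code from the thread, from GiveMePower or from Emsisoft: a small Python audit that implements the check quietman7 describes in posts #5 and #9. Any program whose Image File Execution Options (IFEO) subkey carries a Debugger value is started through that "debugger" regardless of how it is launched, so a defender wants a list of every such value and a judgement on whether it is expected. The script parses a `.reg` text export of the IFEO key so it runs offline; the allow-list of approved debugger images and the sample export (including the `unknown_helper.exe` path) are assumptions constructed for this example, not indicators from the thread.

```python
"""Audit IFEO 'Debugger' values from a .reg export (added example, not thread code).

Windows runs any program that has a Debugger value under its Image File
Execution Options subkey through that "debugger" no matter how it was started,
which is the mechanism behind the TASKMGR.EXE -> DEBUGGER detection above.
This script lists every program subkey in an exported IFEO key that carries a
Debugger value and flags debuggers that are not on an allow-list for review.
"""
import re
from dataclasses import dataclass

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Assumption for this example: debugger images the administrator has approved.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe"}

# Constructed sample export (regedit -> Export) for this example; the
# unknown_helper.exe path is a placeholder, not a real indicator.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Users\\Public\\unknown_helper.exe\" /quiet"
"""


@dataclass
class IfeoFinding:
    target: str     # program the IFEO subkey applies to, e.g. taskmgr.exe
    debugger: str   # Debugger value as stored (unescaped)
    image: str      # basename of the debugger executable, lower-cased
    verdict: str    # "expected" (on allow-list) or "review"


def _parse_reg_export(text):
    """Yield (key_path, {value_name: value}) for each [key] block of a .reg export."""
    key, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and key is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith('"') and val.endswith('"'):
                # REG_SZ values are quoted and escape backslashes and quotes.
                val = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            values[name] = val
    if key is not None:
        yield key, values


def _debugger_image(command):
    """Return the lower-cased file name of the first token of a Debugger value."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command.split() else command
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_ifeo(reg_text):
    """Return one IfeoFinding per direct IFEO program subkey that sets Debugger."""
    findings = []
    for key, values in _parse_reg_export(reg_text):
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        target = key[len(IFEO_PREFIX):].strip("\\")
        if not target or "\\" in target:   # skip the root key and nested subkeys
            continue
        debugger = values.get("Debugger")
        if debugger is None:
            continue
        image = _debugger_image(debugger)
        verdict = "expected" if image in KNOWN_DEBUGGERS else "review"
        findings.append(IfeoFinding(target, debugger, image, verdict))
    return findings


if __name__ == "__main__":
    import sys
    # A real export from `reg export` is UTF-16 with a BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in audit_ifeo(text):
        print(f"{f.verdict:8} {f.target:20} Debugger = {f.debugger}")
```

On a real machine, export the key first with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass that file as the argument; with no argument the script runs over the constructed sample, reporting `devenv.exe` as expected and `taskmgr.exe` for review. A Debugger value on a frequently used program whose target is not a debugger you installed is exactly the case a scanner reports as a hijack, and the verdict here is only as good as the allow-list you maintain.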

#10 Guest_ArisMFighter_*

  • Guests

Posted 27 August 2014 - 09:31 AM

Ok, now I understand. I will report this false positive to Emsisoft.

Thanks quietman7.



#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 August 2014 - 01:17 PM

You're welcome.

#12 electromage

  • Members
  • 1 posts

Posted 29 August 2014 - 05:59 PM

I'm getting this warning from clamav:

GiveMePower-v2.0.exe: Win.Trojan.644723 FOUND

 

This is safe to ignore then?



#13 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 29 August 2014 - 06:36 PM

From VirusTotal.
Detection ratio: 5 / 55
Antiy-AVL
ClamAV
Qihoo-360 < as heuristics only
TrendMicro-HouseCall < as Suspicious only
Zillya

But the ComboFix program will usually have more than this.

"GMP (GiveMePower) is a powerful and dangerous utility. It should only be used by users who known what they are doing.

NOTE: It is NOT a boy toy - only ever use it if you know what you are doing ... See above ...
 

Thank You -



#14 Guest_ArisMFighter_*

  • Guests

Posted 30 August 2014 - 08:35 AM

As we said before, GMP is safe and everything hosted here is safe. Also, yes, ComboFix should have a higher detection ratio, and lots of antivirus and antimalware programs should detect it as malware because of the strange behavior it has when scanning or deleting/removing malware.



#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 August 2014 - 01:10 PM

I'm getting this warning from clamav:
GiveMePower-v2.0.exe: Win.Trojan.644723 FOUND
 
This is safe to ignore then?

...contact the anti-virus vendor's Tech Support and advise them so their technicians can investigate and make corrections to its database definitions. Most anti-virus vendors have instructions for sample file submissions posted on their web sites. Once a file is received, a technician can examine it in more detail and provide a report letting you know the results. You should also contact and advise the program vendor that it is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.

