Virus!?

Windows specific questions.
Mico
Posts: 165
Joined: Oct 14, 2005 6:09
Location: Italy

Virus!?

Postby Mico » Jan 02, 2015 18:23

Hi everyone!

While I haven't been an active user of this forum for a few years (not enough time, unfortunately!), I still know it's the only place where one can find advice about every FB-related issue.
Yesterday I noticed that a new version was available (1.01) and I installed it on my Win7 32 bit PC. I used the installer and no problems were reported. I also tried the new installation with a code snippet I was testing and it ran flawlessly.
Today I needed to binarize a data file (a GIS raster layer in ASCII format) and therefore I wrote a few lines of code to carry out the task. I saved the source and executed it without compiling. I was using FBIde 4.6.1, so the executable file was the good old FBIDETEMP.exe. As soon as the execution started, AVIRA popped up reporting that there was a virus (I was stupid not to take note of the name; it was something with crck or crack in it) in FBIDETEMP.exe. I was really puzzled, but I asked AVIRA to delete the file, as I thought that a second attempt would clarify the problem.
After deleting FBIDETEMP.exe, AVIRA suggested rebooting and carrying out a full scan, and I followed its advice, but when I rebooted a number of services (including all those about AVIRA and some others, I guess all of them in the Win notification area or in the sidebar) did not start because api-ms-win-downlevel-user-32-l1-1-0.dll was missing.
If I had had no problems with FBIDETEMP.exe my diagnosis would have been that my son had been messing around on my PC, but I cannot find a good reason for a virus in a FB executable, unless there is something in my PC that attaches some rogue code to any new exe.
Before trying a Win repair and new compilations, I booted Linux Mint from my USB3 pen drive and copied all my data files from the system disk (a Samsung 256Gb SSD) to another HD. Then I'll unplug the data HDs and try to repair the system, hoping that it is not infected. Any hint is more than welcome!

All the best, and have a great 2015,

Mico
dkl
Site Admin
Posts: 3209
Joined: Jul 28, 2005 14:45
Location: Germany

Re: Virus!?

Postby dkl » Jan 02, 2015 18:37

Hi,

this seems to happen a lot - AntiVirus software reporting FB .exes (or those of other programming languages) based on some heuristics/generic checks. Usually it's a false report.
Mico
Posts: 165
Joined: Oct 14, 2005 6:09
Location: Italy

Re: Virus!?

Postby Mico » Jan 02, 2015 20:31

Thanks, dkl!

I was pretty sure that FB was not involved in what happened and, if a fake virus alert was the only problem, I would not have been much concerned. The missing api-ms-win-downlevel-*-l1-1-0.dll files (I realized that *-user32-* is not the only missing dll), however, are a real problem because a number of programs (AVIRA, for instance) don't run and don't install. I'm afraid it is time for a fresh install in a system that ran perfectly for many years.

BTW, and here I'm going a bit off-topic (sorry!), I noticed that manually replacing those missing dlls seems impossible (regsvr32 does not work, because those dlls are missing!), and the only info that can be found about them is on rather suspicious web sites that promise fixes for a few dollars. I'm pretty sure it's a ...business that is run by the same people who managed to delete those dlls from my PC...
Mico
Posts: 165
Joined: Oct 14, 2005 6:09
Location: Italy

Re: Virus!?

Postby Mico » Feb 01, 2015 10:08

About one month ago my AVIRA found a virus in the FBIDETEMP.exe that was compiled while I was executing a small piece of code. When I tried to run AVIRA for a full scan, right after that detection, it turned out that several api-ms-win-downlevel-*-l1-1-0.dll (the * replaces several names) were missing and there was no way to repair the system. Then I formatted the disk, and re-installed Win 7 Ultimate.

I paid a lot of attention to what I was installing in the new system, and I bought an Orico HD power switch (ORICO HD-PW6101) in order to select which HDs are turned on at bootstrap. This way I have a (supposedly) clean Win 7 Ultimate 64 SSD, a disposable Win 7 Ultimate 64 HD for testing, a Linux Mint 17 32 bit HD and two data HDs. After about one month of smooth operation, unfortunately, something went wrong in the (supposedly) clean Win 7 system, and the virus alert with FBIDETEMP.exe struck back (the alert was for a TR/Crypt.XPACK.Gen). At the moment, there are no other effects, like missing dlls. What is really strange is that I did not install new software during the last 2-3 weeks.

According to AVIRA, TR/Crypt.XPACK.Gen is "A generic detection routine designed to detect common family characteristics shared in several variants. This special detection routine was developed in order to detect unknown variants and will be enhanced continuously." (and therefore a good candidate for false positive) and its damage potential is low.

I compiled the same piece of code on my laptop (Win 7 Pro 64) and it worked nicely with no virus alerts, while the FBIDETEMP.exe that triggered the virus alert was immediately detected as infected on the laptop and was 14k larger than the clean FBIDETEMP.exe compiled on the laptop. I checked the differences in the two exes, but they were too many to be easily understood. This means, however, that something wrong is linked to FBIDETEMP.exe when it is built on the infected (?) system. I assume it could be a false positive, but I don't want to live with this doubt.

What is really funny is that the virus alert in FBIDETEMP.exe was triggered by the addition of a specific piece of code (a PRINT followed by several variable names). If I remove that line, the resulting FBIDETEMP.exe is ok. But that was also what happened the first time I experienced the problem, before my system stopped working because of the missing dlls.

I ran a complete scan and found something wrong only in CodeBlocks_Fortran_v1.2_Win.zip ([DETECTION] Is the TR/Rogue.57856.20 Trojan). However, nothing wrong was reported in the unzipped CodeBlocks files and I have been using them for about 3 weeks without problems, so I don't think that detection (if true) is related to the FBIDETEMP.exe alert.

The bottom line is that I'm sure FB is not the cause of this problem, but it seems it has been affected twice by something that at least the first time was associated with lethal effects. Now I have a system image I made right after installation that I can restore, and I'll try to pay attention to what I add to the system, compiling the same FB piece of code that triggered the virus alert after each change (installation, updates, etc.).

More news as soon as I figure out what happened.
Tyr_Anassazi
Posts: 26
Joined: Jul 01, 2013 15:01
Location: Russia, Novosibirsk

Re: Virus!?

Postby Tyr_Anassazi » Feb 01, 2015 14:09

The 'Doctor Web' antivirus does the same false report, based on heuristics checks.
Mico
Posts: 165
Joined: Oct 14, 2005 6:09
Location: Italy

Re: Virus!?

Postby Mico » Feb 02, 2015 9:38

Tyr_Anassazi wrote: The 'Doctor Web' antivirus does the same false report, based on heuristics checks.


I think this is the only explanation, and I am glad to know I'm not the only one who got a virus alert. In fact, I checked the "infected" FBIDETEMP.exe by sending it to virustotal.com and it turned out that the only detection, out of 57 engines, was that from AVIRA. Moreover, I built an executable file from the same code that gave the "infected" FBIDETEMP.exe and it was clean. Then I compared the two byte by byte (file size was identical) and found only 5 bytes that didn't match (4 in a row + 1 in another location). I'm not a virus expert, but I would expect larger differences in case an executable incorporates some viral code. So I sent my source code, both executables and a report to AVIRA and I'm waiting for news, but I'm pretty sure it is a false positive.

Last minute: using the same code that resulted in the "infected" FBIDETEMP.exe, I was not able to reproduce the problem on my laptop (Win 7 Pro 64, while the desktop is Win 7 Ultimate 64), although the FBIDETEMP.exe it built was identical to the "infected" one. Then I checked my email and found news from AVIRA. They confirmed it was a false positive and I assume they already updated their virus definitions, because I updated AVIRA and now I am no longer able to reproduce the problem. Needless to say, I feel better now.
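As an added example (not code from the thread or from the FreeBASIC project), here is a small Python script that does the triage Mico describes: compare a "clean" build and a flagged build byte by byte, group the mismatches into runs with their offsets, and report SHA-256 hashes so each file can be looked up on VirusTotal by hash before deciding whether to upload it. The two sample "builds" are constructed bytes, not real executables.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash used to look a file up by digest on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def diff_runs(a: bytes, b: bytes) -> list:
    """Return [(offset, length), ...] for every run of differing bytes.

    The comparison is only meaningful for same-size builds, so a size
    mismatch (like the 14k difference seen earlier in the thread) is an
    error rather than something to silently truncate.
    """
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i          # open a new run of differences
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:          # run reaches the end of the file
        runs.append((start, len(a) - start))
    return runs


def compare_builds(clean: bytes, flagged: bytes) -> dict:
    """Summary a practitioner would attach to a false-positive report."""
    runs = diff_runs(clean, flagged)
    return {
        "clean_sha256": sha256_hex(clean),
        "flagged_sha256": sha256_hex(flagged),
        "differing_bytes": sum(n for _, n in runs),
        "runs": runs,
    }


# Constructed sample input: two 64-byte "builds" differing in one 4-byte
# run plus one isolated byte, mirroring the 4+1 pattern reported above.
CLEAN = bytes(range(64))
_tmp = bytearray(CLEAN)
_tmp[10:14] = b"\xff\xff\xff\xff"
_tmp[40] ^= 0x01
FLAGGED = bytes(_tmp)

if __name__ == "__main__":
    for key, value in compare_builds(CLEAN, FLAGGED).items():
        print(f"{key}: {value}")
```

For real files, read both with `open(path, "rb").read()` and pass them to `compare_builds`; a handful of scattered bytes points at a heuristic false positive, while a size change or a large appended region deserves a closer look.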
Lothar Schirm
Posts: 333
Joined: Sep 28, 2013 15:08
Location: Bavaria, Germany

Re: Virus!?

Postby Lothar Schirm » Feb 02, 2015 10:44

I had the same experience with AVIRA and PureBasic in the past. I solved the problem by configuring AVIRA so that the whole folder "PureBasic" and all subfolders were declared as an exception for the antivirus scanner. In the PureBasic forum, there are a lot of contributions saying that AVIRA produces false alarms when the compiled code is started. With FreeBasic I did not have this problem, but some time ago AVIRA produced a false alarm for FBEdit.exe in the FBEdit download zip file. Meanwhile I use Kaspersky instead of AVIRA, without such problems.
Boris the Old
Posts: 134
Joined: Feb 04, 2011 20:34
Location: Ontario, Canada

Re: Virus!?

Postby Boris the Old » Feb 02, 2015 17:35

I solve the whole problem of false positives and false negatives by not using anti-virus software. :-)
qbgenie
Posts: 4
Joined: Feb 18, 2015 3:37

Re: Virus!?

Postby qbgenie » Feb 18, 2015 8:48

I sell MMO products, and I have learned that the heuristic engines assume that compilers or scanners of any kind are out for no good,
because compilers behave like some malware: many viruses scan for files or boot sectors (in old viruses) to infect.
They are also looking for worms and spyware, which normal products can act like, hence the problem.
This happens more with Avast and McAfee AV. Go with AVG and it should solve a lot of your problems.
xbgtc
Posts: 157
Joined: Oct 14, 2007 5:40
Location: Australia

Re: Virus!?

Postby xbgtc » Mar 04, 2015 2:30

In one of my games I made, AVAST picked it up as a virus, a pretty bad one, and I thought WTF?? But it only flagged it as a virus when I moved or copied it - weird!

So I thought I'd try to track the problem in the .BAS file, which I thought would be hopeless. For some reason, a string containing 10 '@' characters at the beginning drew my attention, and sure enough, after replacing these with something else the EXE was clean and could be copied anywhere without flagging AVAST :)

Also, just the other day, AVAST found a virus, and it was 'TTFtoGfxLib.exe' in my old FreeBasic directory (some user-created program), and AVAST didn't mind it for years :)
