Malware/Trojan in EAC installation file?, Microsoft Security Essentials says EAC installation file has a trojan
LANjackal
post Oct 1 2009, 00:18
Post #1





Group: Members
Posts: 731
Joined: 26-October 05
From: Various networks
Member No.: 25371



ohmy.gif

Not too sure what to make of this one, folks. I'm on Windows Vista Ultimate SP2 x64, running Microsoft Security Essentials as my antivirus. Tried downloading EAC both from the main and backup sources, and got this warning in both cases:



Anyone else seeing this? Any ideas?

Thanks
LJ


--------------------
EAC>1)fb2k>LAME3.99 -V 0 --vbr-new>WMP12 2)MAC-Extra High
andy o
post Oct 1 2009, 00:22
Post #2





Group: Members
Posts: 1333
Joined: 14-April 09
Member No.: 68950



You can upload the offending file to www.virustotal.com to see what the other AV's have to say about it. It's probably just a false positive.
tpijag
post Oct 1 2009, 00:25
Post #3





Group: Members
Posts: 2353
Joined: 19-May 08
Member No.: 53637



Additional info.

http://www.wilderssecurity.com/showthread.php?p=1546569


terry
LANjackal
post Oct 1 2009, 01:55
Post #4





Group: Members
Posts: 731
Joined: 26-October 05
From: Various networks
Member No.: 25371



Thanks for the info, guys smile.gif


--------------------
EAC>1)fb2k>LAME3.99 -V 0 --vbr-new>WMP12 2)MAC-Extra High
Arnold B. Kruege...
post Oct 1 2009, 02:17
Post #5





Group: Members
Posts: 4014
Joined: 29-October 08
From: USA, 48236
Member No.: 61311



QUOTE (LANjackal @ Sep 30 2009, 19:18) *
ohmy.gif

Not too sure what to make of this one, folks. I'm on Windows Vista Ultimate SP2 x64, running Microsoft Security Essentials as my antivirus. Tried downloading EAC both from the main and backup sources, and got this warning in both cases:



Anyone else seeing this? Any ideas?

Thanks
LJ



I checked a file of the same name from the EAC site with Norton Internet security and no problems.
LANjackal
post Oct 1 2009, 04:00
Post #6





Group: Members
Posts: 731
Joined: 26-October 05
From: Various networks
Member No.: 25371



Checked on my home laptop: Windows Vista Home Premium SP1 32-bit with NOD32, which also immediately quarantined the download as suggested by tpijag's link.

As much as I like EAC, I'm gonna have to demand that the developer do something about this. Being flagged by 2 AV programs - especially NOD32, with its stellar reputation - is a huge problem IMO.

dBPowerAmp anyone?

This post has been edited by LANjackal: Oct 1 2009, 04:04


--------------------
EAC>1)fb2k>LAME3.99 -V 0 --vbr-new>WMP12 2)MAC-Extra High
andy o
post Oct 1 2009, 04:35
Post #7





Group: Members
Posts: 1333
Joined: 14-April 09
Member No.: 68950



QUOTE (LANjackal @ Sep 30 2009, 20:00) *
Checked on my home laptop: Windows Vista Home Premium SP1 32-bit with NOD32, which also immediately quarantined the download as suggested by tpijag's link.

As much as I like EAC, I'm gonna have to demand that the developer do something about this. Being flagged by 2 AV programs - especially NOD32, with its stellar reputation - is a huge problem IMO.

dBPowerAmp anyone?

It's not a big problem though. It's one of those adware that you need to uncheck at installation. Probably a necessary evil if you want free apps.
Pulse
post Oct 1 2009, 04:36
Post #8





Group: Members
Posts: 3
Joined: 1-October 09
Member No.: 73607



This is far from a huge problem and certainly does not warrant "demands" of the developer or switching to another product. False positives are a common thing and the developer will likely look into it, or the problem will go away in future virus definition updates. In fact, two online virus scanners, Jotti's malware scan and VirusTotal that scan uploaded files using a battery of scanners (NOD32, Avast, Kaspersky, etc.) report 0/21 and 1/41 positives, respectively.

EAC is a phenomenal program and something like a false positive sprouting up is something out of André's hands. Where's the love? wink.gif

greynol
post Oct 1 2009, 17:30
Post #9





Group: Super Moderator
Posts: 10085
Joined: 1-April 04
From: San Francisco
Member No.: 13167



I hope you guys realize that discussing this on HA will not bring any resolution to the issue.


--------------------
Your eyes cannot hear.
Andavari
post Oct 1 2009, 18:17
Post #10





Group: Members
Posts: 935
Joined: 3-June 02
From: USA
Member No.: 2204



Malwarebytes' Anti-Malware ("MBAM") also detects it after unpacking the setup file, with this:
QUOTE
...\eac-0.99pb5\$TEMP\eBay_shortcuts_1026.exe (Adware.ADON) -> No action taken.


Very Simple Solution:
Unpack the EAC installer with 7-Zip, and delete the eBay Shortcuts add-on. You'll of course then have to manually install EAC, or make your own installer for it with for example Inno Setup, NSIS, etc., or just 7z or ZIP it should you need to install it again.

These little money making add-ons get tons of software tagged as malware, however both Avast and a-squared Free don't detect anything.

I just wish Andre would also offer a ZIP file for downloading.


--------------------
Complexity of incoherent design.
kiit
post Oct 1 2009, 18:31
Post #11





Group: Members
Posts: 125
Joined: 9-October 03
From: Washington D.C.
Member No.: 9229



QUOTE (Andavari @ Oct 1 2009, 09:17) *
Malwarebytes' Anti-Malware ("MBAM") also detects it after unpacking the setup file, with this:
QUOTE
...\eac-0.99pb5\$TEMP\eBay_shortcuts_1026.exe (Adware.ADON) -> No action taken.


These little money making add-ons get tons of software tagged as malware, however both Avast and a-squared Free don't detect anything.


Avast, along with Malwarebytes and MSE, certainly flagged EAC for me. I realize it's the e-bay shortcuts adware (MSE reports it as a named trojan though, much more serious than adware) causing the issue. I think it is a very bad idea to recommend a software as highly as hydrogenaudio does that contains problem files like this. I doubt any of my friends that I have recommended EAC to did anything other than install it with the default options.. making their infections my fault which I now get to deal with.

Hydrogenaudio should have a prominent warning about this issue in the wiki page. I doubt any amount of complaints to the author will change anything. Perhaps someone with more knowledge could repack the thing, but until then it is off my list of recommended programs to my less than expert friends, sad.

(edit: Ah, Avast doesn't detect it for me, my mistake.)

This post has been edited by kiit: Oct 1 2009, 18:52
john33
post Oct 2 2009, 10:32
Post #12


xcLame and OggDropXPd Developer


Group: Developer
Posts: 3761
Joined: 30-September 01
From: Bracknell, UK
Member No.: 111



For those who may be concerned, you will find simple .zip archives at Rarewares of PreBeta 4 and PreBeta 5 that avoid the need to use the installers. smile.gif


--------------------
John
----------------------------------------------------------------
My compiles and utilities are at http://www.rarewares.org/
herefornow
post Oct 2 2009, 11:16
Post #13





Group: Members
Posts: 96
Joined: 19-July 03
Member No.: 7866



Thanks john33.


--------------------
cast out...
Jean Tourrilhes
post Oct 2 2009, 17:24
Post #14





Group: Members
Posts: 37
Joined: 13-March 08
Member No.: 52008



QUOTE (kiit @ Oct 1 2009, 10:31) *
Avast, along with Malwarebytes and MSE, certainly flagged EAC for me. I realize it's the e-bay shortcuts adware (MSE reports it as a named trojan though, much more serious than adware) causing the issue. I think it is a very bad idea to recommend a software as highly as hydrogenaudio does that contains problem files like this. I doubt any of my friends that I have recommended EAC to did anything other than install it with the default options.. making their infections my fault which I now get to deal with.


Personally, I would never recommend EAC to people unable to uncheck the e-bay shortcut in the installer. EAC is IMHO opinion not a program one can install without using brain cells, I would argue that EAC can not be used properly with the default options, one has to make sure that it is configured properly for the drive and type of extraction.

For example, some EAC options that *must* be changed prior to using are "null samples for CRC" and "automatically write status report". Add to that "starting compressors in the background". And that's not even getting in the FLAC vs. MP3 and burst vs. secure vs. C2.

Note that EAC is not alone. For every Java update, which tends to happen quite frequently lately, I need to make sure to disable the Yahoo toolbar in the installer. Obviously, I don't remember it on every update on every computer, so I have to remove it using "remove program". It's not that hard, but it's still a pain. To me, what Java does is more obnoxious than what EAC does. Sorry to have picked on Java, but I don't use Apple stuff, which looks to be very pushy as well. I guess this is the world we live in...

QUOTE (kiit @ Oct 1 2009, 10:31) *
Hydrogenaudio should have a prominent warning about this issue in the wiki page. I doubt any amount of complaints to the author will change anything.


Yep, that should be in one of the many user guides for EAC. But, I would not worry about it much more than the many other EAC configuration pitfalls, no need to make it a big deal.

Regards,

Jean
Squeller
post Oct 2 2009, 18:12
Post #15





Group: Members
Posts: 2351
Joined: 28-August 02
Member No.: 3218



FYI, besides the typical uploading, you can also send MD5/SHA1 of files to http://virusscan.jotti.org/hashsearch.php which is a timesaver if the file has already been scanned before.
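
An added example, not part of the thread: posts #10 and #15 together suggest unpacking the installer and looking files up by MD5/SHA1. This sketch inventories every PE executable under an already-unpacked directory with both hashes, so each bundled component can be looked up on its own; the tree and file names built by `build_sample_tree` are constructed for the demo.

```python
import hashlib
import os
import tempfile

def file_hashes(path, chunk=1 << 16):
    """Stream the file once; return MD5 and SHA-1 hex digests for a hash lookup."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def is_pe(path):
    """True when the file starts with 'MZ' and has a PE signature at e_lfanew."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        fh.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return fh.read(4) == b"PE\0\0"

def inventory(root):
    """Return one record (relative path, md5, sha1) per PE file under root."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_pe(path):
                rec = {"path": os.path.relpath(path, root)}
                rec.update(file_hashes(path))
                records.append(rec)
    return sorted(records, key=lambda r: r["path"])

def build_sample_tree():
    """Constructed stand-in for an unpacked installer: two PE stubs, one text file."""
    root = tempfile.mkdtemp(prefix="unpacked_")
    stub = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
    os.makedirs(os.path.join(root, "$TEMP"))
    samples = [("app.exe", stub + b"A"), ("readme.txt", b"MZ not really"),
               (os.path.join("$TEMP", "addon.exe"), stub + b"B")]
    for rel, data in samples:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rec in inventory(build_sample_tree()):
        print(rec["md5"], rec["sha1"], rec["path"])
```

Point `inventory()` at the folder 7-Zip extracted to; a detection that follows one component's hash rather than the whole installer shows which bundled file the scanner is objecting to.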
trout
post Oct 2 2009, 19:13
Post #16





Group: Members
Posts: 425
Joined: 26-March 09
Member No.: 68400



QUOTE (Andre Wiethoff @ 31 Jan 2008)
Today I released 0.99 prebeta 4 ...
... I have included a desktop and quick launch bar icon in the installer which link to eBay. As the advertisements on the homepage dropped by a great amount over the last year, I decided to try to go this way. I hope that you can understand my decision! Anyway, the icons are created only on the installation of EAC and their installation can be easily prevented by deselecting the eBay component within the EAC installer. The EAC application itself is still completely free from advertisement or spyware (and will be)!
I hope that you will like the new version nevertheless!

- from the EAC homepage, and the official forum
http://www.exactaudiocopy.de/en/index.php/...-new/whats-new/
http://www.digital-inn.de/exact-audio-copy...html#post131378

I'm surprised it took 20 months for a complaint to arise! Personally, I don't care about this since it's rather obvious that I don't need anything related to Ebay to be installed with EAC and can opt-out.
Andavari
post Oct 8 2009, 21:30
Post #17





Group: Members
Posts: 935
Joined: 3-June 02
From: USA
Member No.: 2204



QUOTE (trout @ Oct 2 2009, 13:13) *
I don't care about this since it's rather obvious that I don't need anything related to Ebay to be installed with EAC and can opt-out.

It's not really a big deal with EAC since there's the ability to opt out. A lot of software now has some unnecessary adware piggy backing in the setup which is included with it from eBay Shortcuts to some toolbar.

However some software even though you can opt out will still start the offending file hidden in the background (that's detected as malware), which can do who knows what while it's resident - possibly checking to see if it's already installed, writing app data or registry data, creating bookmarks, or something more nefarious like changing the browser start/home page, etc.

I don't like any of it one bit, but if it keeps cherished freeware apps free, then it's worth dealing with but only if the installers can be unpacked with 7-Zip or even Universal Extractor to avoid the unnecessary add-on.


--------------------
Complexity of incoherent design.
mb3
post Nov 7 2009, 04:43
Post #18





Group: Members
Posts: 1
Joined: 7-November 09
Member No.: 74705



this must have just gotten flagged by all of the antivirus softwares as all of the threads i found are recent (since i googled this after Norton removed my installer exe as a trojan).
i'm sure that this will have to be addressed in a lot of wikis and forums for other sites that heavily promote this software (for good reason, of course).
i won't quit using it, but it's crazy that i have to go to somewhere and get a 3rd party repack zip to retain a copy of the installer on my computer. what's strange tho, is that this one at least can be opted out of and the opt out works, unlike others that never get flagged as malware even tho you have to untick things like "make hassle search your homepage" 2-3 times each for the same items, and then you restart your browser and a new homepage comes up (and often even screws up default dl location, since mine is not factory default).
it's unfortunate that andre has even had to support his site and program with such ill company. eac is still the best, though, hands down.
mdefranc
post Nov 7 2009, 06:19
Post #19





Group: Members (Donating)
Posts: 49
Joined: 15-October 01
From: Midwest
Member No.: 295



On Monday, MS OneCare spotted EAC's eBay shortcut.

I think it's classed as a trojan because there's no disclosure that the shortcut actually detours to a certain designated server before being sent to the eBay server. If you know that first server is harmless, then no problem. If not, then keep the eBay shortcut off your machine.
spoon
post Nov 7 2009, 22:08
Post #20


dBpowerAMP developer


Group: Developer (Donating)
Posts: 2752
Joined: 24-March 02
Member No.: 1615



According to this site:

http://spywarefiles.prevx.com/RRJGFJ448253...S_1026.EXE.html

It:

Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing

But I think the 2nd one is false, as there is nothing in the list of files that are opened which indicate access to the address book. Not sure why it is opening autoexec.bat though.

(my interest in this is because I have EAC installed, not because EAC is a rival program)

This post has been edited by spoon: Nov 7 2009, 22:09


--------------------
Spoon http://www.dbpoweramp.com
Engelsstaub
post Feb 17 2010, 08:13
Post #21





Group: Members
Posts: 566
Joined: 16-February 10
Member No.: 78200



"I hope you guys realize that discussing this on HA will not bring any resolution to the issue."

I completely understand what you mean, but I appreciate that this is being discussed somewhere. I've been having these problems as well. It doesn't matter how polite my emails are and/or in German or English: there is no response or tech support. I know it is a free program. I love it and would gladly pay to not have to deal with this.

Much of this has been helpful to me in that I now somewhat understand what is going on with my favorite program. Thanks guys.


--------------------
The Loudness War is over. Now it's a hopeless occupation.
hellokeith
post Feb 18 2010, 02:58
Post #22





Group: Members
Posts: 288
Joined: 14-August 06
Member No.: 34027



The funny part is that the "sponsored" links direct from the EAC website say that the file is infected. I installed it anyway on my XP machine and haven't had any adverse effects. Though for sure this will substantially reduce EAC's audience, as no one I know would install a program that a reasonably trusted website says is infected.
greynol
post Feb 18 2010, 03:13
Post #23





Group: Super Moderator
Posts: 10085
Joined: 1-April 04
From: San Francisco
Member No.: 13167



Andre has made an announcement:
http://www.digital-inn.de/exact-audio-copy...html#post145789


--------------------
Your eyes cannot hear.
Engelsstaub
post Feb 18 2010, 05:55
Post #24





Group: Members
Posts: 566
Joined: 16-February 10
Member No.: 78200



QUOTE (greynol @ Feb 17 2010, 20:13) *


Thanks, greynol. That was very helpful smile.gif Saved me some ill-spent hours scouring "teh internets" for an authoritative response.


--------------------
The Loudness War is over. Now it's a hopeless occupation.
