
HyperSpin install, potential virus infection


the_book


On 4/4/2014 at 1:37 AM, DamnedRegistrations said:

You honestly think we'd all be here, doing the work that we do while using virus infected software? Come on, use some common sense and have a look around.

It's called a false positive, something most AV programs can't seem to distinguish from real threats. Tell your silly program to ignore them and relax. There are no trojans, viruses or any such infections in HyperSpin.

No, I would honestly think you would take the very simple steps that would get it unflagged.

Oh, I see why you get flagged: why the heck would you need to hook the Windows station DLL or look at the boot options registry? No wonder you are getting flagged.

Also, WTF would you be touching the DW branch of the registry? Highly suspicious. I am not saying you intended to do these things from a malicious perspective, but I am not clear why you are annoyed at the AV vendors; fix up your code like everyone else. This has got nothing to do with using scripts to run the games, as is being claimed.

I submitted an incorrect detection submission to MS on your behalf.

File system actions

Files opened

  • C:\WINDOWS\system32\winime32.dll
  • C:\WINDOWS\system32\ws2_32.dll
  • C:\WINDOWS\system32\ws2help.dll
  • C:\WINDOWS\system32\psapi.dll
  • C:\WINDOWS\system32\imm32.dll
  • C:\WINDOWS\system32\lpk.dll
  • C:\WINDOWS\system32\usp10.dll
  • C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe
  • C:\WINDOWS\system32\faultrep.dll
  • C:\WINDOWS\system32\winsta.dll

Registry actions

Registry keys opened

  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
  • \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  • \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings

Registry keys deleted

  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
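Most of the registry keys in the report above are ones Windows itself touches for every process rather than ones the application has to ask for: the loader consults Image File Execution Options for the image being started, the Software Restriction Policy check reads the Safer\CodeIdentifiers keys and the SafeBoot\Option key, and AeDebug and the PCHealth\ErrorReporting\DW keys belong to the XP-era error reporting path (faultrep.dll appears in the list of files opened). What a reviewer still has to account for is anything that is not a plain read, here the two deletes, plus the executable run from a Temp subfolder. The following Python script is an added triage example, not code from the thread or from the HyperSpin project: it re-types the registry section of the report as a constructed sample, and its category table is this example's own policy (an assumption, not a Microsoft or AV-vendor whitelist).

```python
"""Triage a sandbox registry report: separate loader/crash-reporting reads
from the actions an analyst still has to explain.

Added example, not HyperSpin's code. The RULES table is this script's own
triage policy and is an assumption; a match means "Windows touches this key
for every process", it does not clear the binary.
"""
import re
from collections import Counter

# Constructed sample: the registry section of the report pasted in the thread.
SAMPLE_REPORT = r"""
Registry actions

Registry keys opened

  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
  • \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  • \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings

Registry keys deleted

  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
"""

# (regex over the normalised path, category). Order matters: first match wins.
RULES = [
    (r"^hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\",
     "loader: IFEO lookup"),
    (r"^hklm\\system\\currentcontrolset\\control\\safeboot\\option",
     "loader: safe-mode check"),
    (r"^hk(?:lm|u)\\software\\policies\\microsoft\\windows\\safer\\codeidentifiers",
     "loader: software restriction policy"),
    (r"^hklm\\software\\microsoft\\windows nt\\currentversion\\aedebug",
     "error reporting: AeDebug"),
    (r"^hklm\\software\\microsoft\\pchealth\\errorreporting\\",
     "error reporting: Dr. Watson/WER"),
    (r"^hku\\software\\microsoft\\windows\\currentversion\\explorer\\user shell folders\\",
     "shell: known folder lookup"),
]

_PREFIX_RE = re.compile(r"^\\registry\\(machine|user\\s-[\d-]+)\\", re.IGNORECASE)
_SECTION_RE = re.compile(r"^Registry keys (\w+)\s*$")
_BULLET_RE = re.compile(r"^\s*[•*-]\s+(.+?)\s*$")


def normalize(path):
    """Lower-case a native (\\Registry\\...) path and fold the hive to hklm/hku."""
    p = path.strip().lower()
    m = _PREFIX_RE.match(p)
    if not m:
        return p
    hive = "hklm" if m.group(1) == "machine" else "hku"
    return hive + "\\" + p[m.end():]


def classify(path):
    """Return the policy category for one key path, or 'unclassified'."""
    norm = normalize(path)
    for pattern, category in RULES:
        if re.match(pattern, norm):
            return category
    return "unclassified"


def parse_report(text):
    """Yield (action, path) pairs from each 'Registry keys <action>' section."""
    action = None
    for line in text.splitlines():
        sec = _SECTION_RE.match(line)
        if sec:
            action = sec.group(1).lower()
            continue
        bullet = _BULLET_RE.match(line)
        if bullet and action:
            yield action, bullet.group(1)


def triage(text):
    """Classify every event; return (events, per-category counts, needs_review)."""
    events = [(action, path, classify(path)) for action, path in parse_report(text)]
    summary = Counter(cat for _, _, cat in events)
    # Anything other than a read, or anything the policy does not recognise,
    # is what the analyst still has to explain.
    needs_review = [e for e in events if e[0] != "opened" or e[2] == "unclassified"]
    return events, summary, needs_review


if __name__ == "__main__":
    _, summary, review = triage(SAMPLE_REPORT)
    for category, count in summary.most_common():
        print(f"{count:2d}  {category}")
    print("needs review:")
    for action, path, category in review:
        print(f"  {action:8s} {path}  [{category}]")
```

Run against the pasted report it classifies all ten reads as loader, SRP, error-reporting or shell-folder lookups and leaves only the two PCHealth\ErrorReporting\DW deletes for review; a genuinely suspicious sample (a key under ...\CurrentVersion\Run, say) falls through to "unclassified" and is surfaced the same way.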

5 hours ago, Andyman said:

You're griping at the wrong folks, friend. We're just users of HyperSpin, same as you.

Umm, I think the person I quoted was one of the devs of HyperSpin, so I'm pretty sure I am targeting the right person, well, maybe? They certainly sounded authoritative. Either way, that person was a little arrogant and unhelpful; they are a little obtuse. Took me all of a few hours to get this fixed for y'all.

Anyhoo, I got Microsoft to update the signatures; as of now Windows 10 Defender won't report it as malware. Ain't rocket science to get this stuff changed, and hilarious this community has been living with this for so many years, lol.

Latest definitions

The latest antimalware definitions file is as follows:

  • Version: 1.283.1107.0
  • Released: Dec 20, 2018 08:53 PM UTC

Submission ID: a0bba16b-824c-41b6-8ca5-<redacted>

Status: Completed

Submitted by: <redacted>

Submitted: Dec 20, 2018 4:05:44 PM

User Opinion: Incorrect detection

Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

 

Thank you for contacting Microsoft.


I did not know that Microsoft dbs could be updated by users requests like that. Thought that users would have to either live with it, or wait for devs to recode it. Awesome job @Scyto.

This makes me very happy, but extremely sad at the same time, knowing that a simple fix could have avoided lots of problems and users troubleshooting, and that nobody (if known about this way of whitelisting) did something about it, until now. 


2 hours ago, Kondorito said:

I did not know that Microsoft dbs could be updated by users requests like that. Thought that users would have to either live with it, or wait for devs to recode it. Awesome job @Scyto.

This makes me very happy, but extremely sad at the same time, knowing that a simple fix could have avoided lots of problems and users troubleshooting, and that nobody (if known about this way of whitelisting) did something about it, until now. 

Don't beat yourself up, I have an unfair advantage: I live near zip 98052 and worked for MS for a decade, so I tend to know what can and can't be done.... I even once emailed Ballmer (this was a couple of years after I left MS) and told him he needed to fix Live IDs/Xbox IDs not being geographically portable, and he put someone on it... they assigned a director to solve it and keep it updated, and me as guinea pig; took 12 months but they did it. I don't mind banging my head against walls until it hurts.

 

Here is the link to use: https://www.microsoft.com/en-us/wdsi/filesubmission. I politely asked them, told them it had been misidentified for years, linked to this thread, and asked if they would mind scanning both files for actual malicious code. As a community we may have to do this each time there is a new release. Of course, if the devs improve their code and sign their code, that would help... Also, TIP: don't submit a file anonymously; use a long-lived Live ID to do it.
