HyperSpin install, potential virus infection

I think I'm going to follow Endiel on this.

As evaluation I am trying others like Maximus Arcade as well and no other FE reports to be a virus and yet they found way of starting other programs and run scripts as well.

I think you should rethink the way your software works.

Before then, this is so much I can say about Hyperspin.

Files deleted...

Yes, a trojan virus.

Yes, it is a trojan-type virus that spies on you. What happens is that the old versions do not carry any virus or trojan; only the new versions carry a trojan virus. The bad part is that the old versions are only 100% compatible with Windows XP and not with Windows 8 or 10. Stop making programs with viruses.

On 4/4/2014 at 1:37 AM, DamnedRegistrations said:

You honestly think we'd all be here, doing the work that we do while using virus infected software? Come on, use some common sense and have a look around.

It's called a false positive, something most AV programs can't seem to distinguish between real threats. Tell your silly program to ignore them and relax. There are no trojans, viruses or any such infections in Hyperspin.

No I would honestly think you would take the very simple steps that would get it unflagged.

Oh, I see why you get flagged: why the heck would you need to hook the window station DLL or look at the boot options registry? No wonder you are getting flagged.

Also, WTF would you be touching the DW branch of the registry? Highly suspicious. I am not saying you intended to do these things from a malicious perspective, but I am not clear why you are annoyed at the AV vendors. Fix up your code like everyone else; this has got nothing to do with using scripts to run the games, as is being claimed.

I submitted an incorrect detection submission to MS on your behalf.

File system actions

Files opened

  • C:\WINDOWS\system32\winime32.dll
  • C:\WINDOWS\system32\ws2_32.dll
  • C:\WINDOWS\system32\ws2help.dll
  • C:\WINDOWS\system32\psapi.dll
  • C:\WINDOWS\system32\imm32.dll
  • C:\WINDOWS\system32\lpk.dll
  • C:\WINDOWS\system32\usp10.dll
  • C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe
  • C:\WINDOWS\system32\faultrep.dll
  • C:\WINDOWS\system32\winsta.dll

Registry actions

Registry keys opened

  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
  • \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  • \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings

Registry keys deleted

  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot

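A way to read that report from the defender's side, as an added example that is not HyperSpin's, the sandbox's or any poster's code: a small Python triage script that buckets each opened file and registry key by the Windows component that normally touches it, so that loader and error-reporting noise can be separated from actions the program chose itself. The rule table, the category names and the explanations are this example's own assumptions; the report embedded as input is copied from the post above.

```python
"""Triage of the file/registry actions quoted in the thread.
Added example, not HyperSpin's, the sandbox's or Microsoft's code. The rule
table and bucket names below are assumptions made for this example."""
import re
from collections import defaultdict

# Constructed input: the sandbox report lines exactly as quoted in the post.
REPORT = r"""
File system actions

Files opened

  • C:\WINDOWS\system32\winime32.dll
  • C:\WINDOWS\system32\ws2_32.dll
  • C:\WINDOWS\system32\ws2help.dll
  • C:\WINDOWS\system32\psapi.dll
  • C:\WINDOWS\system32\imm32.dll
  • C:\WINDOWS\system32\lpk.dll
  • C:\WINDOWS\system32\usp10.dll
  • C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe
  • C:\WINDOWS\system32\faultrep.dll
  • C:\WINDOWS\system32\winsta.dll

Registry actions

Registry keys opened

  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
  • \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  • \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
  • \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings

Registry keys deleted

  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
"""

# First matching rule wins, so specific patterns sit above the generic ones.
# (pattern, bucket, why it usually shows up) -- assumptions of this example.
RULES = [
    (r"\\Image File Execution Options\\", "loader",
     "IFEO lookup (Debugger/GlobalFlag) that Windows performs for every image it loads"),
    (r"\\Safer\\CodeIdentifiers", "loader",
     "Software Restriction Policy check performed when an image starts or a DLL loads"),
    (r"\\SafeBoot\\Option", "safe-mode-check",
     "reads whether Windows booted into Safe Mode; common in installers and AV, "
     "also used as a sandbox-evasion check, so confirm the program's intent"),
    (r"\\AeDebug", "wer",
     "post-mortem debugger lookup made by error reporting after a crash"),
    (r"\\PCHealth\\ErrorReporting\\DW", "wer",
     "Dr. Watson / error-reporting state that faultrep.dll cleans up after a crash report"),
    (r"\\User Shell Folders\\", "shell",
     "known-folder path lookup (SHGetFolderPath)"),
    (r"\\Temp\\.*\.exe$", "temp-executable",
     "executable under a temp directory; check whether it is the sample itself or a dropped file"),
    (r"\\system32\\(ws2_32|ws2help)\.dll$", "winsock",
     "network capability; look for connections later in the report"),
    (r"\\system32\\(faultrep|winsta)\.dll$", "wer",
     "crash-reporting helper DLLs, consistent with the process crashing in the sandbox"),
    (r"\\system32\\[^\\]+\.dll$", "system-dll",
     "ordinary system DLL import"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), bucket, why) for p, bucket, why in RULES]


def classify(entry):
    """Return (bucket, explanation) for one path or registry key."""
    for pattern, bucket, why in COMPILED:
        if pattern.search(entry):
            return bucket, why
    return "unclassified", "no rule matched; review manually"


def parse_report(text):
    """Split the report into {section name: [entries]}; bullets belong to the
    most recent non-bullet line, headings without bullets are dropped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current is not None:
                sections[current].append(line.lstrip("• ").strip())
        else:
            current = line
    return {name: entries for name, entries in sections.items() if entries}


def triage(text):
    """Bucket every entry of the report: {bucket: [{section, entry, why}]}."""
    buckets = defaultdict(list)
    for section, entries in parse_report(text).items():
        for entry in entries:
            bucket, why = classify(entry)
            buckets[bucket].append({"section": section, "entry": entry, "why": why})
    return dict(buckets)


def summarize(text):
    """Count of entries per bucket, handy for a quick first look."""
    return {bucket: len(items) for bucket, items in triage(text).items()}


if __name__ == "__main__":
    for bucket, items in triage(REPORT).items():
        print(f"[{bucket}] {len(items)} item(s): {items[0]['why']}")
        for item in items:
            print(f"    {item['section']}: {item['entry']}")
```

Run on the quoted report, the IFEO and Safer\CodeIdentifiers reads land in the loader bucket, the AeDebug, DW and faultrep.dll/winsta.dll entries in the error-reporting bucket, and the two items left for a human look are the SafeBoot\Option read and the executable under Temp. Matching is first-hit, so keep the specific patterns above the generic system32 catch-all when extending the table.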
5 hours ago, Andyman said:

You're griping at the wrong folks, friend. We're just users of HyperSpin, same as you.

Umm, I think the person I quoted was one of the devs of HyperSpin, so I'm pretty sure I am targeting the right person. Well, maybe? They certainly sounded authoritative. Either way, that person was a little arrogant and unhelpful; they are a little obtuse. It took me all of a few hours to get this fixed for y'all.

Anyhoo, I got Microsoft to update the signatures. As of now Windows 10 Defender won't report it as malware. It ain't rocket science to get this stuff changed, and it's hilarious this community has been living with this for so many years - lol.

Latest definitions

The latest antimalware definitions file is as follows:

  • Version: 1.283.1107.0
  • Released: Dec 20, 2018 08:53 PM UTC

Submission ID: a0bba16b-824c-41b6-8ca5-<redacted>

Status: Completed

Submitted by: <redacted>

Submitted: Dec 20, 2018 4:05:44 PM

User Opinion: Incorrect detection

Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.


I did not know that Microsoft dbs could be updated by users requests like that. Thought that users would have to either live with it, or wait for devs to recode it. Awesome job @Scyto.

This makes me very happy, but extremely sad at the same time, knowing that a simple fix could have avoided lots of problems and users troubleshooting, and that nobody (if known about this way of whitelisting) did something about it, until now. 

2 hours ago, Kondorito said:

I did not know that Microsoft dbs could be updated by users requests like that. Thought that users would have to either live with it, or wait for devs to recode it. Awesome job @Scyto.

This makes me very happy, but extremely sad at the same time, knowing that a simple fix could have avoided lots of problems and users troubleshooting, and that nobody (if known about this way of whitelisting) did something about it, until now. 

Don't beat yourself up, I have an unfair advantage: I live near zip 98052 and worked for MS for a decade, so I tend to know what can and can't be done.... I even once emailed Ballmer (this was a couple of years after I left MS) and told him he needed to fix LiveIDs/Xbox IDs not being geographically portable - and he put someone on it... they assigned a director to solve it and keep it updated, with me as guinea pig. It took 12 months, but they did it - I don't mind banging my head against walls until it hurts 🙂

Here is the link to use: https://www.microsoft.com/en-us/wdsi/filesubmission. I politely told them it had been misidentified for years, linked to this thread and asked them if they would mind scanning both files for actual malicious code. As a community we may have to do this each time there is a new release. Of course, if the devs improve their code and sign their code, that would help... also, TIP: don't submit a file anonymously; use a long-lived LiveID to do it.
