Malware/Trojan in EAC installation file?, Microsoft Security Essentials says EAC installation file has a trojan
Oct 1 2009, 00:18
Post #1
Group: Members Posts: 658 Joined: 26-October 05 From: Various networks Member No.: 25371
Not too sure what to make of this one, folks. I'm on Windows Vista Ultimate SP2 x64, running Microsoft Security Essentials as my antivirus. Tried downloading EAC both from the main and backup sources, and got this warning in both cases:
Anyone else seeing this? Any ideas?
Thanks
LJ
-------------------- EAC>1)fb2k>LAME3.97 -V 0 --vbr-new>WMP11 2)MAC-Extra High

Oct 1 2009, 00:22
Post #2
Group: Members Posts: 331 Joined: 14-April 09 Member No.: 68950
You can upload the offending file to www.virustotal.com to see what the other AV's have to say about it. It's probably just a false positive.

Oct 1 2009, 00:25
Post #3
Group: Members Posts: 867 Joined: 19-May 08 Member No.: 53637

Oct 1 2009, 01:55
Post #4
Group: Members Posts: 658 Joined: 26-October 05 From: Various networks Member No.: 25371
Thanks for the info, guys
-------------------- EAC>1)fb2k>LAME3.97 -V 0 --vbr-new>WMP11 2)MAC-Extra High

Oct 1 2009, 02:17
Post #5
Group: Members Posts: 968 Joined: 29-October 08 From: USA, 48236 Member No.: 61311
QUOTE Not too sure what to make of this one, folks. I'm on Windows Vista Ultimate SP2 x64, running Microsoft Security Essentials as my antivirus. Tried downloading EAC both from the main and backup sources, and got this warning in both cases: Anyone else seeing this? Any ideas? Thanks LJ

I checked a file of the same name from the EAC site with Norton Internet security and no problems.

Oct 1 2009, 04:00
Post #6
Group: Members Posts: 658 Joined: 26-October 05 From: Various networks Member No.: 25371
Checked on my home laptop: Windows Vista Home Premium SP1 32-bit with NOD32, which also immediately quarantined the download as suggested by tpijag's link.
As much as I like EAC, I'm gonna have to demand that the developer do something about this. Being flagged by 2 AV programs - especially NOD32, with its stellar reputation - is a huge problem IMO. dBPowerAmp anyone?
This post has been edited by LANjackal: Oct 1 2009, 04:04
-------------------- EAC>1)fb2k>LAME3.97 -V 0 --vbr-new>WMP11 2)MAC-Extra High

Oct 1 2009, 04:35
Post #7
Group: Members Posts: 331 Joined: 14-April 09 Member No.: 68950
QUOTE Checked on my home laptop: Windows Vista Home Premium SP1 32-bit with NOD32, which also immediately quarantined the download as suggested by tpijag's link. As much as I like EAC, I'm gonna have to demand that the developer do something about this. Being flagged by 2 AV programs - especially NOD32, with its stellar reputation - is a huge problem IMO. dBPowerAmp anyone?

It's not a big problem though. It's one of those adware that you need to uncheck at installation. Probably a necessary evil if you want free apps.

Oct 1 2009, 04:36
Post #8
Group: Members Posts: 1 Joined: 1-October 09 Member No.: 73607
This is far from a huge problem and certainly does not warrant "demands" of the developer or switching to another product. False positives are a common thing and the developer will likely look into it, or the problem will go away in future virus definition updates. In fact, two online virus scanners, Jotti's malware scan and VirusTotal, that scan uploaded files using a battery of scanners (NOD32, Avast, Kaspersky, etc.) report 0/21 and 1/41 positives, respectively.
EAC is a phenomenal program and something like a false positive sprouting up is something out of André's hands. Where's the love?

Oct 1 2009, 17:30
Post #9
Group: Super Moderator Posts: 4793 Joined: 1-April 04 Member No.: 13167
I hope you guys realize that discussing this on HA will not bring any resolution to the issue.

Oct 1 2009, 18:17
Post #10
Group: Members Posts: 854 Joined: 3-June 02 From: USA Member No.: 2204
Malwarebytes' Anti-Malware ("MBAM") also detects it after unpacking the setup file, with this:
QUOTE ...\eac-0.99pb5\$TEMP\eBay_shortcuts_1026.exe (Adware.ADON) -> No action taken.

Very Simple Solution: Unpack the EAC installer with 7-Zip, and delete the eBay Shortcuts add-on. You'll of course then have to manually install EAC, or make your own installer for it with for example Inno Setup, NSIS, etc., or just 7z or ZIP it should you need to install it again.
These little money making add-ons get tons of software tagged as malware, however both Avast and a-squared Free don't detect anything. I just wish Andre would also offer a ZIP file for downloading.

Oct 1 2009, 18:31
Post #11
Group: Members Posts: 79 Joined: 9-October 03 From: Washington D.C. Member No.: 9229
QUOTE Malwarebytes' Anti-Malware ("MBAM") also detects it after unpacking the setup file, with this: QUOTE ...\eac-0.99pb5\$TEMP\eBay_shortcuts_1026.exe (Adware.ADON) -> No action taken. These little money making add-ons get tons of software tagged as malware, however both Avast and a-squared Free don't detect anything.

Avast, along with Malwarebytes and MSE, certainly flagged EAC for me. I realize it's the e-bay shortcuts adware (MSE reports it as a named trojan though, much more serious than adware) causing the issue. I think it is a very bad idea to recommend a software as highly as hydrogenaudio does that contains problem files like this. I doubt any of my friends that I have recommended EAC to did anything other than install it with the default options.. making their infections my fault which I now get to deal with. Hydrogenaudio should have a prominent warning about this issue in the wiki page. I doubt any amount of complaints to the author will change anything. Perhaps someone with more knowledge could repack the thing, but until then it is off my list of recommended programs to my less than expert friends, sad.
(edit: Ah, Avast doesn't detect it for me, my mistake.)
This post has been edited by kiit: Oct 1 2009, 18:52

Oct 2 2009, 10:32
Post #12
xcLame and OggDropXPd Developer Group: Developer Posts: 3419 Joined: 30-September 01 From: Bracknell, UK Member No.: 111
For those who may be concerned, you will find simple .zip archives at Rarewares of PreBeta 4 and PreBeta 5 that avoid the need to use the installers.
-------------------- John
---------------------------------------------------------------- My compiles and utilities are at http://www.rarewares.org/

Oct 2 2009, 11:16
Post #13
Group: Members Posts: 91 Joined: 19-July 03 Member No.: 7866
Thanks john33.
-------------------- cast out...

Oct 2 2009, 17:24
Post #14
Group: Members Posts: 26 Joined: 13-March 08 Member No.: 52008
QUOTE Avast, along with Malwarebytes and MSE, certainly flagged EAC for me. I realize it's the e-bay shortcuts adware (MSE reports it as a named trojan though, much more serious than adware) causing the issue. I think it is a very bad idea to recommend a software as highly as hydrogenaudio does that contains problem files like this. I doubt any of my friends that I have recommended EAC to did anything other than install it with the default options.. making their infections my fault which I now get to deal with.

Personally, I would never recommend EAC to people unable to uncheck the e-bay shortcut in the installer. EAC is IMHO opinion not a program one can install without using brain cells, I would argue that EAC can not be used properly with the default options, one has to make sure that it is configured properly for the drive and type of extraction. For example, some EAC options that *must* be changed prior to using are "null samples for CRC" and "automatically write status report". Add to that "starting compressors in the background". And that's not even getting in the FLAC vs. MP3 and burst vs. secure vs. C2. Note that EAC is not alone. For every Java update, which tends to happen quite frequently lately, I need to make sure to disable the Yahoo toolbar in the installer. Obviously, I don't remember it on every update on every computer, so I have to remove it using "remove program". It's not that hard, but it's still a pain. To me, what Java does is more obnoxious than what EAC does. Sorry to have picked on Java, but I don't use Apple stuff, which looks to be very pushy as well. I guess this is the world we live in...

QUOTE Hydrogenaudio should have a prominent warning about this issue in the wiki page. I doubt any amount of complaints to the author will change anything.

Yep, that should be in one of the many user guides for EAC. But, I would not worry about it much more than the many other EAC configuration pitfalls, no need to make it a big deal.
Regards, Jean

Oct 2 2009, 18:12
Post #15
Group: Members Posts: 2205 Joined: 28-August 02 Member No.: 3218
FYI, besides the typical uploading, you can also send MD5/SHA1 of files to http://virusscan.jotti.org/hashsearch.php which is a timesaver if the file has already been scanned before.
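
Added example, not part of any post in this thread and not code from EAC or its author: posts #10 and #15 together describe unpacking the installer and looking files up by MD5/SHA1 instead of uploading them. This Python example hashes each executable found in an unpacked installer directory so a bundled component can be looked up on its own; the function names and the files created in `demo()` are constructed placeholders.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so a large installer is never loaded whole


def file_digests(path):
    """Return (md5_hex, sha1_hex) for one file, computed in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def digest_tree(root, extensions=(".exe", ".dll")):
    """Hash every executable under an unpacked installer directory.

    Returns {relative_path: (md5, sha1)} so each bundled component can be
    searched by hash separately from the outer setup file.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = file_digests(full)
    return results


def demo():
    """Build a constructed stand-in for an unpacked installer and hash it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "$TEMP"))
        samples = {  # constructed contents, not real program files
            "EAC.exe": b"constructed placeholder: main program",
            os.path.join("$TEMP", "addon.exe"): b"constructed placeholder: bundled add-on",
            "readme.txt": b"not an executable, skipped",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return digest_tree(root)


if __name__ == "__main__":
    for rel, (md5, sha1) in sorted(demo().items()):
        print(f"{rel}\n  MD5  {md5}\n  SHA1 {sha1}")
```

A hash lookup only finds files that someone has already submitted, so a miss says nothing about the file either way.
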
Oct 2 2009, 19:13
Post #16
Group: Members Posts: 64 Joined: 26-March 09 Member No.: 68400
QUOTE (Andre Wiethoff @ 31 Jan 2008) Today I released 0.99 prebeta 4 ... ... I have included a desktop and quick launch bar icon in the installer which link to eBay. As the advertisements on the homepage dropped by a great amount over the last year, I decided to try to go this way. I hope that you can understand my decision! Anyway, the icons are created only on the installation of EAC and their installation can be easily prevented by deselecting the eBay component within the EAC installer. The EAC application itself is still completely free from advertisement or spyware (and will be)! I hope that you will like the new version nevertheless!

- from the EAC homepage, and the official forum
http://www.exactaudiocopy.de/en/index.php/...-new/whats-new/
http://www.digital-inn.de/exact-audio-copy...html#post131378

I'm surprised it took 20 months for a complaint to arise! Personally, I don't care about this since it's rather obvious that I don't need anything related to Ebay to be installed with EAC and can opt-out.

Oct 8 2009, 21:30
Post #17
Group: Members Posts: 854 Joined: 3-June 02 From: USA Member No.: 2204
QUOTE I don't care about this since it's rather obvious that I don't need anything related to Ebay to be installed with EAC and can opt-out.

It's not really a big deal with EAC since there's the ability to opt out. A lot of software now has some unnecessary adware piggybacking in the setup which is included with it from eBay Shortcuts to some toolbar. However some software even though you can opt out will still start the offending file hidden in the background (that's detected as malware), which can do who knows what while it's resident - possibly checking to see if it's already installed, writing app data or registry data, creating bookmarks, or something more nefarious like changing the browser start/home page, etc. I don't like any of it one bit, but if it keeps cherished freeware apps free, then it's worth dealing with but only if the installers can be unpacked with 7-Zip or even Universal Extractor to avoid the unnecessary add-on.

Nov 7 2009, 04:43
Post #18
Group: Members Posts: 1 Joined: 7-November 09 Member No.: 74705
this must have just gotten flagged by all of the antivirus softwares as all of the threads i found are recent (since i googled this after norton removed my installer exe as a trojan).
i'm sure that this will have to be addressed in a lot of wikis and forums for other sites that heavily promote this software (for good reason, of course). i won't quit using it, but it's crazy that i have to go to somewhere and get a 3rd party repack zip to retain a copy of the installer on my computer. what's strange tho, is that this one at least can be opted out of and the opt out works, unlike others that never get flagged as malware even tho you have to untick things like "make hassle search your homepage" 2-3 times each for the same items, and then you restart your browser and a new homepage comes up (and often even screws up default dl location, since mine is not factory default). it's unfortunate that andre has even had to support his site and program with such ill company. eac is still the best, though, hands down.

Nov 7 2009, 06:19
Post #19
Group: Members (Donating) Posts: 47 Joined: 15-October 01 From: Midwest Member No.: 295
On Monday, MS OneCare spotted EAC's eBay shortcut.
I think it's classed as a trojan because there's no disclosure that the shortcut actually detours to a certain designated server before being sent to the eBay server. If you know that first server is harmless, then no problem. If not, then keep the eBay shortcut off your machine.

Nov 7 2009, 22:08
Post #20
dBpowerAMP developer Group: Developer (Donating) Posts: 2208 Joined: 24-March 02 Member No.: 1615
According to this site:
http://spywarefiles.prevx.com/RRJGFJ448253...S_1026.EXE.html
It:
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing
But I think the 2nd one is false, as there is nothing in the list of files that are opened which indicate access to the address book. Not sure why it is opening autoexec.bat though.
(my interest in this is because I have EAC installed, not because EAC is a rival program)
This post has been edited by spoon: Nov 7 2009, 22:09
-------------------- Spoon http://www.dbpoweramp.com