Windows Security Essentials

Carol Haynes:
When I downloaded a fresh copy of the same file from the same location, my copy of MSE detected TrojanClicker:Win32/Yabector.A
Virus Total report:
File unlocker1.8.7.exe received on 2009.10.25 06:19:07 (UTC)
Result: 5/41 (12.2%)
Ikarus     T3.1.1.72.0  2009.10.25  Trojan-Clicker.Win32.Yabector
Microsoft  1.5202       2009.10.25  TrojanClicker:Win32/Yabector.A
NOD32      4539         2009.10.24  a variant of Win32/Adware.ADON
Prevx      3.0          2009.10.25  Medium Risk Malware
Sunbelt    3.2.1858.2   2009.10.24  Trojan.Win32.Generic!BT
-IainB (October 25, 2009, 02:22 AM)
--- End quote ---

Strange - I am running NOD32 build 4541 (and have run all previous builds since version 2) and it doesn't object to unlocker at all (and never has). I am also running AVAST on other computers and again no objection. Unlocker runs in the background on my system all the time and I use it often. Having said that, a manual scan of the installer by NOD32 now flags up a 'potentially unwanted' and 'variant of ...' which suggests that it is using a heuristics catch rather than an actual known trojan.

If you look at the changelog you can see:

Unlocker 1.8.7 - 01/05/2008

- Fixed bug: Unlocker should not create event logs anymore.
- Fixed bug: Unlocker should not take minutes to close on certain configurations anymore.
- Fixed bug: Unlocker should not lock DLLs not used by Unlocker anymore.
- Fixed bug: Fixed potential driver bug.
- Fixed bug: Miscellaneous handle leaks.
- Improved behavior: Improved deleting/renaming/moving files such as C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx for example.
- Improved behavior: When right-clicking files or folders and selecting Unlocker, those are automatically deselected. It helps with movie files and removable drives.
- Improved UI: Icon looks correct now on Windows Vista
- Promotional feature: Added fully optional shortcuts to eBay during the installation. Simply untick "eBay shortcuts" in the choose components page during install if you do not wish to have those.
--- End quote ---


(my emphasis).

The file causing problems is an ebay_shortcuts file which is copied to the application folder but not executed if you opt-out during installation.

Unlocker itself doesn't have any problems with AV products - it is just the promotional add-on they have stupidly chosen to include.

If you are unhappy with this simply uninstall Unlocker and remove the Program Files\Unlocker folder.

If you didn't opt-out you can use the following to clean up any unwanted crap (cut and paste into a text file and save with a .BAT extension then run it from a command prompt or download it from the attached ZIP file):


--- Code: ---
REM From http://www.msfn.org/board/lofiversion/index.php/t116627.html
REM Silent install, then a short pause before cleaning up
start /wait unlocker1.8.7.exe /S
ping -n 2 127.0.0.1 > nul
REM Remove the eBay shortcut installer and the shortcuts it creates
DEL /F /Q "%ProgramFiles%\Unlocker\eBay_shortcuts_1016.exe"
DEL /F /Q "%UserProfile%\Application Data\Desktopicon\eBayShortcuts.exe"
DEL /F /Q "%UserProfile%\Desktop\eBay.lnk"
DEL /F /Q "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.lnk"
DEL /F /Q "%UserProfile%\Start Menu\eBay.lnk"
REM Remove the UnlockerAssistant autostart entry
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v UnlockerAssistant /f
--- End code ---

If you want to use unlocker without the money making add-on download version 1.8.5 from:

http://ccollomb.free.fr/unlocker/old/unlocker1.8.5.exe

which doesn't contain the eBay bits.
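
An audit-only companion to the cleanup batch file in the post above, added here as an example and not part of the original post or the msfn.org script: it reports which of the listed files and the Run value are present and deletes nothing. The paths and the value name are the ones given in the post (Windows XP-style profile layout); the FOUND counter and the output labels are assumptions of this example.

```batch
@echo off
REM Added example: audit only, nothing is deleted.
REM Paths and the Run value name are taken from the cleanup script in the post.
setlocal
set FOUND=0

REM Check each file the cleanup script would delete.
for %%F in (
  "%ProgramFiles%\Unlocker\eBay_shortcuts_1016.exe"
  "%UserProfile%\Application Data\Desktopicon\eBayShortcuts.exe"
  "%UserProfile%\Desktop\eBay.lnk"
  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.lnk"
  "%UserProfile%\Start Menu\eBay.lnk"
) do (
  if exist %%F (
    echo PRESENT: %%~F
    set /a FOUND+=1
  ) else (
    echo absent:  %%~F
  )
)

REM Check the autostart value the cleanup script would remove.
REM reg query returns 0 when the value exists and 1 when it does not.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v UnlockerAssistant >nul 2>&1
if not errorlevel 1 (
  echo PRESENT: HKLM\...\Run value UnlockerAssistant
  set /a FOUND+=1
) else (
  echo absent:  HKLM\...\Run value UnlockerAssistant
)

echo.
echo %FOUND% item(s) found.
REM Exit code is the number of items found, so 0 means a clean system.
exit /b %FOUND%
```

Running it before and after the cleanup shows exactly what was removed; an exit code of 0 means none of the listed items remain.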

IainB:
@Innuendo:
Thanks for the appreciation of effort. Yes, it was very tedious - doing what I did - but I reckon I benefited from it: as can often happen when you take the time to investigate and analyse something in detail, the result can be an increase in knowledge of the thing being studied.

@Carol Haynes:
What you say is interesting, and, if you had installed Unlocker from the version 1.8.7 installer, then I can offer no explanation as to why your copy of NOD32 did not detect it in the installer file, as per the VirusTotal report. Curious, that.

I would just like to clarify/confirm that Unlocker.exe is not the problem file. I have Unlocker running as a shell all the time too, and MSE never objects to it. MSE only detected the Trojan Yabector.gen and .A in the two separate installer files. Thanks for emboldening the bit about the change log - I had not read that. In any event, as I wrote above:
I also sent an email to the author of Unlocker with a snapshot of the MSE details screen describing the Trojan that MSE had found in the Unlocker install file.
--- End quote ---

Nice work in detailing how to decrap the installer file containing the eBay Trojan bits. I won't bother doing that, having just deleted the installer file, and I wouldn't recommend going back a version step to Unlocker v1.8.5 either, since v1.8.7 evidently has some bugfixes, according to the change log that you pasted above.

The thing here is that, as you say:
...it is just the promotional add-on they have stupidly chosen to include.
--- End quote ---
(My emphasis.)

IainB:
Just an update on the Unlocker install file.
The author told me he had fixed the problem and put up v1.8.8, but when I downloaded it, MSE reported that "unlocker1.8.8.exe" contains TrojanClicker:Win32/Yabector.A

I politely suggested to him that "Maybe embedding the eBay component was not such a good idea."

Bett:
No, it's really free?

IainB:
Correction to my earlier post:
...but when I downloaded it, MSE reported that "unlocker1.8.8.exe" contains TrojanClicker:Win32/Yabector.A
--- End quote ---
I didn't read the MSE report closely enough. When I did, what it actually said was "unlocker1.8.7.exe contains TrojanClicker:Win32/Yabector.A" - i.e., it kept using the old file version name, even though I had given it v1.8.8 to analyse. I repeated this, changing the file name to "Fred" etc. each time, but always the report was for v1.8.7.

I then deleted all the quarantined references in MSE to v.1.8.7, and then gave it the v1.8.8 file to analyse again. This time, it reported that the file was v1.8.8 (which was correct) and that it had no viruses.

I think this means that I have just discovered a quirk - if not a bug - in MSE.
