Possible infection in 2.84.01 after unpacking.

[lemonstar61]

Malwarebytes signalled an infection in 2 of the DLL's so I uninstalled and that version (2.82.01) and reinstalled the latest version from this website (2.84.01) and uploaded the 2 suspect files to the on-line virus scanner I use:-
http://virusscan.jotti.org/en-GB

It submits files to 20 or so on-line virus scanners - see attached screenshots of the results.

Can someone confirm or rule out these detections. I will try and submit the files themselves to Malwarebytes and to the 2 virus detection companies as I've previously found them quite responsive in terms of accepting that their scanners have made a false detection.

[mouser]

Hi lemonstar61.

You did good to check them against multiple scanning engines as you did.

Those are false positives, alerting merely to the fact that these DLLs capture keyboard and mouse actions (which one might have guessed from the DLL names themselves).

There is no malware or infection, this is just the normal stupid irresponsible behavior of antivirus companies alerting falsely because they see generic code that they don't understand -- we deal with it all the time here, and it's extremely frustrating from a programmer's point of view.  it's similar to the way so many valid emails are now blocked and falsely marked as spam.

As an aside, you can actually run screenshot captor without these DLLs as long as you don't use the RedBox capture mode which is used to capture windows objects, scrolling windows, etc.  The RedBox capture mode is used to overlay a red box on top of existing windows to let the user select them with the mouse or keyboard.

[lemonstar61]

I did suspect this was a false detection but when you use a well known site or package to host your forum, hackers are no doubt beavering away looking to exploit sites that haven't kept up with the latest patches and updates- it's happened before, downloads have been infected by third parties. I suppose responsible developers could do with a way to submit potentially awkward files (like these hooks) to the AV companies - I guess there isn't a simple comprehensive way to do that.

[mouser]

I suppose responsible developers could do with a way to submit potentially awkward files (like these hooks) to the AV companies - I guess there isn't a simple comprehensive way to do that.

we do.  problem is that:

• 1. these companies don't put many resources into handling such submissions.
• 2. inevitably they do eventually remove the false alert if you complain a lot.. until a year later when some other malware again uses similar code instructions, or a shared library, and then it happens all over again.  multiply this by a dozen antivirus companies and you see it's a battle you find over and over again month after month.. it gets tiring.

The troubling thing is that only a small fraction of people are as smart/experienced as you to investigate further.  The overwhelming majority of people see an alert like that and freak out, uninstalling the program and scrubbing their pc and spending a week scared that they have some horrible virus infection.

And most of the blame for that lies squarely on the shoulder of these antivirus companies -- because they refuse to present accurate information to the user.  We have discussed at length on the forum how an antivirus program *should* alert the user when it encounters code that it has low confidence in the danger of -- it needs to be very clear to the user that the program is probably safe but has matched against some new generic pattern that could possibly but not-likely be dangerous, and point them to a link to get one of these multi-engine scans, and provide a clear path for discussing and resolving the issue.

We've even flirted with the idea of setting up an award to give to security software that lives up to this standard.. I still think that would be a good way to try to reform the industry -- by providing positive encouragement and a seal of approval to those few antivirus companies who handle this correctly and responsibly.

[daddydave]

With frequently updated programs such as ScreenshotCaptor, I'm pretty sure the whole process has to be repeated with every new version, no matter how slight the update. And I have some other thoughts I want to run by people, which I think probably need to be in their own thread

[rjbull]

Ah-ha...  looks like my Red Box Mode problem is solved (I hope).  I had one of the DLLs Allowed in Online-Armor, but not the other (must have forgotten to save it or something).  On a single quick check, Red Box Mode worked, whereas it was locking up before.  <phew>