PortableApps.com Platform and Suite 1.6 have been released.

Home » Forums » Support Forums » Nvu Portable & KompoZer Portable

virus in Kompozer and other files

Submitted by null001 on May 5, 2009 - 11:24pm

clicking the download link
server name http://voxel.dl.sourceforge.net/sourceforge/portableapps/KompoZer_Portab...
clicking again
server name http://hivelocity.dl.sourceforge.net/sourceforge/portableapps/KompoZer_P...

sourceforge has no *****.dl. before sourceforge

file infected with trojan spy.winflux

do not download...

‹ Alternative for Kompozer? Blue Fish portable web editor ›

»
( categories: )

Valid

Chris Morgan's picture
Chris Morgan (Homepage) - May 6, 2009 - 3:27am

These are valid. These are download mirrors for SourceForge - that's how SourceForge works. Anyhow, there is no way which another entity could hijack the sourceforge.net name. If the domain ends in sourceforge.net, it's sourceforge.net

The spy.winflux is a false positive. Try it with other antivirus products.

I am a Christian and a developer and moderator here.

“It is in vain that you rise up early and go late to rest, eating the bread of anxious toil; for he gives to his beloved sleep.” – Solomon, Psalm 127:2

false positive

null001 - May 6, 2009 - 10:14am

My browsers (ie and firefox)were getting hijacked and redirected from pages I clicked on through google. Opera no problem. Scanned and deleted suspected files - Kompozer, Nvu, and another - sorry, can't remember which - I downloaded a bunch of apps from home page.
Now, no issues with searches or browsing.
Bbible, Clamwin, Cornice, firefox, gimp, infrarecorder, vlc, jkdefrag, keepass, and notepadpp registered as "clean".
Anyone else have an issue? Using registered, and up to date version of Spyware Doctor with Antivirus. Seems a little strange that deleting a false positive would solve my problems.

Spyware Doctor False Positives

John T. Haller's picture
John T. Haller (Homepage) - May 6, 2009 - 12:14pm

We've had issues with Spyware Doctor causing false positives in the past. Whenever you come across a file you think might be infected, run it by one of the online services that uses a dozen or more virus engines. It's a better indication of what's what. We link to them from our Support page directly.

When you download an app from us, you will be linked to SourceForge.net which will then redirect you to a mirror. SF uses mirrors all over the world to host the files. They have names like voxel and internap. You can see the full list here:
http://apps.sourceforge.net/trac/sourceforge/wiki/Mirrors

You actually could be directed to a non-legit SF site by a third party, but only if your computer is already infected and the infection is linking to a server that is fully mirroring all our files from SourceForge.net, which would be difficult and is highly unlikely.

In any case, you could double-check it just by right-clicking on the file and selecting Properties. You'll find a Digital Signatures tab and it's signed by Rare Ideas, LLC (our parent legal entity). You can also check the MD5 sum which we publish on the site. Our updater (currently in the Beta forum) checks these for you automatically.

False positives will occur from time to time in some antivirus products. Some smaller ones like Spyware Doctor have had more issues as have some of the free ones like AVG. Just follow the steps above and you can ensure it is a false positive and report it to your antivirus provider for them to fix in their next list of updates.

Sometimes, the impossible can become possible, if you're awesome!

false positves

null001 - May 6, 2009 - 3:28pm

Thanks for the info. Thanks for the apps.

Malwarebytes detected malware in Kompozer

jamiesandhillcrane (Homepage) - February 17, 2010 - 7:30am

Hi, I ran a scan with Malwarebytes, and this came up:
Files Infected:
KompoZerPortable\App\kompozer\msvcr70.dll (Malware.Packer.Gen)

Most likely a false positive

spg SCOTT's picture
spg SCOTT (Homepage) - February 17, 2010 - 8:53am

I will report it to the MBAM team Smiling

Reported: http://forums.malwarebytes.org/index.php?showtopic=40377

Sorry to keep editing...

jamiesandhillcrane,

Please can you remove the link from your signature, it is against forum guidelines and is in the 'Homepage link next to your name anyway...

-Scott-

Signature??? Isn't that the thing you write with a pen? Why would I want to put it here? Eye-wink

Sorry, I didn't realize a web

jamiesandhillcrane (Homepage) - February 17, 2010 - 9:04am

Sorry, I didn't realize a web page couldn't be put in the signature. I had seen this under the signature box: Web page addresses and e-mail addresses turn into links automatically., and had assumed otherwise.
It's been removed.

Will be fixed...

spg SCOTT's picture
spg SCOTT (Homepage) - February 17, 2010 - 10:11am

nosirrah has replied in the thread, saying it will be fixed.

@John (or any other Dev that knows - because I don't Eye-wink)
However, he has said they are modified somehow, which was what caused the detection.

a) Do you think there is a way to avoid this?

b) Aren't they closed source files, so they shouldn't be modified?

nosirrahThey modify some of these files when they make these apps portable for some reason , we were detecting the modification and would not detect the real msvcr70.dll .

The modification is not malicious so i have worked around it .

-Scott-

Signature??? Isn't that the thing you write with a pen? Why would I want to put it here? Eye-wink

RSS FeedFirefox 3.5©2005-2010  |  Privacy Policy  |  Developed by Rare Ideas, LLC
Designed by [THIRDSHIFT] and Rare Ideas, LLC  |  Powered by Drupal