andrum99 Posted August 28, 2014
My installation of Kaspersky Pure 3.0 has detected the current version of wintoolkit as UDS:DangerousObject.Multi.Generic. This is a generic alert generated by the Kaspersky Security Network. Is this a false positive? Thanks, Andrew.
andrum99 (Author) Posted August 28, 2014
Further malicious activity has been detected by Kaspersky once I installed WinToolKit and the Kaspersky Security Network now red flags the installer with a more serious warning. DO NOT INSTALL THIS PRODUCT. I am an IT professional with 20 years' experience - I know a bad app when I see one. Give this site and the product as wide a berth as you can. I expect someone will be along soon to either deny this is the case, or to simply delete this message. Please contact me via my blog (andrum99.blogspot.co.uk) if you have concerns about this notice and to confirm that this message is genuine. You have been warned! Andrew Pattison, Fife, Scotland.
Kelsenellenelvian Posted August 28, 2014
Not denying anything; there is adware in the installer. However, did you notice there is a 7zip package, no-installer version??? Your insinuation that people should avoid this site is very troubling, as you (especially claiming to be an "Expert") failed to fully investigate this matter. Posted a reply on your blog.
dareckibmw Posted August 28, 2014
@Kelsenellenelvian He removed both your posts on his blog. What did you tell him?
Kelsenellenelvian Posted August 28, 2014
He removed my comments on his blog. This guy barely looks 30 and claims he has 20 years' IT experience and acts like a child. I am not going to ban him and give him the satisfaction he is looking for, but by deleting my comments off of his blog he proves he is full of crap.
Kelsenellenelvian Posted August 28, 2014
I called him out for not investigating the matter fully (the 7z file) and also for defaming WinCert by his posts here to avoid this site. I also said we never denied the adware in the installer. As an "IT Professional" to act like this is quite well, ummm unprofessional. I was extremely polite and professional in my posts on his blog. He apparently didn't want his blog readers to see how full of crap he was.
andrum99 (Author) Posted August 28, 2014
If you believe that Kaspersky has flagged this software as a false positive then please post your evidence here. For the record, I am 37. Regards, Andrew Pattison. Edited August 28, 2014 by andrum99
Kelsenellenelvian Posted August 28, 2014
He banned me from his blog. Poor guy. I believe Kaspersky flagged it. I SAID the INSTALLER version contains adware. I ALSO told you there is an exe file only version that has NO installer or adware. Which you seem to continue ignoring the fact of...
dareckibmw Posted August 28, 2014
...and you are banned already! for being polite and telling him the truth? .... LMAO Edited August 28, 2014 by dareckibmw
Kelsenellenelvian Posted August 28, 2014
For your record I am over 40, started working on computers in the age of Commodore 64 machines, have my own tech website and a freeware open source program that has been actively downloaded tens of thousands of times a month for 10 years (not some dumb blog). I also get over 12,000 Google hits directly related to my name and works with Windows, Windows customization and programming.
Kelsenellenelvian Posted August 28, 2014
While this may not be very polite and I know he will delete all of the comments on his blog I HIGHLY encourage everyone who reads this to post your opinion and thoughts on this to his blog in any way you wish. http://andrum99.blogspot.co.uk
andrum99 (Author) Posted August 28, 2014
As I said on my blog, the fact that there is a non-crapware version of the installer does not necessarily mean that WinToolKit itself does not contain, or itself download malware. I have posted further evidence on my blog. It is telling that as well as your attempted character assassination you have not attempted to post any evidence to contradict my statements, except for stating that there is an adware free installer. Regards, Andrew Pattison, andrum99@gmail.com Edited August 28, 2014 by andrum99
Kelsenellenelvian Posted August 28, 2014
That is the issue: you installed a version your av told you had questionable binaries in it. That is your own dumb fault. Had you used the portable version there is NO malicious software in it at all!!! I am not contradicting your statements, only proving you are an idiot (IT Professional huh?) for not listening to your av software. Wintoolkit by itself is completely safe; the adware is ONLY contained in the installer. Also you are really a coward by not showing any of this conversation on your blog. Have the balls to show your readers our defense.
Kelsenellenelvian Posted August 28, 2014
Also the trusted installer is actually necessary for modifying a windows mounted image. Once again IT professional? http://helpdeskgeek.com/windows-7/windows-7-how-to-delete-files-protected-by-trustedinstaller/
Kelsenellenelvian Posted August 28, 2014
I have contacted your web provider and sent a cease and desist order asking for the removal of your comments on this matter or your blog be shut down since you refuse to allow us to defend ourselves there. Just to prove I am serious your provider is: Sky Broadband. And they control the ip range of: 2.223.0.0 - 2.223.255.255. Plus this is their contact information:
BSkyB Broadband Hostmaster: Sky Network Services
1 Brick Lane
London
E1 6PU
UK
+44 20 7032 7000
+44 20 7900 7812
In conclusion = WinToolkit itself does not contain malware! You were an idiot for using the installer version when you were warned by your anti-virus.
Kelsenellenelvian Posted August 28, 2014
I don't know why I didn't do this before; here is a VirusTotal scan of the 7z portable version for more proof: https://www.virustotal.com/en/url/24f811595107aafd391be0a593e10890a9af37190db92d90fdf03e52b80449c9/analysis/1409266024/
And this one is of the WinToolkit binary itself: https://www.virustotal.com/en/file/f46322069d819529543227131a757adf85f26734595677b2c2f97afa9d6c7360/analysis/
According to this VirusTotal only 2 out of 55 av companies report the installer as containing malware AND Kaspersky is NOT one of them either. https://www.virustotal.com/en/file/3d0e327da9047ee7d5def0db462653531ae845d41558ec63c874c8c84fbfca99/analysis/
andrum99 (Author) Posted August 28, 2014
The virustotal analysis only proves that the file itself contains no malware. It is easy to create an app that downloads something dodgy without the binary actually containing anything dodgy itself. If you think that the behaviour of the app is benign then please explain its operation and the presence of write.exe in c:\WinToolkit_mount, with permissions designed to prevent its removal.
andrum99 (Author) Posted August 28, 2014
You can send as many cease and desist requests as you like. Last time I looked, fair comment was a defence for defamation; I am not required to publish your comments. For example, something is fair comment if it is factually accurate, as is the case with my observations.
Kelsenellenelvian Posted August 28, 2014
Yet it is not accurate at all. I have already received a ticket number and assurance that it is being looked into and I did further ACTUAL investigation and checking on the installer. (See trusted installer AGAIN) you cannot delete anything in that folder while it is mounted. Wim management 101 (IT Professional again?) Windows by default while managing a mounted wim protects most of it in the same way as the main system files. Here is another scan and also a screenshot: http://r.virscan.org/report/49b57c175cf3409a270c855d4063b21d
The only piece of adware that the installer contains is this and it as you can see is opt out. Now if you were too dumb to not skip it we have no control over what it does; that is fully your fault, NOT WinToolkit's! Claiming that is WinToolkit's fault is damaging and inflammatory and that's what I reported you for.
Kelsenellenelvian Posted August 28, 2014
Furthermore write.exe (Yes the old one with the 3.1 icon!) IS a file inside the wim you mounted with the toolkit; it was not downloaded and placed there by the toolkit! It comes in the wim file MS put on the disk!!! Holy crap I thought you were an IT pro? Proof for yourself: look in the Windows folder of a wim (you can open it with 7z) and you'll see it there. And in the system32 folder and in other folders too. LOL it's the same damned file you have in your Windows folder on your running system too. (I'll wait, go look) Now once you find it try to delete that one...
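One way to check the claim in the post above from the defender's side, as an added example that is not part of the thread or of WinToolkit: confirm the directory is a DISM-mounted image, then record the owner and SHA-256 of each copy of `write.exe` in the mount and on the running system. It assumes an elevated PowerShell session with the DISM module available and uses the mount path quoted earlier in the thread.

```powershell
# Added example (not from the thread): verify that write.exe under the mount
# directory belongs to a mounted Windows image and see who owns it.
# Assumption: elevated session, DISM PowerShell module installed.
$MountDir = 'C:\WinToolkit_mount'   # mount path quoted in the thread

# 1. Is the directory a mounted image, and which WIM/index backs it?
$image = Get-WindowsImage -Mounted |
    Where-Object { $_.Path.TrimEnd('\') -ieq $MountDir.TrimEnd('\') }
if (-not $image) {
    Write-Warning "$MountDir is not reported as a mounted image"
} else {
    '{0} <- {1} (index {2}, status {3})' -f $image.Path, $image.ImagePath,
        $image.ImageIndex, $image.MountStatus
}

# 2. Record owner and SHA-256 for every copy of write.exe, both inside the
#    mounted image and on the running system, so they can be compared.
$roots    = $MountDir, "$env:SystemDrive\"
$relative = 'Windows\write.exe', 'Windows\System32\write.exe'
$report = foreach ($root in $roots) {
    foreach ($rel in $relative) {
        $file = Join-Path $root $rel
        if (Test-Path -LiteralPath $file) {
            [pscustomobject]@{
                Path   = $file
                Owner  = (Get-Acl -LiteralPath $file).Owner
                SHA256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            }
        }
    }
}
$report | Format-List
```

Hashes are expected to match only when the mounted image and the host are the same Windows build, so a mismatch alone is not an indicator. An owner of `NT SERVICE\TrustedInstaller` on the mounted copy is consistent with the explanation given in the post.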
andrum99 (Author) Posted August 28, 2014
I have reverted my blog post to draft, as this is the quickest way to blank it just now, while I further investigate this. It seems I may have been mistaken. I did also use another product on my system just before running WinToolkit so perhaps it is to blame. The product I used was called Windows Updates Downloader, but again this is another apparently legitimate application. Apologies if I have gone off half cocked on this one - I did panic slightly. I will run the portable installer in a VM with Wireshark running and see what it looks like.
Kelsenellenelvian Posted August 28, 2014
While I may not think highly of your claim of being an IT Professional I will admit that your realization and public admittance of your half cocked-ness is a great thing and it takes a big person to stand up and admit fault like that. Thank you.
andrum99 (Author) Posted August 28, 2014
Just a small point - why did you file a complaint with Sky rather than Blogger? Just wondering.
Kelsenellenelvian Posted August 28, 2014
It was easier to contact them and they would take much quicker action than Blogger. WinToolkit, while being freeware, does have a good name to protect and WinCert is technically a business that relies on the income from ads and donations. Your defamation of the two without the ability to post counterpoints could be damaging. Especially since the readers you have (albeit probably not that great a number) only got one side of the story and could not or likely would not check for themselves.
andrum99 (Author) Posted August 28, 2014
I am drafting a full retraction, to be issued when, as I expect, Wireshark turns up nothing untoward. Expect it in the next hour or 2.