[first post, I love Avast, it missed one that Malwarebytes caught, not sure if this is the right way to address this, here goes …]
I was running an invisible exe created by Bat To Exe Converter V1.5 (at www.f2ko.de) from a 3 line batch:
xcopy D:\MyDocs\Thunderbird\contacts\abook.mab C:\Portable\ThunderbirdPortable\Data\profile /Y
C:\Portable\ThunderbirdPortable\ThunderbirdPortable.exe
move C:\Portable\ThunderbirdPortable\Data\profile\abook.mab D:\MyDocs\Thunderbird\contacts
Anyway, this exe (from a converted batch) ensures my address book is backed up with my MyDocs folder along with my Tbird account folders. If portable Tbird allowed me to specify my address book location, this wouldn’t be needed. And, I don’t want to see a DOS window in the task bar while I run Tbird.
The problem: random browser redirects with FF 3.6 in Win7 x64. It was only on Google search results and not every result. Once I stopped running the exe created by Bat To Exe Converter and deleted the exe, no problems. Malwarebytes finds Trojan.VkHost but Avast finds nothing.
Here’s how I reproduce the problem …
download Bat To Exe Converter 1.5 and run it
create a batch file with 2 lines: dir, pause
convert it with Bat to Exe with the invisible setting
scan the test.exe:
Malwarebytes’ Anti-Malware 1.44, Database version: 3826
Files Infected:
c:\Download\portable updates\bat_to_exe_converter\test-dir-pause.exe (Trojan.VkHost) → No action taken.
Here’s the PASSWORD protected 7z file with the test batch file, test.exe, and Malwarebytes output (truncated): http://www.megaupload.com/?d=KJXESB76
somehow it is a strange website!
Please, if you are using Firefox, use this for more safety about websites and change your search engine to Google if possible! http://www.mywot.com/en/download/ff
Funny that “false positive” came up here just like the portablefreeware.com/forums/ thread. Below is my follow up post there addressing this. Remember: Avast doesn’t see anything wrong with the invisible exe I create with Bat to Exe but I experience browser redirect symptoms. Malwarebytes sees Trojan.VkHost in the process and file and the symptoms go away when I stop my invisible exe and delete it. This is the opposite of a false positive … a “true negative”? Quote of other post follows …
I'm not suggesting for a moment this is a false positive.
I experienced symptoms after creating and running an invisible exe with this program. These symptoms were random, periodic redirects of Google search results. Maybe the top result was fine but the next 1 or 3 were re-directed. The Google web page of results would have the url printed, e.g. http://www.hitnumber7.com/blah/blah, and when I clicked on it I would be sent to an advertisement web page.
Specifically, with my invisible exe running, I searched Google for an Acronis backup issue. One of the hits (maybe the 3rd) was an Acronis.com link for the pdf manual. The Google web page results had http://www.acronis.com/… printed underneath the hyperlink in clear text. If I mouse over this link with Firefox using the add on Link Alert I don’t see the Acronis link, I see some super long link for some ad web site. Clicking on the link in Firefox takes me to said link.
I started to investigate the URL of this ad page. I Googled and found some others talking about Google search result redirects specially affecting Firefox. I started to test this by doing Google searches and looking at the results and clicking on them. What do you know but I was easily able to replicate the problem: hypertext links on Google that go to an advertisement web site - these links do not match the link text associated with them on the Google search results page.
Ok, so now I know I have a problem. Avast 5.0 scan, nothing. Windows Defender scan, nothing. Malwarebytes scan, something! Trojan.VkHost is found on the process and file that I created with Bat to Exe.
I stop the process and delete the exe. No more Google search redirects!!!
Let me repeat - this is not a false positive problem. I had Firefox redirect hijack symptoms for Google search results when my invisible exe was running. After stopping the process and deleting the exe, no more redirects.
Maybe this only affects certain versions of Windows (I run 7 x64) and/or Firefox (latest with 40+ add-ons). But, I can’t recall being hit with a trojan/virus before and I sure didn’t like it this time! Thanks to Malwarebytes and a few other poor souls troubleshooting this on forums online for helping me to a solution.
If you have not already done so, you might email Alwil a passworded zip file containing both the compiler and your compiled exe together with a brief explanation of your findings.