Announcing new way of Analog Obsession

VST, AU, etc. plug-in Virtual Effects discussion
KVRAF
31169 posts since 27 Jul, 2005 from the wilds of wanny

Post Sun Feb 23, 2020 12:26 pm

I used Win Defender ... found several trojans & dodgy programs, all associated with AO, so would say yes, scan your PC.

KVRian
965 posts since 10 Sep, 2014

Post Sun Feb 23, 2020 12:43 pm

Aloysius wrote:
Sun Feb 23, 2020 12:23 pm
Do we need to scan our PCs? Any freeware that will do it?
I use AVG free. Should work, but don't take my word for it. I'm not an expert.

KVRAF
6376 posts since 6 Jan, 2017 from Outer Space

Post Sun Feb 23, 2020 12:49 pm

Get rid of AVG. They installed spy software. The standard Windows protection is fine nowadays according to the experts of c’t magazine...

KVRian
965 posts since 10 Sep, 2014

Post Sun Feb 23, 2020 1:09 pm

Tj Shredder wrote:
Sun Feb 23, 2020 12:49 pm
Get rid of AVG. They installed spy software. The standard Windows protection is fine nowadays according to the experts of c’t magazine...
Oh.. Thanks for telling me. Normally I uninstall it after using it. I don't want an antivirus slowing down my PC.

KVRAF
9350 posts since 12 May, 2008

Post Sun Feb 23, 2020 1:11 pm

At what point could the viruses get into our system? I downloaded a bunch of the plugins but did not get around to opening the 64 bit zip files of the VSTs. I don't even know if there was an installer. Was it the downloads or running an installer that can get the virus on your system?
System: Windows 10, Dell XPS 2-in-1, Bitwig 3, Steinberg UR44.

KVRAF
31169 posts since 27 Jul, 2005 from the wilds of wanny

Post Sun Feb 23, 2020 1:19 pm

As soon as I unzipped the downloaded folders to get at the dll files I got a warning from Defender which then deleted the files. Unfortunately by then the Trojans, etc had already got into my AppData folder. So it looks like simply downloading and opening the zip file is dodgy.

KVRAF
9350 posts since 12 May, 2008

Post Sun Feb 23, 2020 1:25 pm

thecontrolcentre wrote:
Sun Feb 23, 2020 1:19 pm
As soon as I unzipped the downloaded folders to get at the dll files I got a warning from Defender which then deleted the files. Unfortunately by then the Trojans, etc had already got into my AppData folder. So it looks like simply downloading and opening the zip file is dodgy.
Do you know what some of the files or folders were called in your AppData folder? Do you mean the ProgramData folder?

I unzipped the first batch of zip files, but inside those were more zipped files for the 32 and 64 bit versions. I didn't unzip those. Do you mean those last zip files that were 32 or 64 bit specific? Or the downloaded zip packages? Windows scan has not found anything but I'm paranoid.
Last edited by Echoes in the Attic on Sun Feb 23, 2020 1:29 pm, edited 2 times in total.
System: Windows 10, Dell XPS 2-in-1, Bitwig 3, Steinberg UR44.

KVRist
161 posts since 6 Jul, 2012

Post Sun Feb 23, 2020 1:53 pm

Not really a user of AO plugs. But I unzipped and checked each file one by one, files from 3 days ago.

The 64's are clean.
All the 32's show infection except for Dynasaur and Jamp.
All the vst3's are clean, except Jamp shows infection.

KVRAF
9350 posts since 12 May, 2008

Post Sun Feb 23, 2020 1:58 pm

TMaudio wrote:
Sun Feb 23, 2020 1:53 pm
Not really a user of AO plugs. But I unzipped and checked each file one by one, files from 3 days ago.

The 64's are clean.
All the 32's show infection except for Dynasaur and Jamp.
All the vst3's are clean, except Jamp shows infection.
But this is what confuses me. You were able to download and check the files to see if there are viruses before they get on your system, yes? If there is no installer, how would those viruses actually get installed somewhere? OR were you able to check them before unzipping and it is the unzipping that releases the viruses? Sorry for my ignorance. I used a mac for a long time.
System: Windows 10, Dell XPS 2-in-1, Bitwig 3, Steinberg UR44.

KVRAF
31169 posts since 27 Jul, 2005 from the wilds of wanny

Post Sun Feb 23, 2020 2:00 pm

Echoes in the Attic wrote:
Sun Feb 23, 2020 1:25 pm
thecontrolcentre wrote:
Sun Feb 23, 2020 1:19 pm
As soon as I unzipped the downloaded folders to get at the dll files I got a warning from Defender which then deleted the files. Unfortunately by then the Trojans, etc had already got into my AppData folder. So it looks like simply downloading and opening the zip file is dodgy.
Do you know what some of the files or folders were called in your AppData folder? Do you mean the ProgramData folder?

I unzipped the first batch of zip files, but inside those were more zipped files for the 32 and 64 bit versions. I didn't unzip those. Do you mean those last zip files that were 32 or 64 bit specific? Or the downloaded zip packages? Windows scan has not found anything but I'm paranoid.
I posted the scan results and locations on the previous page. The malware alerts started as soon as I opened the VST2 zip files containing the dll's, not before.

KVRAF
31169 posts since 27 Jul, 2005 from the wilds of wanny

Post Sun Feb 23, 2020 2:08 pm

Echoes in the Attic wrote:
Sun Feb 23, 2020 1:58 pm
If there is no installer, how would those viruses actually get installed somewhere?
That is the question. I presumed the attached malware installed itself as it was showing up in various folders (please see my post on the previous page).

KVRian
991 posts since 3 Oct, 2011 from Christchurch, New Zealand

Post Sun Feb 23, 2020 2:21 pm

thecontrolcentre wrote:
Sun Feb 23, 2020 2:00 pm
I posted the scan results and locations on the previous page. The malware alerts started as soon as I opened the VST2 zip files containing the dll's, not before.
You posted it finding them in .zip files in your Firefox cache and the per-user temp directory. Those are just copies of the .zip archive from downloading; it's not like the virus has managed to infect you without unzipping/executing the .dlls.

C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\fey95g4e.default\cache2\entries\0C350065219505450D958784F344B8103A0565C7

C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\fey95g4e.default\cache2\entries\0C350065219505450D958784F344B8103A0565C7->SSQ.dll.32.zip->SSQ.dll

C:\Users\Dave\AppData\Local\Temp\Temp1_Harqules_2.0_VST_WIN.zip\Harqules.dll.64.zip

C:\Users\Dave\AppData\Local\Temp\Temp1_Harqules_2.0_VST_WIN.zip\Harqules.dll.64.zip->Harqules.dll
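The scanner paths above show the layout the thread is dealing with: an outer download zip, an inner per-architecture zip, and the DLL inside it. As an added example (not code from the thread or from the plugin vendor), this script walks such nested archives entirely in memory, flags which entries are Windows PE files (DLL/EXE) by their MZ header and hashes each one, so the DLLs can be checked against scanner verdicts before anything is extracted to disk; the sample archive it builds is constructed and not a real plugin.

```python
import hashlib
import io
import zipfile

# Walks a zip archive in memory, descending into nested zips (the
# "Harqules_2.0_VST_WIN.zip -> Harqules.dll.64.zip -> Harqules.dll" layout
# seen in the thread) without writing any entry to disk.


def is_pe(data: bytes) -> bool:
    """True if the entry starts with the 'MZ' header every Windows DLL/EXE has."""
    return data[:2] == b"MZ"


def walk_archive(blob: bytes, prefix: str = "") -> list:
    """Return (path, is_pe, sha256) for every non-zip entry, recursing into nested zips."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            if zipfile.is_zipfile(io.BytesIO(data)):
                # Nested archive: descend, using the same "->" notation Defender uses.
                results.extend(walk_archive(data, path + "->"))
            else:
                results.append((path, is_pe(data), hashlib.sha256(data).hexdigest()))
    return results


def build_sample() -> bytes:
    """Constructed sample mimicking the nested layout (hypothetical, not a real plugin)."""
    fake_dll = b"MZ" + b"\x00" * 62 + b"fake-plugin-body"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Harqules.dll", fake_dll)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Harqules.dll.64.zip", inner.getvalue())
        z.writestr("README.txt", b"install by copying the dll")
    return outer.getvalue()


if __name__ == "__main__":
    for path, pe, digest in walk_archive(build_sample()):
        print(("PE  " if pe else "txt ") + digest[:16] + "... " + path)
```

Point the script at a real download by passing the file's bytes to walk_archive and compare the printed hashes with what the scanner reported for the same entry.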

KVRAF
9350 posts since 12 May, 2008

Post Sun Feb 23, 2020 2:26 pm

^ Right so just temp download files, nothing that would actually do anything until perhaps the VST was actually opened? Just guessing.
System: Windows 10, Dell XPS 2-in-1, Bitwig 3, Steinberg UR44.

KVRAF
34932 posts since 11 Aug, 2008 from another dimension

Post Sun Feb 23, 2020 2:41 pm

I'll keep watching. I downloaded Malwarebytes premium Trial. It quarantined two files but they looked harmless, so I restored them. I haven't actually installed any of the x64 files. I think I'll just delete them for safety's sake.

Also:

Cleared Browsing & Download History, Form & Search History, Cookies, Cache, Site Preferences and Offline Website Data from Firefox.

Cleared Browsing History, Cookies, Cache and Download History from Microsoft Edge.

Cleared Browsing History, Cookies Etc and Cache in Google Chrome.

There's actually 'Virus & threat protection' on my W10 Machine. Windows Defender. Ran a quick scan. No current threats were registered.
Last edited by Aloysius on Sun Feb 23, 2020 2:59 pm, edited 1 time in total.
Hi-de-Hi!

KVRAF
31169 posts since 27 Jul, 2005 from the wilds of wanny

Post Sun Feb 23, 2020 2:56 pm

jdnz wrote:
Sun Feb 23, 2020 2:21 pm
thecontrolcentre wrote:
Sun Feb 23, 2020 2:00 pm
I posted the scan results and locations on the previous page. The malware alerts started as soon as I opened the VST2 zip files containing the dll's, not before.
You posted it finding them in .zip files in your Firefox cache and the per-user temp directory. Those are just copies of the .zip archive from downloading; it's not like the virus has managed to infect you without unzipping/executing the .dlls.

C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\fey95g4e.default\cache2\entries\0C350065219505450D958784F344B8103A0565C7

C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\fey95g4e.default\cache2\entries\0C350065219505450D958784F344B8103A0565C7->SSQ.dll.32.zip->SSQ.dll

C:\Users\Dave\AppData\Local\Temp\Temp1_Harqules_2.0_VST_WIN.zip\Harqules.dll.64.zip

C:\Users\Dave\AppData\Local\Temp\Temp1_Harqules_2.0_VST_WIN.zip\Harqules.dll.64.zip->Harqules.dll
You didn't quote all the info from my post.

Program:Win32/Unwasson.Alml

Items:
<file:C:\Users\Dave\Downloads\AO Equalizers\SSQ 3.0\SSQ_3.0_VST_WIN\SSQ.dll.32\SSQ.dll>
<file:E:\Temp\Analog Obsession\AO Equalizers\SSQ 3.0\SSQ_3.0_VST_WIN\SSQ.dll.32\SSQ.dll>
<file:I:\BACKUPS\VST Plugins\Free VST\64 bit VST Plugins\Analog Obsession\AO Equalizers\SSQ 3.0\SSQ_3.0_VST_WIN\SSQ.dll.32\SSQ.dll>

Items:
containerfile:C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\fey95g4e.default\cache2\entries\0C350065219505450D958784F344B8103A0565C7
file:C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\fey95g4e.default\cache2\entries\0C350065219505450D958784F344B8103A0565C7->SSQ.dll.32.zip->SSQ.dll


Trojan:Win32/Spursint.Flcl

Items:
containerfile:C:\Users\Dave\AppData\Local\Temp\Temp1_Harqules_2.0_VST_WIN.zip\Harqules.dll.64.zip
file:C:\Users\Dave\AppData\Local\Temp\Temp1_Harqules_2.0_VST_WIN.zip\Harqules.dll.64.zip->Harqules.dll


I understood that these locations are where the malware files Program:Win32/Unwasson.Alml & Trojan:Win32/Spursint.Flcl were found and removed by Defender. Please correct me if I've misunderstood.
