
Thread: New Get Lazarus Initiative

  1. #31
    Quote Originally Posted by paul_nicholls View Post
    @SilverWarior - I have attached a screenshot of the files my Avast put into the virus chest...I don't have the actual files anymore as I uninstalled it.
    Based on a quick look it seems that Avast put every *.exe file that was extracted with the setup program into quarantine. This might have something to do with Avast commonly recognizing Inno setups as potentially dangerous files.
    If you look around the web there are multiple reports about Avast raising false positives for Inno setups if they are not digitally signed.
    I guess Inno setup might have been used often for distributing various virus-infected installations in the past, especially since it is freeware.
    Another reason for this might be the ability of Inno setup to use Pascal Scripts, which makes it more difficult for AV software to make early heuristic tests. Especially if scripts are stored in text form and compiled at runtime. I'm not sure about that.

    Anyway, based on the tests I performed I don't think any of those files are actually infected. But I can't be 100% sure about that because no AV is perfect.

  2. #32
    I googled win32:evo-gen. The first result is the page below.

    http://malwarefixes.com/threats/win32evo-gen-susp/

    That page says win32:evo-gen is a threat identified by Avast Anti-virus products, it recommends first using norton power eraser. I ran power eraser and it brought back the list below after reboot.



    I'm not sure what to think, because two of those items I compiled 7 years ago on a different machine and just unpacked them on Friday. The rest were built a few days ago. All of them are not identified as having a virus, only that they are suspicious or something thereof. Here is a report for one item.

    c:\users\gigauser\desktop\shellpth.exe
    ____________________________
    ____________________________
    Developers: Not Available
    Version: Not Available
    Identified: 2/6/2015 at 12:46:06 PM
    Last Used: 2/6/2015 at 12:46:06 PM
    Startup Item: No
    ____________________________
    ____________________________
    UNKNOWN
    Number of users in the Norton Community that have used this file: Unknown
    ____________________________
    UNKNOWN
    This file release is currently not known.
    ____________________________
    UNPROVEN
    There is not enough information about this file to recommend it.


    Further research, according to wikipedia: http://en.wikipedia.org/wiki/Norton_Power_Eraser

    "If it is in the list of bad applications, it is marked for deletion. If it is unknown and not in any list, it is reported as suspicious but not marked for removal ... Power Eraser is very aggressive[1] to unknown threats which are not whitelisted and are instead marked for removal or sent for analysis."

    So it would seem according to wikipedia the items identified by norton power eraser are unknown. To me it doesn't sound like they're infected given how aggressive norton power eraser can be, and that they were marked for removal rather than deletion.

    Further googling for win32:evo-gen reveals many links to people using Avast anti-virus who often get win32:evo-gen false reports. I'll keep scanning, but at this point I'm feeling more like my system isn't compromised. I'll continue to try differing virus scanners and report back here.
    Last edited by sysrpl; 09-02-2015 at 07:36 AM.

  3. #33
    Thanks for the updates sysrpl, much appreciated

    cheers,
    Paul

  4. #34
    Thanks SilverWarior for your hard investigation work too!

    cheers,
    Paul

  5. #35
    @sysrpl - I'm running into issues when I try and follow your instructions here:
    http://www.getlazarus.org/setup/making/

    at this point:
    Code:
    cd fpc
    make all & make install INSTALL_PREFIX=%BASE%\fpc
    I get a whole bunch of errors like below:
    Code:
    Error makefile 2843: Command syntax error
    Error makefile 2844: Command syntax error
    Error makefile 2845: Command syntax error
    Error makefile 2853: Redefinition of target 'UTILS'
    Error makefile 2853: Command syntax error
    Error makefile 2854: Command syntax error
    Error makefile 2855: Command syntax error
    Error makefile 2856: Redefinition of target 'IDE'
    Error makefile 2856: Command syntax error
    Error makefile 2857: Command syntax error
    Error makefile 2858: Command syntax error
    Error makefile 2863: Redefinition of target 'UTILS'
    Error makefile 2863: Command syntax error
    Error makefile 2864: Command syntax error
    Error makefile 2865: Command syntax error
    Error makefile 2866: Redefinition of target 'IDE'
    Error makefile 2866: Command syntax error
    Error makefile 2867: Command syntax error
    Error makefile 2868: Command syntax error
    Error makefile 2871: Command syntax error
    Error makefile 2872: Command syntax error
    Error makefile 2873: Command syntax error
    *** 1344 errors during make ***
    
    
    C:\Development\FreePascal\fpc>
    Any ideas?
    cheers,
    Paul

  6. #36
    Make sure "cd fpc" and "make all" are on separate lines. Also, before you do "make all", check that you are in the new "fpc" folder. Type "fpc -iV"; it should return 2.6.4 at that point, otherwise your path order is messed up. Type "echo %PATH%" and paste the result back here.

  7. #37
    I did do "cd fpc" and "make all" on separate lines, but when I tried the "fpc -iV" it said it couldn't find fpc...

    Here is my path from the command line (I haven't closed or changed it since I tried compiling fpc):
    Code:
    C:\Development\FreePascal\fpc>echo %PATH%
    C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\ProgramData\Oracle\Jav
    a\javapath;C:\Program Files (x86)\CollabNet;C:\Embarcadero\Studio\14.0\bin;C:\Us
    ers\Public\Documents\Embarcadero\Studio\14.0\Bpl;C:\Embarcadero\Studio\14.0\bin6
    4;C:\Users\Public\Documents\Embarcadero\Studio\14.0\Bpl\Win64;C:\Program Files (
    x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\WINDOWS\system32;
    C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;
    C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program File
    s\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Intel\I
    ntel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) M
    anagement Engine Components\IPT;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\
    x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files (x86)\R
    emObjects Software\Oxygene\bin;C:\Program Files\TortoiseSVN\bin;C:\Program Files
     (x86)\Windows Live\Shared;C:\Program Files (x86)\CineForm\Tools;C:\Program File
    s (x86)\QuickTime\QTSystem\;C:\Program Files\Calibre2\;C:\Program Files\Microsof
    t SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\120\Tools\Bin
    n\;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Progr
    am Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\C2J\Bin;C:\Android\android-sdk/
    tools;C:\Android\android-sdk/platform-tools;C:\Program Files (x86)\Java\jre7\bin
    ;C:\Program Files (x86)\Java\jdk1.7.0_17;;C:\HaxeToolkit\haxe\;C:\HaxeToolkit\ne
    ko
    
    
    C:\Development\FreePascal\fpc>
    cheers,
    Paul

  8. #38
    Quote Originally Posted by sysrpl View Post
    I googled win32:evo-gen. The first result is the page below.

    http://malwarefixes.com/threats/win32evo-gen-susp/

    That page says win32:evo-gen is a threat identified by Avast Anti-virus products, it recommends first using norton power eraser. I ran power eraser and it brought back the list below after reboot.
    First thing you need to note about Anti Virus software manufacturers is that each of them has its own naming of the malware virus families. What is a virus family? That is basically just a group to ease the naming and grouping of viruses with common capabilities.
    So if you keep googling "win32:evo-gen" you will always be getting results related to Avast, as this is the way they named such a malware family.

    Second thing. If you can't see "shellpth.exe" on your desktop as a normal file (it might be hidden) then your system is most likely infected. Especially because it seems that Norton found this file in at least two different places.

    Third thing. I personally recommend you stay away from Norton. Why? I have seen it delete many files that were falsely recognized as dangerous, and it sometimes does this even without a warning. On my friend's computer it was literally breaking drivers for a TV Tuner card, which was leading to constant system crashes while watching TV. And I must say that it took me the whole day to figure that out.
    Another thing about Norton is that even when you decide to uninstall it, it doesn't always remove itself completely, which could sometimes cause system instability. At least that was quite common in older versions. I must admit that I haven't worked on a computer protected with Norton for quite some time now.

    Could you somehow pack those files and upload them somewhere on the internet so I can have a closer look at them? I don't recommend sending them through e-mail. If they are infected it could lead to your e-mail getting on a blacklist.

    Quote Originally Posted by sysrpl View Post
    I'm not sure what to think, because two of those items I compiled 7 years ago on a different machine and just unpacked them on Friday. The rest were built a few days ago. All of them are not identified as having a virus, only that they are suspicious or something thereof. Here is a report for one item.
    The fact that those files were compiled a long time ago has no effect. Viruses most commonly migrate first to recently accessed files. So when you extracted those, the virus (if you have one) could detect that and thus inject its own code into them.
    Most commonly this is done by simply adding additional code to the end of the file and changing the default entry point to the virus code itself. This guarantees that even if you managed to stop the virus, executing one of such files would start it again.

    Quote Originally Posted by sysrpl View Post
    I'll continue to try differing virus scanners and report back here.
    I hope you are not just installing new AV programs one after another. Doing so could actually prevent them from working properly. Why? It is possible that one AV software detects a cleaning attempt of another as a potential threat to your computer and thus could try to block it. And this could be detected by another one as an attempt at disabling it. So you could end up in a continuous loop of one AV trying to kill another, which would most likely bring your computer almost to a halt.
    Yes I have seen this first hand.

    @paul_nicholls
    I have quite some knowledge in dealing with various viruses and malware because lots of my friends had problems with them in the past.
    And since I'm a pretty curious guy I didn't just go and run an AV scan to clean the computer but actually tried to find out where those viruses spread from and how.
    Once I even had a chance to analyze and finally clean a nasty virus (Sallinity NSF) that had been first detected on the web just three days earlier. But I did have an advantage since I had the initial file from which it spread. I even had to use an HDD recovery process to get it back because once the virus spread it deleted it to cover its tracks.
    So I try to help if I can with this. Besides, it has been some time since I last did any virus cleaning. What is the main reason for this? Actually I don't know. Whether my friends learned to surf the web more safely or ESET is doing a good job of keeping their computers clean, as it does with mine.

    @sysrpl
    Since you are prepared to test other AVs I strongly recommend you try ESET AntiVirus 32, or ESET Smart Security if you also want Firewall protection. If you decide to go with ESET Smart Security I recommend you set the Firewall to interactive mode, as Automatic mode isn't good enough. At least not for my high standards. But interactive allows you to create specific blocking/exception rules as you go.

    But if your computer might really have been infected by some nasty virus like a Rootkit you would have to run a clean system from some Boot CD and then perform the cleaning. I'm personally using Ultimate Boot CD with Windows XP as the bootable OS and a specially prepared ESET Antivirus 32 so it can be run without prior installation (I used VMware ThinApp for this).

    If you need any more information or help about this feel free to ask.
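
As an added illustration of the pattern post #38 describes (code appended to the end of the file and the entry point redirected into it), and not part of any poster's message: this Python sketch reads a PE file's headers and reports whether the entry point sits in the last section and whether that section is both writable and executable. The two sample images, the `.extra` section name and the function names are constructed for the example.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def entry_point_report(data: bytes) -> dict:
    """Find the section holding the PE entry point; flag the appended-code layout."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    (entry_rva,) = struct.unpack_from("<I", data, pe_off + 24 + 16)
    table = pe_off + 24 + opt_size                             # first section header
    sections = []
    for i in range(n_sections):
        base = table + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, base)
        (flags,) = struct.unpack_from("<I", data, base + 36)  # Characteristics
        label = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((label, vaddr, max(vsize, rawsize), flags))
    idx = next((i for i, s in enumerate(sections)
                if s[1] <= entry_rva < s[1] + s[2]), None)
    if idx is None:  # entry point not inside any section: not this pattern
        return {"section": None, "in_last_section": False,
                "writable_and_executable": False, "suspicious": False}
    flags = sections[idx][3]
    in_last = len(sections) > 1 and idx == len(sections) - 1
    wx = bool(flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE)
    return {"section": sections[idx][0], "in_last_section": in_last,
            "writable_and_executable": wx, "suspicious": in_last and wx}

def build_sample(entry_rva, sections) -> bytes:
    """Constructed, header-only PE32 image for the demo (not a loadable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table

TEXT = (b".text", 0x1000, 0x800, 0x60000020)    # code, execute + read
DATA = (b".data", 0x2000, 0x200, 0xC0000040)    # data, read + write
EXTRA = (b".extra", 0x3000, 0x400, 0xE0000020)  # execute + read + write, added last
CLEAN = build_sample(0x1000, [TEXT, DATA])
PATCHED = build_sample(0x3010, [TEXT, DATA, EXTRA])

if __name__ == "__main__":
    print(entry_point_report(CLEAN), entry_point_report(PATCHED), sep="\n")
```

A hit is a triage signal rather than a verdict; legitimately packed executables can show the same layout.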

  9. #39
    Paul: Ouch I'm sorry. I've seen this problem before and am 100% sure of the problem. Your PATH is too long, seriously. When you open a cmd window, some of those entries are being ignored.

    http://superuser.com/questions/63508...-path-variable

    You can copy your existing path to a text file and delete a bunch of entries. Add sliksvn and fpc.2.6.4 to the front. Type "fpc -iV" and see if "2.6.4" is returned. Then proceed as normal. When done, re-edit your path, but I'd consider making different command prompt shortcuts with different path variables to reduce the size permanently.
    Last edited by sysrpl; 09-02-2015 at 11:58 AM.

  10. #40
    Quote Originally Posted by sysrpl View Post
    Your PATH is too long, seriously. When you open a cmd window, some of those entries are being ignored.

    http://superuser.com/questions/63508...-path-variable

    but I'd consider making different command prompt shortcuts with different path variables to reduce the size permanently.
    I agree with @sysrpl on this. I'm wondering how you haven't already experienced problems with other programs due to this. Delphi is known to be especially touchy about this.
