using 6.2.7955.0.fbl_srv_wdacxml.110228-1930_x86fre_client-ultimate_en-us.iso
    CRC32: E7D3D3A8
    MD5: 0B4B00CBBA6250F0606CD1486A59ED61
    SHA-1: CD6CB55F28647860B6252186E5C747D7D03A243C
I get this antivirus alert (trojan horse): http://img42.imageshack.us/img42/8562/alarmt.jpg
the file is stored twice: in BIN/IDW + BuildBinaries/BIN/idw
virustotal shows the same result, maybe it's a fake alert, don't know, but I have very rare fake alerts with avira.
details on virustotal:
    PEInfo: PE structure information
    [[ basic data ]]
    entrypointaddress: 0x20E9
    timedatestamp....: 0x4D68B8CC (Sat Feb 26 08:24:44 2011)
    machinetype......: 0x14C (Intel I386)
    [[ 3 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x1A54, 0x1C00, 6.01, 00aa0af074d73deff3195903b853f481
    .data, 0x3000, 0x378, 0x200, 0.3, f469ad5b2093f991d68e4d904c938cb7
    .reloc, 0x4000, 0x206, 0x400, 3.02, 6b1ff886770480386483a73327d2513b
    [[ 2 import(s) ]]
    kernel32.dll: OpenProcess, WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, SetLastError, GetLastError, ReadProcessMemory, VirtualQueryEx, TerminateProcess, Sleep, InterlockedExchange, InterlockedCompareExchange, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, UnhandledExceptionFilter, GetCurrentProcess
    msvcrt.dll: _except_handler4_common, _controlfp, _terminate@@YAXXZ, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, atoi, __3@YAXPAX@Z, __2@YAPAXI@Z, memset
    http://www.virustotal.com/file-scan/report.html?id=d9e7bb40452537ed499fdf0f6dc6bff34d57b13a746e5b173acd483b3e4c1b2d-1303827399
Is that the torko iso, or the BA/MSFT/iND iso? -edit: ok, now that you provided checksums, that would be torko's image. Could you post a link to the virustotal scan? BTW, you are not the first person to claim there was nasty stuff in the torko image. A few days ago someone posted on facebook a malwarebytes scan that showed like 4-6 "flags" pointing out registry entries.
It's within the build from winboard, this structure:
    01.03.2011 11:11 <DIR> $RECYCLE.BIN
    01.03.2011 10:36 24 autoexec.bat
    01.03.2011 11:51 <DIR> Bin
    01.03.2011 11:53 <DIR> BuildBinaries
    01.03.2011 10:36 10 config.sys
    01.03.2011 11:51 <DIR> Debuggers
    01.03.2011 11:04 <VERBINDUNG> Documents and Settings [D:\Users]
    01.03.2011 10:38 <DIR> PerfLogs
    01.03.2011 12:24 <DIR> Program Files
    01.03.2011 11:04 <DIR> ProgramData
    01.03.2011 12:06 <DIR> sources
    01.03.2011 11:51 <DIR> SysInt
    29.04.2011 22:09 <DIR> System Volume Information
    01.03.2011 11:04 <DIR> Users
    01.03.2011 12:25 <DIR> Windows
    01.03.2011 11:51 <DIR> XPerf
found here http://winboards.net/viewtopic.php?t=5595
crc, sha + md5 ^^
an untouched image would be great
nexus, usually 'TR/Hijacker.Gen' are false positives, first of all when you receive 1/42 even on VirusTotal... Don't you think? Heuristic scan, if it's set too high, can be full of false alerts... Those folders are full of debugging and developer stuff, so it's still possible that an AV could try a false alert in one of them, but they are not, be sure... ( Bin - BuildBinaries - Debuggers ) Those folders aren't needed for the O.S. of "normal users" and you can easily delete them if you're really afraid, even if, I'll tell you again, there are no harmful files in them, if your ISO comes from the torrent posted here at MDL. CU Clay