X-ray Doc Posted March 11, 2020 (edited)
I just downloaded ImgBurn from the ImgBurn mirror site. During the install Windows Defender identified a trojan, namely Trojan:Win32/Wacatac.D!ml. It says it was incompletely "remediated". In other words, I guess Defender did not completely remove it. There is no "delete" or "remove" or even "quarantine" available. My only option in Defender is to "allow" the program to make changes. That seems really bad. It tells me the affected file is: C:\Users\dad\AppData\Local\Temp\ns1FBABC9C\ctn3y\zhw1.exe. When I look for that file, it doesn't exist. Why is this trojan in the official download? Any advice on what to do?
Edited March 11, 2020 by X-ray Doc
LIGHTNING UK! Posted March 11, 2020
Are you sure you downloaded the correct file? Does the MD5 of the file you downloaded match the one shown on the website?
X-ray Doc Posted March 11, 2020 Author
I downloaded it from mirror 7 on this webpage: http://imgburn.com/index.php?act=download
How would I check the MD5 of the downloaded exe?
LIGHTNING UK! Posted March 11, 2020
You can use something like this - http://implbits.com/products/hashtab/
That file isn't part of the ImgBurn download, but maybe it's something from installcore (a plugin used by the installer). It could be a false positive though.
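The hash check discussed above can also be scripted. This is an added example, not part of the original thread or of ImgBurn's tooling: it streams a file once, computes CRC32, MD5 and SHA-1 (assumed here to be the three values HashTab lists), and compares them with the published ones. The file contents and "published" values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
import zlib

def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return CRC32, MD5 and SHA-1 as lowercase hex."""
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {"crc32": f"{crc:08x}", "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def normalize(published):
    """Accept the forms a site might print: upper case, spaces, colons, dashes."""
    return "".join(c for c in published.lower() if c in "0123456789abcdef")

def verify(path, published):
    """Return {algorithm: matches} for each published value; reject unknown names."""
    actual = file_digests(path)
    results = {}
    for algo, value in published.items():
        if algo not in actual:
            raise ValueError(f"unsupported algorithm: {algo}")
        results[algo] = hmac.compare_digest(actual[algo], normalize(value))
    return results

def demo():
    # Constructed sample: a stand-in file, not the real installer.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"constructed installer bytes")
        path = tmp.name
    try:
        good = file_digests(path)
        published = {"md5": good["md5"].upper(), "sha1": good["sha1"]}
        ok = verify(path, published)
        with open(path, "ab") as fh:  # simulate a modified download
            fh.write(b"\x00")
        return ok, verify(path, published)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

A match only shows that the file is byte-for-byte the one the site published for that mirror; it says nothing about whether a scanner will accept components the installer bundles or fetches.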
X-ray Doc Posted March 12, 2020 Author (edited)
The MD5 and the other two lines are the same. If you suspect Installcore, what can be done? There has to be a safe way to install your program if the program is trojan-free. I don't remember now if I chose "save" or "run" when I downloaded ImgBurn. Would choosing save and then double-clicking your file afterwards avoid this problem?
Edited March 12, 2020 by X-ray Doc
LIGHTNING UK! Posted March 12, 2020
The other 6 mirrors host files without installcore... or at least were originally given a version without it. Opting to save or run makes no difference.
X-ray Doc Posted March 12, 2020 Author
Houston, we've got a problem! As a test, I uninstalled ImgBurn, rebooted, then reinstalled from the saved exe. At the end of the installation I got the same pop-up message from Windows Defender saying there was a Trojan. Below is a screenshot of the second installation. This time Defender gave me the option to "remove" or "restore". The first time my only option was to "allow" the threat. Something isn't right. Any advice?
X-ray Doc Posted March 12, 2020 Author
I just downloaded and installed from Mirror 5. The downloaded file was named slightly differently, with "clean" at the end. It installed without upsetting Windows Defender!