News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

world clock source

Started by PushPop, December 28, 2017, 09:35:08 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

PushPop

December 28, 2017, 09:35:08 PM Last Edit: December 29, 2017, 12:14:15 AM by hutch--
Good morning
"Non voglio prendere nessuno per i fondell"
Here are the source codes.
I do not understand why it does not work
Greetings
P.S. I do not understand why the previous post is blocked

DO NOT RUN THIS FILE IF YOU DOWNLOAD IT. 15 out of 18 tests on Jotti say it contains a virus.

jj2007

#1
December 28, 2017, 09:41:24 PM
The exe you posted earlier has viruses. There is no doubt about that.
So either you are playing a foul game here (but don't underestimate the Carabinieri!), or you have a virus that attaches itself to the executables that you produce.

I believe that it is the second case, but you will have to explain some things to the forum members who downloaded your stuff. Those who opened your exe may have lost data, or, if it is ransomeware, will receive a nice request one of these days.

I attach an archive with the exe as rebuilt on my PC, and the original exe renamed to *.exv (guess what the "v" stands for?).

LiaoMi

#2
December 28, 2017, 10:38:24 PM
Most likely the author's computer is infected and the new compiled project works fine  :biggrin: Considering how many tools on the desktop, its not surprising.

Check your computer for viruses, these utilities work without installation
Dr.Web CureIt! http://download.geo.drweb.com/pub/drweb/cureit/cureit.exe
Kaspersky Virus Removal Tool http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
MALWAREBYTES ADWCLEANER https://download.toolslib.net/download/file/1/1345?s=d8iizDQC32J4nJsdy8P6gfdMlyAAIgs5

LordAdef

#3
December 28, 2017, 11:04:00 PM
Wow, that was pretty nasty. But where does this code come from, the op made this prog?

Can a virus get attached like when built?

hutch--

#4
December 29, 2017, 12:07:35 AM
 :icon13:

This is the second posted example.

Jotti test. Dangerous executable, multiple virus positives.

Lavasoft Ad-Aware  25 Dec 2017 Win32.Virtob.Gen.12   Avast! Antivirus  28 Dec 2017 Win32:Vitro   AVG  28 Dec 2017 Win32/Virut BitDefender Antivirus  28 Dec 2017 Win32.Virtob.Gen.12   ClamAV  28 Dec 2017 Found nothing   Dr. Web  28 Dec 2017 Win32.Virut.56 MicroWorld eScan  28 Dec 2017 Found nothing   ESET  28 Dec 2017 Win32/Virut.NBP   Fortinet  27 Dec 2017 W32/Virut.CE F-PROT Antivirus  28 Dec 2017 W32/Virut.AI!Generic   F-Secure Anti-Virus  28 Dec 2017 Win32.Virtob.Gen.12   G DATA  28 Dec 2017 Win32.Virtob.Gen.12 Ikarus  28 Dec 2017 Virus.Win32.Virut   K7 AV  28 Dec 2017 Found nothing   Kaspersky Anti-Virus  28 Dec 2017 Virus.Win32.Virut.ce Sophos  28 Dec 2017 W32/Scribble-B   Trend Micro Antivirus  27 Dec 2017 PE_VIRUX.J   VBA32  28 Dec 2017 Virus.Virut.02


> P.S. I do not understand why the previous post is blocked

This is why.

LiaoMi

#5
December 29, 2017, 01:05:58 AM
Pay attention to the first post http://masm32.com/board/index.php?topic=6767.msg72396#msg72396 , that file is also infected  :(

fearless

#6
December 29, 2017, 01:45:09 AM
The files in the ProgressTimer171215.zip once extracted all appear clean when checked with jotti and virustotal - just the initial ProgressTimer171215.zip file triggers. Not sure why or what is infected. The file alternate data stream for the zip or something extra in the zip file? I deleted the zip just in case and ran a virus scan as well just to be sure.

Adamanteus

#7
December 29, 2017, 02:30:09 AM
I'm not looked to this program, but by my experience I could say, that for world clock is need to use timezones database (that time to time changing), as example exist TZL (TimeZone Library), that itself looks like hash-code - and so on ...

PushPop

#8
December 29, 2017, 03:41:05 AM
jj2007
I looked at my PC and I did not find anything.
Next time I send only the sources.
I apologize if I have caused damage to anyone.
Or tell me not to post anything.
Excuse me again, guys

avcaballero

#9
December 29, 2017, 03:55:46 AM
There is no good that does not come from bad. Because of this I have discovered that Kaspersky has a free antivirus and it seems that it is going well and does not consume many resources. :t

jj2007

#10
December 29, 2017, 04:43:37 AM
Quote from: PushPop on December 29, 2017, 03:41:05 AMNext time I send only the sources.
..
Excuse me again, guys

S**t happens. But check your PC thoroughly, there is definitely a virus or trojan that infiltrates your executables. It might even be your assembler or linker - try if you get the same results with a freshly downloaded UAsm and polink, for example.

To understand it better, open the two exes I posted above in Olly and step through them with F7 (not with F8, not with F9!). You will soon see the difference:
a) good exe:
Code Select
Address    Hex dump              Command                              Comments
<ModuleEnt Ú$  6A 00             push 0                               ; ÚWindowName = NULL
0040102B   ³.  68 00404000       push offset 00404000                 ; ³ClassName = "MainWinClock1"
00401030   ³.  E8 E30F0000       call <jmp.&user32.FindWindowA>       ; ÀUSER32.FindWindowA
00401035   ³.  85C0              test eax, eax
00401037   ³. 74 1E             jz short 00401057
00401039   ³.  68 E8030000       push 3E8                             ; ÚArg6 = 3E8
0040103E   ³.  6A 00             push 0                               ; ³Arg5 = 0
00401040   ³.  6A 30             push 30                              ; ³Arg4 = 30
00401042   ³.  6A 00             push 0                               ; ³Arg3 = 0
00401044   ³.  68 B0414000       push offset 004041B0                 ; ³Arg2 = ASCII "Programm Running"
00401049   ³.  6A 00             push 0                               ; ³Arg1 = 0
0040104B   ³.  E8 CE0F0000       call <jmp.&user32.MessageBoxTimeoutA ; Àuser32.MessageBoxTimeoutA
00401050   ³.  6A 00             push 0                               ; ÚExitCode = 0
00401052   ³.  E8 A5100000       call <jmp.&kernel32.ExitProcess>     ; ÀKERNEL32.ExitProcess
00401057   ³>  6A 00             push 0                               ; ÚModuleName = NULL
00401059   ³.  E8 A4100000       call <jmp.&kernel32.GetModuleHandleA ; ÀKERNEL32.GetModuleHandleA
0040105E   ³.  A3 E44B4000       mov [404BE4], eax
00401063   ³.  E8 A0100000       call <jmp.&kernel32.GetCommandLineA> ; [KERNEL32.GetCommandLineA
b) your exe:
Code Select
Address    Hex dump              Command                              Comments
<ModuleEnt Ú$  83C4 E0           add esp, -20
0040BEAE   ³.  E8 B1000000       call 0040BF64
0040BEB3   ³.  0FC16C24 24       xadd [esp+24], ebp
...
0040BF64   Ú$ À60                pushad
0040BF65   ³.  FF7424 44         push dword ptr [esp+44]
0040BF69   ³.  BD 7651FFFF       mov ebp, FFFF5176
0040BF6E   À.  FF6424 24         jmp near [esp+24]
0040BF72    .  6C 30 72 32 00    ascii "l0r2",0                       ; ASCII "l0r2"
0040BF77    . E9 FDFEFFFF       jmp 0040BE79
...
0040BEB3   ³.  0FC16C24 24       xadd [esp+24], ebp
0040BEB8   ³.  8B1C24            mov ebx, [esp]
0040BEBB   ³.  66:81E3 0083      and bx, 8300
0040BEC0   À. E9 D6B3FFFF       jmp 0040729B
0040BEC5   Ú>  8F46 14           pop dword ptr [esi+14]
0040BEC8   ³.  2146 1C           and [esi+1C], eax
0040BECB   ³.  8D8D BF000000     lea ecx, [ebp+0BF]
0040BED1   À. EB 6D             jmp short 0040BF40

See the difference? Besides, your exe has 36864 bytes, the one built on my PC with the same source has only 17408. Guess what the extra code does...
Print
Go Up Pages1
User actions