  1. #1
    Administrator Rick Corbett's Avatar

    Warning re: current MiniTool Partition Wizard Free download

    I just downloaded MiniTool Partition Wizard Free (pw103-free.exe) from the MiniTool website.

    When I went to install it in Windows 10 the installation was halted by Windows Defender with the following:

    trojan.png

    I did a double-check by re-imaging the laptop and trying to install MiniTool Partition Wizard Free again and had the same warning from Windows Defender.

    I uploaded the installer to VirusTotal and was shown this:
    vt-minitool.jpg

    I've emailed MiniTool support but haven't yet had a reply.

    EDIT: I also downloaded MiniTool Partition Wizard Free from the MajorGeeks website. It's the same version and same filename but a different filesize. I checked it using VirusTotal and this second download also shows problems.

    Further reading around suggests that v10.3 has introduced adware to itself. I found the previous version (10.2.2) and this passed VirusTotal checks completely.

  2. The Following 2 Users Say Thank You to Rick Corbett For This Useful Post:

    RetiredGeek (2018-09-25),satrow (2018-09-25)

  3. #2
    Super Moderator RetiredGeek's Avatar
    Rick,

    Very Interesting! I just downloaded a fresh copy yesterday and didn't get any warnings from either Windows Defender or Malwarebytes Premium?

    I didn't install it, thank heavens. I just ran a manual scan against the file with Malwarebytes and it checked out OK.
    Interesting-VeryInteresting.JPG
    Interesting...Very Interesting!

    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!


  4. #3
    Administrator Rick Corbett's Avatar
    Quote, originally posted by RetiredGeek:
    "I just ran a manual scan against the file with Malwarebytes and it checked out OK."

    I use Malwarebytes Premium as well. Neither download triggered any warnings when I scanned them manually. I suspect it's just adware in the new version and Windows Defender being a wee bit dramatic. It will be interesting to see what MiniTool support says, if they get back to me.

  5. #4
    Administrator satrow's Avatar
    Just guessing based on the abbreviated classification terminology used - Packed (compression/installer helper), Gen(eric), Pua (potentially unwanted application), heuristic (guess, looks similar to):

    It's a false alarm based on the packer used to create a smaller installer. Defender calls out the packer directly (the .dll isn't part of the installed product, and is left in the Temp folder) and the installed product is clean.

    The only reason the packer is flagged is that it's previously been detected in 'helping' to pack/unpack malware (take that a step or two back and you could also blame the OS maker for facilitating in creating malware by providing the base system to build it on).

    IIRC, 3 of the MS/Sysinternals tools and a larger number of Nir Sofer's tools have been flagged in a similar manner, having been packed alongside malware and subsequently used by that malware to download further malware components or directly help to compromise the affected machine.

    Russinovich considered it quite a compliment that his troubleshooting tools are so efficient as to have been used in this way (saving malware authors time constructing 'better' modules), during a video interview at a Berlin InfoSec conference several years ago.
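
The label reading described in post #4, as an added example that is not part of the original thread: it splits each engine's detection label into tokens and counts how many detections carry only the generic-style markers listed in that post (Packed, Gen/Generic, Pua, heuristic). The engine names and labels in `SAMPLE` are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# Abbreviations and meanings as listed in post #4 of this thread.
MARKERS = {
    "packed": "packer / installer helper",
    "gen": "generic",
    "generic": "generic",
    "pua": "potentially unwanted application",
    "heuristic": "heuristic (looks similar to)",
}

def markers_in(label):
    """Return the meanings of the generic-style markers found in one label."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    return sorted({MARKERS[t] for t in tokens if t in MARKERS})

def triage(results):
    """Summarise {engine: label or None}; None means the engine reported nothing."""
    summary = {"clean": 0, "generic_style": 0, "specific": 0, "markers": Counter()}
    for label in results.values():
        if not label:
            summary["clean"] += 1
            continue
        found = markers_in(label)
        # A label with none of the markers names something else and needs
        # a closer look than a packer or PUA-style hit.
        summary["generic_style" if found else "specific"] += 1
        summary["markers"].update(found)
    return summary

# Constructed sample: engine names and labels are invented, not real verdicts.
SAMPLE = {
    "EngineA": "Packed.Gen.Installer",
    "EngineB": "PUA/Bundler.Heuristic",
    "EngineC": None,
    "EngineD": "Generic.PUA.2",
    "EngineE": None,
    "EngineF": "Trojan.ExampleFamily.B",
}

if __name__ == "__main__":
    s = triage(SAMPLE)
    print("clean:", s["clean"], "generic-style:", s["generic_style"],
          "specific:", s["specific"])
    for meaning, count in s["markers"].most_common():
        print(f"  {count} x {meaning}")
```

A high share of generic-style labels is a prompt to verify the file by other means (vendor contact, hash comparison, a test install in a VM), not a verdict in either direction.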

  6. #5
    Administrator Rick Corbett's Avatar
    Quote, originally posted by satrow:
    "Just guessing based on the abbreviated classification terminology used - Packed (compression/installer helper), Gen(eric), Pua (potentially unwanted application), heuristic (guess, looks similar to):

    It's a false alarm based on the packer used to create a smaller installer. Defender calls out the packer directly (the .dll isn't part of the installed product, and is left in the Temp folder) and the installed product is clean."

    Good analysis. MiniTool support replied with the news that 'This should be a false positive.' and informed me that the download link on the MiniTools website had been updated so suggested I try a new download.

    Installation of the new download didn't trigger any Windows Defender warning but AVG is now included by default in the installation as a 'ridealong'... and the 'agreement' checkbox is pre-ticked of course.

    pw-avg-ridealong.jpg

    Here's the thing... I compared the SHA1 hashes of both downloads - the original and the new one - and the comparison shows they are identical:

    pw-hash-compare.png

    I've asked MiniTool support if any explanation is available.

    EDIT: I notice that since the installation of Partition Wizard Free 10.3 I now have the Opera browser installed (and it's made itself the default browser). WTH?

    pw-opera-default.jpg

    Nowhere in the MiniTool Partition Wizard Free 10.3 installer did I see any mention of Opera.

    Worse... 5 instances of Opera are running pointing to something called Speed Dial and my device has hung.

    pw-operax5.jpg

    I've sent another email to MiniTool support, this time to ask if the Opera browser is bundled with Partition Wizard Free 10.3.

    (Note: I couldn't post this yesterday as I ran out of time editing the screenshots. I was busy wiping my laptop.)

  7. #6
    Administrator Rick Corbett's Avatar
    Whilst waiting for MiniTool support to reply I wiped my laptop yesterday and restored a backup. Quite frankly I believed the laptop had picked up malware from somewhere.

    I tested both the original and later download of Partition Wizard Free 10.3 in a VM but couldn't get either the Windows Defender warning (first download) or AVG as a bundled app (latest download) so I'm going to assume that it's something to do with the different editions and/or builds of Windows 10 I've been using. My laptop is Windows 10 Pro (not sure what build as I've now restored it) and the VM is Windows 10 Home (1803 Build 17134.48).

    MiniTool support emailed me back today to confirm that Opera is bundled with Partition Wizard Free 10.3:

    Dear Customer,

    Thanks for your reply.
    Opera browser is indeed bundled with MiniTool Partition Wizard Free version, but you can choose not to install it during the process of installing MiniTool Partition Wizard.
    Since version 10.3, we added protect technology, which can prevent the software from being cracked. Many security programs consider the version 10.3 as a security "threat" most probably because of the technology. Considering this situation, we created the new version to fix the problem. Please rest assured, MiniTool Partition Wizard is safe, it is harmless for your system and data.

    Best Regards.

    Note that whilst I did see AVG as a bundled app and was able to avoid it, I most definitely did not see any mention of Opera.

    I've now found and used Partition Wizard Free 10.2 very successfully... but will be avoiding version 10.3. (I've emailed MiniTool support back saying basically the same as I posted here about Partition Wizard Free 10.3.)

    Hope this helps...
