Jump to content

Trojans in my plugins?!?

Recommended Posts

2 days ago some of my plug-ins stopped working, and my Kaspersky anti-virus warned me of trojans, finding 18 in the plug-in folders. Now, I don't recall if the warning came before or after the plug-ins stopped working.

So I loaded the files onto my bosses computer, he never uses VW. All was fine, then his Kaspersky anti-virus warned me of the same trojans! I'm afraid to do the scan and possibly screw up the VW on that computer - I'm terrified of losing all my symbols etc.

I've removed VW from my PC and am about to re-install it. Guess now I've lost all my shortcuts, there goes hours of work!

Any clue about these trojans? What's going on???

Thanks for any advice.


Windows 7

Link to comment

Same here.

Kaspersky finds Trojan.Win32.Mediyes and deletes the infected plugin dlls on 4 of our PCs with VW2011 Architect on Win7x64

I did a full scan of the hard disks in each PC using an up to date copy of Kaspersky Internet Security 2012 and it only found Trojans in the VW plugin dlls.

I deleted VW2011 application folder and reinstalled it from my own installation file and also from the file redownloaded from VSS today. Both times Kaspersky again detected the Trojans in the plug ins.

I am now updating the PC with Windows updates (20 updates) and downloading MS Security Essentials to see if that does anything.

The 2 machines I am trying to fix are REALLY slow right now.

not happy.

Link to comment
  • Vectorworks, Inc Employee

Apparently a recent update by Kaspersky caused it to identify files in Vectorworks as containing viruses when they actual do not.

Till Kaspersky corrects the error the only thing to do is to create a trusted zone.

1. Create a trusted Zone and pick Vectorworks: http://latam.kaspersky.com/knowledge-base-article/2695

2. And then uninstall Vectorworks and reinstall if the plug-ins have been compromised (deleted).

An article should be posted in the knowledge base soon with more information.

Link to comment

Yeesh! Those are exactly the same Trojans.

It wasn't on my bosses computer until I opened a particular file - could it be in there - I used a symbol from a CAD symbol site, and some from Kohler. 2 fonts from Fonts101 last week. But computers are networked.

Please let me know how things go?

What a waste of time, energy & money.

Link to comment

Thanks Kevin - I had a feeling it was a Kaspersky issue with VW...it just felt like a strange place for a virus to target.

BUT - according to the internet, the Trojan.Win32.Mediyes is a real virus - how can I be sure before allowing Kaspersky to ignore it?

Link to comment
  • Vectorworks, Inc Employee

The only way to tell is by checking the MD5 check sums of the file against an unaltered one to see if it has been changed.

This is something that happened with Kaspersky in the past day or so, we are still gathering the details at this point.

Once we get the knowledge base article created with all the details I'll make sure a like gets posted here.

Link to comment
The only way to tell is by checking the MD5 check sums of the file against an unaltered one to see if it has been changed.

Thank you, Kevin.

I'm Live Chatting with Kaspersky now, and "They will respond to via e-mail with whether or not this is a false positive. If it's not an infection, no action is required. If it is infected, they will let you know and provide further steps to resolve the issue."

I don't know how to do what you said, but I will post the outcome of Kaspersky's analysis so you know.

Link to comment


Kaspersky has been a right pain in the arse about this - friendly, but so many avenues that are trying to deal with it / assuming it's been taken care of. But they have the info, I guess the next release will work better. I keep trying to work-around the issue, but may ditch them, as it would be cheaper than my time wasted, and VW is SO glitchy now - DAYS spent on this! GGrrrrrr!!!!

Link to comment

It's hard to see from your image, JHEarcht, but it looks like the same files that Kaspersky is picking up and deleting on my computer. Door, TrueType, General Notes, among about 30 others.

Some* of them work again now that I have 'restored' them, but I can't use the door tool, nor change the door properties - awesome.

What is this plug-in you're talking about?

Link to comment
Guest Jim Kelly

In the interest of keeping you guys a bit in the loop on this, we are continuing to look at this and have contacted Kaspersky. I'm hoping we have some resolution to the issue in the near future, but as you can understand we're trying to be thorough and get feedback from Kaspersky themselves before making any definitive statements.

Link to comment
  • 2 weeks later...
Guest Jim Kelly

I wanted to fill you all in on where we ended up on this. After a lengthy internal investigation, we've found no evidence of a trojan. We've confirmed that the alerts were coming from DVD-installed versions of Vectorworks, sometimes even from versions years old, meaning that this is not some new virus infection targeting Vectorworks. We took the alternate possibility seriously, that somehow there was something in our shipping code, but found no evidence of this.

As a result, we believe this was a false positive. We tried to contact Kaspersky on this, but they refused to even acknowledge the question, and would only treat our query as if it were an individual incident.

I apologize for the delay in getting a definitive answer on this, but I'm sure you understand there's a need to be careful and investigate all avenues. If anyone has further questions on this, let me know.

Link to comment
Guest Jim Kelly

To clarify my statement regarding DVD-installed versions of Vectorworks, that statement was regarding our efforts to eliminate the possibility that someone had maliciously replaced our downloadable installers.

Link to comment

Thank you, Jim.

I went through a huge, lengthy thing with Kaspersky, and they have updated their 2012 Anti-virus so it no longer finds these false-positives (which they agreed were false). The 2012 is a free update, for anyone using Kaspersky 2011.

Guess all our nagging with them worked!

Link to comment
Guest Jim Kelly

Thanks for updating us on what happened, that's more than I was able to get out of them, even after identifying myself as an employee (and writing to them from a vectorworks.net address), so it's good to have some more information we can pass on to people.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...