Mini tool partition wizard a threat?

tinmar49 · 18 Jan 2020

I have Mini Tool Partition Wizard on all my pc's. When I opened the free version on this pc, it prompted me to update to the latest version which was not unexpected, and as I went through the update process which was exactly the same as updates in the past, Windows Security killed it dead. Trying to find out more, I couldn't find any reference to the actual name of the program. Any

thoughts?

Samuria · 18 Jan 2020

Upload the installer to VirusTotal see what it makes of it

tinmar49 · 18 Jan 2020

I can't, the program has vanished from my machine, I even looked in control panel. Tomorrow, I will open up the program in another of my pc's and see if the same thing happens.

1PW · 19 Jan 2020

VirusTotal

Please read the last community remark.

RolandJS · 19 Jan 2020

Tinmar49, exactly where did that download come from? MiniTool Partition Wizard, both free and fee, are available from MiniTool web site www . minitool.com / partition-manager / partition-wizard-home . html.
I suspect the other version is in a quarantine bucket in one or more of the security programs you use. Most allow restore, however, you might be better off to download and use the one directly from MiniTool.

tinmar49 · 19 Jan 2020

I have found threat references on Windows security, and have followed the instructions to scam and remove them . This took four short scans, now there are no threats detected.
I will now follow Roland's link and re install the program.
I was just opening the MTPW and followed the prompt to update when this happened, and the update proceeded exactly the same as frequent earlier updates of the program have gone. I scan frequently using the full Windows Security scans, and their offline scans, in addition to Malwarebytes free. The last scans were done on the same day as the problems arised.

- - - Updated - - -

Having reinstalled MTPW from Roland's link, and unticked a lot of unwanted extras as it proceeded, the program opened as normal and my disc drives showed up as expected. Windows Security immediately showed two potential threats.
I ran Malwarebytes and two addware related items showed up, which I quarantined. A further scan with W S was clear.

- - - Updated - - -

I have just run MTPW and their other program, Shadowmaker, without any interruptions from WS, so, hopefully things may have settled down. I will now try an offline scan and see what happens.

- - - Updated - - -

Since promising to try the Windows offline scan, I have tried and failed four times to get it to start, a full scan worked ok

RolandJS · 19 Jan 2020

Tinmar, thanks for your very informative update! I did not know so many extra"goodies" came with that program! If Windows Security labeled the threats, can you tell us those names?

tinmar49 · 20 Jan 2020

The Windows Security flagged the following programs:

PVA : Win32/install core

PVA : Win 32/relavent knowledge

Malwarebytes found two pups :

Adware. premier opinion (folder)

Adware. premier opinion (file)

These are either not allowed, or quarantined and MTPW still works as expected. Since the first part of this post, I have successfully run an offline scan which was clear.

I have just turned on my laptop, which doesn't get used much, run MTPW and as expected, the latest version was offered. When running through the install process, I noticed what at first glance was the EULA but was something else and unchecked it. However, I am running Malwarebytes on the laptop at present and there are 20 threats, each with the title "Adware Premier".

braveheart1992 · 26 Feb 2024

Surprisingly, I've been using it for so long without knowing it's malicious software. But anyway, it has helped me partition hard drives quite quickly and for free. The latest report from VirusTotal records it as 25/70 points.
A RANSOMWARE SUSPECTED CONTAINED (!)

VirusTotal
VirusTotal

Free Automated Malware Analysis Service - powered by Falcon Sandbox
"System Destruction" - "Opens the file with access rights to deletion"
"Opens many files with write access (often an indicator of complete system infection)"
"Opens the Windows Kernel Security Device Driver (KsecDD)"

…. that evently has been removed

Thank you.

- - - Updated - - -

More details on Joe Sandbox's Analysis:

Verdict: MAL
Score: 42/100
Classification: mal42.spyw.evad.winEXE@39/497@20/10
Domains: vps.sihomuwe-ter.com stats.l.doubleclick.net cdn2.minitool.com tracking.minitool.com cloud.sihomuwe-ter.com MiniTool Software | Best Partition Manager & Data Recovery [Software] Google api.sihomuwe-ter.com MiniTool Partition Wizard | Best partition magic alternative for Windows PC and Server ww1.sihomuwe-ter.com stats.g.doubleclick.net
Hosts: 104.20.7.9 52.209.200.29 199.115.112.67 104.20.6.9 108.177.15.157 216.58.207.35 85.159.237.103 34.252.94.12 104.20.144.70 104.20.145.70 omegle

HTML Report: Automated Malware Analysis - Joe Sandbox Cloud Basic
PDF Report: Automated Malware Analysis - Joe Sandbox Cloud Basic
Executive Report: Automated Malware Analysis - Joe Sandbox Cloud Basic
Incident Report: https://www.joesandbox.com/analysis/245931/0/irxml
IOCs: https://www.joesandbox.com/analysis/...ype=analysisid

Ghot · 27 Feb 2024

@tinmar49

Here's a dropbox link to MTPW 12.1 - free (this is my copy)

Dropbox - Partition Wizard 12.1 - free.zip - Simplify your life

Here the Virustotal results... (it's 100% clean)

VirusTotal

After it's installed, before running the program, block these two files in your firewall.
Then it can't update or call home.