
rainlist.exe is a trojan according to windows defender

rick-t-fiedrain » October 7th, 2018, 8:52 pm

I was moving a bunch of stuff from my documents folder (under Users/Username/Documents) which included some folders with backup and old Rainmeter skins.

As the files transfer to another drive, every time rainlist.exe gets moved Windows Defender calls it a trojan.
As I type this I'm up to 7 such "trojans" and counting. Each of them has been linked to the rainlist.exe file.

Is this a true threat or a known false positive?


Re: rainlist.exe is a trojan according to windows defender

eclectic-tech » October 8th, 2018, 1:04 am

That is a compiled version of the Auto-It script I have in my Lua Calendar folder (@Resources\Addons\Options\RainList.au3)

Here is what I have in the actual script (RainList.au3):

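Code:

#include <Array.au3>
#include <File.au3>
#include <SendMessage.au3>

; Need at least a folder and a bang template, and Rainmeter must be running.
If $CmdLine[0] < 2 Or Not ProcessExists("Rainmeter.exe") Then
	Exit
EndIf

; Optional third argument is passed to _FileListToArray as its flag.
If $CmdLine[0] = 3 Then
	$ArrayType = $CmdLine[3]
Else
	$ArrayType = 0
EndIf

; Replace $FileList$ in the bang with a |-separated listing of the folder.
$Folders = _FileListToArray($CmdLine[1], "*", $ArrayType)
$Text = StringReplace($CmdLine[2], "$FileList$", _ArrayToString($Folders, "|", 1))
; Turn HTML-escaped quotes in the argument back into real double quotes.
$Text = StringReplace($Text, "&quot;", Chr(34))
_SendBang($Text)

; Send the bang string to the Rainmeter window through WM_COPYDATA.
Func _SendBang($szBang)

   Local Const $hWnd = WinGetHandle("[CLASS:RainmeterMeterWindow]")

   If $hWnd <> 0 Then
      Local Const $iSize = StringLen($szBang) + 1

      Local Const $pMem = DllStructCreate("wchar[" & $iSize & "]")
      DllStructSetData($pMem, 1, $szBang)

      ; COPYDATASTRUCT: dwData = 1, cbData = size in bytes, lpData = string
      Local Const $pCds = DllStructCreate("dword;dword;ptr")
      DllStructSetData($pCds, 1, 1)
      DllStructSetData($pCds, 2, ($iSize * 2))
      DllStructSetData($pCds, 3, DllStructGetPtr($pMem))

      Local Const $WM_COPYDATA = 0x004A
      _SendMessage($hWnd, $WM_COPYDATA, 0, DllStructGetPtr($pCds))
   EndIf
EndFunc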

Nothing looks unusual to me, so I would think you are seeing a false positive...
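
Added example (not part of either post, and not code from Rainmeter or from the skin's author): when the same file name is flagged several times across backup folders, a useful first check is whether all the copies are byte-identical or whether one of them differs. This Python example groups every rainlist.exe under a folder by SHA-256 and lists the copies that differ from the most common hash (or from a reference hash you supply); the function names and the sample folder tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_copies(root, name="rainlist.exe"):
    """Map SHA-256 -> sorted paths of every file called `name` under root."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():  # Windows names are case-insensitive
                full = os.path.join(dirpath, fn)
                groups[sha256_file(full)].append(full)
    return {h: sorted(p) for h, p in groups.items()}


def outliers(groups, reference_sha256=None):
    """Paths whose hash differs from the reference (default: most common hash)."""
    if not groups:
        return []
    ref = reference_sha256 or max(groups, key=lambda h: len(groups[h]))
    return sorted(p for h, paths in groups.items() if h != ref.lower() for p in paths)


def demo():
    """Constructed sample: three skin backups, one copy with different bytes."""
    with tempfile.TemporaryDirectory() as root:
        for skin, data in [("A", b"MZ-same"), ("B", b"MZ-same"), ("C", b"MZ-other")]:
            d = os.path.join(root, skin, "@Resources", "Addons", "Options")
            os.makedirs(d)
            with open(os.path.join(d, "RainList.exe"), "wb") as f:
                f.write(data)
        groups = group_copies(root)
        return len(groups), [os.path.relpath(p, root) for p in outliers(groups)]


if __name__ == "__main__":
    print(demo())
```

If every copy shares one hash, the detections all refer to a single binary; a copy with a different hash is the one to examine separately.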