Author Topic: Likely false positive uninstall program ?  (Read 6181 times)


Offline davexnet

  • Poster
  • *
  • Posts: 540
Likely false positive uninstall program ?
« on: December 03, 2010, 08:00:01 PM »
Hi, I get a notification on a file called remove.exe when I scan the HDD.
It's in a sound card driver package, apparently the uninstall program.

Here's the virustotal link:
http://www.virustotal.com/file-scan/report.html?id=d0304a38b75810789bbb6d847c8c99bc26b2d29bb6eac7902e4b4fbc7173e2f1-1291402476

Thanks for any info.
AMD FX-4300 4GB DDR3
avast free 2279 (Windows XP), MBAM free

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
Re: Likely false positive uninstall program ?
« Reply #1 on: December 03, 2010, 08:40:13 PM »
ThreatExpert's awareness of the file "remove.exe":
http://www.threatexpert.com/files/remove.exe.html

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
Re: Likely false positive uninstall program ?
« Reply #2 on: December 04, 2010, 05:39:05 PM »
Malwarebytes did not add detection for the file

Norman analysis: File is not malicious - REMOVE.EXE : Clean!

Sample sent to avast! ... ;)

« Last Edit: December 04, 2010, 05:46:25 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89280
  • No support PMs thanks
Re: Likely false positive uninstall program ?
« Reply #3 on: December 04, 2010, 06:20:47 PM »
Some uninstall functions will get pinged, simply because of what they do and this remove.exe. The win32:CIH actions filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS.

So I don't know exactly what remove.exe does, as some removal tools may overwrite what was removed, but I rather doubt that it is a good detection, given the low number of hits on the VT Results and Prevx calling it a 'Medium Risk Malware' which is at odds with the severity of win32:CIH. Other than prevx only avast and gdata detect anything (counts as one), see below.

http://en.wikipedia.org/wiki/CIH_%28computer_virus%29

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Even though Pondus has sent a sample, I would say you should also - Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
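The counting DavidR does above (avast plus GData is one detection, not two, because GData bundles the avast engine) is easy to get wrong by eye on a long VirusTotal table. The script below is an added example, not code from this thread, from avast or from VirusTotal: it collapses a multi-engine report into independent detections using a scanner-to-engine lineage table. Only the avast/GData relationship comes from the thread; the second GData engine, the other rows of ENGINE_FAMILY, the SAMPLE_REPORT verdicts and the one-hit threshold are all constructed for illustration.

```python
"""Count independent detections in a multi-engine scan report.

Added example. Two rows in a VirusTotal-style report can be one engine seen
twice when a vendor resells another vendor's engine. ENGINE_FAMILY and
SAMPLE_REPORT below are constructed; only "GData bundles avast" is from the
thread, every other entry is an assumption standing in for a real lineage table.
"""

# Constructed lineage table: scanner -> set of underlying engine families.
ENGINE_FAMILY = {
    "Avast": {"avast"},
    "GData": {"avast", "bitdefender"},   # dual-engine product; 2nd engine is an assumption
    "Prevx": {"prevx"},
    "Kaspersky": {"kaspersky"},
    "Norman": {"norman"},
    "Malwarebytes": {"malwarebytes"},
}

# Constructed report shaped like the thread: a few hits, one of them a rebadged avast engine.
SAMPLE_REPORT = {
    "Avast": "Win32:CIH",
    "GData": "Win32:CIH",
    "Prevx": "Medium Risk Malware",
    "Kaspersky": None,
    "Norman": None,
    "Malwarebytes": None,
}


def independent_detections(report, families=ENGINE_FAMILY):
    """Group detecting scanners by the engine that most plausibly fired.

    Returns {family_key: [scanner, ...]}. Single-engine scanners are handled
    first; a multi-engine product is then credited to a family that already
    fired (it is re-reporting that engine's verdict) and only opens a new
    group if none of its engines did.
    """
    def fams(scanner):
        # An unknown scanner is treated as its own independent family.
        return families.get(scanner, {scanner.lower()})

    hits = {}
    detecting = [(s, v) for s, v in report.items() if v]
    for scanner, _verdict in sorted(detecting, key=lambda sv: len(fams(sv[0]))):
        f = fams(scanner)
        shared = sorted(x for x in f if x in hits)
        if shared:
            key = shared[0]
        elif len(f) == 1:
            key = next(iter(f))
        else:
            key = "/".join(sorted(f))   # cannot tell which bundled engine fired
        hits.setdefault(key, []).append(scanner)
    return hits


def summarize(report, families=ENGINE_FAMILY, fp_prior_threshold=1):
    """Raw vs independent hit counts plus a low-confidence flag.

    The flag is a triage prior only (threshold is a constructed assumption).
    In this very thread the single independent detection turned out to be
    correct, an inert CIH fragment inside the installer, so a low count argues
    for submitting the sample to the vendor, not for silently excluding the file.
    """
    groups = independent_detections(report, families)
    raw = sum(1 for v in report.values() if v)
    return {
        "raw_hits": raw,
        "independent_hits": len(groups),
        "groups": groups,
        "engines_scanned": len(report),
        "low_confidence_detection": len(groups) <= fp_prior_threshold,
    }


if __name__ == "__main__":
    print("with Prevx:", summarize(SAMPLE_REPORT))
    # Prevx later withdrew its detection; re-run the count without it.
    without_prevx = {k: (None if k == "Prevx" else v) for k, v in SAMPLE_REPORT.items()}
    print("after Prevx withdrew:", summarize(without_prevx))
```

With the constructed report the three raw hits collapse to two independent detections (avast/GData and Prevx); once Prevx drops out, as happens later in the thread, only one remains.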

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
Re: Likely false positive uninstall program ?
« Reply #4 on: December 04, 2010, 06:38:22 PM »
Quote
Other than prevx only avast and gdata detect anything (counts as one), see below
Prevx have removed detection ....

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89280
  • No support PMs thanks
Re: Likely false positive uninstall program ?
« Reply #5 on: December 04, 2010, 07:27:27 PM »
Definitely now only counts as one and highly likely an FP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: Likely false positive uninstall program ?
« Reply #6 on: December 04, 2010, 11:57:01 PM »
File is detected correctly. File REMOVE.exe is a Wise (un)installer and one of the included files contains part of the old virus CIH v1.2 TTIT. The virus couldn't be active, but is still there. So better detect than sorry :-)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89280
  • No support PMs thanks
Re: Likely false positive uninstall program ?
« Reply #7 on: December 05, 2010, 12:06:17 AM »
Thanks for the input misak.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
Re: Likely false positive uninstall program ?
« Reply #8 on: December 05, 2010, 06:05:14 AM »
Quote
File is detected correctly. File REMOVE.exe is a Wise (un)installer and one of the included files contains part of the old virus CIH v1.2 TTIT. The virus couldn't be active, but is still there. So better detect than sorry :-)
Thanks for the good explanation why some AV chose to detect and some don't

And Norman confirms that
Quote
Hi,
Might contain some part of CIH infection, it seems to be corrupted. It won't infect other files anymore, it's dead.

« Last Edit: December 06, 2010, 12:09:36 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
Re: Likely false positive uninstall program ?
« Reply #9 on: December 06, 2010, 12:11:06 PM »
Avira lab

Quote
Thank you for your email to Avira's virus lab.
Tracking number: INC00644556.


A listing of files alongside their results can be found below:

File ID    Filename     Size (Byte)   Result
25970556   REMOVE.EXE   172.63 KB     DAMAGED FILE (UNKNOWN)

Please find a detailed report concerning each individual sample below:

Filename     Result
REMOVE.EXE   DAMAGED FILE (UNKNOWN)


The file 'REMOVE.EXE' has been determined to be 'DAMAGED FILE (UNKNOWN)'. In particular this means that this file is damaged and not working properly. We could not find any malicious content. However the heuristic detection module may still detect this particular file even though it is damaged. In that case we will not adjust and remove detection for this damaged file.
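Avira's verdict above is "damaged": structurally broken, nothing malicious found, yet heuristics may still fire on the fragments. The script below is an added example, not Avira's or avast's code, showing the kind of parse-level PE sanity check a triage pipeline can run to reproduce a "damaged file" call for itself before deciding whether a detection on a non-loadable file deserves an exclusion. The minimal PE image is built inline and is constructed; the specific checks (header bounds, section count, section data inside the file) are an assumption about what "damaged" means, not Avira's criteria.

```python
"""Structural sanity checks on a PE file, in the spirit of a "damaged file" verdict.

Added example. check_pe() walks the DOS header, PE signature, COFF header and
section table and reports anything that points outside the file. The sample
image and its broken variants are constructed here so the script runs offline.
"""
import struct

E_LFANEW_OFFSET = 0x3C        # offset of the PE-header pointer in the DOS header
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96             # the Windows loader's documented section limit


def check_pe(data):
    """Return (is_intact, problems) for the bytes of a supposed PE file."""
    problems = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, ["missing MZ header"]
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return False, ["e_lfanew points past end of file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, ["missing PE signature"]
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if nsections == 0 or nsections > MAX_SECTIONS:
        problems.append("implausible section count %d" % nsections)
    section_table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    for i in range(min(nsections, MAX_SECTIONS)):
        off = section_table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            problems.append("section header %d truncated" % i)
            break
        raw_name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append("section %s raw data runs past EOF" % name)
    return (not problems), problems


def build_sample_pe():
    """Constructed minimal PE32 image: one .text section, 1024 bytes in total."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)              # PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt size
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sect
    img += b"\0" * (0x200 - len(img))      # pad headers up to the section's raw data pointer
    img += b"\xC3" * 0x200                  # section body (RET opcodes as filler)
    return bytes(img)


def damaged_variants():
    """Constructed ways a file ends up 'damaged': truncation and a bad e_lfanew."""
    good = build_sample_pe()
    truncated = good[:0x300]                                # cut mid-section, like a partial write
    bad_ptr = bytearray(good)
    struct.pack_into("<I", bad_ptr, E_LFANEW_OFFSET, 0xFFFF0)  # PE header pointer beyond EOF
    return {"intact": good, "truncated": truncated, "bad_e_lfanew": bytes(bad_ptr)}


if __name__ == "__main__":
    for label, blob in damaged_variants().items():
        ok, why = check_pe(blob)
        print("%-12s %s %s" % (label, "INTACT" if ok else "DAMAGED", "; ".join(why)))
```

A file that fails these checks cannot be mapped and run by the loader, which is the practical meaning of Norman's "it's dead" and Avira's "not working properly"; a scanner's signature match on leftover bytes in such a file is a reason to send the sample to the vendor, as the thread does, rather than to assume either verdict blindly.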