Avast WEBforum

Other => General Topics => Topic started by: szc on January 19, 2005, 02:58:17 PM

Title: Killapps.exe - reported by a2
Post by: szc on January 19, 2005, 02:58:17 PM
I just started scan process with a2, and at the end of scan, I've got report that one file is classified as malware. The name of the file is KILLAPPS.EXE and it's located in Windows/System32 subfolder (WinXP Pro SP2). I've searched all over the net and found this thread at Wilders forum:
http://www.google.ca/search?q=cache:g8LVPWp3MwsJ:www.wilderssecurity.com/showthread.php%3Ft%3D13039%26goto%3Dnextnewest+what+is+killapps.exe&hl=en

Some of them are saying that file belongs to some specific SoundBlaster cards (Audigy etc.), but I don't have Audigy, my SoundBlaster model is SB Live! Value. I've also found out that some antiviruses are recognizing that file as malware, but after double checking by developers, they all agreed that it's just a false positive.

I would really like to hear Alwil's opinion, as we all know, whom to trust if not our host, hehe... is there any chance I can send that file to someone for further checking ?

Note: Never ever had any problems with my system in the past, it's working flawlessly, but I'm just wondering what's the story with that file... I don't like to have anything that I don't know what's the purpose of it.

Here is the screenshot from a2...

Cheers !
Title: Re: Killapps.exe - reported by a2
Post by: toadbee on January 19, 2005, 03:25:59 PM
Quote
I would really like to hear Alwil's opinion, as we all know, whom to trust if not our host, hehe... is there any chance I can send that file to someone for further checking ?

Note: Never ever had any problems with my system in the past, it's working flawlessly, but I'm just wondering what's the story with that file... I don't like to have anything that I don't know what's the purpose of it.

Here is the screenshot from a2...

Cheers !

You should have it tested here for a second opinion -
http://virusscan.jotti.dhs.org/

If you suspect a false positive - be sure to let Mr. Haak know over there at the a2 forum as well  ;)


Title: Re: Killapps.exe - reported by a2
Post by: szc on January 19, 2005, 03:46:18 PM
I've got this (see attachment)... it looks like it's non-destructive, but still, I don't know why is it classified as malware... it comes from very good and respected sound card manufacturer...  ???

Btw, thanks for the link... great !
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 19, 2005, 05:20:00 PM
Any thoughts Alwil ? Any opinion would be greatly appreciated.

I mean, it sounds so weird... characterized as Malware, but non-destructive malware... Malware is something like abbreviation from Malicious Software, if I'm not wrong... malicious is very close to destructive in these terms, so what should I do when a2 asks me ? Completely delete the file or something else ? Biggest problem is 'cause I can't find anything about the purpose of that file on Creative web site...
Title: Re: Killapps.exe - reported by a2
Post by: igor on January 19, 2005, 05:28:10 PM
Well, according to the name, it sounds like a tool to kill other applications. While some people may consider it "dangerous" (which is probably why it's reported by KAV), it's rather strange - you could report the Task Manager the same way.
Title: Re: Killapps.exe - reported by a2
Post by: toadbee on January 19, 2005, 05:37:31 PM
If I'm getting it right (which only happens now and again  ;D )
Riskware is legitimate software that can be used to do harm.
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 19, 2005, 05:38:08 PM
Quote
Well, according to the name, it sounds like a tool to kill other applications. While some people may consider it "dangerous" (which is probably why it's reported by KAV), it's rather strange - you could report the Task Manager the same way.

Yeah, it's really strange... why would any part of Creative Sound Blaster software package, like to "kill" some other processes ? Really strange...
I may try to completely erase it (uninstall Creative applications), clean the registry, and then reinstall it from the scratch... just to see what's going to happen...
Title: Re: Killapps.exe - reported by a2
Post by: FastGame on January 19, 2005, 10:28:31 PM
Hmmm my a2 doesn't find Killapps.exe. in my creative drivers  ???
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 19, 2005, 10:50:21 PM
Most likely not the same sound card. Mine is SB Live! Value... (quite different than normal SB Live!). Killapps.exe is located in Windows/System32 subfolder, not under default Creative folder.

Also, there is another file that comes with that one, and it's called Kill.ini
Here are contents of that file:

[KILL.B]
audiohqu.exe
rcman.exe

[KILL.A]
ahqrun.exe
ctltray.exe
ctltask.exe
ctplay2.exe
surmix2.exe
rcenter.exe
adgjdet.exe
mplayer2.exe
rcman.exe
cthelper.exe

As we all can see, those applications are Creative applications, nothing else... so it really looks like false alarm. I just reported it to a2 developers.
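
The check done by eye in the post above (every name in Kill.ini is a Creative program) can be automated. The following is an added example, not part of the original thread and not Creative's or a2's code: it assumes Kill.ini is a plain list of process names under `[SECTION]` headers, as posted, and `exampleav.exe` is a constructed placeholder name.

```python
from pathlib import PureWindowsPath

# Allowlist: the process names from the Kill.ini contents posted in this thread.
EXPECTED = {
    "audiohqu.exe", "rcman.exe", "ahqrun.exe", "ctltray.exe", "ctltask.exe",
    "ctplay2.exe", "surmix2.exe", "rcenter.exe", "adgjdet.exe",
    "mplayer2.exe", "cthelper.exe",
}

def parse_kill_ini(text):
    """Return {section: [process names]} for an INI file of bare names."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().upper()
            sections.setdefault(current, [])
        else:
            # Reduce to a lower-case file name so a full path, quotes or
            # upper-case spelling cannot hide an entry from the comparison.
            name = PureWindowsPath(line.strip('"')).name.lower()
            # Entries that appear before any header are kept under "".
            sections.setdefault(current, []).append(name)
    return sections

def unexpected_targets(text, expected=EXPECTED):
    """Return {section: [names not on the allowlist]}; clean sections omitted."""
    findings = {}
    for section, names in parse_kill_ini(text).items():
        extra = sorted({n for n in names if n not in expected})
        if extra:
            findings[section] = extra
    return findings

# The file as posted in the thread.
POSTED = ("[KILL.B]\naudiohqu.exe\nrcman.exe\n\n[KILL.A]\nahqrun.exe\n"
          "ctltray.exe\nctltask.exe\nctplay2.exe\nsurmix2.exe\nrcenter.exe\n"
          "adgjdet.exe\nmplayer2.exe\nrcman.exe\ncthelper.exe\n")
# Constructed sample: the same file with one non-Creative entry appended.
TAMPERED = POSTED + '"C:\\Program Files\\ExampleAV\\EXAMPLEAV.EXE"\n'

if __name__ == "__main__":
    print("posted:  ", unexpected_targets(POSTED))
    print("tampered:", unexpected_targets(TAMPERED))
```

An empty result means the kill list names only the expected vendor programs; any other entry, such as a security product's process, is reported with the section it appears in.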
Title: Re: Killapps.exe - reported by a2
Post by: connie on January 20, 2005, 12:04:18 AM
,
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 12:21:33 AM
Quote
Sasha.. I have an SB Live Value card on one of my systems here.  Out of curiosity I just checked..  neither of those files exist ..   All creative software is installed.   Weird

I don't know, but this is official Creative web site where I downloaded latest drivers and utilities:
http://us.creative.com/support/downloads/download.asp

File is around 24 Mb...

I have had those drivers for at least the last 2 months, and never noticed anything unusual with my computer. Everything works perfect. avast! can't find anything weird with that file, that's why I asked if someone wants me to send that file for further checking. a2 is the only one program that reports it as malware, but not destructive malware as they said.

Cheers !

Title: Re: Killapps.exe - reported by a2
Post by: connie on January 20, 2005, 12:27:29 AM
,
Title: Re: Killapps.exe - reported by a2
Post by: bob3160 on January 20, 2005, 12:28:38 AM
Sasha
ahqrun.exe For Creative Soundblaster Live! series soundcards. Specify for any audio application what audio preset to automatically associate with currently active speaker output. Available via AudioHQ
Stop worrying. It's ok
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 12:38:12 AM
Bob, ahqrun.exe is not a problem... file Killapps.exe is the one that a2 reports as malware...

EDIT: Maybe you guys didn't notice, but those files listed and marked in blue color, are just text file, contents of Kill.ini file.

Only one that is suspicious is Killapps.exe
Title: Re: Killapps.exe - reported by a2
Post by: bob3160 on January 20, 2005, 12:54:25 AM
This is all I can come up with:

There seems to be at least two different things here:-

a) Creative Labs' Audigy sound card uses 2K_XP/Drivers/COMMON/killapps.exe. See here for details:- http://www.soundcard-drivers.com/drivers/58/58954.htm

b) Killapps - which is software used for the control of certain applications. See here:- http://www.killapps.com/screenshots.htm

c) Clearly, if the above two things do not apply, then we have to think in terms of malware.

The most likely explanation is the Audigy sound card.(see here:- http://research.pestpatrol.com/Anal...3-02_212212.asp).

Eliminate this possibility before considering anything else. It is not unknown for the heuristics of an AV to misinterpret the veracity of a prog designed to halt other processes.
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 01:13:13 AM
Yes, that's from Wilders forum I gave link for in my first post in this thread:
Quote
I've searched all over the net and found this thread at Wilders forum:
http://www.google.ca/search?q=cache:g8LVPWp3MwsJ:www.wilderssecurity.com/showthread.php%3Ft%3D13039%26goto%3Dnextnewest+what+is+killapps.exe&hl=en

This Killapps.exe located in Windows/System32 subfolder is not software used for the control of certain applications... As I mentioned before, there is also Kill.ini file (part of this Killapps.exe) and it lists all Creative applications. I also wrote about that. See here:

http://forum.avast.com/index.php?topic=10465.msg89143#msg89143

Second problem... Sound Blaster Audigy is completely different product, much better than SoundBlaster Live! Value. I don't have Audigy, but still have that file... it came with latest driver updates from official Creative website.

I sent that sample to developers of a2, and we'll see from there. Most likely I will never receive answer from them, because that's what I've heard from some people that used to send some samples before... maybe, this time will be different, but that's still just maybe...

Cheers !
Title: Re: Killapps.exe - reported by a2
Post by: bob3160 on January 20, 2005, 01:22:14 AM
Sasha
According to that info, what you have is a false positive from a2. It's not the first one, and I'm sure there will be others.
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 01:32:00 AM
Yes it really looks like that, but it's maybe better to wait... we'll see when I receive info from a2 team. For now, I just removed that file from System32 folder (I have backup)...

Cheers !
Title: Re: Killapps.exe - reported by a2
Post by: bob3160 on January 20, 2005, 01:45:17 AM
I just rename a suspicious file. exe=xee,  com=moc, bat=tab, etc etc. ;D
Can't run what doesn't exist.
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 02:41:25 AM
Yes I know, but I don't want it to physically exist on my HD if it's something suspicious, especially if it's some file that I don't even use. My sound card works great even without all those applications installed. Creative Mp3 player, 100% not needed, anyway I use WinAMP, Creative mixer good, but almost all those options and features you get with default Windows Mixer. Creative Rack in general, complete waste of HD space. The only real thing you need, are those drivers...

I have backup and original installation CD, so if something goes wrong (and I'm 100% sure it won't, because so far nothing is complaining about that file), I know what I have to do... however, I make backups of my whole system every week on Fridays, so one short visit to Ghost won't cost me anything, haha  ;D
Title: Re: Killapps.exe - reported by a2
Post by: Spyros on January 20, 2005, 11:03:56 AM
Andreas Haak's (a2) response about KILLAPS.EXE:
http://forum.emsisoft.com/viewtopic.php?t=2459
Title: Re: Killapps.exe - reported by a2
Post by: igor on January 20, 2005, 11:22:55 AM
If they think about detecting mIRC or FTP servers, then of course they should detect most versions of Outlook/Express and Internet Explorer, too - it's much bigger risk IMHO.
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 12:06:06 PM
Yes, Igor is right... I don't think this is a right way to handle things... tomorrow, they will detect whole Windows OS telling us that there are potential "holes", great exploiting possibilities... OK, maybe it's possible that killapps.exe can be used by some other party to control (turn off) antiviruses and firewalls. but IMHO, a2 should detect those things if they are infected, not telling us what is possible risk. Everything is possible risk today, even walking in the street, breathing, driving in planes and cars...
Title: Re: Killapps.exe - reported by a2
Post by: bob3160 on January 20, 2005, 02:03:34 PM
With that approach, why not just kill the computer?
That would then eliminate the potential of either receiving or spreading malware.
A program that protects you from harm but requires an Einstein to operate isn't much good for the average computer user. IMHO
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 02:18:56 PM
Exactly Bob, and at the end it turned out that killapps.exe is in fact nothing else than little utility provided by Creative and it's used by the Creative setup to terminate active applications before installing/uninstalling Creative software... something like, kill the process so I (installation process) can rewrite them, and be sure that they are not in use in that particular moment...

I just put them back in System32 subfolder...
Title: Re: Killapps.exe - reported by a2
Post by: toadbee on January 20, 2005, 02:30:24 PM
I think the detection by a2 (and kaspersky) is excellent. If nothing else - most of us just learned a thing or two  ;)

Quoting andreas:
Quote
The problem is that the same application is used by several scripts and trojans out there to terminate anti-virus software and firewalls

That sounds like a fact, and therefore a valid detection IMO.
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 02:35:33 PM
OK, true... but, why then a2 don't report IE, Outlook Express or any other application ? As Igor said, those can be easily used to compromise security of our systems... not to mention million of other little anonymous programs that can be used against the user...

I don't need any program telling me that something is wrong with very legitimate file just because it has in its database that that particular program can be used for something else... this one is not infected and that way, can't be used to compromise my system. Why then alarming people and bringing all that confusion. As I said before, it should report if something malicious is found, otherwise I don't wanna see any reports about it... I'm sorry, but just my humble opinion...
Title: Re: Killapps.exe - reported by a2
Post by: toadbee on January 20, 2005, 02:47:29 PM
Quote
OK, true... but, why then a2 don't report IE, Outlook Express or any other application ? As Igor said, those can be easily used to compromise security of our systems... not to mention million of other little anonymous programs that can be used against the user...

I don't need any program telling me that something is wrong with very legitimate file just because it has in its database that that particular program can be used for something else... this one is not infected and that way, can't be used to compromise my system. Why then alarming people and bringing all that confusion. As I said before, it should report if something malicious is found, otherwise I don't wanna see any reports about it... I'm sorry, but just my humble opinion...

And I respect your opinion  :)
The difference is most people not only understand the risks of IE and Lookout, but they also are aware that they're installed on their machine. In this case you are made aware of something you didn't even know you had,  and after explanation - you know now that there are known nasties that exploit that exe. making it your call if you want that on your harddrive.

What I do fully agree with is that A2 should make it clear - "hey don't panic - we're just letting you know". 
Title: Re: Killapps.exe - reported by a2
Post by: szc on January 20, 2005, 02:55:12 PM
Exactly, wonderful explanation !

I agree, it should be something like: "...hey we found some suspicious file, for now nothing is wrong with it, but there is a huge possibility for exploiting that file in the future..."

That would be great, but I guess, we can't have everything "delivered" in front of our nose...

Yes, you're 100% right, I wasn't aware at all that I have that file on my HD until a2 alarmed me... it's just, they should really rephrase those reports sometimes.

Cheers !
Title: Re: Killapps.exe - reported by a2
Post by: lee20 on January 20, 2005, 03:07:37 PM
Does not the a2 forum have a place for suggestions?
Could you not ask for this to be added?

--lee
Title: Re: Killapps.exe - reported by a2
Post by: RejZoR on January 20, 2005, 03:16:18 PM
Heh if it's so, why don't they detect ALL installers that can kill processes (to replace in use files)? That would be a nice mess. And as I can see A^2 is using Kaspersky Engine. That's new for me :P
Title: Re: Killapps.exe - reported by a2
Post by: toadbee on January 20, 2005, 03:21:35 PM
Quote
Heh if it's so, why don't they detect ALL installers that can kill processes (to replace in use files)? That would be a nice mess. And as I can see A^2 is using Kaspersky Engine. That's new for me :P

Egads no - A2 doesn't use any Kaspersky anything  :o
It looks like they use the same if not similar naming convention  ;)
Title: Re: Killapps.exe - reported by a2
Post by: RejZoR on January 20, 2005, 03:31:18 PM
And same detection? I doubt it...

Link:
http://forum.avast.com/index.php?topic=10465.msg89060#msg89060

Only KAV detects it...
Title: Re: Killapps.exe - reported by a2
Post by: toadbee on January 20, 2005, 03:39:38 PM
Quote
And same detection? I doubt it...

Link:
http://forum.avast.com/index.php?topic=10465.msg89060#msg89060

Only KAV detects it...

Nope, and a2 detects it  ;D  You're just going to have to take my word on this one.
a2 has nothing to do with kaspersky  ::)
Title: Re: Killapps.exe - reported by a2
Post by: RejZoR on January 20, 2005, 06:23:01 PM
Fine, I believe you ;D ;)