Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: zivilist on November 21, 2006, 06:39:39 PM

Title: false positive in "AdvancedRemoteInfo 0.6.5.3"
Post by: zivilist on November 21, 2006, 06:39:39 PM
Hello,

when I use the "XP CD-Key" tool in "AdvancedRemoteInfo 0.6.5.3" (http://masterbootrecord.de/english/advancedremoteinfo.php), the notification pop-up appears:

----
C:\DOCUME~1\xxx\LOCALS~1\Temp\ta0D0.tmp.exe\[UPX]

Win32:PsExec [Tool]
----

There is a hint on this site (scroll down):

Attention - false Virus Alert!
Some scanners detected a trojan horse in the setup of AdvancedRemoteInfo. These are false alerts. All files of ARI are checked with two virus scanners before release. The false alert was caused by compression of the setup files with the executable packer "UPX". This is reverted in version 0.6.5.1.


thanks
Title: Re: false positive in "AdvancedRemoteInfo 0.6.5.3"
Post by: DavidR on November 21, 2006, 07:45:43 PM
The key is the malware name's suffix [Tool], as such tools can be used for good or evil. Since you downloaded it and, I assume, know its purpose, if you decide it is for good and no risk then you can exclude it. In any case you should confirm the detection, see below.

Also, to me something with a double file type/extension is suspicious and could be trying to trick you into thinking you have a harmless text file when it is an executable file. There are also no hits in a Google search for that file name, which in itself is suspicious.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)
or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779), how to report and what to do to exclude them until the problem is corrected.
Title: Re: false positive in "AdvancedRemoteInfo 0.6.5.3"
Post by: zivilist on November 21, 2006, 08:24:50 PM
scanned with http://virusscan.jotti.org/ after it was renamed by avast:

File:      [UPX].vir
Status:    INFECTED/MALWARE
MD5    18551cae5a306bb929445d3192059310
Packers detected:    UPX

Scanner results
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found Win32:PsExec
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found Program.PsExec.131
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13 (6, 2, 611)
Fortinet    Found HackerTool/ProcLaunch
Kaspersky Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13
NOD32    Found nothing
Norman Virus Control    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing
Title: Re: false positive in "AdvancedRemoteInfo 0.6.5.3"
Post by: DavidR on November 21, 2006, 09:21:27 PM
Which basically confirms what I said: it is a [tool] and there is a risk involved in its potential use.

I prefer the VirusTotal site as it uses the Windows version of avast and it has, at last count, 27 different engines. You can submit it to avast as outlined in the False Positive link above, but given the classification/name [tool] given, I doubt anything would change. So if you are happy with the file and its use, restore it from the chest and add it to the exclusions given above.
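The triage DavidR describes (check the [Tool]/riskware class of the detection names, see how many other engines agree, and treat a double extension or a packed file as a reason for extra care) can be done mechanically. The following Python script is an added example for this thread; it is not code from the forum, from Avast, Jotti or AdvancedRemoteInfo. It assumes the "Engine    Found <name>" line layout of the Jotti report quoted above, reads the trailing "[UPX]" component of the Avast detection path as the unpacker tag shown in the first post, and the lists of riskware name markers and executable extensions are this example's own choices rather than any vendor's official scheme.

```python
"""Triage a multi-engine scan report of a suspected false positive.

Added example, not code from the forum thread or any product named in it.
The sample report below is transcribed from the layout quoted in the thread;
the marker and extension lists are assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample in the "Engine    Found <name>" layout quoted in the thread.
SAMPLE_REPORT = """\
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found Win32:PsExec
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found Program.PsExec.131
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13 (6, 2, 611)
Fortinet    Found HackerTool/ProcLaunch
Kaspersky Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13
NOD32    Found nothing
Norman Virus Control    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing
"""

# Assumption: name fragments vendors commonly use for dual-use / riskware classes.
RISKWARE_MARKERS = ("not-a-virus", "risktool", "hackertool", "riskware", "pua", "program.", "[tool]")
# Assumption: tokens too generic to identify a malware family on their own.
GENERIC_TOKENS = {"win32", "win64", "not", "a", "virus", "program", "risktool",
                  "hackertool", "tool", "trojan", "generic"}
# Assumption: extensions treated as directly executable on Windows.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

LINE_RE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<verdict>.+)$")


def parse_report(text):
    """Map engine name -> detection name, or None when the engine found nothing."""
    results = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines such as "Scanner results" carry no verdict
        verdict = m.group("verdict").strip()
        results[m.group("engine")] = None if verdict.lower() == "nothing" else verdict
    return results


def is_riskware_class(name):
    """True when the vendor's naming marks the hit as a dual-use tool rather than malware."""
    low = name.lower()
    return any(marker in low for marker in RISKWARE_MARKERS)


def consensus_family(names):
    """Most common non-generic token across detection names, counted once per engine."""
    counts = Counter()
    for name in names:
        tokens = {t for t in re.split(r"[^a-z0-9]+", name.lower()) if t and not t.isdigit()}
        counts.update(tokens - GENERIC_TOKENS)
    return counts.most_common(1)[0][0] if counts else None


def summarize(results):
    """Derive a triage verdict from per-engine results."""
    flagged = {e: n for e, n in results.items() if n}
    riskware = [e for e, n in flagged.items() if is_riskware_class(n)]
    if not flagged:
        verdict = "undetected"
    elif 2 * len(riskware) >= len(flagged):  # majority of hits use riskware-class names
        verdict = "dual-use tool"
    else:
        verdict = "likely malicious"
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "riskware_class": len(riskware),
        "family": consensus_family(flagged.values()),
        "verdict": verdict,
    }


def inspect_detection_path(path):
    """Split an Avast-style detection path into file name, packer tag and double-extension flag."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    packer = None
    tag = re.match(r"^\[(.+)\]$", parts[-1])  # trailing "[UPX]" marks unpacked content
    if tag:
        packer = tag.group(1)
        parts.pop()
    basename = parts[-1]
    exts = basename.lower().split(".")[1:]
    return {
        "basename": basename,
        "packer": packer,
        "double_extension": len(exts) >= 2 and exts[-1] in EXEC_EXTS,
    }


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
    print(inspect_detection_path(r"C:\DOCUME~1\xxx\LOCALS~1\Temp\ta0D0.tmp.exe\[UPX]"))
```

On the report quoted in the thread the summary comes out as 5 of 15 engines flagging the file, 4 of those 5 using riskware-class names, family consensus "psexec", verdict "dual-use tool", and the Avast path is reported as a UPX-packed file with a double extension. That is the same conclusion DavidR reaches by hand: the detection is consistent with a legitimate but dual-use tool, so the decision rests on whether the user trusts where it came from and what it is used for, not on whether the scanners are wrong.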