Avast WEBforum

Other => Viruses and worms => Topic started by: SkaterKid on March 15, 2008, 08:47:47 PM

Title: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: SkaterKid on March 15, 2008, 08:47:47 PM
I was running my monthly maintenance and virus scans when avast detected a Trojan in my C:\Program Files\music_now\inetchk.exe file.  This folder has been on my system since purchase and has something to do with AOL's music now program.  So naturally I did some research and discovered that other Anti Virus software had detected it too.  In fact someone claimed they sent a copy of inetchk.exe to a major anti virus company and they reported it as a false positive.
Quote
I sent inetchk.exe (zipped and password protected) to grisoft. They just
got back to me and said it was a false positive. Thanks for your help...
However, I wanted to hear it from my own anti virus software company. So is this a false positive or not? Am I infected or not? I sent this file to avast at virus@avast.com compressed and password protected and asked if it was a false positive or not. They never replied and I am still in the dark. Well, I hope someone can shed some light on this. Thanks for the help.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: polonus on March 15, 2008, 09:56:44 PM
Hi SkaterKid,

Yes this could well be a FP. A lot of malware scanners flag this as:
Quote
inetchk.exe
    We suggest you to remove inetchk.exe from your computer as soon as possible.
    Inetchk.exe is Trojan/Backdoor.
    Kill the process inetchk.exe and remove inetchk.exe from Windows startup.
In the case of music_now/inetchk.exe, it appears there are numerous examples of anti-malware scanners detecting and removing the file. One scan log indicated it was a sign of "Win32:Trojan-gen. {VB}". BitDefender is flagging it as Trojan.Click.HD.

Since you're no longer finding that file, it appears the malware was removed. And since the program is something you never use, you might want to remove it altogether. If so, go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight "music_now" (if listed) and select Remove.

Then search for the folder and if it's still listed in Program Files, right-click on it and choose delete. If there is no entry in Add/Remove, then look for an uninstall file within the music_now folder and double-click on it to remove. If there is no uninstall file, then just delete the folder. AOL comes with these adware sometimes, AVG stated it was not malicious, maybe like I said unwanted adware...

polonus
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: Lisandro on March 15, 2008, 10:00:30 PM
To know if a file is a false positive, please submit it to VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
Another possibility is JOTTI (http://virusscan.jotti.org/). VirusTotal and Jotti both have a file size limit of 10Mb.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
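An added illustration of the wildcard caution in the post above (not part of the thread and not avast's code): it lists every path each candidate exclusion pattern would cover, so an over-broad pattern is visible before it is saved. The matching rules (Python's fnmatch, case-insensitive, wildcards spanning backslashes) and every path other than the inetchk.exe one from the thread are assumptions.

```python
import fnmatch

# The one file the exclusion is meant to cover (path taken from the thread).
INTENDED = r"C:\Program Files\music_now\inetchk.exe"

# Constructed sample inventory; everything except INTENDED is made up.
SAMPLE_PATHS = [
    INTENDED,
    r"C:\Program Files\music_now\update\helper.exe",
    r"C:\Program Files\Other App\inetchk.exe",
    r"C:\Users\kid\Downloads\inetchk.exe",
    r"C:\Windows\System32\notepad.exe",
]

# Candidate exclusion entries, from narrowest to widest.
CANDIDATES = [
    INTENDED,
    r"C:\Program Files\music_now\*",
    r"*\inetchk.exe",
    r"*inetchk.ex?",
    r"C:\*",
]


def matches(pattern, path):
    """Case-insensitive glob match; assumes * and ? may also span backslashes."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def coverage(patterns, paths):
    """Map each pattern to the list of paths it would exclude from scanning."""
    return {pat: [p for p in paths if matches(pat, p)] for pat in patterns}


def too_broad(patterns, paths, intended):
    """Return the patterns that exclude anything besides the intended file."""
    cov = coverage(patterns, paths)
    return [pat for pat in patterns
            if any(p.lower() != intended.lower() for p in cov[pat])]


if __name__ == "__main__":
    for pat, hits in coverage(CANDIDATES, SAMPLE_PATHS).items():
        print(f"{pat!r} excludes {len(hits)} file(s)")
    print("too broad:", too_broad(CANDIDATES, SAMPLE_PATHS, INTENDED))
```

Only the full-path entry covers the flagged file alone; a same-named file dropped in another folder would also escape scanning under the `*\inetchk.exe` style entries.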
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: DavidR on March 15, 2008, 10:39:26 PM
Tech, I think both VT and Jotti have an upload maximum of 10MB now.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: Lisandro on March 15, 2008, 10:55:06 PM
Quote
Tech, I think both VT and Jotti have an upload maximum of 10MB now.
I'll correct the post. Thanks.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: oldman on March 15, 2008, 11:46:58 PM
I remember this file from a couple of weeks ago from a thread I was helping in. A bit of research led to a post on a different forum where AVG confirmed, in writing, that it was indeed a FP.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: SkaterKid on March 15, 2008, 11:54:15 PM
Quote
I remember this file from a couple of weeks ago from a thread I was helping in. A bit of research led to a post on a different forum where AVG confirmed, in writing, that it was indeed a FP.

Thank you so much! For some reason though it won't let me upload this file to VirusTotal. Avast pops up whenever I am in the same directory as the file and after that I can't move, delete or even check the properties of this file :S Like what the hell, why is it doing this and when will the virus database be updated to accept this file as not being malicious?
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: oldman on March 15, 2008, 11:58:36 PM
You can pause avast's standard shield while you upload the file. Once you get the results, post them here. If it seems like a FP, you can then notify Avast along with a link to this thread.

I'll try to find that link for you.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: polonus on March 16, 2008, 12:02:39 AM
Hi SkaterKid,

Well, FPs are a fact of life when malware scanners are concerned, and avast is no exclusion in that respect, while avast FP record is not that impressive as other av-software. You can exclude this file of yours, so avast won't alert it in the future, putting it to the exclusion list. You can report the FP to avast, and hope an update won't flag it (it is their decision 'though). Sometimes genuine legal code behaves like malware, just like crooks can look like very amiable normal gents, they look like gentlemen, they look like one, smell like one, and still they are crooks and vice versa.

oldman's link reads: http://forum.avast.com/index.php?action=post2;start=0;board=4

polonus
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: oldman on March 16, 2008, 12:17:51 AM
Thanks pol, couldn't remember which thread that came from.

Here you go, last post in this thread

http://help.wugnet.com/security/Downloader-VB-AXO-ftopict11724.html

There was another one that said this program is connected to AOL and comes preinstalled on HPs. The detections started around Feb.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: Nosnibor on April 28, 2008, 06:08:10 PM
Yes, this file comes preinstalled from HP (linked with AOL). After doing a fresh reinstall of my OS and then installing only my Firewall and "avast" I did a full system scan and it was detected as a TRJ. I contacted HP and they assured it IS a SAFE file.

Live long and prosper.
God bless the CPU.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: oldman on April 28, 2008, 06:20:17 PM
Add it to both exclusion lists. Hopefully Alwil will correct it.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: Nosnibor on April 28, 2008, 06:38:51 PM
If I add it to the exclusions list does avast get a report of this exclusion?
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: oldman on April 28, 2008, 06:51:43 PM
No, you just won't get a warning. You should send a copy to avast at virus@avast.com clearly stating it as a false positive, the vps that detected it and a link to this thread. The email will have to be a password protected zip file.
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: Nosnibor on April 28, 2008, 06:58:20 PM
OK, will do. Also if u could help me with a small problem I would really appreciate it. Under avast settings-Alerts-SMTP I'm trying to set it so it will send a report of virus findings to my email. What do I put in the "Server address" so it sends it to my "Hotmail" account?
Title: Re: Win32:Neptunia-KH [Trj] (C:\Program Files\music_now\inetchk.exe)
Post by: Nosnibor on April 28, 2008, 10:56:14 PM
I apologise for my last post ::) I didn't intend on hijacking this thread :-X. I've started my own in regards to my settings problem.