Is that False Positive:Win32: Spyware-gen [Trj] in Alcohol 120% Patch.exe file

[hihikaren]

Hi...everyone~~

I am the user of Avast 4 Home Edition antivirus software and my Avast version is 4.8.1335.  For the safety reason, I am usually perform the standard virus scan for all my local non-removable disks with archive files during the scan, the Program files of Alcohol Soft Alcohol 120% Patch.exe program file was infected by virus Win 32:Spyware-gen [Trj] and I skip it (i.e. do not take any action at time of scanning ) and continue the scanning process, after the scanning process finished and the result is 1 file was infected. The result of last scan showed that “C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol 120% Patch.exe” file was infected by Win 32: Spyware-gen [Trj], so I highlight the line and right click the action of “Repair” button and choose to repair all function, and it showed that the file was successfully repaired. However, after that, I re-scan the infected program and the virus of Win 32: Spyware-gen [Trj] still be existed.

In fact , I perform standard virus scan daily and no files was infected yesterday (4 Aug 09) and today after my virus database version is updated to 090804-1, I perform the standard virus scan for all my local non-removable disks with archive files as usual and the result is 1 file was infected as mentioned above.

In my Log viewer, there also had the warning section, and the description is Sign of "Win32: Spyware-gen [Trj] " has been found in 
“C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol 120% Patch.exe” file

And I’ve just upload the infected file to virustotal.com (but I don't know why date rec'd was 29/6/09 & not 4/8/09) and the result is as follows:

File Alcohol_120__v1.9.6.5403_Patch.ex received on 2009.06.29 22:00:27 (UTC)
Current status: finished
Result: 11/41 (26.83%)

Antivirus   Version   Last Update Result       
a-squared 4.5.0.18 2009.06.29  Risktool.Patch.Alchohol!IK
AhnLab-V3 5.0.0.2 2009.06.29 -       
AntiVir 7.9.0.199 2009.06.29 -          
Antiy-AVL 2.0.3.1 2009.06.29 Trojan/Win32.Agent.gen
Authentium 5.1.2.4 2009.06.29 W32/HackTool.DNZ    
Avast 4.8.1335.0 2009.06.29 -          
AVG 8.5.0.339 2009.06.29 -          
BitDefender 7.2 2009.06.30 -          
CAT-QuickHeal 10.00 2009.06.29 Trojan.Agent.IRC    
ClamAV 0.94.1 2009.06.29 -          
Comodo 1494 2009.06.29 Application.Win32.HackTool.dUP2.~BABY
DrWeb 5.0.0.12182 2009.06.29 -       
eSafe 7.0.17.0 2009.06.29 Suspicious File       
eTrust-Vet 31.6.6589 2009.06.29 -       
F-Prot 4.4.4.56 2009.06.29 W32/HackTool.DNZ    
F-Secure 8.0.14470.0 2009.06.30 -       
Fortinet 3.117.0.0 2009.06.29 -          
GData 19 2009.06.30 -          
Ikarus T3.1.1.64.0 2009.06.29 Risktool.Patch.Alchohol    
Jiangmin 11.0.706 2009.06.29 -          
K7AntiVirus 7.10.768 2009.06.19 Trojan.Win32.Agent.CCHX
Kaspersky 7.0.0.125 2009.06.29 -       
McAfee 5661 2009.06.29 -          
McAfee+Artemis 5661 2009.06.29 Artemis!9D66C803C55B
McAfee-GW-Edition 6.7.6 2009.06.29 -       
Microsoft 1.4803 2009.06.29 -          
NOD32 4197 2009.06.29 a variant of Win32/HackTool.Patcher.A
Norman 6.01.09 2009.06.29 -          
nProtect 2009.1.8.0 2009.06.29 -       
Panda 10.0.0.14 2009.06.29 -          
PCTools 4.4.2.0 2009.06.28 -          
Prevx 3.0 2009.06.30 -          
Rising 21.36.04.00 2009.06.29 -          
Sophos 4.43.0 2009.06.29 -          
Sunbelt 3.2.1858.2 2009.06.29 -          
Symantec 1.4.4.12 2009.06.30 -          
TheHacker 6.3.4.3.356 2009.06.27 -       
TrendMicro 8.950.0.1094 2009.06.29 -       
VBA32 3.12.10.7 2009.06.29 -          
ViRobot 2009.6.29.1810 2009.06.29 -       
VirusBuster 4.6.5.0 2009.06.29 -          

So what can I do now and I’m really do not have any idea why that the Alcohol 120% Patch.exe file was infected. Can anyone helps me to solve this problem.

Thanks for kindly attention….
From Hihikaren

[calcu007]

If you have a patched or craked program then you possibly you are infected, sometimes antivirus programs detect as infected those cracks, keygens ,etc.

[Tarq57]

I don't know the program, so do not know if the file you named is naturally a part of it, or something downloaded via a torrent or p2p. (The name certainly leaves me thinking: Keygen/crack.)
If that is the case, you should remove it. Either pay for the software, or find a free alternative, such as imageburn.
The repair option is not available for this type of file, it is only available for a limited number of windows system files.
Please move the file detected to the chest, then from the chest you can have it upload to Alwil for their analysis. (You will not get an answer.)
A lot of the detections on the virustotal page list words to the effect of "gen" or "sign of" which indicates a "maybe" kind of detection. (Heuristic, or similar to, or seems to belong to this family.)
The date anomaly is probably because this particular file has already been analysed, at the date indicated.

[hihikaren]

Hi...everyone again~~

Refer to my previous post, several circumstances occurred afterward….

Later after the virus database version was updated to 090806-01 on 7 Aug 2009. As usual,  I perform the standard virus scan for all my local non-removable disks with archive files and the result was no files was infected, therefore I think the infected file of “C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol 120% Patch.exe” file was repaired.

However, when the virus database version (1 week later only) was updated to 090812-00 and 090813-0 on 12 & 13 Aug 2009 respectively, it discovered that same problem had been occurred , that is the Program files of Alcohol Soft Alcohol 120% Patch.exe program file was infected by virus Win 32:Spyware-gen [Trj] again.

Same action had been taken as before and the result was the same~~

In my Log viewer, there also had the warning section, and the description is Sign of "Win32: Spyware-gen [Trj] " has been found in “C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol 120% Patch.exe” file.

And I’ve just upload the infected file to virustotal.com again and the result is same as before on 2009.06.29

To be frank, I’m really do not have any idea why that the Alcohol 120% Patch.exe file was infected again. Can anyone help me to solve this problem again.

Thanks for kindly attention….
From Hihikaren

[Tarq57]

Just to put a couple of clarifications in. (Which might actually raise another question..)

Trojans aren't possible to repair. Some virus-infected files are.
Trojans are executables of themselves; the whole body of the file is infected.
So what appears to have changed is the detection of this as a trojan by one or more database updates. I think it unlikely that the file went from being uninfected to being infected by itself. The thing that changed is the detection of its status, probably as a consequence of database updates.

I do not know why the "repair" option came up in this case. Normally it shouldn't have. But an antivirus program can not repair trojans. It can only quarantine or delete them. (Relates to the "raise another question" mentioned above.)

So, to be clear, Avast did not repair that file, and should not have given you the option to repair it.
It may be that the program came bundled with malware. Where did you get it from?