Author Topic: Win32:Banload-MF  (Read 4963 times)

Offline tripod2go

  • Jr. Member
  • **
  • Posts: 22
Win32:Banload-MF
« on: June 16, 2006, 01:47:24 AM »
This trojan was identified by the on-access scan a few minutes ago. The question is: both copies were found in installed software by Cosmi which I have had installed for 5 yrs. Is it a false positive or real? Why today, after the 0624-2 6/15/06 definition update? I reported it, but does anyone have info on whether Cosmi shipped an infected CD? What steps can I take to verify? I'm really concerned, since a month ago, again after an update, win32:small-XC was detected when the infected zip file had been on the computer for months without detection.

tripod2go

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Banload-MF
« Reply #1 on: June 16, 2006, 03:54:56 AM »
Most probably it's a false positive  :P

Anyway, to know if a file is a false positive, please submit it to JOTTI and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.

Please, mention in the body of the message why you think it is a false positive and the password used.
The best things in life are free.

Offline tripod2go

  • Jr. Member
  • **
  • Posts: 22
Re: Win32:Banload-MF
« Reply #2 on: June 17, 2006, 01:56:45 AM »
OK, interesting -- I could not upload to JOTTI; it said either a firewall or malware stopped it. I now took this seriously.
The firewall didn't say it blocked anything, so I tried to run the application - just fine. The shortcut to the app did not use this folder - looking closer, all that was in the folder was the manual and this launchaveo file. I scanned again and placed it back in the virus chest and deleted the folders. App runs fine. I still don't understand why the flag went up yesterday vs months ago? I will send it to you as requested.

Thanks Tripod2go

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Banload-MF
« Reply #3 on: June 17, 2006, 02:41:53 AM »
> I still don't understand why the flag went up yesterday vs months ago?  I will send it to you as requested.
Maybe the signature for this infection was added recently, maybe you were using less protection (Normal) and not High at that time, maybe the file was packed...
Maybe it's still a false positive... we need to dig more to find the truth  8)
The best things in life are free.

Offline tripod2go

  • Jr. Member
  • **
  • Posts: 22
Re: Win32:Banload-MF
« Reply #4 on: June 17, 2006, 02:48:58 AM »
I restored the file so I could zip it and was denied access. Tried a couple of times and ways without success. I sent to the virus address a message that I was emailing the file from my virus chest, which says it went OK.
Did I miss something in order to allow me to zip it? Can the two messages be matched up or shall I try again?
Steve

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Banload-MF
« Reply #5 on: June 17, 2006, 02:58:25 AM »
> I restored the file so I could zip it and was denied access.
I'm not sure that I've understood you... the access to that file was denied? Which application did it?
If it was avast, well, to manage a file detected as infected, you'll need to turn off the antivirus protection... be sure to not execute the file, just pack it into a zip file.
The best things in life are free.

Offline tripod2go

  • Jr. Member
  • **
  • Posts: 22
Re: Win32:Banload-MF
« Reply #6 on: June 17, 2006, 03:18:11 AM »
Thank you-
I forgot to turn the antivirus off. I've zipped it and emailed with password.
Thanks again for your time. Will wait for a response.
tripod2go

Offline tripod2go

  • Jr. Member
  • **
  • Posts: 22
Re: Win32:Banload-MF
« Reply #7 on: June 17, 2006, 02:01:01 PM »
JOTTI results

File: LaunchAveo.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 2c2bdc2cccd78f2ba1eb8c5947628174
Packers detected: -

Scanner results
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Banload-MF
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
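
Added example, not part of any post in this thread: a small Python triage helper that parses a multi-engine report written one engine per line (the sample re-types the results posted above) and reports which engines flagged the file. The function names `parse_report` and `triage` and the verdict labels are assumptions made for illustration; a single-engine hit is a reason to submit the sample to that vendor, not proof of a false positive.

```python
import re

# Constructed sample: the scan results posted in this thread, one engine per line.
SAMPLE_REPORT = """\
File: LaunchAveo.exe
MD5: 2c2bdc2cccd78f2ba1eb8c5947628174
Packers detected: -
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Banload-MF
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
"""

META_KEYS = {"File", "Status", "MD5", "Packers detected"}

def parse_report(text):
    """Return (metadata, engines); engines maps name -> detection name or None."""
    meta, engines = {}, {}
    for line in text.splitlines():
        # Split on the first colon only: detection names contain colons too.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in META_KEYS:
            meta[key] = value
        elif value == "Found nothing":
            engines[key] = None
        elif value.startswith("Found "):
            engines[key] = value[len("Found "):]
    return meta, engines

def triage(text):
    """Summarise engine agreement; a triage hint, not a verdict on the file."""
    meta, engines = parse_report(text)
    md5 = meta.get("MD5", "")
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError("report carries no valid MD5 to track the sample by")
    hits = {name: det for name, det in engines.items() if det}
    verdict = ("no-detection", "single-engine")[len(hits)] if len(hits) < 2 else "multi-engine"
    return {"md5": md5, "engines": len(engines), "hits": hits, "verdict": verdict}
```

Keeping the MD5 with the result lets a later re-scan after a definitions update be matched to the same sample.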
 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89218
  • No support PMs thanks
Re: Win32:Banload-MF
« Reply #8 on: June 17, 2006, 04:14:06 PM »
If you need to use this software then you will need to restore it from the chest, pause standard shield first.
Then if it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan). When it is no longer detected, remove it from the exclusions.

Also see (Mini Sticky) False Positives
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security