Author Topic: Can't download SmitRem, Avast thinks it's infected  (Read 5727 times)


danielson81

  • Guest
Can't download SmitRem, Avast thinks it's infected
« on: June 17, 2006, 01:46:59 AM »
Hi,

Whenever I try and download SmitRem from: http://noahdfear.geekstogo.com/  Avast pops up immediately telling me SmitRem.exe is infected.



So I cancelled it, and a few more worms appeared, and a few seconds later my firewall kept asking me if MS Paint (when I was making a screenshot!?) wanted to send packets to: 208.158.14.142.

I downloaded it without problems in April, gone to download it again and this happens!

Anyone have any ideas?


Athlon 2400 XP
512MB RAM
Windows XP Pro SP2

Avast! Home Edition
Sygate Personal Firewall
Windows Defender

Adaware SE
Spybot S&D

Hijack this says: (attached)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #1 on: June 17, 2006, 02:52:49 AM »
It does not seem to be a false positive; on the contrary, it seems infected  :o
The best things in life are free.

Spiritsongs

  • Guest
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #2 on: June 17, 2006, 03:04:36 AM »
 :)  Hi Danielson:

SmitRem is no longer used by anti-malware Experts. Did you ever uninstall the SmitRem you installed in Apr PRIOR to trying to download it again?

I noticed from your HJT log that it appears you have NO antiSPYWARE program(s); is there a reason for that?

If you are experiencing worms and/or trojans, I would recommend you 1st try using the good & FREE "Ewido" from www.ewido.net/en to deal with them. There is a "tutorial" at: www.greyknight17.com/spy/Tutorials/EwidoQuickGuide.pdf

I see you are using the "experimental" IE 7.0; I hope this is not causing any problems!?

And lastly, your Sun Java is "out-of-date" & is therefore a serious security risk; recommend you uninstall it, then go to www.java.com/en & get their latest.
« Last Edit: June 17, 2006, 06:26:57 PM by Spiritsongs »

danielson81

  • Guest
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #3 on: June 17, 2006, 01:31:44 PM »
Thanks for replies.

I am running Windows Defender

"C:\Program Files\Windows Defender\MsMpEng.exe"

and I run Ad Aware and Spybot weekly.

I have IE7 but don't use it much, use Firefox 1.5.

I will update Java and install Ewido

« Last Edit: June 17, 2006, 01:36:02 PM by danielson81 »

noahdfear

  • Guest
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #4 on: November 13, 2006, 06:36:57 AM »
smitRem is NOT infected, and it is still widely recommended and used in the internet community. This FALSE POSITIVE has been reported to Avast many times by many people in the malware removal community, myself included, yet they have yet to respond to any of us.

UPX packing does not always mean infection, nor does a process manipulation tool. If Avast would take the time to see what the tool does, and why it has UPX packing and not 1, but 2 process manipulation apps, instead of relying solely on their generic heuristics patterns, they would agree smitRem is not a malicious or infected tool, but a helpful, effective tool used to remove a family of infections that even their own application can't.

AVG responded straight away, and removed it from their detections, as have several others.

smitRem has been downloaded nearly 2 million times, has been and still is recommended by Symantec's Support personnel, McAfee Support, Trend Support, and even Microsoft's PCSafety virus help hotline, to name a few.

Please note the MS MVP logo displayed on my geekstogo page ........... then ask yourself if you truly believe that I would distribute infected files, or if MS would recognize me for doing so.

Dave (noahdfear) Fear
MS MVP 2006

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #5 on: November 13, 2006, 01:46:23 PM »
Hi noahdfear,

I don't doubt that there is no infected item in smitrem.exe.

Since this Topic is from June 17 2006, and avast doesn't see it as infected now (see image), I can only assume that it was a false positive detection at that time which has been corrected, although there is no mention of that in this topic.

However the DrWeb Link Checker Firefox Extension still reports elements as infected, so I think you need to also contact them.
Quote
>>smitRem.exe/smitRem/Process.exe contains an intrusion tool Tool.Prockill
>>smitRem.exe/smitRem/pv.exe - OK
>>smitRem.exe/smitRem/replace.cmd - OK
>>smitRem.exe/smitRem/replaceIE7.cmd - OK
>>smitRem.exe/smitRem/RunThis.bat - OK
>>smitRem.exe/smitRem/swreg.exe packed by UPX
« Last Edit: November 13, 2006, 01:50:09 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

noahdfear

  • Guest
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #6 on: November 13, 2006, 10:47:38 PM »
Thanks for the reply DavidR. :)
I chose to respond to this topic specifically because of the responses above indicating that smitRem is indeed infected and it no longer being used, and due to the fact that Avast IS still reporting it as infected. I get at least one email a week from users inquiring as to why Avast blocks my tool, the last just earlier last night. I have noticed that the Avast online scanners do not detect it, so I find it odd that resident scanners with up-to-date detection rules do.

I have also reported the DrWeb detection, though no response from them either. I would note that while DrWeb reports it as 'containing an intrusion tool', Avast reports it as a trojan and blocks it from being downloaded.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #7 on: November 13, 2006, 11:05:12 PM »
Hi noahdfear,

The reasons why anti-virus scanners flag certain applications as riskware, as is done here by DrWeb, are mysterious. Every normal tool can be used as an evaluation tool or be turned into a malicious application by miscreants, and an av scanning program cannot discriminate and flags it. I can use netcat to check a network for which I am a sys admin, which is good; it is flagged by av. Then I could use a regular website content evaluation program that no security program flags and I can load it with some dictionary with a list of all sorts of weak cgi. Nothing flagged. Could be used legit, could be used rather maliciously.
There once was a fun thing, an animated gif that showed your hard disk being deleted. DrWeb thought some people could hold it for real, and it could give them a heart attack, so they flagged this innocent joke thing as JOKE VIRUS. So you see it is just what evaluations they make, and where they draw the line, and it is not Mr or Mrs Average that use the SmitRem tool, so some flag it as an intrusion tool, bad thing for the malware fighters and trusted users of it.
I hope they come to their senses, and tell the users that they must do some thinking themselves. Did I install this thing willingly and of my own accord, or did someone put it on my computer to help some miscreant in a malicious way?

polonus
« Last Edit: November 13, 2006, 11:12:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Can't download SmitRem, Avast thinks it's infected
« Reply #8 on: November 13, 2006, 11:32:53 PM »
Well, the resident scanner will have scanned it when I downloaded it to my downloads folder; neither standard shield nor web shield alarmed. The above result is using the ashQuick.exe scan and that doesn't alarm either.

I downloaded it again and you can see that the resident scanner (Standard Shield, see image) has scanned it and no detection. So I don't know what the state of their VPS updates is, as it currently isn't being detected.

If they report it they should do a manual Update (iAVS); that should ensure they have the latest signatures.
Assuming worst case scenario and it is being detected, Pausing the Web Shield would allow it to be downloaded, but should Standard Shield chip in, select No Action. They would now have it on their system; before running it they should pause Standard Shield, as I would recommend for any active scan with another security based tool (otherwise it would block it).

I appreciate this is a pain, having to respond to people reporting this, but with an up to date VPS they shouldn't have a problem.

I have done a forum search for smitrem.exe in the Viruses and Worms, avast 4 Home/Pro and General forums and this Topic is the latest in chronological order, nothing after this. Also, besides this current topic all the other references are about using smitrem.exe to clear infection. If it were a consistent problem then I believe there would be more hits relating to a possible FP on smitrem.exe. So I'm as baffled as you as to why they are reporting it.