false positive in "AdvancedRemoteInfo 0.6.5.3"

[zivilist]

Hello,

when I use in "AdvancedRemoteInfo 0.6.5.3" (http://masterbootrecord.de/english/advancedremoteinfo.php) the "XP CD-Key" tool the notification pop-up appear:

----
C:\DOCUME~1\xxx\LOCALS~1\Temp\ta0D0.tmp.exe\[UPX]

Win32:PsExec [Tool]
----

There is a hint on this site (scroll down):

Attention - false Virus Alert!
Some scanners detected a trojan horse in the setup of AdvanedRemoteInfo. This are false alerts. All files of ARI are checked with two virus scanners before release. The false alert was caused by compression of the setup files with the executable packer "UPX". This is reverted in version 0.6.5.1.

thanks

[DavidR]

The key is the malware name's suffix [Tool] as they can be used for good or evil, since you downloaded it and I assume know its purpose if you decide it is for good and no risk then you can exclude it. In any case you should confirm the detection, see below.

Also to me something with a double file type/extension is suspicious and could be trying to trick you into thinking you have a harmless text file when it is an executable file. There are also no hits in a google search for that file name which in itself is suspicious.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

[zivilist]

scanned with http://virusscan.jotti.org/ after renamed it with avast:

File:      [UPX].vir
Status:    INFECTED/MALWARE
MD5    18551cae5a306bb929445d3192059310
Packers detected:    UPX

Scanner results
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found Win32:PsExec
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found Program.PsExec.131
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13 (6, 2, 611)
Fortinet    Found HackerTool/ProcLaunch
Kaspersky Anti-Virus    Found not-a-virus:RiskTool.Win32.PsExec.13
NOD32    Found nothing
Norman Virus Control    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing

[DavidR]

Which basically confirms what I said it is a [tool] and there is a risk involved in its potential use.

I prefer the virustotal site as it uses the windows version of avast and it has as a last count 27 different engines. You can submit it to avast as outlined in the False Positive link above, but given the classification/name [tool] given I doubt anything would change. So if you are happy with the file and its use restore it from the chest and add it to the exclusions given above.