Author Topic: Virus not detected  (Read 8373 times)


gtaillandier

  • Guest
Virus not detected
« on: March 02, 2008, 08:46:17 PM »
Hello

I've launched an on-line scan with Kaspersky.
It found some infected files (see attached file).

I've scanned the same files with Avast. Result: nothing found.

Can someone explain to me why?

Sincerely.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33904
  • malware fighter
Re: Virus not detected
« Reply #1 on: March 02, 2008, 09:04:09 PM »
Hi gtaillandier,

Kaspersky here flags a so-called risktool (smitfraudfix is being flagged). This can be a totally legit program when you installed it yourself on the computer. If a hacker has installed it on your computer or it came there through a drive-by download it could mean an additional risk (that's why the name riskware). Some av programs even flag joke programs as riskware, because users may get frightened by them.
For the flash-related inapp4.exe, see:
http://translate.google.com/translate?hl=en&sl=ru&u=http://virusinfo.info/showthread.php%3Fp%3D195209&sa=X&oi=translate&resnum=4&ct=result&prev=/search%3Fq%3Dinapp4.exe%2B%26hl%3Den
and you had better upgrade to the latest Flash version.

polonus
« Last Edit: March 02, 2008, 09:10:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89062
  • No support PMs thanks
Re: Virus not detected
« Reply #2 on: March 02, 2008, 09:20:25 PM »
I would say some are certainly false positives or incorrectly

Let's put your report in the open so people don't have to download it to view the contents.

Quote
E:\Program Files\

Scan Statistics
Total number of scanned objects    14197
Number of viruses found    2
Number of infected objects    4
Number of suspicious objects    0
Duration of the scan process    00:08:41

Infected Object Name    Virus Name    Last Action
E:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\Avast4.db             Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\report\Protection résidente.txt    Object is locked             skipped
E:\Program Files\Divers\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe    Infected: not-a-virus:RiskTool.Win32.Reboot.f    skipped
E:\Program Files\Divers\SmitfraudFix.exe/data.rar             Infected: not-a-virus:RiskTool.Win32.Reboot.f    skipped
E:\Program Files\Divers\SmitfraudFix.exe                RarSFX: infected - 2             skipped
E:\Program Files\FlashGet\inapp4.exe                   Infected: Trojan-Dropper.Win32.Agent.exo    skipped
Scan process completed.

Reporting an object that is locked in the same way as a virus is just plain wrong.

The three relating to smitfraudfix:
I would say reboot.exe and smitfraudfix.exe should be classed as a tool, not a virus, and in fact it is reported as "Infected: not-a-virus:RiskTool.Win32.Reboot.f", so two more removed.
The same is true of the duplicate detection of smitfraudfix.exe under another malware name, so again another I wouldn't be concerned with.

This is the only one I would suggest you check out: E:\Program Files\FlashGet\inapp4.exe. Check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

As to your "Can someone explain me why", for every detection you should investigate.
Firstly, what file name and location is being detected, and does the detection look right for the file and location, etc.?
Secondly, if you can't determine the detection from that, check at somewhere like VirusTotal to confirm the detection.
Finally, if you still can't determine it, then you could ask "why" (but for me the doctor is very much out on this Kaspersky scan).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
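DavidR's triage above can be applied mechanically to the report text: a line that says "Object is locked ... skipped" is not a detection at all, a "not-a-virus:RiskTool" hit on a removal tool the user installed themselves is the tool being recognised, the "RarSFX: infected - 2" line is only the archive summary of the two hits already listed inside it, and what is left is the one named detection that deserves a VirusTotal check. The following Python is an added example written for this page, not code from the thread or from any scanner vendor. It embeds a constructed copy of the object list quoted above; the KNOWN_CLEANUP_TOOLS allow-list is an assumption standing in for "tools the user says they ran", and the verdict names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed copy of the object list from the Kaspersky report quoted above.
KASPERSKY_REPORT = r"""
E:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\Avast4.db             Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log          Object is locked             skipped
E:\Program Files\Alwil Software\Avast4\DATA\report\Protection résidente.txt    Object is locked             skipped
E:\Program Files\Divers\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe    Infected: not-a-virus:RiskTool.Win32.Reboot.f    skipped
E:\Program Files\Divers\SmitfraudFix.exe/data.rar             Infected: not-a-virus:RiskTool.Win32.Reboot.f    skipped
E:\Program Files\Divers\SmitfraudFix.exe                RarSFX: infected - 2             skipped
E:\Program Files\FlashGet\inapp4.exe                   Infected: Trojan-Dropper.Win32.Agent.exo    skipped
"""

# Assumption for this example: removal tools the user says they ran themselves.
# A RiskTool label on one of these is expected; the same label on anything else is not.
KNOWN_CLEANUP_TOOLS = {"smitfraudfix.exe"}


@dataclass
class Entry:
    path: str
    result: str
    action: str
    verdict: str  # "locked" | "tool" | "container" | "investigate"


def outer_file_name(path: str) -> str:
    """Name of the on-disk file; 'a.exe/data.rar/b.exe' is b.exe inside archive a.exe."""
    return path.split("/")[0].rsplit("\\", 1)[-1].lower()


def classify(path: str, result: str) -> str:
    if result.startswith("Object is locked"):
        return "locked"        # the scanner never read the file; this is not a detection
    if result.startswith("RarSFX:"):
        return "container"     # archive summary for hits already listed on inner members
    if "not-a-virus:" in result and outer_file_name(path) in KNOWN_CLEANUP_TOOLS:
        return "tool"          # expected: RiskTool label on a tool the user installed
    return "investigate"       # a named detection (or RiskTool on an unknown file)


def parse_report(text: str):
    """Columns are separated by runs of two or more spaces; paths may contain single spaces."""
    entries = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 3:
            continue           # blank lines, headers and statistics lines
        path, result, action = parts
        entries.append(Entry(path, result, action, classify(path, result)))
    return entries


def summary(entries):
    return dict(Counter(e.verdict for e in entries))


def files_to_submit(entries):
    """The only paths worth uploading to a multi-engine scanner."""
    return [e.path for e in entries if e.verdict == "investigate"]


if __name__ == "__main__":
    ents = parse_report(KASPERSKY_REPORT)
    for e in ents:
        print(f"{e.verdict:<12} {e.result:<48} {e.path}")
    print(summary(ents))
    print("Submit to VirusTotal:", files_to_submit(ents))
```

Run against the quoted report this yields 7 locked, 2 tool, 1 container and 1 investigate, which also explains the report's own statistics: "Number of viruses found 2" is the two detection names, while "Number of infected objects 4" counts the RiskTool twice (once on Reboot.exe, once on the data.rar that contains it) plus the SFX summary plus inapp4.exe. Only the last one survives triage.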

Offline polonus

Re: Virus not detected
« Reply #3 on: March 02, 2008, 09:29:40 PM »
Hi gtaillandier,

Yes, I do hope that you fill us in on the VirusTotal scan report. As DrWeb has added this recently, I'd like to see what other scanners will flag this as well. We'll wait for you to post it next,

polonus

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Virus not detected
« Reply #4 on: March 02, 2008, 09:55:11 PM »
Hi polonus and gtaillandier

If gtaillandier has used smitfraudfix and didn't remove it properly, I would say that those 3 are of no real concern. Smitfraudfix and other removal tools do behave somewhat like trojans. That is why I have users remove the tools before any type of antivirus scan.

I haven't come across any malware disguising itself as smitfraudfix. The cleanup routine of this program should remove smitfraudfix if it's still on the computer.

Please download OTMoveIt2 by OldTimer.

Open OTMoveIt2, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

The other file, though, I'm not sure what to make of it. It seems inapp5.exe is also detected.

Offline oldman

Re: Virus not detected
« Reply #5 on: March 02, 2008, 10:02:31 PM »
Here's a VirusTotal result from 3 days ago

Antivirus  Version  Last Update  Result
AhnLab-V3  2008.2.28.2  2008.02.28  -
AntiVir  7.6.0.67  2008.02.28  HEUR/Malware
Authentium  4.93.8  2008.02.28  -
Avast  4.7.1098.0  2008.02.28  -
AVG  7.5.0.516  2008.02.28  -
BitDefender  7.2  2008.02.28  -
CAT-QuickHeal  9.50  2008.02.28  -
ClamAV  0.92.1  2008.02.28  -
DrWeb  4.44.0.09170  2008.02.28  -
eSafe  7.0.15.0  2008.02.28  Suspicious File
eTrust-Vet  31.3.5571  2008.02.28  -
Ewido  4.0  2008.02.28  -
FileAdvisor  1  2008.02.28  -
Fortinet  3.14.0.0  2008.02.28  -
F-Prot  4.4.2.54  2008.02.28  -
F-Secure  6.70.13260.0  2008.02.28  -
Ikarus  T3.1.1.20  2008.02.28  -
Kaspersky  7.0.0.125  2008.02.28  -
McAfee  5241  2008.02.28  -
Microsoft  1.3301  2008.02.28  -
NOD32v2  2909  2008.02.28  -
Norman  5.80.02  2008.02.28  -
Panda  9.0.0.4  2008.02.27  Suspicious file
Prevx1  V2  2008.02.28  Heuristic: Suspicious Self Modifying File
Rising  20.33.32.00  2008.02.28  -
Sophos  4.27.0  2008.02.28  -
Sunbelt  3.0.906.0  2008.02.28  -
Symantec  10  2008.02.28  -
TheHacker  6.2.9.229  2008.02.25  -
VBA32  3.12.6.2  2008.02.27  -
VirusBuster  4.3.26:9  2008.02.28  -
Webwasher-Gateway  6.6.2  2008.02.28  Heuristic.Malware

Additional information
File size: 41472 bytes
MD5: 08fa2d46c9acece369f8f3f6c0f824c5
SHA1: 7e5661cd97318572d6395c9df1673fa8eea53ceb
PEiD: Armadillo v1.71
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=1A6AC33E00C5842AA2EF0066B23D140032815946

Offline polonus

Re: Virus not detected
« Reply #6 on: March 02, 2008, 10:07:53 PM »
Hi oldman,

I thought that was what it was, remnants of fixtools misinterpreted by this scan,

pol

CharleyO

  • Guest
Re: Virus not detected
« Reply #7 on: March 02, 2008, 10:26:12 PM »
***

gtaillandier -

Can you tell us if you have used smitfraudfix sometime in the past?


***

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus not detected
« Reply #8 on: March 02, 2008, 11:40:51 PM »
Quote
There are a couple of files - inapp4.exe, inapp5.exe - which FlashGet tries to execute when it starts. Your firewall should most probably block them.
I believe they transmit data about downloads done. Not sure, but I was always suspicious about FlashGet. I use LeechGet myself.

Offline polonus

Re: Virus not detected
« Reply #9 on: March 02, 2008, 11:50:58 PM »
Hi essexboy,

I found this info also: "After running inapp4.exe - Trojan.MulDrop.11828 appears:
C:\WINDOWS\system32\biosnt.dll - Trojan.DownLoader.49401"
inapp4.exe was first seen in Spain. Question: can it be the initial stage of a trojan dropper infection?
File: c:\windows\system32\biosnt.dll Company: [Not Available] File under review
Or, second question, are these the remnants we find of a former infection cleansed with the flagged fix tool?

polonus
« Last Edit: March 02, 2008, 11:55:29 PM by polonus »

psw

  • Guest
Re: Virus not detected
« Reply #10 on: March 03, 2008, 02:07:33 PM »
There is some discussion (in Russian only, sorry) about the last FlashGet updates:
http://virusinfo.info/showthread.php?t=18861
Not only inapp4.exe was infected, but the subsequent updates inapp5.exe and inapp6.exe too.
Maybe the FlashGet update site was hacked.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Virus not detected
« Reply #11 on: March 03, 2008, 04:54:49 PM »
Quote
Maybe the FlashGet update site was hacked.
I can't believe it... I gave up on FlashGet some years ago due to its 'adware' behaviour.
Try www.freedownloadmanager.com
The best things in life are free.

psw

  • Guest
Re: Virus not detected
« Reply #12 on: March 03, 2008, 06:23:46 PM »
Quote
Maybe the FlashGet update site was hacked.
I can't believe it... I gave up on FlashGet some years ago due to its 'adware' behaviour.
Try www.freedownloadmanager.com

Thank you :)
But I bought ReGet 3 years ago. Now it is also free for home use.

gtaillandier

  • Guest
Re: Virus not detected
« Reply #13 on: March 03, 2008, 08:23:20 PM »
==> CharleyO: I've used smitfraudfix some time ago but don't remember when.

==> oldman: I've downloaded OTMoveIt2 and run it. inapp4 hasn't been removed.

I don't understand.
VirusTotal tells me:

File inapp4.exe received on 02.28.2008 22:02:40 (CET)
Current status: finished
Result: 5/32 (15.62%)

Antivirus    Version    Last Update    Result
AhnLab-V3    2008.2.28.2    2008.02.28    -
AntiVir    7.6.0.67    2008.02.28    HEUR/Malware
Authentium    4.93.8    2008.02.28    -
Avast    4.7.1098.0    2008.02.28    -
AVG    7.5.0.516    2008.02.28    -
BitDefender    7.2    2008.02.28    -
CAT-QuickHeal    9.50    2008.02.28    -
ClamAV    0.92.1    2008.02.28    -
DrWeb    4.44.0.09170    2008.02.28    -
eSafe    7.0.15.0    2008.02.28    Suspicious File
eTrust-Vet    31.3.5571    2008.02.28    -
Ewido    4.0    2008.02.28    -
FileAdvisor    1    2008.02.28    -
Fortinet    3.14.0.0    2008.02.28    -
F-Prot    4.4.2.54    2008.02.28    -
F-Secure    6.70.13260.0    2008.02.28    -
Ikarus    T3.1.1.20    2008.02.28    -
Kaspersky    7.0.0.125    2008.02.28    -
McAfee    5241    2008.02.28    -
Microsoft    1.3301    2008.02.28    -
NOD32v2    2909    2008.02.28    -
Norman    5.80.02    2008.02.28    -
Panda    9.0.0.4    2008.02.27    Suspicious file
Prevx1    V2    2008.02.28    Heuristic: Suspicious Self Modifying File
Rising    20.33.32.00    2008.02.28    -
Sophos    4.27.0    2008.02.28    -
Sunbelt    3.0.906.0    2008.02.28    -
Symantec    10    2008.02.28    -
TheHacker    6.2.9.229    2008.02.25    -
VBA32    3.12.6.2    2008.02.27    -
VirusBuster    4.3.26:9    2008.02.28    -
Webwasher-Gateway    6.6.2    2008.02.28    Heuristic.Malware

but http://online.drweb.com/ (anti-virus engine version: 4.44.0.9170) tells me that "In file inapp4.exe found virus Trojan.MulDrop.11828"

and http://www.viruslist.com/en/scanforvirus: Scanned file: inapp4.exe - Infected
inapp4.exe - infected by Trojan-Dropper.Win32.Agent.exo

Why is inapp4 recognized as safe on VirusTotal by DrWeb?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Virus not detected
« Reply #14 on: March 03, 2008, 10:04:27 PM »
Quote
oldman : I've downloaded OTMoveIt2 and run it. inapp4 hasn't been removed.

Sorry for the misunderstanding. OTMoveIt2's clean-up routine would only remove the Smitfraudfix tools.

Dr.Web is not the only one not finding anything. 26 others classify the file as safe. The VirusTotal results are 5 days old. Please resubmit the file and see if anything has changed.

To submit a file to VirusTotal, please click on this link

www.virustotal.com

Copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):

E:\Program Files\FlashGet\inapp4.exe

Scroll down a bit and click "send file", wait for the results, and post them in your next reply.
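Before reading anything into a 5/32 result, or into DrWeb saying "clean" on VirusTotal and "Trojan.MulDrop.11828" on its own on-line scanner, two checks are worth doing on the report gtaillandier pasted: confirm that the file on disk is the object the report describes (VirusTotal prints its size, MD5 and SHA1, so a mismatch means you are reading a verdict about a different file), and work out how stale the report is, which is the point oldman makes above. It also helps to separate generic heuristic verdicts from named signature detections. The following Python is an added example written for this page, not code from the thread or from VirusTotal. The engine table is a constructed copy of the one pasted above; SAMPLE_BYTES is a made-up stand-in for the real inapp4.exe (its hashes will not match the report, which is exactly the negative case the check exists for); and the "heuristic" rule (any result mentioning "heur" or "suspicious") is this example's own.

```python
import hashlib
import re
from datetime import datetime

# Constructed copy of the engine table pasted above: engine, version, last update, result.
VT_TABLE = """\
AhnLab-V3 2008.2.28.2 2008.02.28 -
AntiVir 7.6.0.67 2008.02.28 HEUR/Malware
Authentium 4.93.8 2008.02.28 -
Avast 4.7.1098.0 2008.02.28 -
AVG 7.5.0.516 2008.02.28 -
BitDefender 7.2 2008.02.28 -
CAT-QuickHeal 9.50 2008.02.28 -
ClamAV 0.92.1 2008.02.28 -
DrWeb 4.44.0.09170 2008.02.28 -
eSafe 7.0.15.0 2008.02.28 Suspicious File
eTrust-Vet 31.3.5571 2008.02.28 -
Ewido 4.0 2008.02.28 -
FileAdvisor 1 2008.02.28 -
Fortinet 3.14.0.0 2008.02.28 -
F-Prot 4.4.2.54 2008.02.28 -
F-Secure 6.70.13260.0 2008.02.28 -
Ikarus T3.1.1.20 2008.02.28 -
Kaspersky 7.0.0.125 2008.02.28 -
McAfee 5241 2008.02.28 -
Microsoft 1.3301 2008.02.28 -
NOD32v2 2909 2008.02.28 -
Norman 5.80.02 2008.02.28 -
Panda 9.0.0.4 2008.02.27 Suspicious file
Prevx1 V2 2008.02.28 Heuristic: Suspicious Self Modifying File
Rising 20.33.32.00 2008.02.28 -
Sophos 4.27.0 2008.02.28 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.02.28 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.02.28 -
Webwasher-Gateway 6.6.2 2008.02.28 Heuristic.Malware
"""
# Identifiers VirusTotal printed for the submitted sample (from the report above).
REPORT_SIZE, REPORT_MD5 = 41472, "08fa2d46c9acece369f8f3f6c0f824c5"
REPORT_SHA1 = "7e5661cd97318572d6395c9df1673fa8eea53ceb"
REPORT_RECEIVED = "02.28.2008 22:02:40"  # "File inapp4.exe received on ..." (CET)
DATE_FMT = "%m.%d.%Y %H:%M:%S"
# Made-up stand-in for the real inapp4.exe; its hashes will not match the report.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not inapp4.exe"


def parse_vt_table(text):
    """(engine, result) pairs; the result column is free text and may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append((parts[0], parts[3]))
    return rows


def detection_summary(rows):
    """Separate generic/heuristic verdicts from named signature detections."""
    hits = [(e, r) for e, r in rows if r != "-"]
    heuristic = [e for e, r in hits if re.search(r"heur|suspicious", r, re.I)]
    return {"engines": len(rows), "hits": len(hits), "heuristic": len(heuristic),
            "named": len(hits) - len(heuristic), "hit_engines": [e for e, _ in hits]}


def local_hashes(data):
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def same_file_as_report(data, size=REPORT_SIZE, md5=REPORT_MD5, sha1=REPORT_SHA1):
    """True only if size, MD5 and SHA1 all agree; otherwise the report describes another file."""
    h = local_hashes(data)
    return h["size"] == size and h["md5"] == md5.lower() and h["sha1"] == sha1.lower()


def report_age_days(received=REPORT_RECEIVED, now="03.03.2008 20:23:20"):
    """Whole days between submission and 'now' (default: the time of gtaillandier's reply above)."""
    return (datetime.strptime(now, DATE_FMT) - datetime.strptime(received, DATE_FMT)).days


if __name__ == "__main__":
    s = detection_summary(parse_vt_table(VT_TABLE))
    print(f"{s['hits']}/{s['engines']} flagged; {s['heuristic']} heuristic, {s['named']} named: {s['hit_engines']}")
    print("report age in days:", report_age_days(), "- resubmit rather than trust a stale verdict")
    print("on-disk file is the object in the report:", same_file_as_report(SAMPLE_BYTES))
```

On the pasted table all five hits are heuristic or "suspicious" verdicts and none is a named signature; the two named detections gtaillandier later got from DrWeb's and Kaspersky's own on-line scanners come from engines that showed "-" on 28 February, which is consistent with oldman's point that the VirusTotal page is days old and needs a fresh submission. Rerun the hash check on the resubmitted file too: if FlashGet has since replaced inapp4.exe, the old report and the new one are about different objects.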