Topic: Malware or false positive?


Rappaping

Re: Malware or false positive?
« Reply #15 on: July 07, 2011, 09:59:51 PM »
"We also have this Dialer DNS Changer fuctionality to consider."
What dialer DNS changer functionality?

Also:
http://www.threatexpert.com/files/nircmd.exe.html , threat in 60% of cases

Rappaping

Re: Malware or false positive?
« Reply #16 on: July 07, 2011, 10:03:43 PM »
I've posted VirusTotal result to Morris Lee. Now I'm waiting for his answer.
« Last Edit: July 07, 2011, 10:05:34 PM by Rappaping »

polonus
Re: Malware or false positive?
« Reply #17 on: July 07, 2011, 11:04:34 PM »
Hi Rappaping,

That is why I asked you to do that specific check after you installed the questionable launcher: to establish whether that launcher has DNS-changing functionality, like a malcode dialer, and alters the DNS server numbers in your configuration after install.

See also here: http://whatisprocess.com/x32-exe/1172/ (67% rate it as DANGEROUS)

This gives us some insight into what we have to consider with this software before we can eventually give it the all clear. All intriguing considerations. Also my special thanks go out to forum friend Pondus for all his assistance and perseverance in clearing up this issue, and to Altarir for giving the ThreatExpert report, very helpful indeed. We all learn a lot during this process; good that you presented it to us,

polonus
« Last Edit: July 07, 2011, 11:07:00 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Rappaping

Re: Malware or false positive?
« Reply #18 on: July 08, 2011, 04:43:06 PM »
Sorry polonus, but I haven't installed the patch and I will not until I know it's safe.
However, it would be useful to launch the patch in a sandbox like BufferZone to see which system files are virtualized after the installation and whether the patch fully works inside the virtual zone (a virtual zone that can't communicate with system files outside of itself).

Another idea is to monitor the installation of the patch with a program like InCtrl5 to see which files the installation modifies/creates in the system.

I formatted my laptop a few years ago and these days I can't risk compromising my system with malware.
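The two checks proposed in this thread, the InCtrl5-style "what did the installer touch" comparison in the post above and the DNS-server check polonus asked for in reply #17, can be scripted. The block below is an added example and is not code from the thread, from InCtrl5 or from the launcher's author: it hashes every file under a directory before and after an install and reports what was added, removed or modified, and on Windows it reads the per-interface DNS servers from the registry so the same before/after comparison can be done on them. The install directory, file names and contents in the demo are constructed (the names hstart.exe and settings.ini are only borrowed from the thread; the bytes are made up), and the registry path used for DNS servers is the standard Tcpip interface key.

```python
"""Before/after install snapshot in the spirit of InCtrl5 (added example, not
from the thread). The demo directory and its files are constructed."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file below root (forward-slash relative path) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                result[rel] = sha256_file(full)
            except OSError:  # locked or unreadable file: record it, do not abort
                result[rel] = "<unreadable>"
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def windows_dns_servers() -> Dict[str, str]:
    """polonus's check: per-interface DNS servers from the registry.
    Returns {} on non-Windows hosts. Take it before and after the install and compare."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    servers: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:  # no more interface subkeys
                break
            index += 1
            with winreg.OpenKey(root, guid) as iface:
                for value_name in ("NameServer", "DhcpNameServer"):
                    try:
                        value, _kind = winreg.QueryValueEx(iface, value_name)
                    except OSError:  # value not set on this interface
                        continue
                    if value:
                        servers[f"{guid}/{value_name}"] = value
    return servers


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo_install_in_tempdir() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: an 'installer' drops hstart.exe and rewrites settings.ini.
    File names are borrowed from the thread; the contents are made up."""
    root = tempfile.mkdtemp(prefix="inctrl-demo-")
    _write(root, "launcher/settings.ini", b"[dns]\nserver=auto\n")
    _write(root, "launcher/readme.txt", b"unchanged\n")
    before = snapshot(root)
    # simulate what the install does to the directory
    _write(root, "launcher/settings.ini", b"[dns]\nserver=192.0.2.53\n")
    _write(root, "launcher/hstart.exe", b"MZ" + b"\0" * 62)
    after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    added, removed, modified = demo_install_in_tempdir()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
    print("dns:     ", windows_dns_servers())
```

For a real install, snapshot the system drive (or at least %SystemRoot%, %ProgramFiles% and the user profile) and the DNS map, run the installer, snapshot again and diff; a launcher that has no business touching the resolver should produce an empty DNS diff.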

Pondus
Re: Malware or false positive?
« Reply #19 on: July 08, 2011, 07:18:44 PM »
Quote:
Hi guys!
Can we trust Norman senior researchers? I don't know

why not....  ???

maybe this will help...


SOPHOS lab
Quote:
Thank you for your submission. Here is the result of the analysis:
Morris_ Launch Manager~.0 x~.exe - clean and you are free to authorize
nircmd.ex0 - detected as NirCmd ()
nircmdc.ex0 - detected as NirCmd ()

All the other files are free from virus.


Avira lab
Quote:
Thank you for your email to Avira's virus lab.
Tracking number: INC00777947.

A listing of files alongside their results can be found below:

File ID    Filename                    Size      Result
26211609   Morris' Launch Ma...it.exe  738.5 KB  CLEAN
26211946   nircmdc.exe                 36 KB     FALSE POSITIVE
26211947   nircmd.exe                  36.5 KB   FALSE POSITIVE
26211948   hstart.exe                  16.5 KB   FALSE POSITIVE



polonus
Re: Malware or false positive?
« Reply #20 on: July 08, 2011, 07:48:06 PM »
What Pondus finds here is supported by what we read here about similar generic finds and false positives: http://lupo.forumactif.net/t13-virus-detected
More in depth about hstart.exe read here: http://www.ntwind.com/software/utilities/hstart.html
and, as Rappaping stated, you will see UAC confirmation dialogs for this small tool. Only DrWeb finds this FP: http://www.ntwind.com/download/hstart.zip/hstart.exe "contains a potentially dangerous software Program.HiddenStart". The detection is because this program can be used to run programs without your knowledge, that is all.
nircmd.exe is also flagged by many anti-malware programs as part of ComboFix, USB-disinfector, etc. etc., but this is due to the use of very aggressive heuristics. And this is all that Pondus backed up here by getting these reports. At first glance the tool is considered a pest because these very aggressive heuristic scanners pick something up that resembles real malware functionality.
And for nircmd.exe we had this FP discussion before here: http://forum.avast.com/index.php?topic=34916.0

pol
« Last Edit: July 08, 2011, 09:32:48 PM by polonus »

Rappaping

Re: Malware or false positive?
« Reply #21 on: July 08, 2011, 07:57:04 PM »
nircmd.ex0 - detected as NirCmd ()
nircmdc.ex0 - detected as NirCmd ()

As you can read @ http://www.nirsoft.net/utils/nircmd2.html :
"NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface. By running NirCmd with simple command-line option, you can write and delete values and keys in the Registry, write values into INI file, DIAL TO YOUR INTERNET ACCOUNT OR CONNECT TO A VPN NETWORK (!!!), restart windows or shut down the computer, create shortcut to a file, change the created/modified date of a file, change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more..."
Could the patch use NirCmd to connect to an undesirable host? Or (according to what polonus said: "this program can be used to run programs without your knowledge"), can hstart.exe do a similar job?

P.S.: I'm more and more thinking of installing the patch at last.
« Last Edit: July 08, 2011, 08:07:11 PM by Rappaping »

polonus
Re: Malware or false positive?
« Reply #22 on: July 08, 2011, 09:19:27 PM »
Hi Rappaping,

What have we been investigating so far, and to which conclusions has this investigation led us? We have been thoroughly investigating this tool with respect to its being malicious or suspicious, and this for everything in there. I have reached the conclusion that this tool is neither suspicious nor malicious and does not contain any malcode. Pondus has supported this through his investigations.

The functionality and the use of it should qualify this to be marked "riskware" for those first-time users that are not familiar with the use of it, and whenever it comes installed onto their computers without prior knowledge or consent of the user.

There is a lot of reputable software that matches the same characteristics as the one described in this thread. We mentioned some. For that group of files I would like AV solutions that really use aggressive generic methods in their scans to come to use a "whitelist" of tools and programs that would otherwise be classified as FP or PUP, and are now only qualified as risktool.

Therefore the developer of such tools and software should sign their software accordingly to make it stand apart from malware clones or malicious counterparts, that normally cannot have these signatures. I think you could install now, I think this thread has shown it is free of malware,

polonus

« Last Edit: July 08, 2011, 09:22:11 PM by polonus »
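polonus's point is that a signed binary can be told apart from an unsigned clone. A first triage step a practitioner can script is to ask whether a PE file carries an Authenticode signature block at all: the certificate table lives in data-directory entry 4 of the optional header and, unlike the other directories, holds a raw file offset rather than an RVA. The block below is an added example and is not code from the thread or from any of the tools named in it; it only detects the presence of a WIN_CERTIFICATE containing PKCS#7 SignedData and does not verify it (signature validity, the certificate chain and the publisher still have to be checked with signtool or PowerShell's Get-AuthenticodeSignature). The PE used in the demo is a constructed, non-loadable PE32 header built in memory so the example runs offline; the four-byte "signature" is a placeholder, not real SignedData.

```python
"""Does a PE carry an Authenticode signature block? (Added example, not from
the thread.) Presence is not validity: verify the PKCS#7 blob and its chain
with signtool or Get-AuthenticodeSignature before trusting the file."""
import struct
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds PKCS#7 SignedData


def security_directory(pe: bytes) -> Tuple[int, int]:
    """Return (file offset, size) of the certificate table, or (0, 0) if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:       # PE32: NumberOfRvaAndSizes at 92, directories at 96
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:     # PE32+: 64-bit ImageBase and stack/heap fields shift them by 16
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs, = struct.unpack_from("<I", pe, opt + count_off)
    entry_end = dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_optional < entry_end:
        return (0, 0)
    off, size = struct.unpack_from("<II", pe, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return off, size


def authenticode_blob(pe: bytes) -> Optional[bytes]:
    """PKCS#7 SignedData bytes of the first WIN_CERTIFICATE entry, or None."""
    off, size = security_directory(pe)
    if off == 0 or size < 8 or off + size > len(pe):  # absent, or points outside the file
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length < 8 or length > size:
        return None
    return pe[off + 8:off + length]


def is_signed_file(path: str) -> bool:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return authenticode_blob(fh.read()) is not None


def build_synthetic_pe(signature: Optional[bytes]) -> bytes:
    """Constructed minimal PE32 header (no sections, not loadable) for the demo.
    With a signature it appends a WIN_CERTIFICATE and points directory 4 at it."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + 224
    tail = b""
    if signature is not None:
        win_cert = struct.pack("<IHH", 8 + len(signature), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(win_cert))
        tail = win_cert
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail


if __name__ == "__main__":
    for label, sig in (("unsigned", None), ("signed", b"\x30\x82\x00\x00")):
        print(label, authenticode_blob(build_synthetic_pe(sig)))
```

An unsigned result on a vendor download is a reason to ask the developer for a signed build; a signed result only moves the question to whose certificate it is and whether the signature still verifies.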

Pondus
Re: Malware or false positive?
« Reply #23 on: July 08, 2011, 09:45:22 PM »
Quote:
I think this thread has shown it is free of malware,

Yep, I think that is very clear now

Rappaping

Re: Malware or false positive?
« Reply #24 on: July 08, 2011, 10:52:20 PM »
So, my initial doubts about the false-positive response of Avast AV to this patch seem to have been confirmed. We have three AV software houses that state the patch is safe, and good evidence (probability) that MANY OF (not all) the files tagged as "malware" are safe too.
I will install the patch!
However, it is a program that doesn't need an Internet access: I will tell you (if you want) if my firewall will detect any Internet access request from any file of the patch.
Thank you Pondus.
Thank you Polonus.
Thank you all.
It was a very nice conversation.
« Last Edit: July 08, 2011, 10:55:03 PM by Rappaping »

polonus
Re: Malware or false positive?
« Reply #25 on: July 08, 2011, 11:09:25 PM »
Hi Rappaping,

You are welcome. We would like to thank you as well for asking us all the inevitable, appropriate questions that made these investigations really worthwhile. I hope a lot of users may find this thread and the conversation therein useful. I enjoyed the conversation as much as you did, and I also think Pondus will feel likewise.
If while using the software other questions pop up, do not hesitate to come here again and we'll see what we can do,

polonus