False Positive when downloading the latest AdwCleaner v3.100

G’day Avast,

False positive when downloading the latest AdwCleaner v3.100: it is detected as a virus, see screenshot.

From the original website: h**p://general-changelog-team.fr/en/downloads/viewdownload/20-outils-de-xplode/2-adwcleaner


http://my.jetscreenshot.com/18514/m_20140420-kvfl-17kb.jpg

Zoek.exe is also getting an FP detection.

Is this FP fixed?

download and find out…

Now I have done it for you :wink:
https://www.virustotal.com/en/file/f605d75e2584a46e134b7793fd1ce3e1f8ec941996c5835e6faa0e059deadc4b/analysis/1397984876/
https://www.virustotal.com/en/file/766fb59fbdbba35a122ed7d3696069740e6cacda548369357e4d4ae156f2f020/analysis/1397985024/

Hi Pondus,

What if the very tool that is recommended for removal is being flagged? Read: http://www.malwareremovalguides.info/win32dropper-gen-drp-removal-instructions/ The trojan requires other components in order to run properly and may arrive as a file that exports functions used by other malware.
I think it is an FP,

pol

Hi Pondus,

Even ComboFix is marked as malware in VirusTotal scan. See here.

This is one of the reasons why helpers ask victims to temporarily disable the anti-virus shield before proceeding with the fix.
One of the reasons can be the following:

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. This is especially true if you are receiving help from a member of the HJT Team. Certain embedded files that are part of these specialized fix tools may at times be detected by your anti-virus or anti-malware scanner as a "RiskTool", "Hacking tool", "Potentially unwanted tool", a virus or a "Trojan" when that is not the case.

These tools have been carefully created and tested by security experts so if your anti-virus or anti-malware program flags them as malware, the detection is what’s known as a “False Positive”. Anti-virus scanners cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert you or even automatically remove them. In these cases, the removal of these files can have “unpredictable results” and unintentional results.

Source: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Hi Valinorum,

I guess that it is a false heuristic packer detection on UPX, AutoIt, UPX.

Compiled AutoIt scripts can optionally be compressed with UPX. UPX is an open source software compression packer. It is used with many viruses (to make them smaller).
Quote info source: http://www.autoitscript.com/wiki/AutoIt_and_Malware

Would not be surprised at all if this is again the case for the ComboFix FP. :wink:
Also possible that it is the AutoIt bin file where the detection is being flagged ;D

Also see: http://anubis.iseclab.org/?action=result&task_id=16d9e74075c2d7574516ab635ed197560&format=html

The source code should be forwarded in a report to avast! so they can independently verify that the generic dropper find is indeed a false positive detection!

greets and a happy Easter to you and yours,

polonus

P.S. avast! no longer flags it? → https://www.virustotal.com/nl/file/7926e3e0e44d02df8740471cd0ad4bd8ba74af8363e7f9682d75b1163345c45e/analysis/
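The packer argument above (a generic heuristic firing on UPX-compressed AutoIt binaries) can be checked locally before a file is uploaded anywhere. The script below is an added example, not code from this thread or from the AdwCleaner, zoek or ComboFix projects: it parses the PE section table and looks for the UPX0/UPX1/UPX2 section names and the "UPX!" header marker that UPX leaves in a packed executable, and it prints the SHA-256 so the file can be looked up on VirusTotal using the same URL form as the links posted in the thread. The `build_sample_pe` helper constructs a minimal, non-executable PE header purely as a test fixture; the section-name heuristic and the 1 KiB window for the "UPX!" marker are assumptions for illustration, and finding UPX only tells you the detection is plausibly a packer heuristic, not that the file is clean.

```python
"""Triage helper: is this PE UPX-packed, and what is its SHA-256 for a VirusTotal lookup?"""
import hashlib
import struct
import sys

# Section names UPX writes into the PE it produces (assumed set for this example).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40       # IMAGE_SECTION_HEADER is 40 bytes, the first 8 are the name


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + struct.calcsize(COFF_HEADER_FMT):
        raise ValueError("truncated COFF header")
    _machine, num_sections, _ts, _psym, _nsym, size_opt, _chars = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    table = coff + struct.calcsize(COFF_HEADER_FMT) + size_opt
    names = []
    for i in range(num_sections):
        raw = data[table + i * SECTION_HEADER_SIZE: table + i * SECTION_HEADER_SIZE + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX section names present, or the 'UPX!' stub marker early in the file."""
    names = pe_section_names(data)
    return any(n in UPX_SECTION_NAMES for n in names) or b"UPX!" in data[:1024]


def triage(data: bytes) -> dict:
    """Summarise what a forum helper would want before reporting a suspected FP."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "sections": pe_section_names(data),
        "upx": looks_upx_packed(data),
        # Same URL shape as the VirusTotal links posted in this thread (hash-based lookup).
        "vt_url": f"https://www.virustotal.com/en/file/{digest}/analysis/",
    }


def build_sample_pe(section_names) -> bytes:
    """Construct a minimal PE header with the given section names (test fixture only, not runnable code)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), 0, 0, 0, 0, 0x102)  # no optional header
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8) for n in section_names)
    return dos_header + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    # Usage: python triage_upx.py <file.exe>; falls back to a constructed UPX-style sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

If the section list shows UPX0/UPX1 and the detection name is a generic packer or dropper family, the next step is the one polonus describes: send the sample to the vendor lab for confirmation rather than treating the local check as proof either way.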

zoek.exe confirmed False Positive by Norman lab
zoek.exe confirmed False Positive by Sophos lab

combofix.exe confirmed False Positive by Sophos lab

Thank you polonus for the information. Happy Easter to all. :slight_smile:

AdwCleaner 3.100 FP is fixed.

https://www.virustotal.com/en/file/f605d75e2584a46e134b7793fd1ce3e1f8ec941996c5835e6faa0e059deadc4b/analysis/1398006813/