False Positives?

Hello,
Yesterday I scanned my computer with Avast and it found 4 infections. Two of them were instances of 4dwo4mc9.exe, which were identified as Win32:Trojan-gen {other}. Both were in temp folders. Another trojan was found, A0024703.exe, identified as Win32:Trojan-gen {VC}. It is in System Volume Information. The last file found is KillWind.exe, and it was identified as Win32:Trojan-gen {VC}. It was found in C:\hp\bin. I googled all of these file names and found hardly any results, leading me to believe that they are false positives, since there would most likely be a lot of hits on Google with others asking about these files. I also found nothing here on the boards about them. As soon as I found the files I sent them to the chest, so they are quarantined. Should I just wait for the next avast update and re-scan them? Anybody have any info on these files? Thank you for your help.

Well, the number of hits on Google can be a double-edged sword: if I find zero or few hits on Google I'm more suspicious rather than less suspicious, especially when the files are in temp folders.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.

Or Jotti (multi-engine on-line virus scanner). If any other scanners there detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusion lists (Standard Shield, Customize, Advanced, Add; and Program Settings, Exclusions) and restore it to its original location. Periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected you can also remove it from the Standard Shield and Program Settings exclusions.

Also see "False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected."

The C:\System Volume Information folder is part of the System Restore function. It could be that a previous infection in a system folder was deleted, causing it to be saved in a restore point. I would say if there is any doubt you should clean it out, so that doing a system restore in the future doesn't inadvertently infect your system.

– Create Clean Restore Point - Clear old Restore Points.
Once you are clear of infection create a clean System Restore point:

  1. Click Start, All Programs, Accessories, System tools, System Restore.
  2. In the pop-up that appears fill in the radio button to Create a Restore Point
  3. Click NEXT
  4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
  5. Click CREATE

You now have a clean restore point, you should clear the old ones:

  1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
  2. Click OK on the C: drive
  3. Click the More Options tab
  4. In the System Restore section click the Clean Up button

Yeah, I was thinking of a VirusTotal scan, but I wasn't sure if it is OK to temporarily restore the files from the chest to have them scanned. So would it be OK? Thanks.

Don't use the restore function; that sends them back to the original location, and you don't want that if they are malware. Use the extract function to send a copy (a copy remains in the chest) to a temporary location (I have a 'suspect' folder that I exclude from avast scans) and upload to VT from that.

OK, I ran the VirusTotal scan. For both instances of 4dwo4mc9.exe, only Avast found a virus. For both KillWind.exe and A0024703.exe, 6 of the scanners found a virus. Since 4dwo4mc9.exe is in a temp folder, how do I clear it out? Should I wait on clearing out my system restore since A0024703.exe is kinda up in the air?

You can manually clear the Temp folders; you don't mention where it is, though. Just delete the contents.

Here are some tools for cleaning temp folders and cr*p in general:
ClearProg (temp file cleaner) or CCleaner (temp file cleaner), etc.

I wouldn't say A0024703.exe is kinda up in the air. With 6 detections it is suspicious enough not to take any risk with it being restored at some time in the future.

If you had pasted the contents of the VT scan, posted a link to the results or posted a screenshot, it would have been helpful to see just what the other AVs are calling the detection. Some Google hits for KillWind.exe indicate that it is more a "potentially unwanted program" because of what it can do (kill processes), and this kind of tool can be used for evil or good. If you are happy that it is a legit HP application and accept the risk, then restore it and exclude it from scans.

http://www.annoyances.org/exec/forum/winme/1063886170?s

KillWind.exe is a utility program that HP includes in their software packages. It is part of their BackWeb software, software that allows their techs to call into your machine when you have a problem and try to fix it (under warranty). The KillWind.exe file is a program they may use that "kills" or terminates any running or background process.
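The check the replies above describe (extract a copy from the chest rather than restoring it, hash it, look the hash up on VirusTotal, then read off how many engines flag it and what they call it), written out as an added example. This is not part of the thread and is not code from avast or from VirusTotal. SUSPECT_DIR, the API key, the dual-use name markers and the two sample reports are assumptions made for the example; the report shape follows the VirusTotal v3 GET /api/v3/files/{hash} response (data.attributes.last_analysis_results), and the network call is kept in one function so everything else runs offline.

```python
"""Triage a sample extracted from the avast chest: hash it, look the hash up
on VirusTotal, and summarise which engines flag it and under what name.

Added example for this thread, not code from avast or VirusTotal.
Assumptions (not from the thread): the sample was extracted to a folder
that avast is configured to skip, a VirusTotal API key is available, and
the report has the shape of the VT v3 GET /api/v3/files/{hash} response.
"""
import hashlib
import json
import urllib.error
import urllib.request
from pathlib import Path
from typing import Optional

# Hypothetical locations/settings: adjust to your own setup.
SUSPECT_DIR = Path(r"C:\suspect")      # extracted copies go here; excluded from avast scans
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Detection names that usually mean "dual-use tool" rather than "trojan"
# (a process killer like KillWind.exe tends to get names like these).
DUAL_USE_MARKERS = ("risktool", "hacktool", "riskware", "not-a-virus", "pup", "pua", "unwanted")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash in chunks so a large sample is never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """Query VirusTotal by hash (real v3 endpoint). None means VT has never
    seen this file, so you would have to upload the sample itself; this
    function deliberately never uploads anything."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def summarize_report(report: dict, min_detections: int = 2) -> dict:
    """Reduce a VT report to what the thread argues about: how many engines
    flag the file, which ones, and with what name."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {
        engine: (entry.get("result") or "")
        for engine, entry in results.items()
        if entry.get("category") in ("malicious", "suspicious")
    }
    names = " ".join(flagged.values()).lower()
    if not flagged:
        verdict = "clean"
    elif len(flagged) < min_detections:
        verdict = "possible false positive"   # one vendor only: report it, keep it in the chest
    elif any(marker in names for marker in DUAL_USE_MARKERS):
        verdict = "potentially unwanted / dual-use tool"
    else:
        verdict = "treat as malicious"
    return {
        "detections": len(flagged),
        "engines": len(results),
        "flagged_by": dict(sorted(flagged.items())),
        "verdict": verdict,
    }


def _constructed_report(flagged: dict, clean_engines: tuple) -> dict:
    """Build a report in the shape of a VT v3 response. Constructed test
    data, not a real VirusTotal result."""
    results = {e: {"category": "malicious", "result": n} for e, n in flagged.items()}
    results.update({e: {"category": "undetected", "result": None} for e in clean_engines})
    return {"data": {"attributes": {"last_analysis_results": results}}}


CLEAN = ("AVG", "BitDefender", "Kaspersky", "McAfee", "Sophos", "Symantec", "TrendMicro")
# 1 of 8, only avast: the 4dwo4mc9.exe pattern (engine names and results are invented)
ONLY_AVAST = _constructed_report({"Avast": "Win32:Trojan-gen {other}"}, CLEAN)
# 3 of 8, with names that mark a process-killing tool: the KillWind.exe pattern
TOOL_HITS = _constructed_report(
    {"Avast": "Win32:Trojan-gen {VC}",
     "Kaspersky": "not-a-virus:RiskTool.Win32.ProcKill",
     "Sophos": "Generic PUA"},
    ("AVG", "BitDefender", "McAfee", "Symantec", "TrendMicro"),
)


if __name__ == "__main__":
    for label, rep in (("only-avast", ONLY_AVAST), ("tool-hits", TOOL_HITS)):
        print(label, summarize_report(rep))
    if SUSPECT_DIR.is_dir():          # hash whatever was extracted from the chest
        for sample in SUSPECT_DIR.iterdir():
            if sample.is_file():
                print(sample.name, sha256_of_file(sample))
```

Looking the hash up before uploading matters for two reasons: if VT already knows the file you get the multi-engine result without sharing the sample, and a 404 tells you the file is genuinely rare, which (as the reply above says) is a reason for more suspicion, not less. The threshold of two engines and the dual-use name markers are the example's own heuristics; read the actual engine names before deciding, as the thread does for KillWind.exe.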

OK, I think everything is back to normal here. I deleted all the files in the chest except KillWind.exe because I'm not sure what to do with it right now. I cleared my temp folder with CCleaner and deleted the old restore points. Tonight I'll do another avast scan just to make sure everything is OK. I made a suspicious files folder for the VirusTotal scan, so can I just send those extracted files to the recycle bin? Thank you for all of your help.

Hi WarHorseXJ,

KillWind.exe is a utility program to end TSP programs in windows.
It can be dangerous if not handled with care.

KillWind properties:
  type of file: application
  description: a ruthless killer of windows
  location: C:\HP\bin
  size: 32.0 KB
  version: 1.0.0.2
  author: Matt Gerrans
  comments: efficiently assassinates windows or processes; run with no parameters to see syntax
  company name: Key Concepts, Inc.
  original filename: killwind.exe
  modified: 9 Dec 1998

polonus

No problem, glad I could help, welcome to the forums.

That should go a long way to ensuring you are in the clear.

I don't know if you have any other security applications; a multi-application/multi-level approach to security should increase your level of protection.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. If using WinXP: AVG Anti-Spyware (formerly Ewido), or SUPERAntiSpyware, or Spyware Terminator.
  2. Ad-Aware SE Personal Edition
  3. Spybot Search and Destroy
  4. SpywareBlaster. Don't install this until you are clean.

I have another one that I know is good…

%programfiles%\kh blocker\khb.exe

This is a file installed with KH Blocker. This app is used to download and update your hosts file with "blocked" sites. I've been using this app for a while now and it's just now being dumped into the chest. Any way we can tweak it so it won't throw up red flags?

06-28-07
1238
Rob @ HomeNet

If you have confirmed it using VirusTotal, etc., then send the sample to avast as outlined above in reply #1.

Also in reply #1 is how to exclude the file from scans.