What Pondus finds here is supported by what we read about similar generic finds and false positives here: http://lupo.forumactif.net/t13-virus-detected
More in depth about hstart.exe read here: http://www.ntwind.com/software/utilities/hstart.html
and, as Rappaping stated, you will see UAC confirmation dialogs for this small,
Only DrWeb finds this FP -> http://www.ntwind.com/download/hstart.zip/hstart.exe contains a potentially dangerous software Program.HiddenStart. The detection is because this program can be used to run programs without your knowledge, that is all.
nircmd.exe is also flagged by many anti-malware programs as part of ComboFix, USB-disinfector, etc. etc., but this is due to the use of very aggressive heuristics. And this is all that Pondus backed up here by getting these reports. At first glance the tool is considered a pest because these very aggressive heuristic scanners pick something up that resembles real malware functionality.
And for nircmd.exe we had this FP discussion before here: http://forum.avast.com/index.php?topic=34916.0
nircmd.ex0 - detected as NirCmd ()
nircmdc.ex0 - detected as NirCmd ()
As you can read @ http://www.nirsoft.net/utils/nircmd2.html :
“NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface. By running NirCmd with simple command-line option, you can write and delete values and keys in the Registry, write values into INI file, DIAL TO YOUR INTERNET ACCOUNT OR CONNECT TO A VPN NETWORK (!!!), restart windows or shut down the computer, create shortcut to a file, change the created/modified date of a file, change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more…”
Could the patch use NirCmd to connect to an undesirable host? Or (according to what polonus said: “this program can be used to run programs without your knowledge”), can hstart.exe do a similar job?
P.S.: I’m more and more thinking of installing the patch at last.
What have we been investigating so far, and to which conclusions has this investigation led us? We have been thoroughly investigating this tool with respect to its being malicious or suspicious, and this for everything in there. I have reached the conclusion that this tool is neither suspicious nor malicious and does not contain any malcode. Pondus has supported this through his investigations.
The functionality and the use of it should qualify this to be marked “riskware” for those first-time users that are not familiar with the use of it, and whenever it comes installed onto their computers without prior knowledge or consent of the user.
There is a lot of reputable software that matches the same characteristics as the one described in this thread. We mentioned some. For that group of files I would like AV solutions that use really aggressive generic methods in their scans to come to use a “whitelist” of tools and programs that would otherwise be classified as FP or PUP, and are now only qualified as risktool.
Therefore the developers of such tools and software should sign their software accordingly, to make it stand apart from malware clones or malicious counterparts, which normally cannot have these signatures. I think you could install now; I think this thread has shown it is free of malware,
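The signature point above is something a reader can check for themselves before installing. The script below is an added example, not part of this thread and not code from NirSoft or ntwind: it parses the PE headers of a downloaded binary, records its SHA-256 (for comparison against a hash the vendor publishes, if any, or for a lookup in a multi-scanner service), and reports whether the file carries an embedded Authenticode signature (a Certificate Table, data directory entry 4). The minimal PE32+ images built by build_test_image are constructed sample input, and their "signature" is a placeholder WIN_CERTIFICATE header, not real PKCS#7 data. Presence of the table only shows that a signature blob is embedded; validity (certificate chain, timestamp, hash match) still has to be checked on Windows with Get-AuthenticodeSignature or signtool verify, or elsewhere with osslsigncode.

```python
"""Triage check: does a PE binary carry an embedded Authenticode signature?"""
import hashlib
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CERT_TABLE_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode


def authenticode_info(data: bytes) -> dict:
    """Parse the PE headers of an in-memory image and report whether a
    Certificate Table (the Authenticode signature blob) is present and where
    it lives. Presence is not validity: the blob must still be verified with
    signtool, Get-AuthenticodeSignature or osslsigncode."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    if opt + 2 > len(data):
        raise ValueError("truncated COFF header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        fmt, nrva_off, dirs_off = "PE32", 92, 96
    elif magic == PE32PLUS_MAGIC:
        fmt, nrva_off, dirs_off = "PE32+", 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%04x" % magic)
    info = {"sha256": hashlib.sha256(data).hexdigest(), "pe_format": fmt,
            "signed": False, "cert_offset": 0, "cert_size": 0, "cert_type": None}
    if opt + nrva_off + 4 > len(data):
        raise ValueError("truncated optional header")
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    entry = opt + dirs_off + 8 * CERT_TABLE_INDEX
    if n_dirs <= CERT_TABLE_INDEX or entry + 8 > len(data):
        return info                      # no Certificate Table directory at all
    # Unlike the other data directories this entry holds a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    info["cert_offset"], info["cert_size"] = cert_off, cert_size
    if cert_size < 8 or cert_off + cert_size > len(data):
        return info                      # empty, or points outside the file: treat as unsigned
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    info["cert_type"] = cert_type
    info["signed"] = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= cert_size
    return info


def build_test_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ image used as sample input (no code, no
    sections). The 'signature' is a placeholder WIN_CERTIFICATE, not real
    PKCS#7 data, so it exercises the parser only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # x64, SizeOfOptionalHeader=240
    opt = bytearray(240)                                         # 112 fixed bytes + 16 dirs * 8
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + 240
    trailer = b""
    if signed:
        blob = b"constructed-placeholder-not-pkcs7"
        trailer = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        trailer += b"\0" * (-len(trailer) % 8)                   # table entries are 8-byte aligned
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, header_len, len(trailer))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + trailer


if __name__ == "__main__":
    # Usage: python pe_sigcheck.py hstart.exe nircmd.exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = authenticode_info(fh.read())
        state = "embedded signature present" if result["signed"] else "NO embedded signature"
        print(f"{path}: {result['pe_format']} sha256={result['sha256']} {state}")
```

Run it over the downloaded files and compare the SHA-256 against what the vendor states; a file that reports no embedded signature is not thereby malicious (many small free utilities ship unsigned), but it cannot be told apart from a renamed clone by signature, which is exactly the gap the post above asks developers to close.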
So, my initial doubts about the false-positive response of Avast AV to this patch seem to have been confirmed. We have three AV software houses that state the patch is safe, and good evidence (probability) that MANY OF (not all) the files tagged as “malware” are safe too.
I will install the patch!
However, it is a program that doesn’t need Internet access: I will tell you (if you want) whether my firewall detects any Internet access request from any file of the patch.
Thank you Pondus.
Thank you Polonus.
Thank you all.
It was a very nice conversation.
You are welcome. We would like to thank you as well for asking us all the inevitable, appropriate questions that made these investigations really worthwhile. I hope a lot of users may find this thread and the conversation therein useful. I enjoyed the conversation as much as you did, and I also think Pondus will feel likewise.
If while using the software other questions pop up, do not hesitate to come here again and we’ll see what we can do,