I just joined the forum as I found useful advice to help remove the autorun.inf trojan. I followed advice including using Flash Disinfector. On another computer now, when I tried downloading Flash Disinfector, Avast gives me a message that a rootkit trojan has been found and implicates the file nircmd.exe.
If I delete or quarantine the file, Flash Disinfector does not work and I get a message that the files are corrupt. When I disable Avast and re-download Flash Disinfector, it then works OK.
Can I confirm the file is OK and that the Avast warning is a false positive?
Also, should the Flash utility be used for cameras and mobile phones or just for the flash memory sticks or thumbdrives?
No, it’s not bad. Most probably you have been using ComboFix before - and nircmd.exe is a part of ComboFix.
Nircmd.exe is a commandline tool used in many removal tools. http://www.nirsoft.net/utils/nircmd.html
Some scanners flag commandline tools as “bad”; this is because malware may also use this command line tool, but in your case, it was most probably used by Combofix.
So don’t worry here.
Actually you may delete the file though, since you won’t need it anymore. It is neither a risk tool nor a root kit Trojan,
Is there any instance this commandline tool is being used as flagged by avast’s or is it better for avast to treat this as a FP? Netcat is being flagged, in a while someone that is doing legit forensics on his OWN machines is nearly considered to be a miscreant, that is helping security through obscurity as I see it. You can use a hammer to sculpt, and you can use it to ruin…
Forgive my ignorance, I’m not sure I understand the last post by Polonus.
Anyway, can I assume that I should disable Avast when I use Flash Disinfector for USB drives? Or should I simply add the file flagged as an exclusion?
Once again, many thanks. You’re doing us all a great service by helping us non-techies.
There is some malware that is using legit files for evil. Partizan.exe from Unhackme or RegRun Suite, has been used by malware to remove files. Google Partizan.exe and you will see what I mean.
I don’t know what to suggest for detection. If it’s flagged you get the warning, exclude it and you may not know anything is amiss if the malware files are not detected during a scan.
PS: Polonus was referring to another file/situation. My post may explain.
Either way would be alright. Though I think I would go with an exclusion.
nircmd.exe is a command line utility that is used to automate Windows functions. I use it to activate my screensaver and to blank out my monitor when I’m not using the computer. Avast needs to exclude it from the real time shields. Right now it won’t let it work on my computer and I’m a little bit mad! Please update it so it will or tell me how to exclude it. I excluded it from the scan but it still won’t let it run. I’m real pleased with how good Avast works up until now.
I’m using Panda USB Vaccine Antimalware and Vaccine for USB device http://www.pandasecurity.com/homeusers/downloads/usbvaccine/, which works the same way as Flash Disinfector. I keep Avast on at all times, and I’ve had no conflicts while using it nor have I received any warning messages. Although I keep a clean machine too. ;D