Virus not detected

Hello

I’ve launched an on-line scan with Kaspersky.
It found some infected files (see attached file).

I’ve scanned the same files with Avast. Result: nothing found.

Can someone explain to me why?

Sincerely.

Hi gtaillandier,

Kaspersky here flags a so-called risktool (smitfraudfix is being flagged). This can be a totally legit program when you installed it yourself on the computer. If a hacker has installed it on your computer or it came there through a drive-by download it could mean an additional risk (that’s why the name riskware). Some av programs even flag joke programs as riskware, because users may get frightened by them.
For the Flash-related inapp4.exe, see:
http://translate.google.com/translate?hl=en&sl=ru&u=http://virusinfo.info/showthread.php%3Fp%3D195209&sa=X&oi=translate&resnum=4&ct=result&prev=/search%3Fq%3Dinapp4.exe%2B%26hl%3Den
and you had better upgrade to the latest Flash version.

polonus

I would say some are certainly false positives or incorrectly

Let’s put your report in the open so people don’t have to download it to view the contents.

E:\Program Files\

Scan Statistics
Total number of scanned objects 14197
Number of viruses found 2
Number of infected objects 4
Number of suspicious objects 0
Duration of the scan process 00:08:41

Infected Object Name Virus Name Last Action
E:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\report\Protection résidente.txt Object is locked skipped
E:\Program Files\Divers\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\Program Files\Divers\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\Program Files\Divers\SmitfraudFix.exe RarSFX: infected - 2 skipped
E:\Program Files\FlashGet\inapp4.exe Infected: Trojan-Dropper.Win32.Agent.exo skipped
Scan process completed.

Reporting an object that is locked in the same way as a virus is just plain wrong.

The three relating to smitfraudfix:
I would say reboot.exe and smitfraudfix.exe should be classed as a tool, not a virus, and in fact it is Infected: not-a-virus:RiskTool.Win32.Reboot.f, so two more removed.
The same is true of the duplicate detection of smitfraudfix.exe as another malware name, so again another I wouldn’t be concerned with.

This is the only one I would suggest you check out, E:\Program Files\FlashGet\inapp4.exe. Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

As to your ‘Can someone explain me why,’ for every detection you should investigate.
Firstly what file name and location is being detected and does the detection look good for the file and location, etc.
Secondly if you can’t determine the detection from that check at somewhere like virustotal to confirm the detection.
Finally, if you still can’t determine, then you could ask ‘why’ (but for me the doctor is very much out on this Kaspersky scan)?
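As an added example (not code from any poster in this thread) of the triage oldman describes: parse the Kaspersky report lines quoted above, separate locked/skipped entries and Kaspersky’s `not-a-virus:` riskware tags from real detections, and list the top-level files that deserve a second opinion such as a VirusTotal upload. The regexes and the sample text are constructed from the report format shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the Kaspersky on-line scan report lines quoted in this
# thread (locked Avast data files, a SmitfraudFix archive, the FlashGet file).
SAMPLE_REPORT = """\
E:\\Program Files\\Alwil Software\\Avast4\\DATA\\aswResp.dat Object is locked skipped
E:\\Program Files\\Alwil Software\\Avast4\\DATA\\Avast4.db Object is locked skipped
E:\\Program Files\\Divers\\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\\Program Files\\Divers\\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\\Program Files\\Divers\\SmitfraudFix.exe RarSFX: infected - 2 skipped
E:\\Program Files\\FlashGet\\inapp4.exe Infected: Trojan-Dropper.Win32.Agent.exo skipped
Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) RarSFX: infected - (?P<count>\d+) skipped$")


def triage_report(text):
    """Classify each report line; returns dict category -> list of (path, detail)."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Scan process"):
            continue
        m = LOCKED_RE.match(line)
        if m:  # a locked file is a scan failure, not a detection
            buckets["locked_not_a_detection"].append((m["path"], "locked"))
            continue
        m = ARCHIVE_RE.match(line)
        if m:  # archive summary line; the inner hits are reported separately
            buckets["archive_summary"].append((m["path"], f"{m['count']} inner hits"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            # Kaspersky's "not-a-virus:" prefix marks riskware/tools, not malware.
            cat = "riskware_tool" if m["name"].startswith("not-a-virus:") else "investigate"
            buckets[cat].append((m["path"], m["name"]))
            continue
        buckets["unparsed"].append((line, ""))
    return dict(buckets)


def files_to_check(text):
    """Top-level host files that need a second opinion (e.g. a VirusTotal upload)."""
    hits = triage_report(text).get("investigate", [])
    return sorted({path.split("/")[0] for path, _ in hits})
```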

Hi gtaillandier,

Yes, I do hope that you fill us in on the VirusTotal scan report. As DrWeb has added this recently, I’d like to see what other scanners will flag this also. We wait for you to post it next.

polonus

Hi polonus and gtaillandier

If gtaillandier has used smitfraudfix and didn’t remove it properly, I would say that those 3 are of no real concern. Smitfraudfix and other removal tools do behave somewhat like trojans. That is why I have users remove the tools before any type of antivirus scan.

I haven’t come across any malware disguising itself as smitfraudfix. The cleanup routine of this program should remove smitfraudfix if it’s still on the computer.

Please download OTMoveIt2 by OldTimer.

Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

The other file though, I’m not sure what to make of it. It seems inapp5.exe is also detected.

Here’s a VirusTotal result from 3 days ago:

Antivirus Version Last Update Result
AhnLab V3 2008.2.28.2 2008.02.28 -
AntiVir 7.6.0.67 2008.02.28 HEUR/Malware
Authentium 4.93.8 2008.02.28 -
Avast 4.7.1098.0 2008.02.28 -
AVG 7.5.0.516 2008.02.28 -
BitDefender 7.2 2008.02.28 -
CAT-QuickHeal 9.50 2008.02.28 -
ClamAV 0.92.1 2008.02.28 -
DrWeb 4.44.0.09170 2008.02.28 -
eSafe 7.0.15.0 2008.02.28 Suspicious File
eTrust-Vet 31.3.5571 2008.02.28 -
Ewido 4.0 2008.02.28 -
FileAdvisor 1 2008.02.28 -
Fortinet 3.14.0.0 2008.02.28 -
F-Prot 4.4.2.54 2008.02.28 -
F-Secure 6.70.13260.0 2008.02.28 -
Ikarus T3.1.1.20 2008.02.28 -
Kaspersky 7.0.0.125 2008.02.28 -
McAfee 5241 2008.02.28 -
Microsoft 1.3301 2008.02.28 -
NOD32v2 2909 2008.02.28 -
Norman 5.80.02 2008.02.28 -
Panda 9.0.0.4 2008.02.27 Suspicious file
Prevx1 V2 2008.02.28 Heuristic: Suspicious Self Modifying File
Rising 20.33.32.00 2008.02.28 -
Sophos 4.27.0 2008.02.28 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.02.28 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.02.28 -
Webwasher-Gateway 6.6.2 2008.02.28 Heuristic.Malware
Additional information
File size: 41472 bytes
MD5: 08fa2d46c9acece369f8f3f6c0f824c5
SHA1: 7e5661cd97318572d6395c9df1673fa8eea53ceb
PEiD: Armadillo v1.71
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=1A6AC33E00C5842AA2EF0066B23D140032815946

Hi oldman,

I thought that was what it was, remnants of fix tools misinterpreted by this scan.

pol


gtaillandier -

Can you tell us if you have used smitfraudfix sometime in the past?


There are a couple of files, inapp4.exe and inapp5.exe, which FlashGet tries to execute when it starts. Your firewall should most probably block them.
I believe they transmit data about downloads done. Not sure, but I was always suspicious about FlashGet. I use LeechGet myself.

Hi essexboy,

I found this info also: “After running inapp4.exe - Trojan.MulDrop.11828 appears:
C:\WINDOWS\system32\biosnt.dll - Trojan.DownLoader.49401”
inapp4.exe was first seen in Spain. Question, can it be initial to a trojan dropper infection?
File: c:\windows\system32\biosnt.dll Company: [Not Available] file Under Review
Or second question, are these the remnants we find of a former infection cleansed with the flagged fix tool?

polonus

There is some discussion (in Russian only, sorry) about the latest FlashGet updates:
http://virusinfo.info/showthread.php?t=18861
Not only inapp4.exe was infected but the subsequent updates inapp5.exe and inapp6.exe too.
Maybe the FlashGet update site was hacked.

I can’t believe it… I gave up on FlashGet some years ago due to ‘adware’ behavior.
Try www.freedownloadmanager.com

Thank you :)
But I bought ReGet 3 years ago. But now it’s also free for home use.

==> CharleyO : I’ve used smitfraudfix some time ago but don’t remember when.

==> oldman : I’ve downloaded OTMoveIt2 and run it. inapp4 hasn’t been removed.

I don’t understand.
VirusTotal tells me:

File inapp4.exe received on 02.28.2008 22:02:40 (CET)
Current status: finished
Result: 5/32 (15.62%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.28.2 2008.02.28 -
AntiVir 7.6.0.67 2008.02.28 HEUR/Malware
Authentium 4.93.8 2008.02.28 -
Avast 4.7.1098.0 2008.02.28 -
AVG 7.5.0.516 2008.02.28 -
BitDefender 7.2 2008.02.28 -
CAT-QuickHeal 9.50 2008.02.28 -
ClamAV 0.92.1 2008.02.28 -
DrWeb 4.44.0.09170 2008.02.28 -
eSafe 7.0.15.0 2008.02.28 Suspicious File
eTrust-Vet 31.3.5571 2008.02.28 -
Ewido 4.0 2008.02.28 -
FileAdvisor 1 2008.02.28 -
Fortinet 3.14.0.0 2008.02.28 -
F-Prot 4.4.2.54 2008.02.28 -
F-Secure 6.70.13260.0 2008.02.28 -
Ikarus T3.1.1.20 2008.02.28 -
Kaspersky 7.0.0.125 2008.02.28 -
McAfee 5241 2008.02.28 -
Microsoft 1.3301 2008.02.28 -
NOD32v2 2909 2008.02.28 -
Norman 5.80.02 2008.02.28 -
Panda 9.0.0.4 2008.02.27 Suspicious file
Prevx1 V2 2008.02.28 Heuristic: Suspicious Self Modifying File
Rising 20.33.32.00 2008.02.28 -
Sophos 4.27.0 2008.02.28 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.02.28 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.02.28 -
Webwasher-Gateway 6.6.2 2008.02.28 Heuristic.Malware

but http://online.drweb.com/ ( Anti-virus engine version: 4.44.0.9170 ) tells that “In file inapp4.exe found virus Trojan.MulDrop.11828”

and http://www.viruslist.com/en/scanforvirus : Scanned file: inapp4.exe - Infected
inapp4.exe - infected by Trojan-Dropper.Win32.Agent.exo

Why is inapp4 recognized as safe on VirusTotal by DrWeb?

oldman : I've downloaded OTMoveIt2 and run it. inapp4 hasn't been removed.

Sorry for the misunderstanding. OTMOVEIT2’s clean up routine would only remove the Smitfraudfix tools.

Dr.Web is not the only one not finding anything. 26 others classify the file as safe. The virustotal results are 5 days old. Please resubmit the file and see if anything has changed.

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the upload-a-file box (one at a time if more than one file is listed):

E:\Program Files\FlashGet\inapp4.exe

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

I’ve removed the file manually.

If it appears in the future, I’ll submit it to virustotal and I’ll post the result.

I sent inapp4.exe from the virus chest to avast! with password (on archive): virus
29.02.08 - not detected now…

virus here: hxxp://ifolder.ru/5605569

This virus gifted by Flashget >:(

ADMIN: Please do not link live samples!

Again, it’s no longer a trustworthy application. Try Free Download Manager instead.