I wanted to do a quick scan just as part of my routine, and I chose to use the x-cleaner microscan. I immediately got a pop-up saying it was a virus. I’ve used it before and never had this, and doing a search of avast! forums shows x-cleaner as a recommended antimalware scan. Has this program been compromised or is this a false positive?
This is the link to the scan: http://www.spywareguide.com/onlinescan.php . I tried it with my normal FF3 browser, and then switched it to IE6 and tried again, and got the same results both times. I was using Returnil at the time, so I rebooted just in case, so no harm was possible.
Welcome to the forums, oyvayeh.
As I do not use x-cleaner, I can not be of help. Hopefully, someone will post help for you soon.
I was actually hoping someone (or several someones) would use the link and try the scan and see what happens. Avast picked it up before anything could happen, so if it really is a worm there wouldn’t be a problem if you closed the website down. I just find it odd that a recommended antimalware site would be picked up as being a problem.
You don’t say the exact file the detection was on nor what malware name was given by avast?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
Is it possible that the virus signatures in this scanner aren’t encrypted in the same way avast detects panda’s signature files?
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
The file name is “hxxp://www.xblock.com/download/xclean_micro.exe”, the malware name is “Win32:Trojan-gen {Other}”, the malware type is “Virus/Worm”, and the VPS version is “080729-1, 07/29/2008”.
I exported the file to my desktop as “a.txt”, then sent it to VirusTotal and had it scanned. If that was the right way to do it, the scan was totally clean. If that wasn’t the right way, then you need to give me more explicit instructions.
It looks like it is an FP as DrWeb and Linkscanner Online don’t find anything.
Though you should modify your post so the link isn’t active to avoid accidental exposure, e.g. hXXp://www.xblock.com/download/xclean_micro.exe; replacing the tt with XX will break the link but be readable by humans.
Your VT scan was the right thing to do and confirms the other points above. I don’t know if changing it to a.txt might have had any impact on the file structure so as not to detect the problem. But you should send an unadulterated copy of xclean_micro.exe to avast for analysis.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
I haven’t executed the scan, so no virus exists yet. The avast! chest is empty. I tried to download the .exe file from the website to my desktop to send to get scanned, but avast! wouldn’t let me download it either. I got the .txt file from the log viewer, so it may not be an actual scannable file.
You can pause the web shield, which would allow you to at least download the file (don’t try to run it and it should be fine); the standard shield would alert of course, but you can choose No Action (see image), which leaves the file where it was downloaded to.
Then you can use the above instructions about c:\suspect folder, etc. to be able to upload to virustotal, there is a 10MB file upload limit though.
I have now sent a sample to avast for analysis, we will have to await the results.
Update:
I have now uploaded it to VirusTotal and although 12 of 35 scanners detect it as malware, they are all virtually Heuristic or Generic detections, which are more prone to FP, so the jury is still out on this and we will have to wait for the avast analysis.
A link to the virustotal scan results, http://www.virustotal.com/analisis/0b2513c70a9961739d4baba2f14318ce.
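As an added example (not code from this thread or from avast!), a small triage helper that hashes a sample (the MD5 is what the VirusTotal analysis URLs in this thread carry) and separates generic/heuristic detection names from specific ones, following the reasoning above that generic detections are more prone to false positives; the engine names in the sample and the list of generic-name fragments are assumptions:

```python
# Added example: triage helper for a suspected antivirus false positive.
import hashlib
import re

# Name fragments vendors use for heuristic/generic verdicts rather than a specific
# signature (assumption: built from common naming conventions, not avast!'s rules).
GENERIC_PATTERN = re.compile(r"\bgen\b|generic|heur|suspicious|\{other\}", re.IGNORECASE)


def hash_bytes(data):
    """(md5, sha256) hex digests; the MD5 is what the VirusTotal analysis URL carries."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path):
    """Same digests for a file on disk, streamed so large samples are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify_detections(results):
    """results: list of (engine, detection name or None if clean) -> summary dict.
    Generic/heuristic names are split from specific ones because, as the thread
    notes, they are more prone to false positives."""
    hits = [n for _, n in results if n]
    generic = [n for n in hits if GENERIC_PATTERN.search(n)]
    specific = [n for n in hits if not GENERIC_PATTERN.search(n)]
    if not hits:
        verdict = "clean on all engines"
    elif specific:
        verdict = "specific detections present; treat as real until the vendor says otherwise"
    else:
        verdict = "only generic/heuristic detections; likely FP, submit the sample to the vendor"
    return {"engines": len(results), "hits": len(hits), "generic": len(generic),
            "specific": specific, "verdict": verdict}


# Constructed sample modelled on the thread: a generic avast name, a heuristic
# name, the Lineage name mentioned later in the thread, and clean engines.
SAMPLE_RESULTS = [
    ("avast", "Win32:Trojan-gen {Other}"),
    ("EngineB", "Heur.Trojan.Generic"),
    ("EngineC", "Troj/Lineage-F"),
    ("EngineD", None),
    ("EngineE", None),
]
```

Comparing `hash_file(path)[0]` against the MD5 in an earlier VirusTotal link is also the quickest way to tell whether the vendor has shipped a new build of the scanner since the last submission.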
DavidR, thank you very much. I was having trouble finding my way around and trying to submit to VT. I hope it’s a FP because the scan is quick and easy, and corrects any problems it finds, but if it’s malware I guess it’s not the end of the world.
You’re welcome, now we have to wait, hopefully not too long.
I haven’t seen any answer here, but I tried the scan last night, and it worked, so I guess it must be fixed now.
I sent a sample so that would have been acted on relatively quickly, so yes it has been fixed.
Normally it is the originating poster, who would be periodically scanning the file in the chest to see when it is corrected, who would report that fact.
The latest update which was downloaded overnight 4 Oct 2008 is again detecting it as a trojan generic.
I have used this utility (xclean_micro.exe) many times.
I disabled web and standard scans so I could run it.
I uploaded to Virus Total, and some heuristic scans detect a trojan called lineage.
On researching, http://www.sophos.com/security/analyses/viruses-and-spyware/trojlineagef.html says how to remove the trojan; I looked in the registry and the entry wasn’t there.
I ran Dr Web Cureit on the file too and there was no trojan.
I notice that any file called keygen is detected as a generic trojan.
It looks like a definite false positive, please rectify.
Thanks
Can you post the virustotal analysis link?
They usually correct false positives within a day… hope they take a look at it…
Well I have just downloaded it again and this version of microscan x-cleaner is different to the one I sent to VT before as it has a different MD5: 919ddf9315271329344499372c1dc9a0, so there looks to have been an update there too.
This time there are 8/36 detections, fewer than before (http://www.virustotal.com/analisis/a11e2fac4f5e36c41083c7b6ee443f0e), but most of these are generic, like avast’s, or heuristic, so you should send the sample to avast.
See http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.