possible infection in bleeping forum


5 replies to this topic

#1 silon and garfunkel


Posted 10 March 2009 - 04:14 AM

Hi,

I'm not sure if this is the right forum, but it's a bit difficult to tell where this belongs.

While looking through the "Am I infected" forums I noticed where a BC Advisor had recommended the use of a program called flash disinfector.exe, and had left a link. I thought it would be useful, so I tried to download it, but my AV program said it contained a worm, so I blocked it.

The problem may be at my end as I am already having problems with my Avira AV as can be seen here, www.bleepingcomputer.com/forums/topic209597.html.

This is the article in which I found the problem, www.bleepingcomputer.com/forums/topic206874.html.

Would someone be able to put a link for flash disinfector here so that I can try to download it and see what happens?

Thanks.



#2 Stang777


Posted 10 March 2009 - 04:41 AM

Apparently Avira has a high rate of false positives, and according to another forum, Avira is flagging the flash disinfector as bad. They are saying it is a false positive. I cannot say for sure that is the case in your situation, but here is a portion of a thread about this on the eldergeek forum:

Certain embedded files that are part of legitimate programs or specialized fix tools such as FlashDisinfector may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted program", or even "malware (virus/trojan)" when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes and malware strings it contains.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. When flagged by an anti-virus, it's because the program includes some features or additional files that can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".

Here is a link to the thread:

http://www.theeldergeek.com/forum/index.php?showtopic=34512

Btw, I just looked through the thread you posted a link for, the one you got the link for the flash disinfector from, and saw two links posted for it. If you used the link that DaChew posted, I would say what you got from your AV program was a false positive; if you used the link posted by someone else, I cannot say for sure. This is nothing personal against the other poster who posted a link for it, just saying that the one DaChew posted can certainly be trusted.

Edited by Stang777, 10 March 2009 - 04:52 AM.


#3 silon and garfunkel


Posted 10 March 2009 - 05:02 AM

Hi,

Yes, it was the link from DaChew that I clicked on and that Avira said was infected (just did it again), so I guess that it must be a false positive.

Thanks.

#4 Stang777


Posted 10 March 2009 - 05:09 AM

I would think it is a false positive then, especially with what I have been reading about this program and Avira, and you are welcome.

#5 Papakid


Posted 10 March 2009 - 12:45 PM

Hi silon and garfunkel,

You can rest assured that Flash Disinfector is not a malicious program--it's a false positive by AntiVir. As much as I like AntiVir, it is rather distressing that there are so many false positives and many of those are for security tools.

To prevent this from happening anymore, I have downloaded FD and then submitted the file as a sample to Avira as a "possible" false positive. First, I can confirm that AntiVir flags this file--it wouldn't even let me download it while the guard was active. It calls it WORM/Generic.4084. "Generic" or "heuristic" is always a red flag for me that a detection could be a FP.

I have submitted the file to this page: http://analysis.avira.com/samples/index.php
Anyone could--and should--do this as well any time a false positive is suspected; just be sure to indicate that it is a suspected FP.

Usually Avira will take 24 hours or less to notify you of whether the file is a false positive or not. This one must have been submitted already because the results were given as soon as the file upload was complete:

"The file 'Flash_Disinfector.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will not be removed due to the fact that the file contains unencrypted malicious patterns. This is an indicator that a legitimate detection or removal program did not encrypt parts that are used to identify malicious content. Please contact the manufacturer of this file."

I was going to post that, once the file is verified to be a FP, the definitions would be updated shortly and this wouldn't be a problem any longer. But that is contradicted by the last part of the above message. They aren't going to change their definitions.

Probably the easiest way to work around this is to go offline--if you are on broadband, physically disconnect--and just before you run Flash_Disinfector, disable AntiVir Guard (you can also disable the guard while online just long enough to download the file). Then insert any flash drive or other removable drives and run Flash_Disinfector. You can then delete Flash_Disinfector--it shouldn't be needed again because it "inoculates" each drive by creating an autorun.inf file/folder in the drive's root folder--don't delete those.

Alternatively, you can tell AntiVir to not scan the file. The only problem with this is that the guard can make exceptions for the processes too for when you run it, but I am not sure which process should be excluded--there may be more than one.

To exclude a file from future detections, do the following:

1. Open AntiVir.

2. Click the Extras menu (top) and choose Configuration.

3. Click in the box next to Expert mode to put a checkmark there--this is important since the Exclusion option won't show up unless Expert mode is checked.

4. If there is a plus sign to the left of Scanner, click it to expand and if one is next to Scan do the same.

5. Click Exception.

6. Click the box with the three periods and browse to the file you want to exclude.

7. Click the Add>> button. The filepath should now appear in the text field to the right of the Add>> button.

To do the same for the Guard the instructions are the same, except at step 4 substitute Guard for Scan. The instructions are the same for excluding files. For the process, try entering Flash_Disinfector.exe. Strike that--I just tried to enter the file name and see it is limited to 15 characters. So you can't exclude this process. I would still exclude the file in the scanner and guard, but when you run the file you are going to have to disable AntiVir Guard first.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan
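A defender-side check of the inoculation Papakid describes, added here as an example that is not from the thread and not Flash Disinfector's own code. It assumes only what the post states, that an inoculated drive carries an autorun.inf entry in its root, and it reports what is there without changing anything:

```powershell
# Added example (not from the thread): report the autorun.inf state at the
# root of every removable drive. Per the post above, Flash Disinfector
# "inoculates" a drive by creating an autorun.inf file/folder in its root,
# and that entry should be left in place. A plain autorun.inf *file* on a
# drive you did not inoculate yourself is worth reading before trusting it.
function Get-AutorunInfState {
    # DriveType 2 = removable disk in the Win32_LogicalDisk class.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2"
    foreach ($d in $drives) {
        $path = Join-Path $d.DeviceID 'autorun.inf'
        # -Force lets Get-Item see entries marked Hidden/System.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) {
            'absent: drive is not inoculated'
        } elseif ($item.PSIsContainer) {
            'directory: looks like an inoculation placeholder (leave it in place)'
        } else {
            'file: review its contents before trusting this drive'
        }
        [pscustomobject]@{
            Drive      = $d.DeviceID
            Label      = $d.VolumeName
            Path       = $path
            Attributes = if ($item) { $item.Attributes } else { $null }
            State      = $state
        }
    }
}

Get-AutorunInfState | Format-Table -AutoSize
```

Run it from an elevated or normal PowerShell prompt after inserting the drives; it only reads the drive root, so it is safe to run with the AntiVir Guard still enabled.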


#6 silon and garfunkel


Posted 11 March 2009 - 01:51 AM

Hi Papakid,

Thanks for the help, that pretty much clears it up. I'll give it a try and see what happens.



