Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Win32:Indec infection on Glary Utilities???

  • Please log in to reply
1 reply to this topic

#1 black069


  • Members
  • 66 posts
  • Gender:Male
  • Location:Tabor City, NC
  • Local time:05:29 AM

Posted 19 August 2009 - 07:50 AM

Yesterday, I uninstalled AVG Free version 8.5. I did this because for every 2-3 days over the last several weeks, all of the previous scanning logs would mysteriously disappear such that it would say "Last Scan: Has Not Been Performed." Even the events in the "Event Viewer" would mysteriously disappear along with the scanning logs. Plus, the program had not found any traces of anything bad in months. Needless to say, I thought something was fishy, and wanted to try a different antivirus program.

So as soon as I removed AVG, I installed the most recent version of Avast. (Note: I did this with my Windows Firewall on "Allow no exceptions." I also use a router, which to my understanding, works like a firewall.)

I did the boot-time scan for Avast once I downloaded it, and it didn't find anything. After configuring the settings, I ran an "on-demand" scan of all of the files on my computer with the level on "Thorough Scan" as well as "Scan Archived Files."

It found a virus (Win32:Indec) in 4 locations total. Two of the "infected" files were from C:\Program Files\Glary Utilities. These 2 files were encryptexe.exe and joinexe.exe. By the way, I downloaded Glary Utilities v2.14.0.711 in late June-early July and have had no issues with it. The status tab on the GUI states Last Update: 2009-06-24 and Database Date: 2009-07-01.

Avast also found this same virus in C:\System Volume Information in 2 locations (both in Restore Point 82). These 2 files are the same size as the 2 .exe files found in Glary Utilities, so it obvious that it just found duplicate copies in System Restore.

So I thought I would be able to Google and find a quick and easy answer to this. To me, it seems odd that Glary Utilities (a legit program) would be infected, especially since I downloaded from Download.com. Plus, I have run Malwarebytes' Anti-Malware and SuperAntiSpyware at least twice a week since July 1 without finding anything. I have also run 4 free online scanners at least once during this time frame (Kaspersky, McAfee, CA Threat Scanner, and a-Squared Trojan Scanner).

For completeness, I have SpywareBlaster, which I keep updated, and the same for MVP's Host File. I am the only person who has touched this computer in the last six months (if not longer), and I never clicked on a site unless it had AVG's stamp of approval. And, of course, I never downloaded any attachments unless I was expecting, nor did I even open emails from persons or institutions whom I did not know/trust.

So the question now is what to do? I followed the suggestions of Avast and placed the files in the virus chest. But if I am to believe what I read about this bug, I may need to take further action....that is, if I do not think this is a false positive. A Google of ["Win32:Indec" and "Glary Utilities"] turned up one result in English that describes a situation almost identical to mine except that the bug was found by a-Squared. Most there thought it was a false positive since it was not found on other AV programs, but now this makes at least two programs that have identified the bug. So next steps????

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,771 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:29 AM

Posted 19 August 2009 - 12:01 PM

Certain embedded files that are part of legitimate programs or specialized fix tools, may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes, malware strings it contains and the type of security engine that was used during the scan.

Packed files use a specially compressed (protected) file that may have been obfuscated or encrypted in order to conceal itself and often trigger alerts by anti-virus software using heuristic detection because they are resistant to scanning (difficult to read).

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or it can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program.

It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".

RejZoR, avast! Evangelist at the avast forum posted these instructions for suspected FP's.

If you encounter alert for which you think that it's a false positive, do the following:

Check the file with this service:

- if file is detected by any other antivirus too (like Kaspersky), than its most probably not a false positive. Treat it with caution.
- false positive files are usually detected as: Win32:Trojan-Gen
(this usually happens because of generic detection)
- if scan still shows that only avast! detects the file, then it could be a virus detected only by avast!. If you think that it's still a false positive,then follow the next step:

Pack the "infected" file into ZIP archive and lock it with password "virus" (without quotes) and attach it to e-mail.
Write the same password inside mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add web address to that file (or webpage of the file/program) if it's on the internet.
Add your own note on why do you think that it's a false positive. Every info helps Alwil staff.
Send the mail to: virus@avast.com

You'll probably get a reply mail about file info (if it was really a false positve) after some time.
If not, check the file with Explorer extension when new VPS is released.
This way you'll know if the false positive was fixed.

Until then, you can add the "false positive" file into exclusions:...

avast forum [Mini Sticky] False Positives
avast forum: Tutorial For False detection
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users