[hewwo2u2]

My school has a bad worm that has been circulating through the network and infecting students' flash drives. Luckily, I haven't used a flash drive in a while so I did not get infected; however, a friend of mine recently tried to use her flash drive at home and her AV program came up saying it was infected. What seems weird to me is that when she tried to download flash disinfector her AV came up again and said the actual flash detector file was infected and that the cleaning of the the infection failed! She said she downloaded it from here

http://www.precisesecurity.com/tools...h-disinfector/

She also said that when she tried to run it she couldn't and that a screen popped up saying something along the lines of it not being a valid 32bit program

I am going to tell her to join these forums so she can get help, but she may find it too overwhelming as she is less computer literate than myself. I asked her what virus program she is using and she said she has no idea and doesn't know where to look. :/ My question is if you look at the link that she went to, it says the download is from techsupportforum.com which is the same as the one I've seen people use on here. I was wondering has anyone heard of this file being infected, or is it the virus on her computer telling her it is? Or perhaps it's just her AV software finding a false positive. I just wanted to bring this to someone's attention in case for some reason one of the tools that we are using in these forums has somehow gotten infected itself...

Also, when doing a google search on the issue, it appears others are having the same problem (one person posted about it saying it was infected coming from bleepingcomputer.com)
then I saw this which says the program itself is an infection. Is this legit?

http://www.prevx.com/filenames/48191...CTOR2EEXE.html

[Byteman]

Hi,

We get questions just about every day for one antimalware program or another, and most of the alerts turn out to be false positives....or, the malware itself produces fake alerts....definitely is possible.

Your link does not work, I get a redirect when trying it....not a problem, we have one

It's good that you asked.... we have been using this download for flash drive disinfection:

Download Flash_Disinfector.exe by sUBs and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Most likely if the drive is infected so is her computer> so do have her join and post a thread in Malware Removal


Get her to send you a link to her thread in case she gets overwhelmed....

[hewwo2u2]

ok I will tell her. The link you posted downloads from the same place she downloaded from. Do you have any outlook on the last link I posted?
http://www.prevx.com/filenames/48191...CTOR2EEXE.html
It looks like it's saying some pretty harsh stuff about it but maybe its talking about something else?

Thanks for the info!

[Cookiegal]

Many of the tools we use are flagged as malware when they are not. This is due to their capabilities and what they do, creating files, deleting files, making changes in the registry, etc. so basically they act like malware as this is what malware does. These false detections are based on heuristics or behaviour. The anti-malware program can't tell the different between friend and foe in such instances.

[Byteman]

Hi,

The link I pasted in last reply does not work, either but this one does>

http://download.bleepingcomputer.com...isinfector.exe

Like I said, have her re-download the file and try it again please, then let me know what happens

Security programs will alert about downloads.... ooops, I see Cookiegal has supplied an answer so will let that rest.....

The flash disinfect tool is very legitimate.

[hewwo2u2]

thanks you guys! I'll let her know this when I see her tomorrow.

[perfume]

Dear Byteman,
While downloading the file "Ad-Watch Live has blocked the process as it identified it as a win32 generic worm!Shall i go ahead? This query may kindly be replied only by Byteman,please!

[Byteman]

Hi perfume

So that my reply is not just a bunch of words, which you might not take the right way, I am combining the results of a just-done scan on the Flash Disinfector download file:


Things to consider: Which of the scanners found anything- AntiVir, Ikarus, CPsecure, to me these 3 are newcomers, not to say they are bad, but perhaps they need a tuneup.

Waht was found: The file or item they objected to, is NirCmd, which is also found in ComboFix.....and which is also commonly detected as a "Not-A-Virus". or "RiskTool".... it is being judged on what it appears to be able to do to the scanners.

If the people who "made" or were more or less responsible for Flash_Disinfector complained loud and long enough, perhaps the people who control the scan engines or programs' code that detect low-risk utilities like NirCmd could whitelist the item so it is not "objected to" by scans or programs..... from what I know, some items can more easily be added and some you would not want added as that would let real malware possibly get skipped in scans at least that is what I get from the many articles etc I've run across about the subject of common false positives. Every scan or program has some...based not on an actual detection of a signature malware item, but rather on heurisitics, more along the lines of "what it could do based on what it is". As malware has become very much more intricate and stealthy, so to our tools have to contain more powerful things...which, unfortunately, can appear to be malicious but in reality are not
So, Flash_Disinfector obviously to me contains no malware, is not a worm, and only that one part of it is objected to, and that item is an already well documented false positive, much along the lines of "Block/Allow" when you need to run a script and have security programs that you must answer with a Yes/No


This is also why, for example with ComboFix, we often have you Disable RealTime protection....like Resident Shield in AVG....otherwise, the things we need to make changes to clean out malware would not be able to work.

And, often the detection of a known good tool or part thereof is OK since that part CAN BE stolen and put to less than good use, you see..... but when something is detected you just have to use your wits and look objectively at the situation....here, we strongly suspect that it is a false positive, we know it is a known GOOD tool, and we find that it contains a certain file or object that is known to upset scanners....we then can ignore the detection based on what we can see. All in all, yes there certainly is some margin for error in computer use, there certainly could be a virus-laden copy of any utility floating around, but we would get word almost instantly and action would be taken as quickly as possible.....

To this day, on my old HP machines, two or three HP files are still detected as infected: C:\hp\bin\KillWind.exe , and Fondlewindow
http://forums13.itrc.hp.com/service/...hreadId=784057
http://www.dslreports.com/forum/r185...false-positive

Service load: 0% 100%

e: Flash_Disinfector.exe <what was scanned
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: a37c8c8523b2027897be24c9dec7cf35
Packers detected: PE_PATCH.UPX, UPX

Scanner results
Scan taken on 01 Mar 2009 01:28:30 (GMT)
A-Squared Found nothing
AntiVir Found WORM/Generic.4084, APPL/NirCmd.2
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Malware.Generic
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found not-a-virus:RiskTool.Win32.NirCMD
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

[perfume]

Dear Byteman,
Thanks a lot for your observations and suggestions! I am sorry that i missed reading your post. Your knowledge is awesome and may i suggest that your contributions really make the difference between other tech related sites and our site! I am only a teenager learning as i go along and i would like to thank cookiegal for pardoning my misplaced enthusiasm! I have learnt so much from this site that it's become second nature to lookup the site before even googilng for any help!