PC Review



Downloader.VB.AXO

 
 
Dennis
      11th Feb 2008
On Saturday an AVG Free scan turned up the Downloader.VB.AXO trojan
horse in C:\Program Files\music_now\inetchk.exe. As far as I know, this
folder and file have been on my PC since I got it last August (it came
pre-installed with other HP software).

Googling turns up a few posts indicating this might be a false positive
from AVG.

Any thoughts?

--

Dennis
 
David H. Lipman
      11th Feb 2008
From: "Dennis" <(E-Mail Removed)>

| On Saturday an AVG Free scan turned up the Downloader.VB.AXO trojan
| horse in C:\Program Files\music_now\inetchk.exe. As far as I know, this
| folder and file have been on my PC since I got it last August (it came
| pre-installed with other HP software).
|
| Googling turns up a few posts indicating this might be a false positive
| from AVG.
|
| Any thoughts?
|


Please submit a sample of "inetchk.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
private.php?do=newpm&u=?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Dennis
 
      11th Feb 2008
On Mon, 11 Feb 2008 22:10:44 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>When you get the report, please post back the exact results.


grisoft suggested I post a sample to http://virusscan.jotti.org/. Here
are their results...

>File: inetchk.exe
>Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
>MD5: 09b51f86b604affee200ee78c5c31290
>Packers detected: -
>Bit9 reports: No threat detected (more info)
>
>Scanner results
>Scan taken on 11 Feb 2008 21:46:11 (GMT)
>A-Squared Found nothing
>AntiVir Found TR/Click.HD
>ArcaVir Found nothing
>Avast Found Win32:Neptunia-KH
>AVG Antivirus Found Downloader.VB.AXO
>BitDefender Found nothing
>ClamAV Found nothing
>CPsecure Found nothing
>Dr.Web Found Trojan.Click.2093
>F-Prot Antivirus Found nothing
>F-Secure Anti-Virus Found nothing
>Fortinet Found nothing
>Ikarus Found Trojan.Click.2093
>Kaspersky Anti-Virus Found nothing
>NOD32 Found nothing
>Norman Virus Control Found nothing
>Panda Antivirus Found nothing
>Rising Antivirus Found nothing
>Sophos Antivirus Found nothing
>VirusBuster Found Trojan.CL.Agent.IJS
>VBA32 Found Trojan.Click.2093


It looks like they can't agree as to what it is, if anything.

Thanks.

--

Dennis
 
David H. Lipman
 
      11th Feb 2008
From: "Dennis" <(E-Mail Removed)>


>> File: inetchk.exe
>> Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
>> MD5: 09b51f86b604affee200ee78c5c31290
>> Packers detected: -
>> Bit9 reports: No threat detected (more info)
>>
>> Scanner results
>> Scan taken on 11 Feb 2008 21:46:11 (GMT)
>> A-Squared Found nothing
>> AntiVir Found TR/Click.HD
>> ArcaVir Found nothing
>> Avast Found Win32:Neptunia-KH
>> AVG Antivirus Found Downloader.VB.AXO
>> BitDefender Found nothing
>> ClamAV Found nothing
>> CPsecure Found nothing
>> Dr.Web Found Trojan.Click.2093
>> F-Prot Antivirus Found nothing
>> F-Secure Anti-Virus Found nothing
>> Fortinet Found nothing
>> Ikarus Found Trojan.Click.2093
>> Kaspersky Anti-Virus Found nothing
>> NOD32 Found nothing
>> Norman Virus Control Found nothing
>> Panda Antivirus Found nothing
>> Rising Antivirus Found nothing
>> Sophos Antivirus Found nothing
>> VirusBuster Found Trojan.CL.Agent.IJS
>> VBA32 Found Trojan.Click.2093

|
| It looks like they can't agree as to what it is, if anything.
|
| Thanks.
|

Jotti's is a good alternative to Virus Total.
I rate Virus Total higher with NO offense meant towards Jordi.

There is no real naming convention in naming malware. Very few anti virus companies name
the same infector the same way and often when they do, the version is often different
amongst the various vendors. A good example would be a ZLob Trojan. Several vendors may
call it a ZLob Trojan but will show the version differently.

That is why the US Gov't. commissioned MITRE to come up with the Common Malware Enumeration
(CME) list which cross references with high infection rates. Often vendors will append
CME-xxx to the name of the infector. Inspect the below URL and you'll see just how
differently the various vendors name the SAME infector.
http://cme.mitre.org/data/list.html

Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.

Remove the Trojan by moving into the Virus Vault.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
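
The Jotti report quoted in this thread, tallied as an added example (not code from any poster): it counts how many engines flagged the file and groups them by exact detection name and by shared name token, which makes the vendor naming differences visible. The `GENERIC` stoplist and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Scanner lines copied from the Jotti report quoted in the thread.
REPORT = """\
A-Squared Found nothing
AntiVir Found TR/Click.HD
ArcaVir Found nothing
Avast Found Win32:Neptunia-KH
AVG Antivirus Found Downloader.VB.AXO
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Click.2093
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Click.2093
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found Trojan.CL.Agent.IJS
VBA32 Found Trojan.Click.2093
"""
# Assumed list of generic name parts that say nothing about the family.
GENERIC = {"trojan", "tr", "win32", "downloader", "agent"}

def parse_report(text):
    """Map each engine to its detection name, or None for 'Found nothing'."""
    results = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?) Found (.+)$", line.lstrip("> ").strip())
        if m:
            results[m.group(1)] = None if m.group(2) == "nothing" else m.group(2)
    return results

def summarize(results):
    """Count detections; group engines by exact name and by shared name token."""
    by_name, by_token = defaultdict(list), defaultdict(set)
    for engine, name in results.items():
        if name:
            by_name[name].append(engine)
            for tok in set(re.split(r"[^A-Za-z0-9]+", name.lower())) - GENERIC - {""}:
                by_token[tok].add(engine)
    shared = {t: sorted(e) for t, e in by_token.items() if len(e) > 1}
    return {"engines": len(results), "detections": sum(map(len, by_name.values())),
            "by_name": dict(by_name), "shared_tokens": shared}
```
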


 
Dennis
 
      11th Feb 2008
On Mon, 11 Feb 2008 23:03:02 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.


I suspect the PC came with this. I wonder if grisoft just recently
updated their definitions to find this. I haven't downloaded anything in
the past 10 days that I can remember and the PC was clean the Saturday
before.

>Remove the Trojan by moving into the Virus Vault.


Done.

***

I haven't been able to find a description of this one so I don't know
what it is supposed to do. I'd like to know what to look for if anything
funny starts happening.

Thanks,

--

Dennis
 
David H. Lipman
 
      11th Feb 2008
From: "Dennis" <(E-Mail Removed)>

| On Mon, 11 Feb 2008 23:03:02 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
>> Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.

|
| I suspect the PC came with this. I wonder if grisoft just recently
| updated their definitions to find this. I haven't downloaded anything in
| the past 10 days that I can remember and the PC was clean the Saturday
| before.
|
>> Remove the Trojan by moving into the Virus Vault.

|
| Done.
|
| ***
|
| I haven't been able to find a description of this one so I don't know
| what it is supposed to do. I'd like to know what to look for if anything
| funny starts happening.
|
| Thanks,
|

To find that information, use the information obtained from Jotti.

Based upon the infector name and the anti virus vendor, check the vendor's respective virus
libraries/encyclopedias.

BTW: The reason I stated to move this into the Virus Vault is because if this is
eventually deemed to be a False Positive then it can be restored.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Dennis
 
      12th Feb 2008
On Mon, 11 Feb 2008 23:47:38 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Based upon the infector name and the anti virus vendor, check the vendor's respective virus
>libraries/encyclopedias.


I just tried that. AVG doesn't have a listing for this trojan (maybe
it's too new). The only other vendor I could find with an encyclopedia
was Avira, and they didn't have their infector name either. Maybe I'll
try looking more tomorrow.

Thanks,

--

Dennis
 
Dennis
 
      13th Feb 2008
On Mon, 11 Feb 2008 23:03:02 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.


I sent inetchk.exe (zipped and password protected) to grisoft. They just
got back to me and said it was a false positive.

Thanks for your help...

--

Dennis
 
David H. Lipman
 
      13th Feb 2008
From: "Dennis" <(E-Mail Removed)>

| On Mon, 11 Feb 2008 23:03:02 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
>> Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.

|
| I sent inetchk.exe (zipped and password protected) to grisoft. They just
| got back to me and said it was a false positive.
|
| Thanks for your help...
|

Arghhhhhhhh !

Thanks for the update.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 