False? Trojan Troj.KillReg


Mark Lovell

I am running MSAS with the latest defs file, and it
detects Troj.KillReg in the file c:\windows\autoclk.exe. I
then ran a full scan with Trend Micro PC-cillin Internet
Security 12 (which I had just purchased) but it found
nothing. I have quarantined the file with MSAS whilst I
consider whether this is a false positive in MSAS.
The only reference I can find on the Trend Micro Virus
encyclopaedia is for TROJ_KILLREG.C
(http://uk.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=1&VName=TROJ_KILLREG.C&highlight=killreg)
which makes no reference to autoclk.exe being the
infected file, and is detected with the TM pattern file I
am using.
Can anyone help?
 

Robin Walker [MVP]

Mark Lovell said:
I am running MSAS with the latest defs file, and it
detects Troj.KillReg in the file c:\windows\autoclk.exe. I
then ran a full scan with Trend Micro PC-cillin Internet
Security 12 (which I had just purchased) but it found
nothing. I have quarantined the file with MSAS whilst I
consider whether this is a false positive in MSAS.

Look at the Properties of autoclk.exe. Does it look as if it came from
Microsoft?

I have no such file in any system under my care.
 

Mark Lovell

-----Original Message-----
Mark Lovell said:
I am running MSAS with the latest defs file, and it
detects Troj.KillReg in the file c:\windows\autoclk.exe. I
then ran a full scan with Trend Micro PC-cillin Internet
Security 12 (which I had just purchased) but it found
nothing. I have quarantined the file with MSAS whilst I
consider whether this is a false positive in MSAS.

Look at the Properties of autoclk.exe. Does it look as if it came from
Microsoft?

I have no such file in any system under my care.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.
Thanks, Robin.
Certainly doesn't have any connection with Microsoft in
the file properties, in fact it doesn't identify the
Company at all - very suspicious
 

bill sanderson

-----Original Message-----
Certainly doesn't have any connection with Microsoft in
the file properties, in fact it doesn't identify the
Company at all - very suspicious
.


Consider submitting the binary to:

http://www.virusscan.com
http://virusscan.jotti.org

These will get you a reading from multiple a/v vendors--
no news is not necessarily good news, but a bad reading
from one or more vendors is worth taking notice of.

See the browse window in the upper right of the screen.
 

Tom Emmelot

Hello Mark,
see here:

http://castlecops.com/s7533-autoclk.html
So don't worry.


Regards >*< TOM >*<

 

Mark Lovell

See following message from Trend Micro EMEA AntiVirus
Service:
Dear Mark Lovell,

The file autoclk.exe (143,360 bytes) was previously
detected by Trend Micro as TROJ_KILLREG.D. However, upon
further verification, this file is a component file that
is used by a certain proprietary software. Hence, Trend
Micro already dropped detection for this malware.

Please retain the subject heading of this email as it
will serve as the case-ID reference for this case.

Best Regards,
_______________________________________

TREND MICRO EMEA
_______________________________________
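
The checks suggested in this thread (the file's Properties, its size against the figure in Trend Micro's reply, and a hash to compare against multi-scanner results), gathered into one added PowerShell example that is not part of the original posts. The function name `Get-FlaggedFileTriage` is hypothetical; the default path and expected size are the values quoted above.

```powershell
# Added example: collect the facts needed to judge a suspected false positive.
# Get-FlaggedFileTriage is a hypothetical helper name, not a built-in cmdlet.
function Get-FlaggedFileTriage {
    [CmdletBinding()]
    param(
        # Default path is the file named in the thread.
        [string]$Path = 'C:\Windows\autoclk.exe',
        # Size quoted in the Trend Micro reply (143,360 bytes).
        [long]$ExpectedSize = 143360
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # A quarantined file is no longer at its original location;
        # restore it to an isolated folder first and pass that path.
        Write-Error "File not found: $Path"
        return
    }

    $file = Get-Item -LiteralPath $Path -Force
    $ver  = $file.VersionInfo                        # fields shown in Properties
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    [pscustomobject]@{
        Path             = $file.FullName
        SizeBytes        = $file.Length
        # A matching size is only a hint; identity needs a hash comparison.
        SizeMatches      = ($file.Length -eq $ExpectedSize)
        CompanyName      = $ver.CompanyName          # empty in the case reported here
        ProductName      = $ver.ProductName
        FileDescription  = $ver.FileDescription
        OriginalFilename = $ver.OriginalFilename
        FileVersion      = $ver.FileVersion
        SignatureStatus  = $sig.Status               # Valid, NotSigned, HashMismatch, ...
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256           = $hash.Hash                # quote this in a vendor submission
        LastWriteTimeUtc = $file.LastWriteTimeUtc
    }
}

Get-FlaggedFileTriage | Format-List
```

Version-resource fields are set by whoever built the binary, so a plausible company name is weaker evidence than a valid Authenticode signature or a hash the vendor confirms.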
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top