
False Positive? Vista Codec Package



IObit Security 360

 

OS:Windows Vista

Version:0.4.0.20

Define Version:1129

Time Elapsed:8/21/2009 9:41:58 AM

Objects Scanned:1

Threats Found:1

 

|Name|Type|Description|ID|

Trojan.Downloader, File, C:\Program Files\VistaCodecPack\Tools\VistaUser.exe, 11-12004

 

I have been using this program for years and get it from the same site that I get this program from (Majorgeeks). I uninstalled the program, removed all traces of it, then installed it again; I still get the same thing.

 

I also got one from SystemRequirementsLabs, but I uninstalled that program then reinstalled it and IObit 360 no longer flags it. At that time I didn't save the scan to file; I really wish I did, oh well. One thing to say about that is I was using the last version of IObit 360, not the updated one that came out last night, so maybe it was fixed?


Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.08.07 -

AhnLab-V3 5.0.0.2 2009.08.07 -

AntiVir 7.9.0.246 2009.08.07 -

Antiy-AVL 2.0.3.7 2009.08.07 -

Authentium 5.1.2.4 2009.08.07 -

Avast 4.8.1335.0 2009.08.06 -

AVG 8.5.0.406 2009.08.07 -

BitDefender 7.2 2009.08.07 -

CAT-QuickHeal 10.00 2009.08.07 -

ClamAV 0.94.1 2009.08.07 -

Comodo 1898 2009.08.07 -

DrWeb 5.0.0.12182 2009.08.07 -

eSafe 7.0.17.0 2009.08.06 Suspicious File

eTrust-Vet 31.6.6665 2009.08.07 -

F-Prot 4.4.4.56 2009.08.07 -

F-Secure 8.0.14470.0 2009.08.07 -

Fortinet 3.120.0.0 2009.08.07 -

GData 19 2009.08.07 -

Ikarus T3.1.1.64.0 2009.08.07 -

Jiangmin 11.0.800 2009.08.07 -

K7AntiVirus 7.10.813 2009.08.07 -

Kaspersky 7.0.0.125 2009.08.07 -

McAfee 5700 2009.08.06 -

McAfee+Artemis 5700 2009.08.06 -

McAfee-GW-Edition 6.8.5 2009.08.07 Heuristic.LooksLike.Win32.Bifrose.C

Microsoft 1.4903 2009.08.07 -

NOD32 4315 2009.08.07 -

Norman 6.01.09 2009.08.07 -

nProtect 2009.1.8.0 2009.08.07 -

Panda 10.0.0.14 2009.08.07 -

PCTools 4.4.2.0 2009.08.07 -

Prevx 3.0 2009.08.07 -

Rising 21.41.44.00 2009.08.07 -

Sophos 4.44.0 2009.08.07 -

Sunbelt 3.2.1858.2 2009.08.07 -

Symantec 1.4.4.12 2009.08.07 -

TheHacker 6.3.4.3.377 2009.08.05 Trojan/Downloader.Agent.cgfw

TrendMicro 8.950.0.1094 2009.08.07 -

VBA32 3.12.10.9 2009.08.07 -

ViRobot 2009.8.7.1873 2009.08.07 -

VirusBuster 4.6.5.0 2009.08.06 -

Additional information

File size: 327825 bytes

MD5 : 83d9bbfc668ecf6a180b2822cbb17315

SHA1 : 8f6df3fc21bad7484535293dee7982d23eb0837d

SHA256: 4fd270996264f7acf86934d4490848819ebe41376301b6fb642b23a40707f921

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0xAF1E0

timedatestamp.....: 0x4951FA17 (Wed Dec 24 10:00:07 2008)

machinetype.......: 0x14C (Intel I386)

 

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0x6F000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0x70000 0x40000 0x3F400 7.93 a43a6dd5ace3f9436d039504b3468877

.rsrc 0xB0000 0x8000 0x7600 5.88 716c072361e2413321af8dab262e4a8a

 

( 16 imports )

 

> advapi32.dll: AddAce

> comctl32.dll: ImageList_Remove

> comdlg32.dll: GetSaveFileNameW

> gdi32.dll: BitBlt

> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

> mpr.dll: WNetGetConnectionW

> ole32.dll: CoInitialize

> oleaut32.dll: -

> psapi.dll: EnumProcesses

> shell32.dll: DragFinish

> user32.dll: GetDC

> userenv.dll: LoadUserProfileW

> version.dll: VerQueryValueW

> wininet.dll: FtpOpenFileW

> winmm.dll: timeGetTime

> wsock32.dll: -

 

( 0 exports )

 

TrID : File type identification

UPX compressed Win32 Executable (43.8%)

Win32 EXE Yoda's Crypter (38.1%)

Win32 Executable Generic (12.2%)

Generic Win/DOS Executable (2.8%)

DOS Executable Generic (2.8%)

ssdeep: 6144:ElZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lLIPTO8:EHLUMuiv9RgfSjAzRtyUTO8

PEiD : UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

packers (Kaspersky): PE_Patch.UPX, UPX

packers (F-Prot): UPX

RDS : NSRL Reference Data Set

 

I hope this is what I was supposed to post.


Archived

This topic is now archived and is closed to further replies.
