Avast detecting Dir2File as tElock trojan
Started by Peter_NZ, May 12 2009 09:00 PM
11 replies to this topic
#1
Posted 12 May 2009 - 09:00 PM
Hi all
I ran Avast Home Ed on a complete system scan this morning, and it picked up the Dir2File.exe prog in both the XP and Vista Autopatcher folders I have resident on the hard drive, as well as the actual "live" install of the file in my Program Files directory. I reported all 3 as "false positives" to Avast. Is it possible that the file IS infected? I've been using Autopatcher on all my clients' PCs for the last 3 years, and Avast has not picked up Dir2File in all that time (has the prog changed at all in the last 3 years?). The first time I saw Avast pick it up was yesterday when I used the Avast BART CD to scan a client's XP Home PC (I would have run Autopatcher on that PC probably 6 months ago) - I allowed the deletion, thinking perhaps his PC might be compromised. However, scans using BART of clients' PCs at the end of last week - where Autopatcher had already been run a few months previously - showed nothing, so obviously Avast has only just decided to "recognise" Dir2File as a "virus".
Confirmation of Dir2File's integrity would be appreciated.
Cheers
Peter
Here are the messages from the Avast scan:
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Documents\Autopatcher_Vista32\modules\Tweaks\__Functionality\DIR2File_x86_enu.apm_files\dir2file.exe\[tElock]" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Documents\AutoPatcher_XP\modules\Tweaks\__Functionality\DIR2File_x86_enu.apm_files\dir2file.exe\[tElock]" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Dir2File\dir2file.exe\[tElock]" file
#2
Posted 12 May 2009 - 09:31 PM
How did you create your AutoPatcher releases, downloading using APUP or did you download the large files from the internet?
Yes, you use APUP to download directly from Microsoft all the updates to create a release. The days of the single large update downloaded from our mirrors (or anywhere off the internet) are over - it is discouraged and illegal.
I scanned my AutoPatcher folders using Avast Home, SysClean, Malwarebytes etc and nothing is being flagged, so you very well could be infected, but its origin is not AutoPatcher; rather, AutoPatcher may have been infected.
Mike
Quote
(has the prog changed at all in the last 3 years?)
#3
Posted 12 May 2009 - 11:17 PM
gUiTaR_mIkE, on May 13 2009, 09:31 AM, said:
How did you create your AutoPatcher releases, downloading using APUP or did you download the large files from the internet?
Yes, you use APUP to download directly from Microsoft all the updates to create a release. The days of the single large update
downloaded from our mirrors (or anywhere off the internet) is discouraged and illegal.
I scanned my AutoPatcher folders using Avast Home, SysClean, Malwarebytes etc and nothing is being flagged, so you very well
could be infected but it's origin is not AutoPatcher, rather, AutoPatcher may have been infected.
Mike
Hi Mike
Thanks for the reply. I've used APUP ever since the full downloadable versions were pulled from the 'net. I'm using a special version of APUP supplied by Christiano, but other than that, am following the "usual" way of doing things. I recreated my Autopatcher folders from scratch a month or so back, so they are "new" in that sense (i.e. not old stuff I've been using for years or months). Note that the Dir2File that was "picked up" by Avast on the client's PC was one installed over 6 months ago (possibly a year back), whereas the one on my system can't be more than 1 month old (since that is when I last recreated my Autopatcher folders from scratch). How likely is it that the old one on the client PC AND mine are infected? I would have said the probability is extremely low. Not only that, but when I did the scan on the client's PC I was running off the BART CD - his PC was not networked to mine.
Interesting that your scans returned nothing - I'll try Malwarebytes & Super Antispyware later and see what they turn up. I'm loath to recreate my Autopatcher folders yet AGAIN (I've had to do them 3 times over the last year due to APUP getting corrupted or its knickers in some sort of knot), since "broadband" plans in New Zealand are not cheap (it basically costs $10-$15 each time I recreate the Autopatcher folders - I have separate folders for Office, XP & Vista, to cut down on corruption issues and make them faster to run).
Cheers
Peter
#4
Posted 12 May 2009 - 11:42 PM
I wanted to double check so I updated Avast Home, Malwarebytes, etc and Avast DID flag the same file ->dir2file.exe
but the other apps had no issues so I'm going to assume (hope) it is a false-positive.
I would run a few online scanners if you are worried and report back, but I do believe it is fine.
Also, if your release is Official (no stray/altered files) this should help in relieving any worry; I would think a virus / trojan or any altered file (changed md5 hash) would negate the Official status - maybe Cristiano can confirm this.
Here are a few online scanners you can use.
OnLine Scanners
Mike
Edited by gUiTaR_mIkE, 13 May 2009 - 12:00 AM.
#5
Posted 13 May 2009 - 02:05 AM
according to this, dir2file.exe is:
Avast 4.8.1335.0 2009.05.12 Win32:Trojan-gen {Other}
eSafe 7.0.17.0 2009.05.12 Suspicious File
Sophos 4.41.0 2009.05.12 Sus/ComPack-C
TheHacker 6.3.4.1.325 2009.05.12 W32/Behav-Heuristic-066
All the other engines (36 out of a total of 40) say that this file is safe. So it is, in fact, a false positive. I've checked the ancient versions of autopatcher that I have here and this file is still the same one, without any change. If I'm not mistaken, this file has been around since 2005 or so. To me, this is the sort of issue that we could safely avoid by removing that file. It is not really required, and this file only does this: dir > file.txt or something like that. Every single time that I had to list the contents of a folder, I always did it by hand. But I don't know about other people. If I'm not mistaken, if you say "open a command prompt, then write dir > file.txt" the guy will think that you are talking Greek or something like that. So I may very well be one of the few that feels more comfortable writing the command than choosing a tool for that, so I'm thinking about 2 things:
1 - choose the "keep it like that" way and trust that this is just a mistake and it will be fixed by those 4 fools. OK, that number may grow too;
2 - avoid more issues and remove the file. I believe that this should be the path to follow if this false positive remains as it is for some time, let's say 30-60 days. It would be a shame, because this tool can be useful to a lot of people, but we can't fight with those guys. Either they fix this of their own will or we will remain forever explaining that this is a mistake. And, in that time, most people will say that autopatcher contains malware, and that is not true.
So, I really don't know, guys. What do you think? Give them time to fix the false positive, or remove it anyway?
[]s
#6
Posted 13 May 2009 - 02:19 AM
I wouldn't remove something useful from AutoPatcher just because of a false-positive, maybe we can add a new
pinned false-positive list that people can check that offer file name, size, md5 etc.
Mike
#7
Posted 13 May 2009 - 02:55 AM
That's the point. As far as I know, there's another false positive with MS common controls, in the apup_bin folder, but I'm not sure. But still, it's an issue to look at from time to time, just to check whether the issue has a solution. Of course, if more and more engines make the same mistake, we may have no choice.
[]s
#8
Posted 15 May 2009 - 06:48 AM
Thanks for the info and thoughts. I ran the Malwarebytes scanner and it didn't flag the file as bad (although Avast did again, since it checks what the scanner is checking...). My thoughts at this stage are most certainly to leave the program in Autopatcher. A false-positive "sticky" would be a good idea: it will be interesting to see if it is used at all, and what sort of results it might yield. In terms of a period of waiting for a false positive to be resolved, I think that would be a disappointing and long wait, especially given how long McAfee took to sort themselves out. Avast are a pretty good company to deal with, but they may still take many months to "look into" the matter. Perhaps if one of you lads were to contact them directly it might speed things up? I know the Autopatcher team is busy and has lives to be lived, but it may help to "head this one off at the pass" before word of the "infection" spreads and gets tagged simply because a few have already tagged it.
Anyway, just my thoughts, and thanks again for your help.
#9
Posted 15 May 2009 - 11:43 AM
Hi,
I am also following up on why Avast has detected dir2file.exe as a trojan.
The file dir2file.exe used by Autopatcher, which has MD5 e8bf4f790ab6a3f46dee58747c2507be, is OK according to the following reference.
http://www.spywarelib.com/FileDetails.aspx...dee58747c2507be
Other references to this file name where it is infected and has a different MD5:
http://www.spywareli...-Viking-lr.html
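The kind of check a pinned false-positive list (file name, size, md5, as proposed earlier in the thread) would support, written here as an added example and not AutoPatcher's own code: the dir2file.exe MD5 is the value quoted in the post above, while its size and SHA-256 are not on the page and are left unpinned; the file-name layout and the `KnownGood` record are assumptions of this example.

```python
"""Verify a flagged binary against a pinned list of known false positives.

Added example, not AutoPatcher's code. The dir2file.exe MD5 is the value
quoted in this thread; its size and SHA-256 are not on the page and are
therefore left unpinned (None).
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class KnownGood:
    name: str
    size: Optional[int]      # None: size not pinned
    md5: str
    sha256: Optional[str]    # None: only MD5 known (weaker; pin SHA-256 when you can)


FALSE_POSITIVE_LIST: Dict[str, KnownGood] = {
    "dir2file.exe": KnownGood("dir2file.exe", None,
                              "e8bf4f790ab6a3f46dee58747c2507be", None),
}


def check_bytes(name: str, data: bytes,
                allowlist: Dict[str, KnownGood] = FALSE_POSITIVE_LIST) -> Tuple[str, str]:
    """Return (verdict, reason); 'known-good' only if every pinned field matches."""
    entry = allowlist.get(name.lower())
    if entry is None:
        return "unknown", f"{name} is not on the false-positive list"
    if entry.size is not None and len(data) != entry.size:
        return "mismatch", f"size {len(data)} != pinned {entry.size}"
    md5 = hashlib.md5(data).hexdigest()
    if md5 != entry.md5.lower():
        # Different build, altered file, or a real infection: do not trust it.
        return "mismatch", f"md5 {md5} != pinned {entry.md5}"
    if entry.sha256 is not None and hashlib.sha256(data).hexdigest() != entry.sha256.lower():
        return "mismatch", "md5 matches but sha256 differs (collision or bad entry)"
    return "known-good", "matches pinned " + ("md5+sha256" if entry.sha256 else "md5 only")


def check_file(path: str, allowlist: Dict[str, KnownGood] = FALSE_POSITIVE_LIST) -> Tuple[str, str]:
    """File wrapper; these helper tools are small, so the whole file is read at once."""
    with open(path, "rb") as fh:
        return check_bytes(os.path.basename(path), fh.read(), allowlist)
```

An MD5 match only says the file is the same one the list author hashed, so the list entry itself must come from a trusted build; MD5 is also no longer collision-resistant, which is why the entry carries an optional SHA-256.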
#11
Posted 17 May 2009 - 04:03 PM
Have just scanned Autopatcher using Avast 4.8.1335.0 2009.05.16 and no positives for any files.
#12
Posted 18 May 2009 - 12:36 AM
White Knight, thanks. The topic about false positives has been updated to reflect that, with thanks to the Avast team for their quick fix and to you for your report of it.
[]s