A-Squared Serious False Positive

[Ritho]

Anyone running Win XP Home or Pro?

I installed A-Squared on my wife's computer as an on demand scanner, and it identified what it thinks are two high-risk trojans in the files "Taskman.exe" & "Systray.exe"

I tested the same two files on VirusTotal.com and a-squared there returned the same result but it was the only one. I then uploaded taskman.exe and systray.exe from my virtualbox installation of XP Pro and got the same result. I further tried files from a third installation of XP with the same result. The MD5 hashes are the same as other peoples who have scanned the files.

Can someone else upload their copies and confirm this? Taskman.exe is located in C:\Windows, and Systray.exe is located in C:\Windows\System32

These are some pretty important operating system files for A-Squared to be identifying as trojans.

[Anupam]

Ritho, I uploaded the Taskman file to VirusTotal, and I get the same result as you. Just A-Squared is flagging it as malware. I think its a case of false positive.

[Bengt S]

Ritho, I am running XP Home and uploaded both files to VirusTotal. Nothing found.

I also took a quick A-Squared scan, but none of the two files were identified. Which type of scan did you take?

I have stopped using A-Squared for the following reason.

When starting it (after updating), a rescan of quarantined files is performed. Every time I get the following message:

After rescanning the quarantined objects with the new downloaded signatures, it turned out that some of them were detected in wrong (false positives). Do you want to restore these objects now to their original locations. Yes or No.

What irritates me is that I don´t get a list of which files are considered false positives, and hence I cannot make an informed decision.

Bengt S

[Anupam]

Whoa! Bengt, you are scaring me now . I am having WinXP Pro. I had uploaded just the Taskman file to VirusTotal, and had got the same result as Ritho. That would mean, both our PCs are infected?

Mine is fresh install of XP on a new hard disk, don't scare me .

[Bengt S]

Well Anupam, I guess you´re not behind a router.

[Anupam]

Are you still trying to scare me?

Well yeah, you guessed it right. I am not behind a router, neither am I using a firewall nowadays. Its just Avast, and just today, installed WinPatrol. I hope I am not infected already.

[Ritho]

If you want to check the hash codes I listed them below.

All of my files from the three different installations have the same hash codes, even between XP Home and Pro.

MD5 hash codes.

Taskman.exe f4dfd83153e8c9088ae2db704107060d

Systray.exe 46e07fd3a40760fda18cf6b4fc691742

Bengt I would like to see your MD5's they appear on the site when you first upload your files. Could you do that?

[Bengt S]

Ritho, here they are:

Taskman.exe ca7ca45c6156c950a5d4645d51e294f3

Systray.exe 70f18d1965ea8b3aa73264cfe0f9144f

[Ritho]

Thanks, Bengt! Obviously you have a different set of files some how. Maybe a European version of Windows?

I went and extracted the files fresh from my install disk, and they are exactly the same as my others. So I am not worried about a virus.

I think I will make a report to A-Squared. It just would not be good if someone deleted their systray and taskmanager. But I don't think you can do it very easy because windows protects those files. Still I was not willing to click quarantine or delete to test my theory.

[Bengt S]

Quote:

Originally Posted by Ritho

Thanks, Bengt! Obviously you have a different set of files some how. Maybe a European version of Windows?

Yes, it is a rather old Swedish Version 2002

Quote:

Originally Posted by Ritho

Still I was not willing to click quarantine or delete to test my theory.

I thought every editor loved testing software theories, keeping their disk images warm.