PSPX7_Cleanup_v1.0.zip contains a Trojan

[r_jeff_m]

Avast claims this file contains Win32:Malware-gen and I can't download an run it.

I have a failed install of PSP X7 Ultimate that I need to clean so I can reinstall.

When I run the installer, it extracts and as soon as I see the "Initializing the Installation Wizard" screen I get:
"your system has not been modified. to complete installation at another time, please run setup again."

OS: Windows 10 64 bit

What can I do?

Thanks

[JoeB]

Temporarily disable your anti-virus before running the cleanup tool. The cleanup tool will remove some registry entries related to PSP and because it will be making those changes to the registry your anti-virus thinks it is malware. You can start your anti-virus again after you have done the cleanup.

[r_jeff_m]

Thanks for the thought... but I downloaded the others to see if that might be the case, and they are came up clean. As well, the PSP7 zip has a different internal structure than the others. I'm guessing it's hacked.

[JoeB]

Thanks for the thought... but I downloaded the others to see if that might be the case, and they are came up clean. As well, the PSP7 zip has a different internal structure than the others. I'm guessing it's hacked.

If it came from the Corel link than I doubt that it was hacked, but it could have been corrupted during the download. But glad to see that you got it sorted.

[r_jeff_m]

Nope.... Not sorted... running PSPX7_Cleanup_v1.0.zip through https://www.virustotal.com results in virus hits as well
so does https://www.metascan-online.com

I believe it has a trojan

VirusTotal
SHA256: e70109807359c2d0a8e761efe0767899481a2f4976bbe5c6b7059bc751b85c77
File name: PSPX7_Cleanup_v1.0.zip
Detection ratio: 10 / 56
Analysis date: 2015-09-23 12:31:21 UTC ( 0 minutes ago )
0 0
Analysis
File detail
Additional information
Comments
Votes
Antivirus Result Update
AVware Trojan.Win32.Generic!BT 20150923
Avast Win32:Malware-gen 20150923
DrWeb Trojan.KillFiles.19713 20150923
Ikarus Trojan.Agent 20150923
McAfee Artemis!5D7E364024AD 20150923
McAfee-GW-Edition BehavesLike.Downloader.gc 20150923
NANO-Antivirus Trojan.Win32.KillFiles.dmpoga 20150923
Qihoo-360 HEUR/QVM11.1.Malware.Gen 20150923
TheHacker Trojan/Cosmu.bizd 20150922
VIPRE Trojan.Win32.Generic!BT 20150923


From https://www.metascan-online.com

DrWebGateway
2387 ms
Sep 22 2015 (More than 13 hours ago)
Trojan.KillFiles.19713
Ikarus
203 ms
Sep 22 2015 (More than 13 hours ago)
Trojan.Agent
McAfee-Gateway
1903 ms
Sep 22 2015 (More than 13 hours ago)
BehavesLike.Win32.Trojan.gc
NANO
297 ms
Sep 22 2015 (More than 13 hours ago)
Trojan.Win32.KillFiles.dmpoga
STOPzilla
5772 ms
Sep 10 2015 (More than 13 days ago)
Trojan.Win32.Mal.Gen.42112
ThreatTrack
967 ms
Sep 22 2015 (More than 13 hours ago)
Trojan.Win32.Generic!BT
Xvirus
4072 ms
Sep 21 2015 (More than 2 days ago)
Suspicious:NewThreat

[LeviFiction]

It keeps showing up as a "generic threat" in all of those. This isn't the first time Anti-virus has flagged something of Corel's. You need to keep in mind that Anti-Virus doesn't match whole viruses, it matches virus patterns and similar code through heuristics. False positive are possible. And not all anti-virus will see the same thing. As shown in your scan.

If you don't trust it, send it to Avast for testing. Often times after a file has been sent to Avast as a false-positive an exception is made for that program and Avast doesn't complain about it any longer.

[skier-hughes]

As Corel rarely if ever visit and read these forums, it is best to use the Facebook page, which they do monitor, to alert them, so they can look into it and see at the same time as Avast do.

[r_jeff_m]

Well, I'll send it off to avast. Odd thing is though, the other files do NOT cause the antivirus programs to react.

[trueblue]

Even though it is showing as having a virus it does not contain a trojan or virus. As a previous poster suggested to disable your anti-virus.

[r_jeff_m]

Avast agrees that it was a false positive.

[JoeB]

Avast agrees that it was a false positive.

I say again that the reason for the false positive is that the tool deletes several registry entries. Most anti-virus software will raise a warning when software appears to make registry changes like that unless it is a known program that the anti-virus is programmed to ignore. When anti-virus software first started to become widespread they often didn't recognize even some well known legitimate programs and the installer would warn that you should turn off your anti-virus before installation or the installation might fail - and it often would. That problem is very much less prevalent today but still an issue with some things like cleanup tools.

[joeb1]

Don't know much about this stuff. But if my anti-virus programs quarantines a file, I'm NOT using it.

[JoeB]

Don't know much about this stuff. But if my anti-virus programs quarantines a file, I'm NOT using it.

Well, if you think that they're smarter than you - and the many of us who have used the tools with no ill effects whatsoever - then that's your choice. As for me, I even get vaccinations!