#1
August 22nd, 2008, 11:51 AM
Syzich
Virtual Resident
Join Date: Apr 2004
Posts: 674
AVG detected knlwrap.exe as infected

I ran a scan with AVG a little while ago and saw in the results that knlwrap.exe was infected. I decided to check my dad's computer to see if he also has this file on his computer. He does and as soon as I hovered the mouse pointer over it, his AVG flagged the file as well. Since the original file on my computer had already been deleted, I checked the creation date on his. It looks like it was created a few days after he installed Windows. I saw that it is related to the InstallShield (which makes sense, considering the folder it is/was in). Others also mention it after installing Roxio 5. I have Roxio 5 on my computer now and my dad had it on his at one point. So this leads me to think it's a false positive since it's just now flagging the file on my computer as well as his. I uploaded the file to Jotti. Here are the results:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Dropper.Agent.JOC
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

MD5: 48befc3e2b36de65a415977b1288c0d7

AVG is the only scanner to flag this file, so I'm fairly sure it is a false positive. Though, some searches online do say that there is malware out there with the same filename. So to be sure, I want to send the file to AVG to analyze. Fink, I hope you see this thread. A short time ago, I had another false positive and you offered to password the .zip for me. Would you mind doing it again? I attached the .zip to my post.

FYI, the file location is: C:\Program Files\Common Files\Install Shield\engine\6\Intel32
Attached Files
File Type: zip knlwrap.zip (43.7 KB, 6 views)

Last edited by Syzich; August 22nd, 2008 at 12:35 PM.
#2
August 22nd, 2008, 01:35 PM
fink
Site Moderator
Join Date: Jul 1998
Location: Toronto
Posts: 16,241
http://www.virustotal.com/analisis/c...3f4824fbcd3e1a

VirusTotal (similar to Jotti) shows no hits at all, incl. AVG.

Here's the zip. Password is password.

Wait until after the next time AVG updates to see if it's still flagged. 99.999% it's a false positive.
Attached Files
File Type: zip knlwrap.zip (44.4 KB, 14 views)
__________________
For future reference please let us know if your problem was solved.
#3
August 23rd, 2008, 09:44 AM
Syzich
Virtual Resident
Join Date: Apr 2004
Posts: 674
It looks like Virustotal updated the definitions for the scanners they use. I went there again today and AVG is now flagging knlwrap.exe. I guess that might also explain the dates in your link and when I went there yesterday. Here are the results of the virustotal scan after going there a few minutes ago:

http://www.virustotal.com/analisis/1...8f6fb44fa09ecc

Here are the Jotti results:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Dropper.Agent.JOC
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Thanks for passwording the .zip for me, fink. I'm going to send it to AVG now. Hopefully I get a quick reply like I did last time.
#4
August 23rd, 2008, 09:57 AM
fink
Site Moderator
Join Date: Jul 1998
Location: Toronto
Posts: 16,241
Judging from the nearly (3000) 4000 hits this thread has got since yesterday, you aren't the only one looking for an explanation. I'm guessing that AVG is getting a lot of inquiries about this.

Worth mentioning: another thing that points to this being a false positive is the location of the file. If it were a virus it would be in the Windows or Windows\system32 folder.
#5
August 24th, 2008, 01:23 AM
Broni
Malware Annihilator
Join Date: Dec 2007
Location: Daly City, CA
Posts: 11,907
Quote:
Judging from the nearly (3000) 4000 hits this thread has got since yesterday
What kind of tool do you use to see it?
#6
August 24th, 2008, 04:22 AM
SpywareDr
VirtualDr PC Specialist
Join Date: Apr 2005
Location: Basking in the warm glow of a computer monitor somewhere
Posts: 10,398
Quote:
Originally Posted by Broni
What kind of tool do you use to see it?
Go into the "Viruses/Trojans/Spyware" forum:
http://discussions.virtualdr.com/forumdisplay.php?f=40
and note the "Views" column:
__________________
Doc
#7
August 24th, 2008, 08:23 AM
Syzich
Virtual Resident
Join Date: Apr 2004
Posts: 674
I just updated AVG and restored knlwrap.exe and then scanned it. AVG is no longer flagging it.

Here are today's Jotti results:

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


I also got an email reply from AVG confirming the false positive.
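An added example, not part of any post in this thread: a small Python script that parses Jotti-style result listings like the ones posted above and reports the detection ratio of each scan and which engines changed verdict between two scans. The two sample listings are shortened excerpts of the August 22 and August 24 results from the thread; the function names are illustrative.

```python
# Shortened excerpts of the listings posted in this thread (not the full engine list).
SCAN_AUG_22 = """\
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found Dropper.Agent.JOC
ClamAV Found nothing
Kaspersky Anti-Virus Found nothing
"""
SCAN_AUG_24 = """\
A-Squared Found nothing
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
ClamAV Found nothing
Kaspersky Anti-Virus Found nothing
"""

def parse_results(text):
    """Return {engine: detection name, or None when the engine found nothing}."""
    results = {}
    for line in text.splitlines():
        engine, sep, verdict = line.strip().partition(" Found ")
        if sep:  # skip blank or unrecognised lines
            results[engine] = None if verdict.strip().lower() == "nothing" else verdict.strip()
    return results

def detections(results):
    """Engines that reported a detection, with the name they gave it."""
    return {e: v for e, v in results.items() if v is not None}

def verdict_changes(before, after):
    """Engines present in both scans whose verdict differs: {engine: (old, new)}."""
    return {e: (before[e], after[e])
            for e in before.keys() & after.keys() if before[e] != after[e]}

def summary(before_text, after_text):
    """Detection ratio per scan, changed verdicts, and engines new in the later scan."""
    before, after = parse_results(before_text), parse_results(after_text)
    return {
        "before": f"{len(detections(before))}/{len(before)}",
        "after": f"{len(detections(after))}/{len(after)}",
        "changed": verdict_changes(before, after),
        "new_engines": sorted(after.keys() - before.keys()),
    }

if __name__ == "__main__":
    print(summary(SCAN_AUG_22, SCAN_AUG_24))
```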
#8
August 24th, 2008, 12:05 PM
Broni
Malware Annihilator
Join Date: Dec 2007
Location: Daly City, CA
Posts: 11,907
Quote:
Go into the "Viruses/Trojans/Spyware" forum:

http://discussions.virtualdr.com/forumdisplay.php?f=40

and note the "Views" column:
Forgive me, but I had to work yesterday, and apparently, I was tired....hehehe.
#9
August 25th, 2008, 05:37 AM
SpywareDr
VirtualDr PC Specialist
Join Date: Apr 2005
Location: Basking in the warm glow of a computer monitor somewhere
Posts: 10,398
Understandable. (Been there, done that).