Trojan horses in SPO7500 software? (Resolved)

KSMike
Posts: 267
Joined: Wed Jul 30, 2008 3:14 pm
Location: Kansas City

Post by KSMike » Mon Sep 07, 2009 2:49 pm

I have a copy of the SPO7500 installer image on my USB drive (I do this with most of my important installers due to the fact that I have multiple PCs, and as a form of backup). I just ran a backup of my USB drive, and Avast reported trojan horse "Win32:Dropper-BOI" in both the following:

... \SPO 7500\fscommand\GsFrancais.exe
... \SPO 7500\fscommand\GsItaliano.exe

Obviously these are language files, but I'm unsure as to whether these have become infected, or if (perhaps due to the language content), Avast thinks they're infected when in fact they aren't. Any thoughts or verification on your own installations would be greatly appreciated.
Last edited by KSMike on Sun Sep 13, 2009 11:04 pm, edited 3 times in total.
Mike
Kansas City

Pugsy
Posts: 64961
Joined: Thu May 14, 2009 9:31 am
Location: Missouri, USA

Re: Trojan horses in SPO7500 software?

Post by Pugsy » Mon Sep 07, 2009 3:37 pm

You can always upload the questionable files to Jotti or VirusTotal scan for confirmation or to ease your mind. This way you can see what several different products or virus programs will say about the individual file without having to use their product.

I don't use Avast now and unfortunately haven't had the extra cash to get the oximeter. So all I can offer are links to the online scans below. They are quick because you only upload the file in question for scanning.


http://virusscan.jotti.org/en

http://www.virustotal.com/

_________________
Machine: AirCurve™ 10 VAuto BiLevel Machine with HumidAir™ Heated Humidifier
Additional Comments: Mask Bleep Eclipse https://bleepsleep.com/the-eclipse/
I may have to RISE but I refuse to SHINE.

GumbyCT
Posts: 5778
Joined: Fri Sep 14, 2007 6:22 pm
Location: CT

Re: Trojan horses in SPO7500 software?

Post by GumbyCT » Mon Sep 07, 2009 4:06 pm

KSMike wrote:I have a copy of the SPO7500 installer image on my USB drive ....
Where did this copy originate from? That may provide your most important first clue.

_________________
Humidifier: HC150 Heated Humidifier With Hose, 2 Chambers and Stand
Additional Comments: New users can't remember they can't remember YET!
BeganCPAP31Jan2007;AHI<0.5
I have no doubt, how I sleep affects every waking moment.
I am making progress-NOW I remember that I can't remember
;)
If this isn’t rocket science why are there so many spaceshots?
Be your own healthcare advocate!

KSMike
Posts: 267
Joined: Wed Jul 30, 2008 3:14 pm
Location: Kansas City

Re: Trojan horses in SPO7500 software?

Post by KSMike » Mon Sep 07, 2009 9:18 pm

GumbyCT wrote:Where did this copy originate from?
From the CD that came with the oximeter. Guess I'll run a scan on that just for grins.

I'm a 24 year veteran IT guy so none of this is new to me, but just wondered if anyone else had encountered any of the SPO7500 files tripping their anti-virus program.

Thanks for those links, those are two I hadn't seen before. On VirusTotal, the GsFrancais file tripped on 14 out of 41 AV engines.
Mike
Kansas City

KSMike
Posts: 267
Joined: Wed Jul 30, 2008 3:14 pm
Location: Kansas City

Re: Trojan horses in SPO7500 software?

Post by KSMike » Mon Sep 07, 2009 10:55 pm

Sorry, false alarm. Avast trips on the same files directly on the installation CD also.
Mike
Kansas City
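
An added example, not part of the original posts: the CD-versus-USB check described above can be done by hash rather than by rescanning. This sketch compares every file in a copy against the original media; the two directory trees are constructed stand-ins, and the function names and sample contents are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_copy(original: Path, copy: Path) -> dict:
    """Classify every file in the copy against the original media."""
    ref, cur = tree_hashes(original), tree_hashes(copy)
    return {
        "identical": sorted(k for k in cur if ref.get(k) == cur[k]),
        "modified": sorted(k for k in cur if k in ref and ref[k] != cur[k]),
        "extra": sorted(k for k in cur if k not in ref),
        "missing": sorted(k for k in ref if k not in cur),
    }


def demo() -> dict:
    """Constructed sample trees standing in for the CD and the USB copy."""
    with tempfile.TemporaryDirectory() as tmp:
        cd, usb = Path(tmp, "cd"), Path(tmp, "usb")
        for root in (cd, usb):
            (root / "fscommand").mkdir(parents=True)
            (root / "fscommand" / "GsFrancais.exe").write_bytes(b"constructed-fr")
            (root / "fscommand" / "GsItaliano.exe").write_bytes(b"constructed-it")
        # Simulate one file changing after it was copied off the original.
        (usb / "fscommand" / "GsItaliano.exe").write_bytes(b"constructed-it+x")
        (usb / "autorun.inf").write_bytes(b"constructed-extra")
        return compare_copy(cd, usb)


if __name__ == "__main__":
    for status, names in demo().items():
        print(status, names)
```

Matching hashes only show that the copy was not altered after it left the original media; they say nothing about whether the original content is clean, which is the question a multi-engine scan or a vendor report addresses.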

ozij
Posts: 10443
Joined: Fri Mar 18, 2005 11:52 pm

Re: Trojan horses in SPO7500 software?

Post by ozij » Tue Sep 08, 2009 12:18 am

Thanks for the links, Pugsy.
I scanned my original CD with Avira just now -- no problems.

Mike, would you mind adding "false alarm" to your subject heading?

O.

_________________
Mask: AirFit™ P10 Nasal Pillow CPAP Mask with Headgear
Additional Comments: Machine: Resmed AirSense10 for Her with Climateline heated hose ; alternating masks.
And now here is my secret, a very simple secret; it is only with the heart that one can see rightly, what is essential is invisible to the eye.
Antoine de Saint-Exupery

Good advice is compromised by missing data
Forum member Dog Slobber Nov. 2023

Pugsy
Posts: 64961
Joined: Thu May 14, 2009 9:31 am
Location: Missouri, USA

Re: Trojan horses in SPO7500 software?

Post by Pugsy » Tue Sep 08, 2009 6:22 am

Mike,
You could report those false positives to Avast and hopefully they will change their definitions so future reports won't be so annoying and also not alarm someone who doesn't have the presence of mind to investigate.

Jotti and VirusTotal use a number of different products to test questionable files. Often different products will use similar definitions that they borrow from each other so it is quite common for several of the products to flag a certain file. So I suspect that the products that reported these files as bad also use the same definitions database.

I had a friend that had his Vista OS completely fried by a false positive removal. He knew better. He knew he should have investigated but didn't. It wasn't Avast. I mention this only because people need to be aware that these security products do make mistakes and panic causes more grief than most of these pests ever thought about.


GumbyCT
Posts: 5778
Joined: Fri Sep 14, 2007 6:22 pm
Location: CT

Re: Trojan horses in SPO7500 software?

Post by GumbyCT » Tue Sep 08, 2009 6:36 am

Just look at Pugsy's avatar and think "False Alarm".
Isn't it the perfect avatar?

Pugsy
Posts: 64961
Joined: Thu May 14, 2009 9:31 am
Location: Missouri, USA

Re: Trojan horses in SPO7500 software?

Post by Pugsy » Tue Sep 08, 2009 6:46 am

GumbyCT wrote:Just look at Pugsy's avatar and think "False Alarm".
Isn't it the perfect avatar?
You know I joined the forum during one of the monkey revivals. I now sometimes look for a different avatar but the little spider monkey seems to fit me and my personality.

Little bitty but with a big mouth and usually creating lots of noise.


GumbyCT
Posts: 5778
Joined: Fri Sep 14, 2007 6:22 pm
Location: CT

Re: Trojan horses in SPO7500 software?

Post by GumbyCT » Tue Sep 08, 2009 7:12 am

I do remember, I had to resist the urge myself.

I don't know you personally but think it is fitting too. You are known for some very fitting and accurate posts, as above.

Keep up the good work you little Pug-sy


john_dozer
Posts: 266
Joined: Sun Sep 07, 2008 5:04 pm

Re: Trojan horses in SPO7500 software?

Post by john_dozer » Tue Sep 08, 2009 9:40 am

KSMike wrote:Sorry, false alarm. Avast trips on the same files directly on the installation CD also.
You know, even Microsoft has distributed viruses on retail CDs.

I would be cautious and contact Avast. It's also possible there is spyware that Avast considers malicious and others do not.


KSMike
Posts: 267
Joined: Wed Jul 30, 2008 3:14 pm
Location: Kansas City

Re: Trojan horses in SPO7500 software?

Post by KSMike » Tue Sep 08, 2009 10:07 am

john_dozer wrote:You know, even Microsoft has distributed viruses on retail CDs.
Exactly. I did update the post subject to "possible false alarm" but it is possible that these two files actually are infected. I'll definitely contact Avast and let them know. Thanks for everyone's input.

Oh - I meant to mention, my CD is labeled Version 2.003. Funny, the "3" was hand-written in permanent marker over what was originally "0" (2.000). This is from the manufacturer, I promise.
Mike
Kansas City

twokatmew
Posts: 606
Joined: Wed Jun 03, 2009 6:06 pm
Location: Mid-Michigan, US

Re: Trojan horses in SPO7500 software? (Possible false alarm)

Post by twokatmew » Wed Sep 09, 2009 7:26 pm

I have the same CD (label hand-written .003), and I scanned it this morning using Eset's NOD32 4.x. It didn't find anything suspicious.

_________________
Mask: AirFit™ P10 For Her Nasal Pillow CPAP Mask with Headgear
Additional Comments: CPAP 6/5/2009, Rx: 11-16, OSCAR

KSMike
Posts: 267
Joined: Wed Jul 30, 2008 3:14 pm
Location: Kansas City

Re: Trojan horses in SPO7500 software? (Possible false alarm)

Post by KSMike » Wed Sep 09, 2009 7:48 pm

Thanks for checking, TKM. I just reported this to Avast, so we'll see what they say. I'll post again when there's any news.
Mike
Kansas City

KSMike
Posts: 267
Joined: Wed Jul 30, 2008 3:14 pm
Location: Kansas City

Re: Trojan horses in SPO7500 software? (False alarm)

Post by KSMike » Sun Sep 13, 2009 10:50 pm

Avast updated the status on the ticket I opened to "solved." I ran a new scan using the updated signature file received today. Avast no longer trips on these files. I checked them again on VirusTotal; these files still trip on a number of other engines.
Mike
Kansas City