Help Needed Please


Saint Pancreas

I Downloaded a SKYPE Plug-In yesterday which is a Call Recorder which I use
for my business and it operates brilliantly BUT on doing a File Scan on
BULLGUARD Ver 6.1 a Trojan called: Trojan.Hacktool.Prockill.A was found.

BULLGUARD recommend uninstallation of the Program but having paid $24.95 for
this over the NET I am reluctant to Un Install.

Is there any kind soul out there that could point me in the direction of an
App that will kill this Bloody thing off..Please

Sym
 
| I Downloaded a SKYPE Plug-In yesterday which is a Call Recorder which I use
| for my business and it operates brilliantly BUT on doing a File Scan on
| BULLGUARD Ver 6.1 a Trojan called: Trojan.Hacktool.Prockill.A was found.
|
| BULLGUARD recommend uninstallation of the Program but having paid $24.95 for
| this over the NET I am reluctant to Un Install.
|
| Is there any kind soul out there that could point me in the direction of an
| App that will kill this Bloody thing off..Please

Did you upload the suspicious file(s) to Virus Total as I suggested on
alt.comp.freeware? What were the results?

Art
http://home.epix.net/~artnpeg
 
From: "Saint Pancreas" <[email protected]>

| I Downloaded a SKYPE Plug-In yesterday which is a Call Recorder which I use
| for my business and it operates brilliantly BUT on doing a File Scan on
| BULLGUARD Ver 6.1 a Trojan called: Trojan.Hacktool.Prockill.A was found.
|
| BULLGUARD recommend uninstallation of the Program but having paid $24.95 for
| this over the NET I am reluctant to Un Install.
|
| Is there any kind soul out there that could point me in the direction of an
| App that will kill this Bloody thing off..Please
|
| Sym
|

BullGuard is an OEM of BitDefender.

Hacktool.Prockill is basically a Procedure Killing utility.

So what is this SKYPE Plug-In "Call Recorder"?
Have you submitted samples to Virus Total?

If not... please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
I would like to thank you all for your helpful advice.
I did submit the suspect file to the links that you suggested and sure
enough one or two out of the many files in their Databases DID recognise the
exact virus reported in BULLGUARD.
I also reported these findings from BULLGUARD directly to the Vendor who
replied with a rather short and dismissive Mail advising me to get rid of my
Anti Virus Software immediately.
The problem as BULLGUARD reported lurked in the Uninstal.exe component of
the App which I Deleted using 'SAFE MODE' and then Re Booted.
The Trojan was then identified to be in the System Files area. I closed the
RESTORE feature in XP, cleared everything out using BE CLEAN, Re Scanned and
at last the Predator was Deleted.
Fortunately, the App still functions ok and if a complete Un Install is
needed at any time the ADD/REMOVE Pro will do the job.

According to my research into this nasty little Bastard:
"Trojan.Hacktool.Prockill.A" can be quite destructive

Thanks again for your Help,

Sym
 
From: "Saint Pancreas" <[email protected]>

| I would like to thank you all for your helpful advice.
| I did submit the suspect file to the links that you suggested and sure
| enough one or two out of the many files in their Databases DID recognise the
| exact virus reported in BULLGUARD.
| I also reported these findings from BULLGUARD directly to the Vendor who
| replied with a rather short and dismissive Mail advising me to get rid of my
| Anti Virus Software immediately.
| The problem as BULLGUARD reported lurked in the Uninstal.exe component of
| the App which I Deleted using 'SAFE MODE' and then Re Booted.
| The Trojan was then identified to be in the System Files area. I closed the
| RESTORE feature in XP, cleared everything out using BE CLEAN, Re Scanned and
| at last the Predator was Deleted.
| Fortunately, the App still functions ok and if a complete Un Install is
| needed at any time the ADD/REMOVE Pro will do the job.
|
| According to my research into this nasty little Bastard:
| "Trojan.Hacktool.Prockill.A" can be quite destructive
|

I again want to stress that Prockill.A is NOT a virus it is a utility in the class of
"potentially unwanted programs" because in itself it is not malicious but it may be used
maliciously.

I also stated "please post back the exact results." when I mentioned submitting to Virus
Total. I did NOT see that Virus Total report in your reply.
 
David,

I have Re Downloaded this file onto an empty CD to re create the problem
which is in the Uninstal section of the App.

Hope this helps

You will no doubt see that Bit Defender has found the same result as
BULLGUARD, KASPERSKY has also found something.

Complete scanning result of
"PrettyMay-setup.exe", received in VirusTotal at 02.26.2007, 12:27:59 (CET).

When you say that this can be potentially used as Malware. Does that mean
[and please forgive my ignorance] that a Hacker could get into this and
Distribute it in some kind of processed form?

Regards

Mike

Antivirus      Version         Update      Result

AntiVir        7.3.1.38        02.26.2007  no virus found
Authentium     4.93.8          02.25.2007  no virus found
Avast          4.7.936.0       02.26.2007  no virus found
AVG            386             02.25.2007  no virus found
BitDefender    7.2             02.26.2007  Trojan.Hacktool.Prockill.A
CAT-QuickHeal  9.00            02.24.2007  no virus found
ClamAV         devel-20060426  02.26.2007  no virus found
DrWeb          4.33            02.26.2007  no virus found
eSafe          7.0.14.0        02.25.2007  no virus found
eTrust-Vet     30.4.3434       02.26.2007  no virus found
Ewido          4.0             02.26.2007  no virus found
FileAdvisor    1               02.26.2007  no virus found
Fortinet       2.85.0.0        02.26.2007  no virus found
F-Prot         4.3.1.45        02.25.2007  no virus found
F-Secure       6.70.13030.0    02.26.2007  no virus found
Ikarus         T3.1.0.31       02.26.2007  Trojan-Downloader
Kaspersky      4.0.2.24        02.26.2007  not-a-virus:RiskTool.Win32.PsKill.q
McAfee         4970            02.23.2007  no virus found
Microsoft      1.2204          02.26.2007  no virus found
NOD32v2        2080            02.25.2007  no virus found
Norman         5.80.02         02.26.2007  no virus found
Panda          9.0.0.4         02.26.2007  no virus found
Prevx1         V2              02.26.2007  no virus found
Sophos         4.14.0          02.24.2007  no virus found
Sunbelt        2.2.907.0       02.24.2007  no virus found
Symantec       10              02.26.2007  no virus found
TheHacker      6.1.6.065       02.26.2007  no virus found
UNA            1.83            02.23.2007  no virus found
VBA32          3.11.2          02.25.2007  no virus found
VirusBuster    4.3.19:9        02.25.2007  no virus found



Additional Information

File size: 3878680 bytes

MD5: 48e50b826c3cc5a0895321c6f0f8dd98

SHA1: f730ec9fe13443dc1d10fc0848b428ae5ee9130d

packers: BINARYRES, UPX, UPX

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service. Although
the detection rate afforded by the use of multiple antivirus engines is far
superior to that offered by just one product, these results DO NOT guarantee
the harmlessness of a file. Currently, there is not any solution that offers
a 100% effectiveness rate for detecting viruses and malware.

 
| I would like to thank you all for your helpful advice.

But, but... you didn't wait for the end of it.

| I did submit the suspect file to the links that you suggested and sure
| enough one or two out of the many files in their Databases DID recognise the
| exact virus reported in BULLGUARD.
| I also reported these findings from BULLGUARD directly to the Vendor who
| replied with a rather short and dismissive Mail advising me to get rid of my
| Anti Virus Software immediately.

Obviously they've heard this problem before. :) Perhaps they've
already reported it as a false positive, and all but those few vendors
have fixed any problems.

| The problem as BULLGUARD reported lurked in the Uninstal.exe component of
| the App

The first thing to do when your AV identifies a file is DON'T PANIC.

If you were SURE this file came with your app, and your app is
trusted, your actions should probably have been different. Anti-virus
programs aren't infallible, and this case left you with a decision to
make. The odds say a paid legitimate program is not going to contain
anything to hurt you, so the suspect here is the AV identification.
Either way, the ID indicates a process killer, and if you aren't
having any obvious wanted processes killed, your decision didn't need
to be immediate.

| which I Deleted using 'SAFE MODE' and then Re Booted.
| The Trojan was then identified to be in the System Files area. I closed the
| RESTORE feature in XP, cleared everything out using BE CLEAN, Re Scanned and
| at last the Predator was Deleted.
| Fortunately, the App still functions ok and if a complete Un Install is
| needed at any time the ADD/REMOVE Pro will do the job.

No, Add/Remove Programs uses the program's uninstaller, which has now
been deleted.

| According to my research into this nasty little Bastard:
| "Trojan.Hacktool.Prockill.A" can be quite destructive

Obviously. It just caused you to destroy both the uninstall function
of your program and all your Restore files.

Look... Pay attention to the name and use some deductive reasoning.
An uninstaller needs a process killer, both because most people have
no idea they should attempt to close all running processes before
attempting an uninstall, and because some are so hidden they might not
be found if you did know. The term "hacktool" normally refers to a
program on the local machine, installed by a local user, that can be
used to affect other machines, or sometimes to discover information on
the local machine, like passwords. While they CAN be used as part of
a larger trojan installation, that's rarely going to be the case if
discovered alone by your antivirus program.

MY reaction here would have been to tell the AV to ignore that file.
 
| David,
|
| I have Re Downloaded this file onto an empty CD to re create the problem
| which is in the Uninstal section of the App.
|
| Hope this helps
|
| You will no doubt see that Bit Defender has found the same result as
| BULLGUARD, KASPERSKY has also found something. Complete scanning result of
| "PrettyMay-setup.exe", received in VirusTotal at 02.26.2007, 12:27:59 (CET).
|
| When you say that this can be potentially used as Malware. Does that mean
| [and please forgive my ignorance] that a Hacker could get into this and
| Distribute it in some kind of processed form?

Since David has not yet responded, I'll try to explain as best I can.

The answer to your question is "no, not really". That's not the reason
some av products alert on this sort of thing. Kaspersky identifies the
file as "not a virus" which means it's not malware, as such. Kaspersky
calls this sort of thing "riskware" and it will not offer to remove it
since such detections most often occur on legit files _which might be
used_ for nefarious purposes. Consider a keylogger program, for
example. It can be used for both legit and nefarious purposes. Some av
such as Kaspersky alert on them in the same way with the "not a virus"
prefix. In this case, the Kaspersky scanner "saw" some characteristics
in the code typical of the kinds of things malware often does, such as
messing with the registry and deleting files ... the same things a
legit uninstaller does. In fact, it saw some things typical of a
particular malware type that it identified, yet it _did not_ identify
it as malware ... it implied it was simply something to investigate,
actually. It produced a kind of warning message based on its
heuristics.

The Bullguard/Bit Defender alert was not of the "warning" type,
and you were misled by the alert. It was, strictly speaking, a false
alert which should be reported to Bit Defender (and Bullguard) so
they won't false alert in the future ... or at least they should
modify the alert and make it clear that their heuristics are simply
warning you. To their credit, they apparently did not offer to delete
the uninstaller, which is a _good thing_ since it's apparently just a
normal legit program (from what I gather from your posts).

This behaviour of some av (such as Bit Defender/Bullguard) is one
reason I don't like them. Lotsa luck getting them to change their
ways, though.

Connected with this, is the issue of setting scanners to delete
malware they find without first investigating whether or not the
detections are valid. Every detection should first be investigated.
When most av at Virus Total do not alert, you know that the
detection is very questionable. That's why I suggested uploading
the suspicious file to Virus Total.

Hope that helps.

Art
http://home.epix.net/~artnpeg
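
The triage described in the reply above (see how many engines agree, then read what each label actually claims), as an added Python example that is not part of the original thread. It parses the flattened report rows as pasted earlier in the thread; the keyword list (`not-a-virus`, `hacktool`, `risktool`, `riskware`) and the category names are assumptions chosen for illustration.

```python
import re

# VirusTotal rows exactly as pasted (flattened) in the 02.26.2007 post above.
REPORT = """
AntiVir 7.3.1.38 02.26.2007 no virus found Authentium 4.93.8 02.25.2007 no
virus found Avast 4.7.936.0 02.26.2007 no virus found AVG 386 02.25.2007 no
virus found BitDefender 7.2 02.26.2007 Trojan.Hacktool.Prockill.A
CAT-QuickHeal 9.00 02.24.2007 no virus found ClamAV devel-20060426
02.26.2007 no virus found DrWeb 4.33 02.26.2007 no virus found eSafe
7.0.14.0 02.25.2007 no virus found eTrust-Vet 30.4.3434 02.26.2007 no virus
found Ewido 4.0 02.26.2007 no virus found FileAdvisor 1 02.26.2007 no virus
found Fortinet 2.85.0.0 02.26.2007 no virus found F-Prot 4.3.1.45 02.25.2007
no virus found F-Secure 6.70.13030.0 02.26.2007 no virus found Ikarus
T3.1.0.31 02.26.2007 Trojan-Downloader Kaspersky 4.0.2.24 02.26.2007
not-a-virus:RiskTool.Win32.PsKill.q
McAfee 4970 02.23.2007 no virus found
Microsoft 1.2204 02.26.2007 no virus found
NOD32v2 2080 02.25.2007 no virus found Norman 5.80.02 02.26.2007 no virus
found Panda 9.0.0.4 02.26.2007 no virus found
Prevx1 V2 02.26.2007 no virus found
Sophos 4.14.0 02.24.2007 no virus found Sunbelt 2.2.907.0 02.24.2007 no
virus found Symantec 10 02.26.2007 no virus found TheHacker 6.1.6.065
02.26.2007 no virus found UNA 1.83 02.23.2007 no virus found
VBA32 3.11.2 02.25.2007 no virus found VirusBuster 4.3.19:9 02.25.2007 no
virus found
"""

# A row is: engine, version, MM.DD.YYYY date, then the result text, which runs
# until the next engine/version/date triple or the end of the paste.
DATE = r"\d{2}\.\d{2}\.\d{4}"
ROW = re.compile(
    rf"(\S+)\s+(\S+)\s+({DATE})\s+(.+?)(?=\s+\S+\s+\S+\s+{DATE}\s|\s*\Z)",
    re.DOTALL,
)

def classify(result):
    """Sort a result label by what its name claims (illustrative keywords)."""
    low = result.lower()
    if low == "no virus found":
        return "clean"
    if low.startswith("not-a-virus"):
        return "vendor-says-not-malware"   # e.g. Kaspersky's riskware prefix
    if any(word in low for word in ("hacktool", "risktool", "riskware")):
        return "dual-use-name"             # tool family, not a behaviour claim
    return "malware-claim"

def triage(text):
    """Return engine count, the flagged engines, and whether they are a minority."""
    rows = [(e, " ".join(r.split())) for e, _v, _d, r in ROW.findall(text)]
    flagged = {e: (r, classify(r)) for e, r in rows if classify(r) != "clean"}
    return {"engines": len(rows), "flagged": flagged,
            "minority": len(flagged) * 2 < len(rows)}

if __name__ == "__main__":
    summary = triage(REPORT)
    print(f"{len(summary['flagged'])} of {summary['engines']} engines flagged the file")
    for engine, (label, kind) in summary["flagged"].items():
        print(f"  {engine}: {label} -> {kind}")
```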
 
From: "Saint Pancreas" <[email protected]>

| David,
|
| I have Re Downloaded this file onto an empty CD to re create the problem
| which is in the Uninstal section of the App.
|
| Hope this helps
|
| You will no doubt see that Bit Defender has found the same result as
| BULLGUARD, KASPERSKY has also found something. Complete scanning result of
| "PrettyMay-setup.exe", received in VirusTotal at 02.26.2007, 12:27:59 (CET).
|
| When you say that this can be potentially used as Malware. Does that mean
| [and please forgive my ignorance] that a Hacker could get into this and
| Distribute it in some kind of processed form?
|
| Regards
|
| Mike
|
< snip >

Like I replied earlier...

I again want to stress that Prockill.A is NOT a virus it is a utility in the class of
"potentially unwanted programs" because in itself it is not malicious but it may be used
maliciously.
 
Thanks once again for those who took the trouble to help me out with a
reported problem from BULLGUARD's AV Prog.
A Special thanks to Art for pointing me to this Newsgroup as I had
originally posted the Help request on Alt.Comp.Freeware NG in the hope that
there was something out there that would get rid of my then perceived
problem.
BULLGUARD offered to fix the reported problem and after 'Turning up the
Heat' [when the first round of fixing failed] they ask you to send them the
Scan Log which I did. When I received the remedial instructions from them of
'How to fix' I carried out the processes already mentioned.
I am still very much an ignoramus when it comes to reported 'Nasties'
[particularly having read of the horrendous actions of Hackers and what they
can achieve] which is why I rely on the AV Program advised by my ISP and yes
I did PANIC when I got the results. Hindsight is a Perfect Science which
none of us possess and my actions [certainly short-term] have likely caused me
more loss than gain but at least thanks to this NG I have learned to ask
'those in the know' before spontaneous and ignorant embarkation.

Thanks again
 