The Notebook Review forums were hosted by TechTarget, who shut down them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Infected file on Guru3d.com ???????

    Discussion in 'Security and Anti-Virus Software' started by Tinderbox (UK), Sep 10, 2008.

  1. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

  2. Shyster1

    Shyster1 Notebook Nobel Laureate

    I don't know if the version you can d/l from guru3d is infected; however, powerstrip 3.75 is a utility produced by a Taiwanese firm called EnTech, which they offer as shareware. It can be downloaded directly from the EnTech Powerstrip webpage.

    Unless someone's spiked the version being offered on guru3d, it's probably a false-positive triggered by the fact that powerstrip contains a number of very low-level diagnostic and interaction routines that Avast probably sees as being potential malware on that account alone.

    I've d/l'd a version of powerstrip from the EnTech site before and used it without any ill effect.
     
  3. TeeJay 44

    TeeJay 44 Notebook Deity

    Tried it too. Avast does not like it :no: :no: :no:

    Cheers,
    Theo
     
  4. Aeris

    Aeris Otherworldly

    Seems like both files (from EnTech and Guru3D) are in fact infected.

    VirusTotal Result (showing only infected results, others may be found within the PermaLink):

    PermaLink To Analysis Report.

    AntiVir: DR/Hupigon.dodi.1
    Authentium: W32/Heuristic-210!Eldorado
    Avast: Win32:Trojan-gen {Other}
    eSafe: Suspicious File
    F-Prot: W32/Heuristic-210!Eldorado
    F-Secure: Backdoor.Win32.Hupigon.dodi
    Fortinet: W32/Hupigon.DODI!tr.bdr
    GData: Backdoor.Win32.Hupigon.dodi
    Ikarus: Backdoor.Win32.Hupigon.dodi
    K7AntiVirus: Trojan.Win32.Malware.1
    Kaspersky: Backdoor.Win32.Hupigon.dodi
    VBA32: suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
    Webwasher-Gateway: Trojan.Dropper.Hupigon.dodi.1
     
  5. Shyster1

    Shyster1 Notebook Nobel Laureate

    I'd suggest trying it on the version that comes straight from EnTech - if they all hit on that as well and show the same likely infection, I'd still be willing to wager that it's a false positive caused by the low level nature of some of the routines in the utility.
     
  6. Aeris

    Aeris Otherworldly

    Both files scored the same infection rank, even though their PermaLinks are the same, but you are right, it might be a false positive, though there is information about the virus it is supposedly infected by:

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=44430

    It creates some registry entries and creates two .exe's in the System directory as notepod.exe and winreg.exe.

    So, we cannot know for sure unless someone installs the latest version of EnTech's PowerStrip (I would do it, but I am on my old computer due to my NP9262 being out of action, and I'd not like to risk the only computer I have available at the moment) and tells us if the registry entries (found in the link above) and .exe's are created and/or modified, but I still agree, it seems like a false positive.
     
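    The two checks suggested in the posts above (compare the Guru3D copy against EnTech's own download, then watch the System directory for the dropped executables named in the Hupigon description) as an added example; this is not code from the thread or from EnTech, and the System32 path and file names it watches are assumptions taken from the posts, with the registry entries left out because the thread only links to them.

```python
# Added example, not from the thread: verify a mirrored download against the
# vendor copy by SHA-256, then snapshot a directory before and after an install
# and report newly created or changed files, flagging the names the Hupigon
# description quoted above mentions (notepod.exe, winreg.exe).
import hashlib
import os
from pathlib import Path

# File names from the viruslist description linked in the thread.
SUSPECT_NAMES = {"notepod.exe", "winreg.exe"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def downloads_match(vendor_copy: Path, mirror_copy: Path) -> bool:
    """True when the mirror serves byte-for-byte what the vendor serves."""
    return sha256_file(vendor_copy) == sha256_file(mirror_copy)


def snapshot(directory: Path) -> dict:
    """Map lower-cased file name -> (size, mtime) for regular files in directory."""
    out = {}
    for p in directory.iterdir():
        if p.is_file():
            st = p.stat()
            out[p.name.lower()] = (st.st_size, st.st_mtime)
    return out


def diff_snapshot(before: dict, after: dict) -> dict:
    """Report new and modified files, plus any that carry a suspect name."""
    new = sorted(n for n in after if n not in before)
    modified = sorted(n for n in after if n in before and after[n] != before[n])
    suspect = sorted(n for n in new + modified if n in SUSPECT_NAMES)
    return {"new": new, "modified": modified, "suspect": suspect}


if __name__ == "__main__":
    # Assumption: the "System directory" is %SystemRoot%\System32 on this host.
    system_dir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    before = snapshot(system_dir)
    input("Install PowerStrip now, then press Enter to compare...")
    print(diff_snapshot(before, snapshot(system_dir)))
```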
  7. Baserk

    Baserk Notebook user

    I've posted on this on Wilders and someone there has uploaded Powerstrip to Kaspersky.
    Reaction from Kaspersky Lab:
    "Hello,
    PStrap.dll
    We are sorry, it is a false alarm. It will be fixed as soon as possible. Thank you for your help."
     
  8. nizzy1115

    nizzy1115 Notebook Prophet

    Lots of times those are false alarms. If they have some code that may look malicious even though it's not, it can be flagged as a virus.
     
  9. Shyster1

    Shyster1 Notebook Nobel Laureate

    Thanks for the update. Any idea what in PStrap.dll is giving all the A/V stuff hiccups?
     
  10. Baserk

    Baserk Notebook user

    Probably it's the fact that there was an IE toolbar/data miner called PowerStrip some years ago, which could mean it's simply an old malware name/abbreviation in a signature causing the fp.
     
  11. Shyster1

    Shyster1 Notebook Nobel Laureate

    That would explain it; thanks for the hard work.