LaunchBox Community Forums

New update - Trojan.KillFiles


Fluffo


The update-file called "1c3e6764-8c6e-45fc-aeae-c3b01f3cdbf3.exe" has been detected as "Trojan.KillFiles" by MalwareBytes. https://www.virustotal.com/file/aea6ceba23621f56bec0c47e0053aa8a976a949294312ddbeaae82558eaa8538/analysis/1434548903/

Fluffo said: The update-file called "1c3e6764-8c6e-45fc-aeae-c3b01f3cdbf3.exe" has been detected as "Trojan.KillFiles" by MalwareBytes. https://www.virustotal.com/file/aea6ceba23621f56bec0c47e0053aa8a976a949294312ddbeaae82558eaa8538/analysis/1434548903/
This must be because of the method that Jason uses to close LaunchBox so that the update can be applied. LaunchBox can't be open or there are errors. However, I would call this easily a False Positive. I've never had Malwarebytes say anything about a Trojan... I'll link this to Jason and see if he knows anything more. However, that is what I think.

Hi Fluffo, I just scanned the file here, and it came up clean for Malwarebytes and around ~50 other engines, so I have no idea what might have happened. I suppose it's possible that your computer is infected somehow, but otherwise, I don't get it. https://www.virustotal.com/en/file/c73146bfc0e1f51ad3cccd435f15f7d9f0b219e182bd480dd5aa0c0adb417faf/analysis/1434598233/

You did not scan the same file. The file I scanned was one of the files downloaded by the program itself and placed in the "updates" folder.

Filename: 1c3e6764-8c6e-45fc-aeae-c3b01f3cdbf3.exe
SHA256: aea6ceba23621f56bec0c47e0053aa8a976a949294312ddbeaae82558eaa8538
Link to scan: https://www.virustotal.com/en/file/aea6ceba23621f56bec0c47e0053aa8a976a949294312ddbeaae82558eaa8538/analysis/1434548903/

Edit: Here is a log of the scan that found the file:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2015-06-17
Scan Time: 14:00:00
Logfile: test.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.17.02
Rootkit Database: v2015.06.15.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Fluffo

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 844989
Time Elapsed: 1 hr, 42 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.KillFiles, C:\LaunchBox\Updates\1c3e6764-8c6e-45fc-aeae-c3b01f3cdbf3.exe, Quarantined, [f5d187344149b87e7a3182838d75768a],

Physical Sectors: 0
(No malicious items detected)

(end)

So the file Jason scanned and the file you scanned are essentially the same. They're made up of no different files. Malwarebytes doesn't like that the update file was downloaded by the program and then sends a kill command to LaunchBox so that the update runs properly. The only difference in the files is that the one you had is downloaded from LB; Jason's can be downloaded from the site directly.

Edit: Also, I would assume that the file that Jason scanned is essentially the same file that resides on the server; it just doesn't carry the same name as it's downloaded from inside LaunchBox. It also... apparently doesn't carry the same SHA256, probably because of its nature from the server. The file needs to remain the exact same for the SHA256 to also remain the same.

If the SHAs are different...then it's a different file. Why on earth would the SHAs be different, I don't know. I took the file directly from the server, which is what the app does (even though the app renames the file to a random GUID, which is what you see, it's still the same file). So...something changed the file. Either the download got corrupted (possible), or it got infected somehow (also possible). That's my best guess.

They are indeed 2 different files. The one detected as a trojan was downloaded from within the program during a beta update and is only 258.8 kB. The undetected file is a full installer of 47.2 MB and can be downloaded here: http://api.launchbox-app.com/DownloadBeta.ashx

The question is, where did it come from? I have not been able to find anything related to this on my system.

Hi Fluffo. I just ran a MalwareBytes scan of my LaunchBox Updates folder and all files came up clean. I don't have any file this small (258.8 KB) inside. While these files have totally random names and mine may not be like yours here is my Updates folder just for a comparison. And as far as I know, these files are not needed once the LaunchBox update has finished and can be deleted.

Hi @Fluffo, that 258.8 kB file is an incomplete download, most likely. That's not a complete download file, so I'm guessing the download failed for whatever reason. It might just have randomly happened that the download didn't complete, and some sort of really odd coincidence triggered the anti-virus because the download didn't complete. That's pretty odd, but I'm guessing nothing to worry about. There's an off chance that a virus infected the file, but I highly doubt it.
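Added example (not part of the original thread and not LaunchBox's code): the posts above disagree on whether the 258.8 kB file is a cut-off copy of the real update or a different file. Assuming you hold a known-good copy of the file the updater was supposed to fetch, this Python sketch checks whether the small file is a byte-for-byte prefix of it or diverges; the file names and sample bytes are constructed.

```python
import hashlib
import os
import tempfile

def sha256_prefix(path, limit=None, chunk=1 << 16):
    """SHA-256 of the first `limit` bytes of `path` (whole file if None)."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            block = f.read(chunk if remaining is None else min(chunk, remaining))
            if not block:
                break
            h.update(block)
            if remaining is not None:
                remaining -= len(block)
    return h.hexdigest()

def triage(suspect, reference):
    """Classify `suspect` against a known-good `reference` copy."""
    s_size, r_size = os.path.getsize(suspect), os.path.getsize(reference)
    if s_size == r_size and sha256_prefix(suspect) == sha256_prefix(reference):
        return "identical"
    if s_size < r_size and sha256_prefix(suspect) == sha256_prefix(reference, s_size):
        return "truncated"  # byte-for-byte prefix: consistent with a cut-off download
    return "different"      # bytes diverge: truncation alone does not explain it

def demo():
    """Run triage on constructed sample files (not the real installer)."""
    good = bytes(range(256)) * 800                 # 204,800 constructed bytes
    cases = {
        "same": good,
        "cut_off": good[:70_000],
        "altered": b"\xff" + good[1:70_000],       # same size as cut_off, first byte changed
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "reference.exe")
        with open(ref, "wb") as f:
            f.write(good)
        for name, data in cases.items():
            path = os.path.join(d, name + ".exe")
            with open(path, "wb") as f:
                f.write(data)
            results[name] = triage(path, ref)
    return results

if __name__ == "__main__":
    print(demo())
```

A "truncated" result only shows that the bytes present match the reference; a "different" result on a small file means an interrupted download is not a sufficient explanation and the file deserves a closer look.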
