
Possible false positive: utorrent


I was running utorrent 1.7 rc2 (build 2999) overnight and when I turned on my monitor I got a warning.


Infected: adware not-a-virus:AdWare.Win32.Agent.bn uTorrent.exe\uTorrent.exe 608 KB


Infected: adware not-a-virus:AdWare.Win32.Agent.bn c:\program files\utorrent\utorrent.exe 239 KB


database published 05/07/2007 04:54:41


Probably a false positive; I've been running utorrent rc2 since it came out and I have had no warnings from kav until now.




I've run utorrent.exe through virustotal.com and here are the positive results


Antivirus Version Update Result

eSafe 07.04.2007 suspicious Trojan/Worm

Kaspersky 07.05.2007 not-a-virus:AdWare.Win32.Agent.bn

Panda 07.05.2007 Suspicious file

Webwasher 6.0.1 07.05.2007 Win32.ModifiedUPX.gen!84 (suspicious)



Additional Information

File size: 244736 bytes

MD5: 7169bf84a07fb377601707332ed012c2

SHA1: 1bcf64bf81ea9345e9a95cf1f9125cf311d547db

packers: UPX_LZMA


I've checked the md5 and sha1 hashes and they are correct.

Edited by iuffra


I just got the same "adware not-a-virus:AdWare.Win32.Agent.bn" for the ImgBurn executables with the same databases. I sent it for analysis, too - has to be the same FP.

Edited by King Grub


While waiting, I downloaded a new ImgBurn from the official site, and it was "infected", too.



Sorry, this was a false detection

it will be fixed in the next updates

thank you for your help


Please quote all when answering.


Regards, Yampolsky Boris

Virus Analyst, Kaspersky Lab."


Sweet fast reply!

While waiting, I downloaded a new ImgBurn from the official site, and it was "infected", too.



that's weird because I was using imgburn and it was ok, I scanned the exe and downloaded a new setupimgburn and kav didn't report anything.


I've got an e-mail saying utorrent is a false positive and will be out with the next update.


thank you kaspersky


May have been my fault




install_cr.exe, ddesupport.dll, edi.exe, main_uninstaller.exe, msole.dll - not-a-virus:AdWare.Win32.Agent.bn


These files are Advertising Tools; their detection will be included in the next update of extended databases set. See more info about extended databases here: http://www.kaspersky.com/extraavupdates


Please quote all when answering.



Best regards, Yaroslav Kirillov

Virus analyst, Kaspersky Lab.



Now, after the new update, Kaspersky detects the very same executable that was a confirmed FP as "Trojan-Dropper.Win32.Agent.blk" instead...


Also downloaded the latest ImgBurn again from the official site, and upon installing, "Trojan-Dropper.Win32.Agent.blk" was "detected".

Edited by King Grub

will add what? the false positive was fixed two weeks ago, what's the problem?



Just updated my utorrent to 1.7 last night. KAV is still detecting it as a trojan; my KAV is up to date though. Guess it's still not fixed on my side??

what's the full detection for your utorrent (name)?



it says:


Possibly infected: riskware Trojan.generic - uTorrent.exe


It's under my quarantine at the moment.

You will always get that on installation. That's a behavioural detection from the proactive defense; it occurs when software tries to add a copy of itself into startup. In this case it is safe and you can choose "Skip".



Cool, that's what I thought as well; I conferred to you guys just in case. Better safe than sorry, as they say. Cheers!
