Full Version: Virus
cgarlick
When I try to "Download AutoHelp Plugins" my virus scanner goes off stating it found a virus named "Agent.813".

It finds it in C:\Reatgo-240\plugins\Get_Plugins.exe

Any Idea why?
Ed_P
QUOTE (cgarlick @ May 31 2007, 09:05 PM) *
Any Idea why?

False positive. Common with some AVs including Avast!

Disable the AV while you download the file, then instruct the AV to exclude the file in its searches.

To feel comfortable with doing this, after downloading the file and before executing it, scan your HD with one or more of the online virus scanners. McAfee has one, Trend Micro does and I'm sure there are others.
rdsok
If you suspect a file to be a false positive, test the file at http://virusscan.jotti.org/ or at http://www.virustotal.com/
Ed_P
Perfect.

Thanks rdsok.
foobaz
QUOTE (rdsok @ May 31 2007, 09:58 PM) *
If you suspect a file to be a false positive, test the file at http://virusscan.jotti.org or http://www.virustotal.com

I came across this post after scanning REATOGO-240.exe (MD5 32eb12354ed14c2d8c1ed9f1ed5d7227) at VirusTotal, something I always do with any new software that's small enough to be uploaded to VirusTotal. The results were alarming, 9/32 positives (http://www.virustotal.com/analisis/751d77724db844f93427fcddc3cca07d). Here are just the positives:

AntiVir 7.8.0.59 2008.06.23 SPR/Tool.PsKill.1101
ClamAV 0.93.1 2008.06.23 PUA.Tool.PSKill
Fortinet 3.14.0.0 2008.06.23 RAT/AntiZlob
Ikarus T3.1.1.26.0 2008.06.23 Trojan-Dropper.Win32.Autoit.h
Kaspersky 7.0.0.125 2008.06.23 not-a-virus:RiskTool.Win32.PsKill.1101
McAfee 5322 2008.06.20 potentially unwanted program RemAdm-PSKill
Panda 9.0.0.4 2008.06.22 Application/Pskill.A
Sophos 4.30.0 2008.06.23 NirSoft

(Hmmm. That's only 8, VirusTotal. Why add an extra one that's not there?!)

Anyway, I'd say that 8/32 is quite alarming to say the least. To be fair, I Googled each one in turn.

SPR/Tool.PsKill.1101 - a few meaningless hits

PUA.Tool.PSKill - a few meaningless hits

I decided to Google Tool.PsKill - many meaningless hits; the few relevant ones indicate the presence of pskill.exe which is sometimes used by malware to kill antivirus/anti-spyware software so it isn't detected; not an issue since most good anti-malware tools can't be killed with this; I submitted the two versions of pskill.exe installed on my PC in the SysinternalsSuite and PsTools (they have identical MD5 hashes) to VirusTotal (http://www.virustotal.com/analisis/fc94b5ca708445a353243964130585f1) and got two positives:

DrWeb 4.44.0.09170 2008.06.15 Tool.ProcessKill.12
Sophos 4.30.0 2008.06.15 PsKill

Obviously nothing to worry about.

RAT/AntiZlob - a few meaningless hits

Trojan-Dropper.Win32.Autoit.h - a few meaningless hits; AutoIt itself is an excellent Windows scripting tool that I use all the time to automate repetitive tasks and it would definitely be useful for this application.

not-a-virus:RiskTool.Win32.PsKill.1101 - a number of meaningless hits and it does say "not-a-virus" and there's pskill again, so . . .

potentially unwanted program RemAdm-PSKill - A fair number of hits; According to McAfee, "The program can terminate processes on local or remote WinNT or Win2K systems. This tool was built for use by administrators to do remote system administration." Again, a useful tool for the current application. And there's pskill a fourth time.

Application/Pskill.A - According to Panda, "Pskill.A is not a risk by itself, but the processes ended can belong to antivirus programs or firewalls. This leaves the affected computer vulnerable to the attack of viruses, worms or Trojans." Again pskill.

NirSoft - NirSoft (http://www.nirsoft.net) has an astounding collection of freeware system tools that are incredibly useful and would definitely be useful to Reatogo. (No doubt they'd also be useful to malicious programmers too but that's another story.)

So, in conclusion, although I was certainly alarmed when I first laid eyes on the VirusTotal results, if I consider the evidence, it looks circumstantial at best. It seems that Siegfried has put a lot of effort into this program and it looks like it would make setting up and adding custom plugins to BartPE much easier. I can't imagine why someone who has gone to so much effort to create such a useful tool and shared it with the huge afflicted Windows community would include anything malicious in it. Still, one can't be too careful. It is best to be sceptical with the unfamiliar and test it as much as possible. I would like to know what others think about this and what experiences they may have with the tool.

Another issue that concerns me - I originally downloaded REATOGO-240.exe with Orbit downloader (v2.7.1) from Firefox 2. When I saw the VirusTotal results, I decided to check the MD5 hash with Karen's Hasher, a very reliable freeware tool. Much to my chagrin, it was different from the one posted on the download page. So I downloaded it again twice with Orbit just to see what happened. Each download had a different hash! Then I downloaded it the usual way using the Firefox downloader. This time it had the correct hash and I resubmitted it to VirusTotal. It had already been scanned by someone else with the same results but I rescanned it just to be sure and got the same results. This really concerns me though about Orbit. I've been using it for years and thought it was reliable. Now I'm not sure. I will have to investigate but that is beyond the scope of this post. Just a 'heads up' to all users of the program.

I also decided to scan REATOGO-240.exe at Jotti's VirusScan (http://virusscan.jotti.org) and got same/different/additional/new results:

AntiVir - SPR/Tool.PsKill.1101 (same)
ClamAV - PUA.Tool.PSKill (same)
Kaspersky - not-a-virus:RiskTool.Win32.PsKill.1101 (same)
Panda - Application/Pskill.A (same)

Fortinet (VirusTotal) - RAT/AntiZlob
Fortinet - Found nothing (different)
Sophos (VirusTotal) - NirSoft
Sophos - Found nothing (different)

Ikarus (VirusTotal) - Trojan-Dropper.Win32.Autoit.h
Ikarus - Trojan-Dropper.Win32.Autoit.h, Trojan-PWS.Win32.Lmir, not-a-virus:RiskTool.Win32.PsKill.1101 (additional)

CPsecure - BackDoor.W32.Agobot.aiw (new)
Dr.Web - Program.PsKill.101 (new)
F-Secure Anti-Virus - not-a-virus:RiskTool.Win32.PsKill.1101 (6, 2, 611) (new)

I could find nothing about BackDoor.W32.Agobot.aiw. The results are similar and I would draw the same conclusions based on the additional results.
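The hash check described in the post above (several downloads of the same installer producing different MD5 values, only one matching the value published on the download page) can be automated. The following is an added example, not code from the thread or from the Reatogo project; the file names, the installer bytes and the "published" hash are all constructed here so that it runs offline.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, hashing it in chunks
    so large installers do not have to be loaded into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def check_downloads(paths, expected_md5):
    """Compare every downloaded copy against the published MD5 and against
    each other. Returns a report with per-file digests, which copies match
    the published value, and whether all copies are byte-identical."""
    expected = expected_md5.strip().lower()
    files = {}
    for path in paths:
        md5, sha256 = file_digests(path)
        files[os.path.basename(path)] = {
            "md5": md5,
            "sha256": sha256,
            "matches_published": md5 == expected,
        }
    distinct = {entry["md5"] for entry in files.values()}
    return {
        "files": files,
        "all_copies_identical": len(distinct) == 1,
        "matching_copies": sorted(
            name for name, entry in files.items() if entry["matches_published"]
        ),
    }


def demo():
    """Constructed scenario: three copies of one installer, one truncated and
    padded as a download manager might leave it, checked against the MD5 of
    the genuine file (playing the role of the hash on the download page)."""
    genuine = b"REATOGO-240 installer bytes (constructed sample)\n" * 2000
    damaged = genuine[:-16] + b"\x00" * 16          # same length, wrong content
    published_md5 = hashlib.md5(genuine).hexdigest()  # constructed "published" value

    with tempfile.TemporaryDirectory() as tmp:
        copies = {"download1.exe": genuine, "download2.exe": damaged, "download3.exe": genuine}
        paths = []
        for name, data in copies.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            paths.append(path)
        return check_downloads(paths, published_md5)


if __name__ == "__main__":
    report = demo()
    for name, entry in report["files"].items():
        status = "OK" if entry["matches_published"] else "MISMATCH"
        print(f"{name}: md5={entry['md5']} {status}")
    print("all copies identical:", report["all_copies_identical"])
```

A matching MD5 tells you the bytes that arrived are the bytes the site published, which rules out the corrupted-transfer situation the post describes; it does not tell you the published file itself is clean, and MD5 is no longer collision-resistant, so where a project publishes a SHA-256 value that is the one to compare. Recording both digests, as the report does, also gives you a stable value to look up on VirusTotal without re-uploading the file.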
cdob
QUOTE (foobaz @ Jun 23 2008, 06:56 PM) *
McAfee 5322 2008.06.20 potentially unwanted program RemAdm-PSKill

Read the description: potentially unwanted program
PSKill is designed to kill a process. Works as designed.
This application can be used in a good or bad manner.

Compare: there are knives.
You may use a knife to eat. Or to harm someone else.
A knife can be used in a good or bad manner.
A knife is a potentially unwanted tool.

Or the other way round:
A virus scanner is a potentially unwanted program.

False positives are quite common for a virus scanner.

No, that's not a virus, trojan or malicious application.

Siegfried's Reatogo has been out for several years now.
There hasn't been a bad experience relating to a virus or trojan so far.

I trust Siegfried.