View Full Version : Trojan Found HELP NEEDED!!!


radicalb21
October 3rd, 2003, 06:40 AM
Can anyone help with this issue???? This is what was reported by AMON. This happened during an install of printer software specifically HP PSC 1210 Printer. I choose to quarantine the file then delete it.


Time***Module***Object***Name***Virus***Action***User***Info
10/3/2003 5:41:41 AM***AMON***file***C:\Program Files\Hewlett-Packard\hpis\bin\MatcliWrapper.exe***Win32/Flooder.NewsAgent trojan***quarantined - deleted******

Any and all help would be appreciated. I would appreciate an ESET Moderator or Administrator to contact me as well as a forum member or forum moderator.
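The AMON export quoted above is a simple "***"-delimited table (header row, then one line per event, with empty trailing columns for User and Info). The following parser is an added example for this thread, not ESET's own code: it turns such lines into records and picks out the entries that, as later replies advise, should be sent to the vendor as samples before the verdict is trusted (file detections under an installed-software directory that were quarantined or deleted). The sample log is constructed from the line in the post.

```python
"""Parse NOD32 AMON log export lines ('***' delimiter) and flag entries worth
submitting as possible false positives. Added example, not ESET code."""
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample: the header and the single entry quoted in the first post.
SAMPLE_LOG = (
    "Time***Module***Object***Name***Virus***Action***User***Info\n"
    "10/3/2003 5:41:41 AM***AMON***file***"
    "C:\\Program Files\\Hewlett-Packard\\hpis\\bin\\MatcliWrapper.exe***"
    "Win32/Flooder.NewsAgent trojan***quarantined - deleted******\n"
)

DELIM = "***"

@dataclass
class AmonEvent:
    time: datetime
    module: str
    obj: str
    name: str
    virus: str
    action: str
    user: str
    info: str

def parse_amon_log(text: str) -> List[AmonEvent]:
    """Split header and rows on the '***' delimiter; trailing empty columns
    (User, Info) arrive as empty strings, and are padded if dropped entirely."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(DELIM)
    events = []
    for line in lines[1:]:
        fields = line.split(DELIM)
        fields += [""] * (len(header) - len(fields))
        rec = dict(zip(header, fields))
        events.append(AmonEvent(
            time=datetime.strptime(rec["Time"], "%m/%d/%Y %I:%M:%S %p"),
            module=rec["Module"], obj=rec["Object"], name=rec["Name"],
            virus=rec["Virus"], action=rec["Action"],
            user=rec["User"], info=rec["Info"]))
    return events

# Assumption: installed-software roots where vendor binaries normally live.
VENDOR_DIRS = ("c:\\program files\\",)

def sample_submission_candidates(events: List[AmonEvent]) -> List[AmonEvent]:
    """File detections under a vendor install directory that were quarantined
    or deleted: verify these with the vendor (samples address) before trusting them."""
    return [e for e in events
            if e.obj == "file" and e.name.lower().startswith(VENDOR_DIRS)
            and ("quarantined" in e.action or "deleted" in e.action)]
```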

Dan Perez
October 3rd, 2003, 07:16 AM
Hi,

Can you please download and run DCS's AutostartViewer from

http://www.diamondcs.com.au/downloads/asviewer.zip

Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

Also, if you have NT/2K/XP, can you please download DCS's OpenPorts program from

http://www.diamondcs.com.au/downloads/openports.zip

Unzip openports.exe in your Windows directory, and open up your Command Prompt and type;

openports > openports.txt

and then press the Enter key

Then type;

openports.txt

and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review

anders
October 4th, 2003, 10:04 AM
Also, send the infected file to samples@eset.com, in case it's a false positive (not infected, but detected).

Best regards,
Anders

Baayo
October 5th, 2003, 04:11 PM
I've had the exact same problem. I downloaded the trial version of NOD32 v.2 a few days ago. The very first scan I did with the program (all options at default settings; 40,000 files scanned) flagged down the very same file as a trojan, with the message

C:\Program Files\Hewlett-Packard\hpis\bin\MatcliWrapper.exe Win32/Flooder.NewsAgent trojan

When I used Windows Explorer to have a look at that file (with AMON being enabled), the program threw up a big red alert screen, repeating the above message and saying that this item cannot be cleaned. Before going any further (e.g. renaming the file or encrypting and quarantining it or sending it as a suspected trojan sample to the NOD32 labs), I decided to investigate a little further.

First, no information can be found on that trojan "Win32/Flooder.NewsAgent" in the virus/trojan databases of NOD32/ESET, Symantec or McAfee. A Google search also brings up nothing.

Second, that MatcliWrapper.exe file (a piece of a client command line interface) appears to be part of a program suite coded by Motive Communications, Inc. and dated 2001 that's used by Hewlett-Packard in their GUI (called Printer Assistant) for setting up and supporting some of their printers. My copy of that file came on the CD included with my HP deskjet 5550. I installed that software in Jan. 2003. Since that date that alleged trojan has been sitting on my hard disk. However, numerous scans with NAV 2002 and several recent scans with NAV 2004, McAfee VS8, Kaspersky AV4.5, Panda Titanium v.2 and Trojan Hunter v3.6, all with the latest malware definitions installed, failed to flag this file.

Third, I've frequently looked at my open ports and startup programs using such programs as Port Explorer and AutoStartViewer and I've never seen anything suspect that looked like a trojan, certainly not that Matcliwrapper program.

I fished out the HP CD on which this file came (I presume it resides there in a compressed file named CONTENTS.CAB in the HPIS folder) and scanned the entire CD with NOD32, first straight, then from the DOS command line with the switch \AH which enables advanced heuristics, and then repeated the same thing for just that file alone. None of this produced any result.

Then I did another standard NOD32 scan of my hard disk, all with the same default settings as used earlier, except that in the Setup Tab, in the box "objects to diagnose", runtime packers, archives, and email files were also checked. Without my knowingly having done anything to that MatcliWrapper file, now the scan sailed through the entire 10 GB of data (120,000 files scanned, with those additional options enabled) with "0 viruses found."

So what do you make of all of this? I'm inclined to think that NOD32 generated a false positive.

If you again need to set up or fiddle with your HP printer settings, I wonder if the Printer Assistant software still works properly now that you have deleted that MatcliWrapper.exe file.

You may want to send that file for examination to ESET if you can still undelete it. Copy the file as an attachment to an explanatory email sent to samples@nod32.com; feel free to include my comments. If you can't, then maybe I'll do it - right now I'm a little tired of wasting any more time on AV program related problems. Good luck! And don't worry much about it, for now!

BTW, I think NOD32 v.2 is a terrific program. I had my machine clobbered (Windows XP reinstall needed) by installing McAfee VS8 while NAV 2004 was also installed (although with all startup and memory resident functions of NAV disabled). I had wanted the choice of using two different AV programs for alternate scanning. Now, NAV and VS8 (and part of Windows XP) are gone, and I'll probably shell out the $40 for NOD32.

-----
ESET's instructions:

How could I send a sample to Eset?

When Nod32 detects a virus, it offers several actions. One of them is the "Export the file" button. If you want to send a sample to Eset - you can click on it, save it to the disk and send as an attachment to samples@nod32.com.

sig
October 5th, 2003, 06:11 PM
When any AV alerts on a known legit program file, especially when installing something like printer software, I'd first assume a false positive and check things out prior to deleting anything.

It's not completely unknown that some legit program files from legit sources have come with infections, but it's a very rare occurrence. But as noted, it's best to send in to the vendor just to make sure and also to alert the vendor they've got a false positive, when that's the case. Given the number of similar reports here and elsewhere regarding this same file and NOD's alert, I'd put it in the likely false positive category.

FWIW I've had no NOD alerts on my HP software. But that may be due to different versions of the software.

Stan999
October 5th, 2003, 08:53 PM
Quote from Baayo:

> First, no information can be found on that trojan "Win32/Flooder.NewsAgent" in the virus/trojan databases of NOD32/ESET, Symantec or McAfee. A Google search also brings up nothing.

That does sound like a False Positive.

Here are some other links showing Flooder NewsAgent.

Weekly Update: August-31 - 19:34(UTC+2DST)
http://www.avp.ch/E/avp-news.stm

Trojan/Flooder.Win32.NewsAgent.1_06
http://www.rav.ro/scan/scan-stats.php?top=all

JAVA/NEWSAGENT FLOODER
http://support.ca.com/techbases/ilnt/31033a.html

Flooder.NewsAgent
(copy and paste in your browser)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NEWSAGENT.A

Baayo
October 5th, 2003, 09:50 PM
The only reference I've found to that trojan in a Google search, curiously enough, is to the NOD32 website in Finland

http://www.nod32finland.com/updates.asp

where this trojan is listed as being included in the NOD32 v1.524 (2003-10-02) virus signature update file. I downloaded and installed NOD32 and ran the first scan on that same day, and it flags down an HP program written in 2001 and installed on my hard disk in Jan 2003 as being infected with a trojan the discovery of which is so new that it was just included in the most recent update file distributed on the same day that I scanned. This is peculiar. It almost certainly is a false positive, but I wonder if NOD32 not just misfired but rather malfunctioned.

Any comments?

Paul Wilders
October 5th, 2003, 10:01 PM
Baayo,

Comments? It's an existing trojan for sure. Could well be a false positive: as you've posted before, just provide a sample to the sample email address you've mentioned yourself for investigation ;)

regards.

paul

Baayo
October 6th, 2003, 02:47 AM
I've sent the file in question as a sample to samples@nod32.com. We'll see what they have to say.

jan
October 6th, 2003, 05:27 AM
Hi,

> Can anyone help with this issue???? This is what was reported by AMON. This happened during an install of printer software specifically HP PSC 1210 Printer. I choose to quarantine the file then delete it.
> Time Module Object Name Virus Action User Info
> 10/3/2003 5:41:41 AM AMON file C:\Program Files\Hewlett-Packard\hpis\bin\MatcliWrapper.exe Win32/Flooder.NewsAgent trojan quarantined - deleted

Sorry for the false positive - it was fixed in the today's update - 1.527 .

Thx., :)

jan