Malware-Cryptor in Recuva

I just downloaded Recuva from https://www.piriform.com/recuva/download/standard.

I checked the file for viruses and malware on virustotal.com, and one of the scans turned out positive. In particular:

VBA32 finds “Malware-Cryptor.Win32.General.4” in the downloaded Recuva.

I don’t know what I should do. Could someone please help?

1-4 hits is usually a false positive, in this case likely triggered by the Google offer in the standard build. Is the hit, by any chance, ESET or ClamWin?

Nergal,

I get 2 hits. The first, from ESET, is negligible – “Win32/Bundled.Toolbar.Google.D” – which is a false positive referring to the Google toolbar bundled with Recuva (I get this also when scanning CCleaner).

The second, which I reported, is more worrisome. Why should Recuva turn out positive for a known trojan such as “Malware-Cryptor.Win32.General.4”?

What engine grabbed it? Have you scanned it locally? I'm still going to say likely an FP.

The engine that grabbed it is called VBA32. I must admit I have never heard of this engine before, but it is one of those listed on virustotal.com, as well as on virscan.org. Recuva gives the same result in either scan.

I scanned locally with Norton and Malwarebytes and I get no positives.

OK, so here's an info page on what was detected: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=459817

I would say that since the other engines listed didn't grab it, it's a false positive and should be uploaded/reported to VBA32: http://anti-virus.by/en/ (I couldn't find a report email, but I'm on mobile so I might've missed it.)

Thanks Nergal,

so you think I should go ahead and use Recuva with no danger to my computer. Am I correct?

Most installers that include something bundled with them (in this case Google software) will get flagged by one or more of the scanners. That, and supposedly Piriform uses NSIS, which itself will sometimes produce an FP. If you wish to avoid FPs, etc., use the Portable versions, which are available in a ZIP archive.

______________

As for Nergal's question about ClamWin: it triggers mostly on files compressed with UPX, and it triggers so often that I began to completely ignore its results. The funny thing is that using ClamWin Portable (Windows) it doesn't give an FP on the same files it gives an FP on at multiple scanning sites, but those scanning sites are using the Linux version.

Thanks Andavari, I appreciate your help.
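The triage the thread applies by hand (count the hits, separate "bundled toolbar"/PUA and generic packer-style labels from specific family names, then decide whether a couple of hits out of many engines is worth worrying about) can be written down as a script. The following is an added example for this thread, not code from Piriform, VirusTotal or any scanner; the report it reads is a constructed JSON document in the shape of a multi-engine scan result (engine names, `detected` flag, `result` label), the SHA-256 value is a placeholder rather than the real Recuva hash, and the label patterns and the threshold of four hits are assumptions taken from Nergal's rule of thumb, not a vendor standard.

```python
import json
import re
from collections import Counter

# Constructed sample modelled on the thread: ten engines, two hits, one of them
# a bundled-toolbar PUA label and one a generic "Cryptor ... General" label.
# The hash is a placeholder, not the real installer's digest.
SAMPLE_REPORT = json.dumps({
    "sha256": "0" * 64,
    "scans": {
        "ESET-NOD32":  {"detected": True,  "result": "Win32/Bundled.Toolbar.Google.D"},
        "VBA32":       {"detected": True,  "result": "Malware-Cryptor.Win32.General.4"},
        "Symantec":    {"detected": False, "result": None},
        "Malwarebytes": {"detected": False, "result": None},
        "ClamAV":      {"detected": False, "result": None},
        "Kaspersky":   {"detected": False, "result": None},
        "Microsoft":   {"detected": False, "result": None},
        "McAfee":      {"detected": False, "result": None},
        "BitDefender": {"detected": False, "result": None},
        "Sophos":      {"detected": False, "result": None},
    },
})

# Assumed label patterns. "PUA" labels describe bundled/unwanted software, not
# malware; "generic" labels are heuristic or packer-driven (UPX/NSIS/cryptor)
# and are the usual source of single-engine false positives.
PUA_PATTERN = re.compile(
    r"bundled|toolbar|\bpua\b|\bpup\b|adware|riskware|not-a-virus|unwanted", re.I)
GENERIC_PATTERN = re.compile(
    r"general|generic|heur|suspicious|cryptor|packed|packer|nsis|upx", re.I)


def classify_label(label):
    """Bucket a detection name as 'pua', 'generic' or 'specific' (named family)."""
    if PUA_PATTERN.search(label):
        return "pua"
    if GENERIC_PATTERN.search(label):
        return "generic"
    return "specific"


def triage(report_json, fp_threshold=4):
    """Apply the thread's rule of thumb to a multi-engine scan report.

    Verdicts:
      clean                 - no engine detected anything
      likely_false_positive - few hits, none naming a specific family twice
      suspicious            - more than fp_threshold hits, or at least two
                              engines agreeing on a specific family label
    """
    report = json.loads(report_json)
    scans = report["scans"]
    hits = {engine: info["result"]
            for engine, info in scans.items() if info.get("detected")}
    classes = Counter(classify_label(label) for label in hits.values())

    if not hits:
        verdict = "clean"
    elif len(hits) > fp_threshold or classes["specific"] >= 2:
        verdict = "suspicious"
    else:
        verdict = "likely_false_positive"

    # Engines whose hit is generic or PUA-only are the ones to send an FP report to.
    report_fp_to = sorted(engine for engine, label in hits.items()
                          if classify_label(label) != "specific")
    return {
        "sha256": report["sha256"],
        "engines": len(scans),
        "hits": len(hits),
        "classes": dict(classes),
        "verdict": verdict,
        "report_fp_to": report_fp_to,
        "details": hits,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['hits']}/{result['engines']} engines flagged the file "
          f"-> {result['verdict']}")
    for engine, label in result["details"].items():
        print(f"  {engine:12s} {label:40s} [{classify_label(label)}]")
    if result["report_fp_to"]:
        print("Consider submitting the sample as a false positive to:",
              ", ".join(result["report_fp_to"]))
```

The verdict is a heuristic, not proof: a brand-new sample will also score one or two hits on its first day, so a low count should be read together with where the file came from (a vendor download over HTTPS, as here) and with a local scan, which is exactly the cross-check Nergal asked for. The portable ZIP builds Andavari mentions avoid the installer stub and the bundled offer, which removes the two most common triggers for the "generic" and "pua" buckets.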