patflgn
Contributor
Message 1 of 25

SiteAdvisor file mcinst.exe detected as trojan

Today I opened IE6 and received a notice on top of my home page that McAfee SiteAdvisor had downloaded an updated version, etc. There was a continue button on the bottom right of the notice.

Simultaneously, I received a pop-up from Kaspersky Anti-Virus 7.0 that it had detected a trojan: C:\WINNT\Temp\SiteAdvisor\mcinst.exe. mcinst.exe was detected as Riskware Trojan.generic and as a running process. I attempted to quarantine it, but the action failed.

I killed the notification window and deleted the SiteAdvisor folder in Temp. I also killed the mcinst.exe process.

After looking around siteadvisor.com, I can't find anything about a new version or upgrade of SiteAdvisor being released, either on the home page, support, or these forums.

If it's valid, however, you should at least know that Kaspersky is detecting it as a trojan.

I also need to ask if you have, actually, released an upgrade, or do I really have a trojan trying to get in.

Thanks,
Pat
24 Replies
exbrit
MVP
Message 2 of 25

RE: SiteAdvisor file mcinst.exe detected as trojan

It's only a temporary installation file, so it doesn't really matter, but in future, if anything strange is detected by Kaspersky, you should be asking them and/or forwarding the file to them for analysis.

http://forum.kaspersky.com/index.php?showtopic=13881
patflgn
Contributor
Message 3 of 25

Thanks

Thanks Peter,

Especially for the link.

I felt McAfee was the best first stop on this, since they would know whether or not an updated version had been released, and I found it strange that there's no mention of one on the site (siteadvisor.com).

However, if this behavior recurs, I will add the file to quarantine and submit it to Kaspersky as per your link.

Thanks again,
Pat
exbrit
MVP
Message 4 of 25

RE: Thanks

You are the 2nd person to mention that SiteAdvisor upgraded today, yet mine hasn't and the other updates came in already. Maybe because I'm using SiteAdvisor Plus, although I wouldn't have thought that would make any difference.

There is a new version of SA being tested as we speak, but I don't think it's released yet.

Check for spyware as a precaution using the free version of this tool: http://www.superantispyware.com/superantispywarefreevspro.html

Meanwhile keep your eyes on the Kaspersky forums to see if anyone else posts similar experiences. I'll keep my eyes open here too.
patflgn
Contributor
Message 5 of 25

Scans run

Peter,

I ran scans with Kaspersky (thorough critical areas, file system, and rootkit), and with Spybot (run in advanced mode, fully configured), and found nothing. Additionally, Spyware Blaster is current.

It's possible some hacker is targeting SiteAdvisor users, but I think unlikely since that's probably a pretty small percentage of the total computers on line.

I appreciate your willingness to follow up, and if I find any further information on this, I'll post here.

Pat
exbrit
MVP
Message 6 of 25

RE: Scans run

Thanks. Just out of interest what is your version/build of SiteAdvisor?

(Click the little arrow on the toolbar icon and then select "About".)
patflgn
Contributor
Message 7 of 25

Version

Since last posting, I thought I'd try to get ahead of this by manually installing the current version.

I've removed SiteAdvisor, then downloaded the current setup file (free version), and reinstalled it, so it's current, at least to the extent of what's posted on the site.

My current version is 2.6.0.6261.

Pat
exbrit
MVP
Message 8 of 25

RE: Version

OK, that's the same as mine.
patflgn
Contributor
Message 9 of 25

Happened again today

This is getting frustrating.

A few minutes ago, Kaspersky popped up a warning:

"6/13/2008 2:01:49 PM C:\WINNT\Temp\SiteAdvisor\mcinst.exe Process is trying to register its copy as an autorun startup object. This behavior is typical of Trojans."

I got the banner notice in the middle of my IE page advising me a new version had been downloaded.

I terminated the mcinst.exe process, using a choice in Kaspersky's warning pop up.

I had previously deleted the folder C:\WINNT\Temp\SiteAdvisor after the last debacle, so this is a new download. I deleted it again.

I did open my browser, and the SiteAdvisor icon had disappeared from the toolbar.

I reinstalled it from the setup file I downloaded a couple of days ago.

So, for feedback purposes to McAfee:

WHAT MAKES ME SUSPECT THIS IS A VIRUS OR SPYWARE:

(1) Kaspersky's warning.

(2) The banner notice in the middle of my IE page. McAfee has a perfectly good method of notification, the pop-out balloon from the toolbar icon if you visit a red page or instruct it to show balloon. I would assume that if this was really a notification from McAfee, it would appear there? If it did, I'd have a lot more confidence that this update was really from McAfee.

QUESTIONS I WOULD LIKE ANSWERED.

(1) There is nothing I can find on the site about a new version. Is SiteAdvisor in the process of distributing updates? If the answer is no, then I'd like a statement to that effect so I would know this must be a virus or spyware. If the answer is yes, then please post something (like an answer here), so I can add this item to Kaspersky's Trusted Zone.

(2) Is there a SiteAdvisor site that discloses information about new versions distribution and "definition" updates (i.e., lists of new site ratings additions/changes IF they're downloaded to the local computer)?

(3) When site ratings are changed/added to, does SiteAdvisor retrieve those lists and store them on the local machine for reference, or is SiteAdvisor constantly checking sites against a database at McAfee's site?

WHAT I WOULD LIKE TO ASK MCAFEE TO DO BEYOND THE ABOVE: Please talk to Kaspersky. I'm sure they'd be willing to include an exclusion for a valid update file or process from detection in a definition file soon.

Thanks,
Pat
exbrit
MVP
Message 10 of 25

RE: Happened again today

OK, first of all the ball is in Kaspersky's court as it's their product that is finding this, most likely falsely.

However, I will certainly point this out at Monday's conference call, but it's still up to Kaspersky to investigate it.

If you want to be totally sure that your machine is spyware/malware free then run Hijackthis and post its log on one of the following forums for expert analysis and advice:

Do not post the log here, we can't help!

DOWNLOAD HIJACKTHIS

Post the logs at a specialist Forum:

AUMHA FORUM

BLEEPING COMPUTER FORUM

GEEKS TO GO FORUM

MAJOR GEEKS FORUM

MALWARE REMOVAL FORUM

SPYWARE INFO FORUM

TECH SUPPORT GUY FORUM

WHAT THE TECH FORUM (Formerly Tom Coyote)

Be sure to read all the sticky announcements/instructions at the top of each malware forum!

You could also submit the problem to SiteAdvisor directly using the form here: http://www.siteadvisor.com/userfeedback.html