Trojan detected by BoClean in msfeedssync.exe

I woke up yesterday to find the first BoClean detection alert I have ever witnessed. It reported that a trojan, WEBDL4LITE, has been found in memory and was killed along with a warning that the file that started it is still on the disk. What I found strange about it is the following:

The file in question, msfeedssync.exe (approx 1Xkb in size, close to what CA reports to be the original WEBDL variant’s size) seems to belong to Windows and does not appear to have been modified since its original creation date.

The warning occurred only once; after closing the original detection window it hasn’t popped up again, even though the msfeedssync app supposedly runs at regularly scheduled intervals.

The only reference to this file and suspicious activity / detections / fp was on Kaspersky forums where it was flagged as a fp with very little info. Avira remained silent the whole time, Virustotal and Jotti found nothing in the file which was expected, neither did Kaspersky’s file upload scanner. VT reported the file being scanned already on 26th so there is a chance that someone else ran into the same detection.

No unknown new executable files dated 01/28/08 can be found on the machine. Machine performance has not been visibly degraded or affected in any way.

Any ideas as to why the detection popped up? False positive? Exploit? Random disturbance in the Force? I am kind of worried.

Submitted file to the Comodo email address I found in a FAQ thread, no response yet.

It must be a false positive, since that file is a component of IE7 and hasn’t been modified. It doesn’t appear to be of great importance, being related to various live feeds.

Yes, that would be my guess. The thing that got me worried, however, is that BC went off only once. I would expect a fp to occur whenever the process is started, which did not happen once since the original warning. I’m not sure what to make of it… (I hate strange behavior >:()

Yes, I agree with your point; it seems to just be a glitch on your set-up, since it hasn’t been reported before. I hate these kinds of mysteries too, that’s why I turn to ■■■■ :■■■■

Isn’t that file related to Windows Defender? Seems like when I had Windows Defender installed this file showed up when it would update.


Yes it’s quite possible that the live update of Windows Defender would utilise that.