Author Topic: False warning ?  (Read 4681 times)

anaigeon

  • Guest
False warning ?
« on: October 21, 2009, 10:59:47 PM »
Hi,

This evening, while executing my weekly light scan (I run a deeper one on Sunday), I got this virus alert :

avast! [REZ-DE-CHAUSSEE] : Fichier "C:\Documents and Settings\Admin\Mes documents\Arrivages\Installés\Images\virtualdubmod_virtualdubmod_1.5.10.1_francais_45486.exe" est infecté par "Win32:Adware-gen [Adw]" virus.
"_ Mon analyse légère" tâche utilisée


The mentioned file is the installation program of the french version of virtualdub (or an add-on to localize it).
This is a well known video program.
What's more surprising is the fact that it has been present for months on my disk, without any warning till today !

I'm not sure it's possible to post files somewhere, in case someone would like to analyse it more thoroughly - in any case I wouldn't post without having been invited to do so.
I doubt it really contains a virus - but I don't use this program, I've just run it a few times just after installation, to see what it can do, and never again since this moment.

Offline harman123

  • Sr. Member
  • ****
  • Posts: 299
Re: False warning ?
« Reply #1 on: October 21, 2009, 11:09:04 PM »
Can you submit the file to www.virustotal.com and check?

anaigeon

  • Guest
Re: False warning ?
« Reply #2 on: October 21, 2009, 11:22:29 PM »
Thanks for this jet answer :-)

I went to www.virustotal.com.
My first attempts were without success, since the site answered it received 0 bytes...
till I realized that I had to stop Avast  LOL

Here is the link to the result (or I'm supposed to post the text?)

http://www.virustotal.com/fr/analisis/d0de62c5114fa4310484d174afab80a443684a8054a116b3358c7b0c888bb85a-1256023016

Offline harman123

  • Sr. Member
  • ****
  • Posts: 299
Re: False warning ?
« Reply #3 on: October 21, 2009, 11:27:23 PM »
wow 17 out of 41  :o
definitely is malware not false positive
 
« Last Edit: October 21, 2009, 11:29:41 PM by harman123 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False warning ?
« Reply #4 on: October 21, 2009, 11:33:51 PM »
Hi anaigeon,

Wasn't the developer aware of this? Read this link, where he reported some work-arounds in the code and started flaming AV vendors for detection: http://www.virtualdub.org/blog/pivot/entry.php?id=245
At least the issue is a little controversial; here they report a worm:
http://www.prevx.com/filenames/1920631375628518756-X1/VIRTUALDUB-V1.6.17.EXE.html
This is because heuristics are being used more and more, and simply because the
UPX executable compressor was used in the software, it is detected as a worm trojan.

You could check this at avast, or ask whether this actually is the reason for it to be flagged.
Typical for this is the flag "AdWare.Rabio.db (Not a Virus)" and Comodo's
"Unclassified Malware", all typical for a heuristic find.

According to Google, Virtual Dub might be bundled with malware,
but at Unmasked Parasites the site is given as clean...
This source may be secure: http://virtualdub.sourceforge.net/
Or use an alternative like: http://sourceforge.net/projects/camstudio/

polonus
« Last Edit: October 21, 2009, 11:39:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

anaigeon

  • Guest
Re: False warning ?
« Reply #5 on: October 22, 2009, 12:03:18 AM »
Thank you very much. I'll probably delete this file, or consider getting the latest (English) version, in which they seem to have taken this problem into account, if I understand correctly a comment on the sourceforge page.
Alain

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False warning ?
« Reply #6 on: October 22, 2009, 12:09:45 AM »
Hi anaigeon,

Glad we could help with the additional info, welcome to the forums here,
stay safe and secure is the wish of,

polonus

llariel

  • Guest
Re: False warning ?
« Reply #7 on: October 22, 2009, 02:00:30 AM »
Can Notepad.exe be a false positive from Malwarebytes?

Here the logs:

Malwarebytes' Anti-Malware 1.41
Database version: 3001
Windows 6.0.6002 Service Pack 2

10/20/2009 10:38:34 PM
mbam-log-2009-10-20 (22-38-30).txt

Scan type: Quick Scan
Objects scanned: 31578
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
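
For anyone triaging a log like the one above, this added example (not part of any post in this thread) parses the "Registry Data Items Infected" lines and shows, per file class, which program the open-command currently launches and which one the scanner expects. The function names and the `TEXT_VIEWERS` set are assumptions made for this example.

```python
import re

# The two "Registry Data Items Infected" entries, copied from the log posted above.
SAMPLE_LOG = r'''Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.
'''

# key\(value) (detection) -> Bad: (current data) Good: (expected data) -> action.
ENTRY = re.compile(
    r'^(?P<key>HKEY_\S+?)\\\((?P<value>[^)]*)\) \((?P<detection>[^)]+)\)'
    r' -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$',
    re.MULTILINE,
)

# Assumption for this example: handlers that display a file rather than run it.
TEXT_VIEWERS = {"notepad.exe"}


def handler(command):
    """Return the program an open-command launches, lower-cased.
    '%1' means the clicked file itself is executed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)).lower() if m else ""


def parse_registry_items(log_text):
    """Turn each registry data item line into a dict for review."""
    items = []
    for m in ENTRY.finditer(log_text):
        item = m.groupdict()
        # Key layout is HKEY_CLASSES_ROOT\<file class>\shell\open\command.
        item["file_class"] = item["key"].split("\\")[1]
        item["current_handler"] = handler(item["bad"])
        item["expected_handler"] = handler(item["good"])
        item["opens_as_text"] = item["current_handler"] in TEXT_VIEWERS
        item["changed"] = "No action taken" not in item["action"]
        items.append(item)
    return items


if __name__ == "__main__":
    for it in parse_registry_items(SAMPLE_LOG):
        print(f'{it["file_class"]}: {it["current_handler"]} (expected '
              f'{it["expected_handler"]}), opens as text: {it["opens_as_text"]}, '
              f'registry modified by scan: {it["changed"]}')
```

For both entries the current handler is `notepad.exe`, so the file is opened as text instead of being run or imported; whether that association was set on purpose is what decides if the finding should be ignored.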


 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False warning ?
« Reply #8 on: October 22, 2009, 02:34:31 AM »
Submit it to www.virustotal.com to check.
The best things in life are free.

YoKenny

  • Guest
Re: False warning ?
« Reply #9 on: October 22, 2009, 06:27:03 AM »
Update MBAM to 3009 as it could be a False positive in your update but may have to be ignored:
http://www.malwarebytes.org/forums/index.php?showtopic=26770&hl=notepad