Author Topic: Scan Results - Win32:FlvDirect-C - False Positives?  (Read 6284 times)

BFarmer1980

  • Guest
Scan Results - Win32:FlvDirect-C - False Positives?
« on: November 16, 2011, 01:25:23 PM »
A recent scan moved the following files to the Virus Chest with the Win32:FlvDirect-C virus.  Avast was unable to repair the files.

Strange thing is this:  Avast seems to be the only program picking up these files as being infected.  Malwarebytes and Ad-Aware both scanned these files and came back clean.

I've done a Google search for removing Win32:FlvDirect-C, but can only get advertisements for companies wanting me to buy their anti-malware suite.

So, since Avast seems to be the only program picking this up (that I've tried thus far), could it be a false positive?  If not, anyone have any ideas as to how I can remove this?


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Scan Results - Win32:FlvDirect-C - False Positives?
« Reply #1 on: November 16, 2011, 01:33:18 PM »
Upload the suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

Alternatives:
Jotti     http://virusscan.jotti.org/en
VirSCAN   http://virscan.org/
Metascan   http://www.metascan-online.com/

Quote
 Avast was unable to repair the files.
Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm


Can you expand the "original location" column so we can see the full location path?

« Last Edit: November 16, 2011, 01:56:50 PM by Pondus »

BFarmer1980

  • Guest
Re: Scan Results - Win32:FlvDirect-C - False Positives?
« Reply #2 on: November 16, 2011, 11:35:43 PM »
Pondus,

First off, thanks so much for your reply!

I will upload those files later this evening and post the url results.

As to "Clean, Quarantine, Or Delete," all the files were originally quarantined.  I've restored the ones that are listed in system32 and the user folder, at least on a temporary basis, because I was unable to log in to my profile in Windows Vista without at least one of them, though I don't really know which.  I attempted to clean the ones I restored, but Avast failed to do so, and, as I've mentioned, Malwarebytes, Ad-Aware, and now Windows Defender all fail to see the infection.

I'll also expand the original location column when I post the virustotal results later this evening.

Thanks again, and I'll post the results as quickly as I can.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Scan Results - Win32:FlvDirect-C - False Positives?
« Reply #3 on: November 17, 2011, 01:40:40 AM »
Quote
I attempted to clean the ones I restored, but Avast failed to do so,
That was one of the reasons why I posted the link to "Clean, Quarantine, or Delete", as it explains how and what can be cleaned!

Quote
Clean: attempts to remove the infection from the file. This is only pertinent to virus behavior, wherein a legitimate file has been 'infected' with non-legitimate (usually viral) code.

Quote
On the other hand, antivirus software can't 'clean' a worm or a trojan, because there is nothing to clean - the entire file IS the worm or trojan.


BFarmer1980

  • Guest
Re: Scan Results - Win32:FlvDirect-C - False Positives?
« Reply #4 on: November 17, 2011, 03:24:42 AM »
Thanks for the clarification, Pondus.

Here is the updated view of the virus chest window.  I've had to use two pictures to get the full width.




Update:  Here are the virustotal results for each file, in the order they're listed in the pictures.

BookCKCL.etl is too large for virustotal.

Ntuser.dat couldn't be uploaded.  Message said it was in use.

Software.gbck is too large for virustotal.
« Last Edit: November 17, 2011, 08:35:54 AM by BFarmer1980 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Scan Results - Win32:FlvDirect-C - False Positives?
« Reply #5 on: November 17, 2011, 11:29:49 AM »
Send some of these samples to avast for analysis:
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP (also see ~~~~ below).
Send the sample to avast as a False Positive:
Open the chest, right-click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update. A link to this topic wouldn't hurt.

@@@@
- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the File System Shield and avast Settings exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe, where file_name.exe is the file you want to exclude.

Because of the variable nature of the file names you would need to use a mask, so rather than try to change the \* at the end to a file name, change it to \*.rcs, e.g. c:\users\your_username\appdata\roaming\auslogics\rescue\boost speed\*.rsc (change the your_username to that in the image)

~~~~
Because some of these VT results have other detections other than just avast and gdata, they are still generally low and should be sent to avast for analysis also.
« Last Edit: November 17, 2011, 11:33:06 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
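
The counting rule from the reply above (GData embeds avast, so the pair counts as one detection), as an added example that is not part of the original thread. Only the GData/avast relationship and the Win32:FlvDirect-C label come from the thread; the other engine names, the verdicts and the `LOW_MAX` cut-off are constructed assumptions.

```python
# Added example. Only the GData -> avast relationship comes from the thread;
# product names "EngineB"/"EngineC", all verdicts and LOW_MAX are constructed.
SHARED_ENGINES = {"GData": "avast"}   # product -> engine it also embeds
LOW_MAX = 4                           # assumed cut-off for a "low" count


def independent_detections(results):
    """Return the set of independent engines that flagged the file.

    results maps product name -> detection label, or None when clean.
    """
    flagged = {name for name, label in results.items() if label}
    independent = set()
    for name in flagged:
        upstream = SHARED_ENGINES.get(name)
        # Fold a product into its upstream engine only when the upstream
        # flagged the file too; otherwise the hit came from the product's
        # other scanner and stands on its own.
        independent.add(upstream if upstream in flagged else name)
    return independent


def triage(results):
    """Return (independent_count, bucket) for one multi-scanner report."""
    count = len(independent_detections(results))
    if count == 0:
        bucket = "clean"
    elif count == 1:
        bucket = "single"      # likely FP: submit to the vendor
    elif count <= LOW_MAX:
        bucket = "low"         # still submit for analysis
    else:
        bucket = "many"        # outside what the thread covers
    return count, bucket


# Constructed reports (not the results posted in this thread).
ONLY_AVAST_FAMILY = {"avast": "Win32:FlvDirect-C", "GData": "Win32:FlvDirect-C",
                     "EngineB": None, "EngineC": None}
GDATA_ALONE = {"avast": None, "GData": "Constructed.Label", "EngineB": None}
FEW_OTHERS = dict(ONLY_AVAST_FAMILY, EngineB="Constructed.Label",
                  EngineC="Constructed.Label")

if __name__ == "__main__":
    for name, report in [("only avast+GData", ONLY_AVAST_FAMILY),
                         ("GData alone", GDATA_ALONE),
                         ("few others", FEW_OTHERS)]:
        print(name, triage(report))
```

A GData hit without an avast hit is kept as its own detection, since it must have come from GData's other scanner.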

BFarmer1980

  • Guest
Re: Scan Results - Win32:FlvDirect-C - False Positives?
« Reply #6 on: November 18, 2011, 05:31:35 AM »
Thanks for the help, folks.  I'm submitting the files for analysis now.

I restored only those files which were listed as being either user files or Windows files.  Other programs seem to be working fine without the files restored, so I'll leave well enough alone with them for now.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Scan Results - Win32:FlvDirect-C - False Positives?
« Reply #7 on: November 18, 2011, 01:32:56 PM »
You're welcome.