Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: twn321 on March 08, 2013, 06:17:36 AM
-
Hi there all. (New here, so forgive me any omissions or errors in the following.)
So... I ran a boot time scan yesterday. No problems/all clear. Today, for whatever reason, I ran one again. And I got the following message:
File C:\Windows\assembly\NativeImages_2.0.50727_32\stdole\f698ac346476a20a02725b8e9de422cd\stdole.ni.dll is infected by Win32:Malware-gen.
Hadn't done anything during the day that I hadn't before yesterday's scan except update Adobe AIR and 64-bit Java- both on Avast's advice- plus update to the latest version of Avast, too. And to be told, the computer was running just fine all night last night (after yesterday's scan) and today. So, am I maybe looking at a false positive here? That said... as the above item is in a Windows folder, I did not want to just blindly go ahead and do something that I might not be able to undo (if needed). Is the above item safe to delete? To move to chest? To repair? Or, can it be ignored? For the time being, I have done the last thing...
Appreciate your advice/comments.
-
Oh... I almost forgot:
When I scan the Windows\assembly folder with Malwarebytes, everything comes up clear. No infection found.
-
If the file is NOT quarantined, you can upload it to VirusTotal here: https://www.virustotal.com and see the results.
-
Thanks for the tip. My only problem is that when I try to do what you've suggested ("Choose File" to be scanned by VirusTotal), I am unable to find said file in the Windows\assembly folder. And I do have my preferences set to show hidden files/folders. Any additional ideas?
-
I'm having the same problem. Can't find the file. Any suggestions?
-
it should be in your virus chest...
UI>>Maintenance>>virus chest>>select the file>>hit extract>>extract it to desktop>>upload to www.virustotal.com
-
it should be in your virus chest...
UI>>Maintenance>>virus chest>>select the file>>hit extract>>extract it to desktop>>upload to www.virustotal.com
Not if you haven't moved it to the chest. And that was part of my original question. More specifically, during the boot time scan, avast asks you if you are sure about moving a file that is in a Windows folder to the chest. Is it okay to do that?
-
Avast doesn't allow me to put it in the chest. It's not there.
-
I found this Win32: Malware-gen thing on my Dell WinXP laptop last weekend during my post monthly program and Windows updates boot time scan with Avast. It wasn't there on 02/02/13 the last time I did an Avast boot time scan.
Neither earlier numerous quick scans made during the month found it and full system scans with Spybot or Malwarebytes flagged up nothing wrong post updates either.
The 'malware' was located in Windows default hidden Restore Point folder and I used the Avast delete option to kill it.
A new boot time scan was clean and I have had no problem since.
-
Well, you can search for the file by entering its name in the search box when you open "My Computer". Are you sure you checked the virus chest and the "stdole" directory? I'm not a virus removal expert, but if you think you are infected you can scan your computer with some of the tools here: http://www.selectrealsecurity.com/malware-removal-guide or you can post a new topic in the "viruses and worms" section, where you will get further assistance. Open avast GUI > security > antivirus, click settings in the boot time scan area and make sure that the default action is move to chest (not ask). Then run the boot time scan again.
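The earlier advice was to extract the flagged file and upload it to VirusTotal, and this post suggests searching for it by name. The script below is an added example (not from this thread or from Avast) that does the two together: it tries the exact path the scanner reported, falls back to searching every hashed subdirectory of the NativeImages cache for a file with the same name, and prints a SHA-256 digest you can look up on VirusTotal without uploading a system file. The demo builds a throw-away directory tree with a constructed hash name so it runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path

# The thread's reported path was
#   C:\Windows\assembly\NativeImages_2.0.50727_32\stdole\f698ac...422cd\stdole.ni.dll
# Native-image directories carry hashed names, so the exact path may be gone by
# the time you look even though the DLL itself was never touched.


def sha256_of(path):
    """Hash a file in chunks; the digest can be searched on VirusTotal directly."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(reported_path, cache_root=None):
    """Return [(path, size, sha256)] for the flagged file.

    The exact reported path is tried first; if it is missing, every hashed
    subdirectory under cache_root (default: two levels up, i.e. the
    NativeImages_* directory) is searched for a file with the same name.
    """
    reported = Path(reported_path)
    if reported.is_file():
        found = [reported]
    else:
        root = Path(cache_root) if cache_root else reported.parents[2]
        found = sorted(p for p in root.rglob(reported.name) if p.is_file())
    return [(str(p), p.stat().st_size, sha256_of(p)) for p in found]


def demo():
    """Constructed example: the reported hash directory no longer exists and the
    image sits under a new hashed directory; triage() must still locate it."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "NativeImages_2.0.50727_32" / "stdole"
        new_dir = cache / "0123456789abcdef0123456789abcdef"  # constructed hash name
        new_dir.mkdir(parents=True)
        (new_dir / "stdole.ni.dll").write_bytes(b"")  # empty stand-in for the DLL
        stale = cache / "f698ac346476a20a02725b8e9de422cd" / "stdole.ni.dll"
        return triage(str(stale))


if __name__ == "__main__":
    for path, size, digest in demo():
        print(f"{digest}  {size:>8}  {path}")
```

On a real machine call `triage()` with the path from the scan log; if it returns nothing, the image was removed or regenerated under a different name, which is itself useful to know before deciding on chest, delete or ignore.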
-
I really like the latest version of Avast! It does seem to flag up some false positives though. The latest one for me is the new version of the Furmark benchmarking tool.
Every one I have had has been found safe after a couple of updates. I turned the setting for reputation off; it seems a little eager.
-
Report this to the Avast! virus lab.
-
I really like the latest version of Avast! It does seem to flag up some false positives though. The latest one for me is the new version of the Furmark benchmarking tool.
Every one I have had has been found safe after a couple of updates. I turned the setting for reputation off; it seems a little eager.
You should not turn off the Reputation service, it powers the autosandbox (mainly)!
Are you talking about FurMark 1.10.5 (http://www.softpedia.com/get/System/Benchmarks/FurMark.shtml)?
I downloaded it, executed the setup and file got autosandboxed. It's a rare file in the community ...
spywar
-
I did report it to them, I alpha and beta test games so many programs I use have little or no reputation.
-
@twn321 - if you create a topic in the viruses section, attach these logs: http://forum.avast.com/index.php?topic=53253.0
-
Well... Ran a boot time scan again today. And the system comes up clean this time around. Without the file ever having had anything done to it. Interesting...
-
Well... Ran a boot time scan again today. And the system comes up clean this time around. Without the file ever having had anything done to it. Interesting...
Maybe it's a false positive. Did you find the file? Are you sure that the file was not deleted when avast! found it? If you find the file, upload it to the avast! virus lab. How to upload files to the lab: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_07
-
Win32:Malware-gen is a detection from the proactive part of avast! (heuristic engine, autosandbox, behaviour shield etc.). If you scanned the "infected" directory again with avast! and Malwarebytes, and they can't find anything, it is likely to be a false positive. You can scan with Hitman Pro to be sure: http://www.surfright.nl/en/hitmanpro/. Hitman Pro is a cloud antimalware. It runs a behavioural scan and uploads the suspicious files to the Hitman Pro servers.
-
Win32:Malware-gen is a detection from the proactive part of avast! (heuristic engine, autosandbox, behaviour shield etc.). If you scanned the "infected" directory again with avast! and Malwarebytes, and they can't find anything, it is very likely to be a false positive. You can scan with Hitman Pro to be sure: http://www.surfright.nl/en/hitmanpro/. Hitman Pro is a cloud antimalware. It runs a behavioural scan and uploads the suspicious files to the Hitman Pro servers.
How do you know that? Any source? Win32:Malware-gen is a signature generated by automated analysis systems; ATM the behavior shield is mostly passive, as it reports all the suspicious binaries to the virus lab (CommunityIQ).
-
Take a look here: http://www.im-infected.com/trojan/win32malware-gen.html
:)
-
Take a look here: http://www.im-infected.com/trojan/win32malware-gen.html
:)
This is not from Avast ... ::)
It's mostly a signature generated by an automated analysis system (like Win32:Rootkit-Gen or Win32:Dropper-Gen or Win32:Trojan-Gen); they are added very quickly. I can submit an undetected sample from a program and 2 hours later it gets detected with one of these signatures.
-
Ok, then we need to help twn321 to get rid of this. He said that he can't find it in the "stdole" directory or in the virus chest. Do you think that avast! has deleted the threat, or is he still infected?
-
Ok, then we need to help twn321 to get rid of this. He said that he can't find it in the "stdole" directory or in the virus chest. Do you think that avast! has deleted the threat, or is he still infected?
Avast! never deletes a file unless the user chose "Delete" instead of "Move to Chest" or he has deleted it from the virus chest ...
-
So has this Win32: Malware-gen thing been confirmed as a real threat or a false positive?
I'm still suspicious of it but I've had three different files being reported as Win32: Malware-gen by Avast, and only using boot time high sensitivity scans. I used Avast's delete option to get rid of the first reported problem, which was a file in my Restore Points folder. A new boot time scan afterwards was clean.
That was last weekend. This weekend I did another boot time scan and very quickly up came another case, this time in my Docs & Settings > All Users > Application Data folder. This time I sent it to the virus chest. Later that day I did another boot time scan and there was another reported Win32: Malware-gen this time again in the Restore Points folder but a different file from the previous deleted case.
As I knew where it was, I found the folder and used both Spybot and then Malwarebytes to scan the folder. They reported nothing. I then tried a Quick Avast scan and that, which like the Full System scan I'd also done had shown up nothing previously with this or the earlier 'infections', was now also reporting the file as a virus.
Again I put it in the virus chest, repeated a boot time scan (clean), Quick scan (clean) and a full system Malwarebytes scan (clean). This morning I did a boot time scan at Normal sensitivity and that came out clean too.
That's where I am at, but now I'm no longer sure what to trust and not looking forward to doing a boot time scan at highest sensitivity in case it throws up another Win32: Malware-gen report somewhere else.
I thought I'd check
-
Take a look here: http://www.im-infected.com/trojan/win32malware-gen.html
:)
This is not from Avast ... ::)
It's mostly a signature generated by an automated analysis system (like Win32:Rootkit-Gen or Win32:Dropper-Gen or Win32:Trojan-Gen); they are added very quickly. I can submit an undetected sample from a program and 2 hours later it gets detected with one of these signatures.
If it is signature based then it looks like it's not a false positive. But there still is a minimum chance to be a false positive.
-
The Win32:Malware-gen or Win32:Trojan-gen are generic signatures (the -gen at the end), which are designed to detect multiple variants of the same malware type. This is why you see them on different files and variants, so it isn't a single signature detecting a single piece/variant of malware.