Avast WEBforum
Other => Viruses and worms => Topic started by: anaigeon on October 21, 2009, 10:59:47 PM
-
Hi,
This evening, while executing my weekly light scan (I run a deeper one on Sunday), I got this virus alert:
avast! [REZ-DE-CHAUSSEE] : Fichier "C:\Documents and Settings\Admin\Mes documents\Arrivages\Installés\Images\virtualdubmod_virtualdubmod_1.5.10.1_francais_45486.exe" est infecté par "Win32:Adware-gen [Adw]" virus.
"_ Mon analyse légère" tâche utilisée
The mentioned file is the installation program of the French version of VirtualDub (or an add-on to localize it).
This is a well known video program.
What's more surprising is the fact that it has been present for months on my disk, without any warning till today!
I'm not sure it's possible to post files somewhere, in case someone would like to analyse it more thoroughly - in any case I wouldn't post without having been invited to do so.
I doubt it really contains a virus - but I don't use this program, I've just run it a few times right after installation, to see what it can do, and never again since then.
-
Can you submit the file to www.virustotal.com and check?
-
Thanks for this quick answer :-)
I went to www.virustotal.com.
My first attempts were without success, since the site answered that it received 0 bytes...
till I realized that I had to stop Avast LOL
Here is the link to the result (or am I supposed to post the text?)
http://www.virustotal.com/fr/analisis/d0de62c5114fa4310484d174afab80a443684a8054a116b3358c7b0c888bb85a-1256023016
-
wow, 17 out of 41 :o
Definitely malware, not a false positive.
-
Hi anaigeon,
Wasn't the developer aware of this? Read this link, where he reported some workarounds in the code and started flaming AV vendors over the detection: http://www.virtualdub.org/blog/pivot/entry.php?id=245
At least the issue is a little controversial; here they report a worm:
http://www.prevx.com/filenames/1920631375628518756-X1/VIRTUALDUB-V1.6.17.EXE.html
This is because heuristics are being used more and more, and simply because the
UPX executable compressor was used on the software, it is detected as a worm/trojan.
You could check this with avast, or ask whether this actually is the reason for it being flagged;
typical for this are the flags "AdWare.Rabio.db (Not a Virus)" and Comodo's
"Unclassified Malware", all typical of a heuristic find.
According to Google, VirtualDub might be bundled with malware,
but at Unmask Parasites the site is given as clean...
This source may be safe: http://virtualdub.sourceforge.net/
Or use an alternative like: http://sourceforge.net/projects/camstudio/
polonus
-
Thank you very much. I'll probably delete this file, or consider getting the latest (English) version, in which they seem to have taken this problem into account, if I understand a comment on the SourceForge page correctly.
Alain
-
Hi anaigeon,
Glad we could help with the additional info, welcome to the forums here,
stay safe and secure is the wish of,
polonus
-
Can Notepad.exe be a false positive from Malwarebytes?
Here are the logs:
Malwarebytes' Anti-Malware 1.41
Database version: 3001
Windows 6.0.6002 Service Pack 2
10/20/2009 10:38:34 PM
mbam-log-2009-10-20 (22-38-30).txt
Scan type: Quick Scan
Objects scanned: 31578
Time elapsed: 3 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
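The two "Registry Data Items Infected" lines above are what the question turns on: MBAM reports that the .scr and .reg "open" handlers point to NOTEPAD.EXE instead of the stock values. As an added example (not part of the thread and not Malwarebytes' own code), the block below parses those log entries into structured records and gives each one a triage label, so that an analyst can see at a glance whether the replacement handler is a text viewer (the file is opened rather than executed) or something unexpected. The sample log is the two lines quoted in the post, embedded as a constructed fixture; the "viewer-redirect" label and the live-registry comparison via `winreg` (only available on Windows) are this example's own assumptions, not MBAM's classification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

try:
    import winreg  # only present on Windows; the parser works without it
except ImportError:  # pragma: no cover
    winreg = None

# Constructed fixture: the two entries from the MBAM 1.41 log in the thread.
SAMPLE_LOG = """\
Registry Data Items Infected:
HKEY_CLASSES_ROOT\\scrfile\\shell\\open\\command\\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\\regfile\\shell\\open\\command\\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.
Folders Infected:
(No malicious items detected)
"""

@dataclass
class RegistryItem:
    key: str
    detection: str
    bad: str
    good: str
    action: str

_ITEM_RE = re.compile(
    r"^(?P<key>HKEY_[^ ]+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)

def parse_registry_items(log_text: str) -> List[RegistryItem]:
    """Extract the entries under 'Registry Data Items Infected:' from an MBAM log."""
    items: List[RegistryItem] = []
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith(":"):  # every section header switches the state
            in_section = line == "Registry Data Items Infected:"
            continue
        if not in_section:
            continue
        m = _ITEM_RE.match(line)
        if m:
            items.append(RegistryItem(**m.groupdict()))
    return items

# Assumption of this example: a handler that merely views the file is a
# triage hint ("someone hardened this?"), not a verdict on intent.
VIEWER_HANDLERS = ("notepad.exe",)

def _program(command: str) -> str:
    return command.split()[0].strip('"').lower()

def triage(item: RegistryItem) -> str:
    """Label a Broken.OpenCommand entry for an analyst."""
    bad_prog = _program(item.bad)
    if bad_prog.endswith(VIEWER_HANDLERS):
        return "viewer-redirect"    # file type opens in a text viewer, not executed
    if bad_prog == _program(item.good):
        return "expected-handler"   # same program, only the arguments differ
    return "unexpected-handler"     # points somewhere else entirely: investigate

def live_handler(file_class: str) -> Optional[str]:
    """On Windows, read the current (default) open command for a file class so
    it can be compared with the log's Good value; returns None elsewhere."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                        rf"{file_class}\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
        return value

if __name__ == "__main__":
    for item in parse_registry_items(SAMPLE_LOG):
        print(f"{item.key}\n  bad={item.bad!r} good={item.good!r} -> {triage(item)}")
```

Run as a script it prints both entries with the "viewer-redirect" label; on a Windows host, `live_handler("scrfile")` and `live_handler("regfile")` show whether the values MBAM objected to are still in place before deciding to restore the defaults or ignore the detection.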
-
Submit it to www.virustotal.com to check.
-
Update MBAM to 3009, as it could be a false positive in your update, but it may have to be ignored:
http://www.malwarebytes.org/forums/index.php?showtopic=26770&hl=notepad