Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: AGirlWithQuestions on November 20, 2009, 11:36:29 PM

Title: npmirage.dll a false positive?
Post by: AGirlWithQuestions on November 20, 2009, 11:36:29 PM
Hello!  Last night I was doing a scan and npmirage.dll came up as a trojan horse.  Specifically: 

Win32:Agent-AIDQ [trj]

This never was detected by Avast before.  The file was listed as last being modified on January 02, 2006.  Google results haven't said it's anything bad.  I also came across a HijackThis log I posted on an anti-spyware forum a few years ago and the file was listed in the log, but the helper didn't say it was a problem.

I also did scans in A-squared, Malwarebytes, and Spybot Search And Destroy yesterday and today.  It has not been detected by any of those programs.  I did try uploading the file to the online virus scans like it was suggested in the false positives sticky topic but I only got a message saying something about "0 bytes".  I also tried mailing in the file to the Avast team as suggested, but I'm unable to zip the file.  Perhaps because it's in the Windows System 32 folder?

Any help/clarification on this matter would be GREATLY appreciated!  :)
Title: Re: npmirage.dll a false positive?
Post by: DavidR on November 21, 2009, 01:12:11 AM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, giving the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.


The zero bytes usually indicates avast is either alerting or blocking activity on the file:
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If only avast and GData detect this:
Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and possible false positive in the subject. Given the difficulty you had emailing, try this.
 
You can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Title: Re: npmirage.dll a false positive?
Post by: Milos on November 23, 2009, 09:24:05 PM
Hi,
thank you for sending the sample. The false positive will be fixed.

Milos
Title: Re: npmirage.dll a false positive?
Post by: DeLuk on November 24, 2009, 08:03:56 PM
Glad I could be of help, having sent the file, and thank you, Milos, for promptly taking care of this false-positive issue. I have just re-scanned the file npmirage.dll with the latest defs (VPS 091124-0) and it is no longer detected. Thank you again.
Title: Re: npmirage.dll a false positive?
Post by: DavidR on November 24, 2009, 08:37:20 PM
Thanks for the feedback.