Avast WEBforum

Other => Viruses and worms => Topic started by: Bub12 on January 30, 2010, 06:18:31 AM

Title: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 06:18:31 AM
Hi,

First, I keep a very clean system running multiple AV/AS protections, use a hard & soft firewall & am very careful where I go online.

Tonight, Avast picked up the following after SuperAntiSpyware was clean.

Infection: A0012663.exe
Location: C:\System Volume Information\_restore{.........}\RP93
Virus: Win32:Malware-gen

Infection: Inchtour.exe
Location: C:\Program Files\Microsoft Works\
Virus: Win32:Malware-gen

I have since scanned with Avast again & MBAM & came up clean. The infections are in the chest.

I did need to download some PDF & Word email attachments today from schools. I scanned the files & they came up clean. I also ran 3 different full scans after I downloaded the docs from one school & all was clean. I then downloaded docs from the 2nd school, which is a college, & ran some scans & came up clean. Not sure if I ran Avast at that time. I did run Avast a few hours later & that's when it picked up the infections.
 
Any thoughts?

Thanks!

Title: Re: Win32:Malware-gen...False Positives?
Post by: FreewheelinFrank on January 30, 2010, 07:36:20 AM
Hi,

Please follow the advice on this thread regarding possible false positives.

http://forum.avast.com/index.php?board=2;action=display;threadid=7779
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 07:52:47 AM
Thanks Frank but I am not a big fan of using such online scans & uploading my files to such services. Like I said, I am extremely cautious online :-)

I was hoping that avast could tell me if it was an fp.

Also, I have in the past sent Avast potential FP's & never received a response. This happened more than once if memory serves me :-(

I am a bit unclear on how such a service would work as well. For example, I believe that inchtour is a normal MS Works file so how would uploading it to an online scanning service let me know if it was infected?

 
Title: Re: Win32:Malware-gen...False Positives?
Post by: FreewheelinFrank on January 30, 2010, 07:57:36 AM
If it's clear in the email that it's a false positive, I believe the sample is given priority and definitions updated if it is confirmed.

But if you want a response, other AV companies are miles better.  ;)

http://analysis.avira.com/samples/index.php
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 08:08:11 AM
A nice, easy to use form from Avira. But hey, beggars can't be choosers. I use Avast free version.

I hope someone from Avast will let me know in this forum if these are fp's.

I will try to email them as well. The method of sending Avast detections is not clear to me. There is an easy way directly from the logs, I think.
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 08:11:09 AM
For example ...

"Pack the "infected" file into ZIP archive and lock it with password "virus" "

I have no idea how to lock a zip file or how to safely get potentially infected files into a zip.
Title: Re: Win32:Malware-gen...False Positives?
Post by: FreewheelinFrank on January 30, 2010, 09:29:33 AM
Even if you manage it, many ISPs won't send .exe's, even zipped.

I think there is a way to send suspected false positives from the chest. That's probably the best way.
Title: Re: Win32:Malware-gen...False Positives?
Post by: jason67 on January 30, 2010, 09:59:24 AM
I'm getting this as well.

inchtour.exe. win32:malware-gen

For some reason Avast won't let me send an email when I right-click on the file in the chest. It's unresponsive.
Title: Re: Win32:Malware-gen...False Positives?
Post by: jason67 on January 30, 2010, 10:09:32 AM
FWIW, I downloaded FFDShow from free-codecs.com today just before Avast picked it up. However, it was also right after a virus definition update, and during an MBAM scan.

The file was found in C:\Program Files\Microsoft Works.
Title: Re: Win32:Malware-gen...False Positives?
Post by: spokes on January 30, 2010, 11:22:03 AM
I got a similar virus alert yesterday regarding Microsoft audioconverter.exe, put the file in the Virus Chest and did a boot scan to make sure everything was clean. This morning after the Avast update I scanned the file again and all is clear, so I've restored the file on the assumption it was a false positive yesterday (especially judging from all the similar reports on here in the past 24 hours).
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 05:39:06 PM
Anybody else experiencing this?
Title: Re: Win32:Malware-gen...False Positives?
Post by: petek on January 30, 2010, 06:16:35 PM
A win32:malware-gen in msworks.exe was flagged on my PC today. The only thing I've installed recently is Microsoft's converter pack to allow me to open new MS Word .docx documents with an older version of Word. I've moved msworks.exe, which I have never used anyway, to the chest. This does sound like a false positive. Any ideas ?

Pete

Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 08:05:17 PM
Well, I tried emailing the infections via the "email Avast" option from the chest & nothing appeared to happen, any suggestions?

I have restored the files & am rescanning but I believe I already had the most current version of Avast when it detected the infections. We'll see what happens...
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 08:12:31 PM
Bad News!

Like I said, I restored the files & the infection is still being detected.

Anyone from Avast here that can help?
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 30, 2010, 09:13:49 PM
Well....Avast just updated so I figured they may have fixed the possible fp problem. I restored the files & they were still detected as infections. Since I restored the files, I was however able to access them to upload them to Jotti & VT. However, after submitting the files, I was told that the files were empty containing 0 bytes of info.

I went into C/:ProgramFile/MSWorks/Inchtour, clicked properties, looked around & as I closed it by clicking "OK", I was told that I could not make changes as the file was in use or read only, so I used "cancel" to escape. When I again went into MSWorks, there was a shortcut icon to "Inchtour" that had been created adjacent to the "Inchtour" icon. I did not create a shortcut, so I deleted it.

I again put the "Inchtour" file in the chest. Any other suggestions?
Title: Re: Win32:Malware-gen...False Positives?
Post by: jason67 on January 30, 2010, 11:39:09 PM
Still no fix after the update. It's weird that we can't get the 'email avast' thing to work yet others can.
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 02:52:58 AM
Quote
Still no fix after the update. It's weird that we can't get the 'email avast' thing to work yet others can.

I am told that is normal.

Also, on another subject...I cannot upload the file to Jotti or VT as I am told that the file is empty or is 0 bytes. I don't understand. It was suggested in another forum that my firewall may be responsible but I have never had a problem uploading a file before. It was also suggested that it might be a result of malware. (This was on bleepingcomputer.com)
Title: Re: Win32:Malware-gen...False Positives?
Post by: jason67 on January 31, 2010, 03:11:58 AM
Quote
Still no fix after the update. It's weird that we can't get the 'email avast' thing to work yet others can.

I am told that is normal.


Are you referring to not being able to email?
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 03:34:07 AM
Yes Jason...

Also, just an update...

I was able to upload the Inchtour.PIF, which is an apparent shortcut to the Inchtour.exe file, to Jotti & VirusTotal.

I was not able to upload the original Inchtour.exe file however. When I went to the properties of the Inchtour.exe file, an Inchtour icon shortcut was created automatically. This is a shortcut to "an msdos program" as it's stated in the properties of the shortcut. In the properties of this shortcut, it is also indicated that it's a shortcut to the Inchtour.exe. I am able to upload this file to the online scanners but when I upload the original Inchtour.exe file directly, it comes up as 0 bytes, although the file size is 3.92.

I hope this makes sense. If not, please reread as I don't know how else to explain it :-) Thanks!
Title: Re: Win32:Malware-gen...False Positives?
Post by: DavidR on January 31, 2010, 04:52:07 AM
Because avast is blocking the upload.

Create a folder called Suspect in the C:\ drive.
Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder and allow it to be uploaded to VT.
Title: Re: Win32:Malware-gen...False Positives?
Post by: jason67 on January 31, 2010, 05:37:14 AM
Quote
Yes Jason...

I'm not sure what you mean exactly by 'normal'. Does it just randomly not work every once in a while? Or is there a known cause that I should look into?

It’s worked every other time I’ve tried it, and people in other recent threads don’t seem to have a problem.  

I know it’s obviously 99.99% a false positive, the only reason I’m slightly concerned is that I downloaded some freeware recently after not having done so in a long while, and having zero detections in that time span.

Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 06:35:43 AM
Quote
Because avast is blocking the upload.

Create a folder called Suspect in the C:\ drive.
Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder and allow it to be uploaded to VT.


THANK YOU for replying! I really appreciate it. I have been at this for 24 hours & am still not sure what's going on. Knowing that Avast is blocking the upload, helps.

What about that shortcut that's getting automatically created? Does that ring any bells for you?
And...does my problem seem like a false positive?

Thanks again!

Jason,
I was told by someone in another forum that he suspected that it was normal that we are not receiving notification that we are actually emailing Avast. He experiences the same with another AV. The source of the info is trusted. But who knows for sure why we're not receiving verification?
Title: Re: Win32:Malware-gen...False Positives?
Post by: DavidR on January 31, 2010, 04:38:28 PM
I have no idea what is creating the inchtour.pif, which incidentally isn't a shortcut but can be a dangerous file type. The .pif file type stands for program information file and is actually used to run/install/setup a program.

http://filext.com/file-extension/PIF
Quote
The PIF file type is primarily associated with 'Windows' by Microsoft Corporation. A Program Information File dates back to the early versions of Windows. Basically, it's an information file that when you click on it the information in the file is used by Windows to run some program; including code that can be in the PIF file. It is a potentially dangerous file type and one should never click on one received via E-mail without extensive knowledge of exactly what it will do first. Note: This file type can become infected and should be carefully scanned if someone sends you a file with this extension.

As for is this an FP I haven't the slightest idea and that is why inchtour.exe should be uploaded to virustotal to confirm or deny the detection.

Uploading inchtour.pif to VT was a futile exercise, as I would almost guarantee nothing would be detected: it is just a text file with a bunch of commands, etc., which in themselves aren't malicious; it is the actions or files that they might run that could be malicious. But avast wasn't alerting on this either, so no real point in uploading it, as it doesn't have any bearing on the inchtour.exe detection.

So once you have the suspect folder created and the exclusion set upload it to virustotal and post the URL to the results page of virustotal, then we might be able to say with any sort of confidence if the detection was good or not.
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 05:58:49 PM
Hi DavidR & thanks...

As far as the lnchtour.pif not being a shortcut...I really don't know but it does state that it is a shortcut in the file properties.

Before I try to create the "suspect" folder, fyi, I uploaded the inchtour.exe file from my other pc to VT & Jotti. Is that enough or do I need to upload it from the computer showing the "malware" too?

From my other pc, which also has an lnchtour.exe file, the VT results showed 4 of 40 positives & 36 scans were clean.

Jotti showed no positives.
Title: Re: Win32:Malware-gen...False Positives?
Post by: DavidR on January 31, 2010, 06:33:32 PM
We are dealing with the one on this system that is considered infected. I don't know what is on your other system, even if it was the exact same file you uploaded to VT you didn't post the results URL.

So please let's do this as suggested or we are both wasting time. You have to do it in the order that I laid it out in my previous post, Reply #19 above, or avast will alert or block any action on a file it considers infected.

Create the suspect folder, exclude the folder in the file system shield before Extracting it from the chest (presumably that is where it is).
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 07:06:37 PM
Okay, here ya go:

http://www.virustotal.com/analisis/2d1112d27497f13033de96f3312d740ef173347bef091dedbd101b7a0399a4b5-1264960911

Hope I did this right...
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 07:23:24 PM
One more thing...

Avast updated this morning & AFTER I set up the Suspect folder & uploaded the file to VT, I moved the file back to the MS Works folder & clicked properties, which was setting off Avast sirens :-) as well as creating that MSDOS icon. Well, no more sirens & no more magically created icon.

I am scanning now to see if this was an FP which has been remedied. Seems to be the case, but we'll see...


UPDATE

Just did a full scan & all is clean!!! Grrrrrrr!!! Looks like the countless hours invested were all for an FP after all. Just for kicks, I tried to upload the lnchtour file to VT again, directly from the MSWorks folder, & it uploaded okay. You were right DavidR, it must have been blocked from uploading initially by Avast. It also seems as though, by Avast considering this file to be infected, for some reason the MSDOS/lnchtour icon was being created, as that is no longer happening either.

Thanks everyone! Maybe Avast will post something confirming this FP for others to see as well. I have seen MBAM clearly post info of FP's on their site in the past & I have found that to be very considerate & helpful.
Title: Re: Win32:Malware-gen...False Positives?
Post by: DavidR on January 31, 2010, 08:45:16 PM
Yes looks like it was cleared in a VPS update as it was no longer detected by avast on VT.

Generally it will have been submitted to someone as well, so they are quick to act on an FP once acknowledged.

The time is seldom wasted as the experience gained is never wasted ;D
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 09:03:49 PM
Quote
The time is seldom wasted as the experience gained is never wasted

Tell that to my wife  ;)

The only thing that still bugs me is that I wish I more clearly understood that MSDOS/lnchtour.pif file that was magically being created...

Title: Re: Win32:Malware-gen...False Positives?
Post by: DavidR on January 31, 2010, 09:18:19 PM
I don't know either. Computer mysteries, ah, can't live without them, can't live with them.
Title: Re: Win32:Malware-gen...False Positives?
Post by: Bub12 on January 31, 2010, 09:34:17 PM
And one more thing :-)

The other "mystery" is that Avast didn't pick up the lnchtour file on my old pc & come to think of it, when I uploaded the lnchtour file from the old pc(& today on the pc in question), VT said that the file had already been scanned. I, of course, chose the option to scan again both times, but yesterday on the old pc, the file was not shown as a positive by Avast on VT. It only showed as a positive on my newer pc, not the old pc & not on VT. Yesterday, when I uploaded the file from the old pc, VT did show 4 other positive scans for lnchtour.exe & today they only showed one. So it looks like other AV's were also having an FP problem.
Title: Re: Win32:Malware-gen...False Positives?
Post by: DavidR on January 31, 2010, 09:58:29 PM
Different versions of the same file may have different results. Unless you know for a fact that they are identical (MD5 hash number), there is no way to say for sure.
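The point DavidR makes above (two copies of inchtour.exe on two PCs are only "the same file" if their hashes match) and Bub12's earlier "0 bytes" upload problem can both be checked from a script rather than by eye. The following is an added example written for this thread, not code from Avast, VirusTotal or any poster. It hashes a file with MD5 and SHA-256, refuses to compare a file that reads back as 0 bytes (which is what an on-access scanner blocking the read looks like to the uploading program), and compares the local SHA-256 against the hash embedded in an old-style VirusTotal results URL. The assumption that the 64-hex-digit part of a `/analisis/<hash>-<timestamp>` URL is the sample's SHA-256, and the sample bytes in `demo()`, are constructed for this example.

```python
import hashlib
import os
import re
import tempfile

# Old-style VirusTotal results URL: /analisis/<sha256>-<unix timestamp>
# Assumption for this example: the 64-hex-digit component is the sample's SHA-256.
VT_URL_RE = re.compile(r"/analisis/([0-9a-fA-F]{64})-\d+")


def hash_bytes(data):
    """Size, MD5 and SHA-256 of an in-memory blob."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 16):
    """Same as hash_bytes, but streamed from disk so large samples need little memory."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sha256_from_vt_url(url):
    """Extract the lower-case SHA-256 from an old-style VT results URL, or None."""
    m = VT_URL_RE.search(url)
    return m.group(1).lower() if m else None


def same_sample(path, vt_url):
    """True if the file on disk is byte-for-byte the sample behind the VT URL.

    A 0-byte read is an error, not a comparison: an empty read is what the
    thread's "file is 0 bytes" upload failure looks like when an on-access
    scanner blocks access to a file it considers infected.
    """
    info = hash_file(path)
    if info["size"] == 0:
        raise ValueError("%s read back as 0 bytes (is the on-access scanner blocking it?)" % path)
    expected = sha256_from_vt_url(vt_url)
    return expected is not None and info["sha256"] == expected


def demo():
    """Two constructed 'copies' of a file differing in one byte: same size,
    different hashes, so only one matches a VT URL built from the first."""
    copy_a = b"MZ" + b"\x90" * 100            # constructed stand-in for inchtour.exe
    copy_b = b"MZ" + b"\x90" * 99 + b"\xcc"   # indistinguishable from copy_a by size alone
    fake_url = "http://www.virustotal.com/analisis/%s-1264960911" % hashlib.sha256(copy_a).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path_a, path_b = os.path.join(tmp, "a.exe"), os.path.join(tmp, "b.exe")
        with open(path_a, "wb") as fh:
            fh.write(copy_a)
        with open(path_b, "wb") as fh:
            fh.write(copy_b)
        return {
            "same_size": hash_file(path_a)["size"] == hash_file(path_b)["size"],
            "a_matches": same_sample(path_a, fake_url),
            "b_matches": same_sample(path_b, fake_url),
        }


if __name__ == "__main__":
    print(demo())
```

To apply it to the thread's situation, run `hash_file()` on inchtour.exe on each PC and compare the SHA-256 values; the MD5 is included only because that is the hash older tools and forum posts quote. If the hashes differ, the two VT verdicts were for two different files and say nothing about each other.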
Title: Re: Win32:Malware-gen...False Positives?
Post by: CharleyO on February 01, 2010, 12:23:50 PM
When you send a file from the Chest to avast, it will not be sent until an automatic update is performed or until you instigate a manual update.
Title: Re: Win32:Malware-gen...False Positives?
Post by: DavidR on February 01, 2010, 05:55:59 PM
Quote
When you send a file from the Chest to avast, it will not be sent until an automatic update is performed or until you instigate a manual update.

Depends on what version of avast you have, as I believe I remember one of the Alwil team mentioning that in avast 5 this detection and submission may push the auto update through sooner than the normal time interval. Me, if I submit any file it is followed almost instantly by a manual update, to get it away promptly.