Avast WEBforum
Other => Viruses and worms => Topic started by: baabel on February 03, 2011, 10:19:23 AM
-
Showed up this morning after overnight scan.
False Alarms?
C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
C:\WINDOWS\$NTServicePackUninstall$\dnsrslvr.dll
Baabel
-
You say these are detected as malware?
What is the malware name they are detected as?
Can you post the scan log...
-
The same occurred on my XP system during its overnight scan. The log showed the severity as High with the following status:
Threat: Win32:Malware-Gen
My settings direct the repair, then move to chest if the repair could not be done ... and the object was moved to the chest.
Bob Howard
-
This is also happening to me this morning. I suspect it is a false positive, but when I navigated in Windows Explorer to look at the file (was going to right click it and look at properties), avast moved it to the chest. Where physically on the PC does avast store the log file? If necessary I can repost and include it. For now, the two locations it was found in, avast moved the files to the chest. Other sources on the web indicate that this is a normal Microsoft file and that it is needed to resolve the PC's DNS name. What action do we take?
-
Hello,
Send us (virus@avast.com) the file to analyze, please. Put "False positive" in the subject.
Milos
-
Hello, will do. But can you tell me where the actual physical log file is located on the PC so I can send it? In the Avast interface, I only see log results. I cannot seem to find where the actual log file is stored.
-
I just emailed both files moved to the chest re: this issue. Both files are probably the same as one another. Bob Howard
-
I too have had these moved to my virus chest on an overnight scan.
Name:- dnsrslvr.dll
Original Location :- C:\WINDOWS\$hf_mig$\KB945553\SP2QFE
Size :- 45568
Last Modified :- 2/20/2008
Virus Description :- Win32:malware-gen
File ID :- 8
Name:- dnsrslvr.dll
Original Location :- C:\WINDOWS\$NtServicePackUninstall$
Size :- 45568
Last Modified :- 2/20/2008
Virus Description :- Win32:malware-gen
File ID :- 9
As I was writing this another threat popped up while running Malwarebytes. (Malwarebytes didn't report this as a threat. Only Avast did.)
Name:- A0187521.dll
Original Location :- C:\System Volume Information\_restore{09CBDF19............
Last Modified :- 2/20/2008
Virus Description :- Win32:malware-gen
File ID :- 10
-
Add me to the list. Here's the two files which turned up in last night's scan of my Windows XP box.
C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll [severity: high]
C:\WINDOWS\$NtServicePackUninstall$\dnsrslvr.dll [severity: high]
-
I have submitted the files moved to my chest for analysis.
C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
C:\WINDOWS\system32\dllcache\dnsrslvr.dll
-
Here is the scan log:
* avast! Scan Report
* This file is generated automatically
*
* Scan name: Daily scan
* Started on: Thursday, February 03, 2011 2:55:00 AM
* VPS: 110203-0, 02/02/2011
*
C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll [L] Win32:Malware-gen (0)
C:\WINDOWS\system32\dllcache\dnsrslvr.dll [L] Win32:Malware-gen (0)
Infected files: 2
Total files: 400900
Total folders: 40818
Total size: 359.4 GB
*
* Scan stopped: Thursday, February 03, 2011 4:03:52 AM
* Run-time was 1 hour(s), 8 minute(s), 52 second(s)
*
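-
Added example, not part of the thread or of avast's own tooling: a small Python parser for the scan report format shown in the post above, which groups detections by file name so that several copies of one file hit by the same generic name stand out when filing a false-positive report. The regular expressions are inferred from that one sample, and treating a "-gen" suffix as a generic signature is an assumption.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules on any OS

# Scan report as posted in this thread (header and footer trimmed).
SAMPLE_REPORT = r"""* avast! Scan Report
* Scan name: Daily scan
* VPS: 110203-0, 02/02/2011
C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll [L] Win32:Malware-gen (0)
C:\WINDOWS\system32\dllcache\dnsrslvr.dll [L] Win32:Malware-gen (0)
Infected files: 2
Total files: 400900
Total folders: 40818
Total size: 359.4 GB
"""

# path, bracketed flag, detection name, trailing number. The flag and number
# are captured as-is; the thread does not say what they mean.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<flag>\w+)\] (?P<name>\S+) \((?P<num>\d+)\)$")
SUMMARY = re.compile(r"^(?P<key>Infected files|Total files|Total folders): (?P<val>\d+)$")

def parse_report(text):
    """Return (detections, summary) from an avast! scan report."""
    detections, summary = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("*"):
            continue  # comment/header lines
        m = DETECTION.match(line)
        if m:
            detections.append(m.groupdict())
        elif (m := SUMMARY.match(line)):
            summary[m["key"]] = int(m["val"])
    return detections, summary

def triage(detections, summary):
    """Group hits by file name and note patterns worth mentioning in a report."""
    by_file = defaultdict(list)
    for d in detections:
        by_file[basename(d["path"]).lower()].append(d)
    notes = []
    if summary.get("Infected files") != len(detections):
        notes.append("parsed detections do not match 'Infected files' count")
    for name, hits in by_file.items():
        # Assumption: a "-gen" suffix marks a generic signature.
        if len(hits) > 1 and all(h["name"].lower().endswith("-gen") for h in hits):
            notes.append(f"{name}: {len(hits)} copies, generic signature only")
    return dict(by_file), notes
```

A note from `triage` is only a reason to submit the files for analysis, as the replies in this thread advise; it does not establish that a file is clean.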
-
I am not sure where the log file is but it appears that others have seen the same false positive.
If it pops up again on tonight's scan I will try to find the log file.
Baabel .
-
I had to scrounge around to find the location of log files, it was not immediately evident to me where they were located. I finally clicked the help file under reports and found this:
"For a computer running Windows 2000/XP - C:\Documents and Settings\All Users\Application Data\ALWIL Software\Avast5\report"
"For a computer running Windows Vista or Windows 7 - C:\ProgramData\ALWIL Software\Avast5\report"
-
So if avast analyzes this do they post findings here?
Do we restore files from chest then?
Some Google search results on this file - dnsrslvr.dll - indicate this file may be a "needed" file.
Anyone know?
-
I'd guess that you should restore them.
I never removed them - I ignored the "find".
Once Avast corrected the problem the files are no longer "found" on my nightly scans.
So I'd say restore them.
Baabel .
-
And once again, Avast is reporting that SOUNDMAN.EXE is infected with malware.
This single file seems to be doomed to a whole series of false positive notices.....
-
Then resubmit it to the virus labs for reanalysis.
Send the sample to avast as a False Positive:
Open the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body and false positive in the subject.
-
Another false positive today - Topaz Labs PSP and Photoshop filters. 8bf files. Didn't find it as malware two days ago - today it's grabbing it and putting it in the chest. Submitted a report. Getting tired of this. I did submit the file.
-
I uploaded that file to VirusTotal.
http://www.virustotal.com/file-scan/report.html?id=e62d567e57be6648b791d467f0cedc4986f01f1018cb4305115df7182c0689ad-1287571018
Now I don't know what to do. Have been using it forever...malware scans by Spybot never found it, Avast never found it...until today.
-
Well, to start with I would upload it again to VT as you have picked up an old analysis from 2010-10-20 which is positively ancient in AV terms. This one is from today and it tells a totally different story, http://www.virustotal.com/file-scan/report.html?id=e62d567e57be6648b791d467f0cedc4986f01f1018cb4305115df7182c0689ad-1296997448.
Whilst there are 19/43 detections they are all either generic or heuristic and are more prone to FP. However, there are still a lot of them that find something suspicious about it, so for now send the file to avast for analysis as I mentioned above.
- In the meantime if you accept the risk (and I feel with 19/43 there is a risk it could have been infected), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe where file_name.exe is the file you want to exclude.
-
Thank you for your help. I appreciate it!
-
No problem, glad I could help.
Welcome to the forums.
-
Thanks!
I uninstalled that plugin.
Then installed the trial of the newest version. Uploaded that file for scan and it was 0/43. And Avast does not find it when I use it in PSP. The one it found was the old trial version, which is now uninstalled. Thanks for the info on that site - very useful tool.
-
You're welcome.
-
Just an update - after uninstall, I cleared all temp files and ran a boot scan. All clear. Nothing left behind. You guys rock!
-
Good news.