Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: filc on March 01, 2011, 10:29:55 PM
-
Hi Folks,
I just installed SP1 for W7 and now it's saying I have a virus.
Original file name: mscorlib.dll
Original folder: c:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9EFD.tmp
Original size of file: 11490304
Last Modification Time: 3/1/2011 8:19:57 PM
Time of transfer to Chest: 3/1/2011 1:19:58 PM
Category: Infected files
Virus Decsription: Win32:Spyeye-BG[Trj]
File ID: 18
It's annoying because the "Trojan Horse Blocked" message is spamming my desktop every few minutes. It says no further action is required but just keeps popping up!
Any thoughts?
-
Upload as a false positive from the chest
-
I get the exact same thing, I have installed SP1 on my work PC that is protected by Sophos and it went fine, used the same DVD to install, so it must be false..or the infection is only showing since sp1 update (if its real)..
-
I have no problems with SP1 myself so definitely comes under the heading weird
-
Lovely a false positive that keep coming back and back and back....
I don't even get the time to fill in the feed-back form before another pops up again.
-
Ahh so I am not alone in this, thats good.
-
Hi
Have the same problem after installation of Service Pack 1 today.
I was able to fill the form. The information will be uploaded with the next virus definition update.
I put the link to this thread as additional information.
But I do not feel well to suppress the message :o. Is it really not an infected file downloaded from Microsoft? ???
Best regards
Paul
-
add another file to the list:
mscorlib.ni.dll
Same alert as the mscorlib.dll
For the record I am using Windows 7 x64 Ultimate
Avast! AIS6 installed (latest update)
-
Having the same exact issue as well.. All After installing Windows 7 SP1, system was fine all day until I installed the service pack... Now nothing but alerts every 5 seconds...
Windows 7 x64 Ultimate
Avast Program Version: 6.0.1000
Virus Definitions: 110301-1
-
I just downloaded Windows 7 Service pak 1 and have the same problem. HELP!
-
Well, I am not NOT going to install SP1 on another PC I have. Else I might have another PC having issue's in the end.
(Guess I will come back to the forum to see if it has been resolved or I might even read about it in the news... www.h-online.com might report it. They did so with other false possitive in the past too of other anti-virus vendors.)
-
Here is what you can do for now. Press the "PIN" on the top right next to the X on the warning dialog box. That at least will keep it from popping up every 30 seconds, but it will remain there. So you have to judge for yourself which is more annoying.
Then all we can do now is wait for definition updates. =p
-
Getting the same thing here as well, done an update on the program and definitions and still getting it.
-
Hi
I pressed the x pin on the top left of the window and it was closed.
But a new message is displayed just after ~2 minutes.
But I could temporary stop the message permanently: I stopped the service named "Microsoft .NET Framework NGEN v4.0.30319_X86".
This was consuming my CPU very much because of the high avast activity caused by the messages above.
Now the CPU load is down and the messages disappears. But with the next machine start the service will start again automatically. Not sure if I should disable the service complete.
Kind regards
Paul
-
I have the same file in the same location but with no continuous popups.
I installed SP1 days ago bu this morning was the first time that the warning appeared.
Maybe Avast update & ignore it?
Cheers :)
-
i had the same problem for a while after the service pack 1 install and it has now stopped.......
i ran ashampoo winoptimizer and updated avast program and updates.
not sure if either solved the problem.......... ???
-
Just installed Win7 SP1 and I get the same virus warning.
Windows 7 Home Premium 64bit.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP428B.tmp\mscorlib.dll
Anyone know if this is real or a false positive for sure?
Updated virus definitions and program then rebooted. That did not resolve the issue.
Ran CCleaner, Cleaned all temp files and cleaned registry and it stopped.
-
just updated avast..program update..about to reboot..fingers crossed..
-
I just registered to add that I'm having the same problem. I hope they fix this soon, and REALLY hope windows patch service hasn't been breached and sending out malware in their updates! btw full legal non-pirated win7 home premium 64 fresh install. only other software on it is ms office 2010 (licensed), avast free and printer drivers.
(http://img.myph.us/YCp.gif)
-
Interestingly I just got Avast to run a scan on the c:\windows\microsoft.net\ folder and it found no viruses.
-
Seems like doing a Program update worked!! Been 15mins without a notice. BTW I could do without the Avast gadget, the sys tray icon does a good enough job of letting me know if I'm secure or not.
-
Seems like doing a Program update worked!! Been 15mins without a notice. BTW I could do without the Avast gadget, the sys tray icon does a good enough job of letting me know if I'm secure or not.
I did another program update about 10mins ago and it seems to have cleared up the problem.
-
I reported it as a false positive at the same time it stopped showing up so either the definitions update fixed it, or avast is now ignoring it.
-
Essexboy, I too have the exact same problem following a Windows 7 64 Bit update to SP1. How can I upload a false positive from the chest other than restoring? If I choose this option, Avast will keep on picking this file up as a Trojan.
-
NoordZee update your avast program and definitions and see if its still happening.
-
I got the same annoying problem just after installing Service Pack 1 from Microsoft. I do not know what to do....The warning keeps appearing every few seconds.
-
After doing the update it was clear until a minute ago when:
BING BING BING BING Threat Detected ....
AHHHHHHHHHH!!!!!!
-
http://forum.avast.com/index.php?topic=72696.0
I think if you manually update your virus definitions to the latest version 110301-2 it supposedly fixes the problem.
-
http://forum.avast.com/index.php?topic=72696.0
I think if you manually update your virus definitions to the latest version 110301-2 it supposedly fixes the problem.
Nope, see post above...
-
Just updated the virus defs at the very last version 010311-2, but the problem is still here >:(
-
NoordZee update your avast program and definitions and see if its still happening.
After updating program and definitions I rescanned c:/windows/Microsoft.NET folder and no threats were found. Thinking the update might have cleared the false positive I extracted mscorlib.dll from the virus chest back into c:/windows/Microsoft.NET and rescan and the same threat was detected. I updated program and virus definitions again and did a reboot thorough scan, which returned:
(http://img.myph.us/V3Q.gif)
virustotal.com says its a FP. Is everyone sure avast stopped reporting this as a threat for them or is it just bc its in the Chest? I had like 32 copies of it in mine.
-
Same problem heare!!!:):)
Object: C:\Windows\assembly\Native_v2050727...\mscorsw
Infection/; Win32.spyyey_BG[trj]
Aby ideas?????
-
lucky me I haven't re-installed Avast yet. For unrelated reasons here I re-installed Windows yesterday and mscorsvw.exe ran at a 50% CPU load during half and hour, three times (see screen shot). First time was after the install of "MS .net framework 4 client profile" through Windows update, second time through a security update for it, and finally a new update of the same stuff included in SP1 >>> = 01:30h of CPU @ 50%.
I ranted already about that on MS forum when the program was released. Just been told at the time that they were aware of that and it was wanted this way. Well as seen in task manager it's an optimization phase ;D
Sorry for the off topic but it's still about the same file ;)
-
lucky me I haven't re-installed Avast yet. For unrelated reasons here I re-installed Windows yesterday and mscorsvw.exe ran at a 50% CPU load during half and hour, three times (see screen shot). First time was after the install of "MS .net framework 4 client profile" through Windows update, second time through a security update for it, and finally a new update of the same stuff included in SP1 >>> = 01:30h of CPU @ 50%.
I ranted already about that on MS forum when the program was released. Just been told at the time that they were aware of that and it was wanted this way. Well as seen in task manager it's an optimization phase ;D
Sorry for the off topic but it's still about the same file ;)
Do you have a link to that thread on the ms forum?
-
filc, thank you. I am completely up to date but still went through the motions. When my computer restarted, the same message came up again. I believe that the only way we all can be sure that this particular file is not picked up as a Trojan is for Avast technicians to incorporate a 'cure' in the next update. As a matter of further interest, when I tried to restore the two files that reside in the Virus Chest, a message came up that the file in question is already in existence and would I like to replace it or overwrite it. Hm....!
-
lucky me I haven't re-installed Avast yet. For unrelated reasons here I re-installed Windows yesterday and mscorsvw.exe ran at a 50% CPU load during half and hour, three times (see screen shot). First time was after the install of "MS .net framework 4 client profile" through Windows update, second time through a security update for it, and finally a new update of the same stuff included in SP1 >>> = 01:30h of CPU @ 50%.
I ranted already about that on MS forum when the program was released. Just been told at the time that they were aware of that and it was wanted this way. Well as seen in task manager it's an optimization phase ;D
Sorry for the off topic but it's still about the same file ;)
Do you have a link to that thread on the ms forum?
http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/90f044b6-e48f-4d05-898d-bc2ea56f2837
(was related to .net 3.5 at the time)
-
May I ask why moving the file to chest fails and it's hard deleted instead? Not exactly happy with the whole thing getting recompiled over and over again - which drains CPU like hell because of broken M$ .Net code. (For those who wonder - the CPU usage ain't any fault of Avast, the "optimization" utility is just that shitty.) >:(
And no, 110301-2 virus definitions don't fix it, in fact this version caused the issue here.
-
And no, 110301-2 virus definitions don't fix it, in fact this version caused the issue here.
[/quote]
Doktornotor, I agree with you.
-
I wouldn't mind if the OP of this thread corrected the title, making it clear that it's obviously an FP.
-
Anyone who is still suffering from this problem can get temporary relief by uninstalling Service Pack 1. That was the only thing I could do to stop the constant pop ups. You can do this by going into the Control Panel, Programs and Features, click on View Installed Updates, and scroll down to the Microsoft Windows section. Right Click on Service Pack 1 and select Uninstall. Doing this will take several minutes, but seems to restore all of the previous Windows updates which were overwritten by Service Pack 1.
-
I wouldn't mind if the OP of this thread corrected the title, making it clear that it's obviously an FP.
Updated to, Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
-
Doing this will take several minutes, but seems to restore all of the previous Windows updates which were overwritten by Service Pack 1.
Will take a lot more than minutes for most people, plus it's a huge overkill for something that can be easily fixed by a simple virus definitions update.
-
Doing this will take several minutes, but seems to restore all of the previous Windows updates which were overwritten by Service Pack 1.
Will take a lot more than minutes for most people, plus it's a huge overkill for something that can be easily fixed by a simple virus definitions update.
I agree, I wouldn't recommend un-installing SP1.
-
I am also having the same problem and had updates to 110301-2. The file that shows in the chest is C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a and listed as Win32:Spyeye-BG [Trj]. I extracted it to a folder to send to Virus Total and it shows in that folder as mscorlib.ni.dll. It picked it up a second time so to get it to stop I put it in the exclusions of the file shield and the main program settings under exclusions. When I look under windows explorer I find the file under C:Windows\assembly\mscorlib, not the way it is listed in the chest. Also Virus Total only showed one hit out of 42. Just wanted to add all this in case it helps. sly
-
I wouldn't mind if the OP of this thread corrected the title, making it clear that it's obviously an FP.
Updated to, Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
nice thx ;)
-
Yah I had posted that the program update had fixed the issue. BUT it started to come back about 5 mins after I posted. I unistalled Avast and used Microsoft's free antivirus. Problem solved.
-
Just wanted to make sure people noticed I did stop getting the alert by putting it in the file shield and program settings exclusions. Also wanted to add under windows explorer there are two files one x86 and the other AMD64.
-
Doing this will take several minutes, but seems to restore all of the previous Windows updates which were overwritten by Service Pack 1.
Will take a lot more than minutes for most people, plus it's a huge overkill for something that can be easily fixed by a simple virus definitions update.
I agree, I wouldn't recommend un-installing SP1.
-
for those of you using avast and wanting the new Win7 sp1, available now through autoupdates:
Until avast gets on the ball and rectifies this issue, then this is a temp solution to get rid of the annoying virus alert messages.
(http://i53.tinypic.com/2yuyp0h.jpg)
-
Yeah I guess too many files from .net 4 possibly involved are detected as FPs, meaning that you can't easily exclude them from Avast, and you're better off disabling temporally the service.
-
Good call Mikeb!
-
Yeah I guess too many files from .net 4 possibly involved are detected as FPs, meaning that you can't easily exclude them from Avast, and you're better off disabling temporally the service.
I had no idea you were an avid user here, Logos. Hey old buddy!
-
I have the same problem. I take it this should be added to the exclusions?
-
I received the same multiple pop-up trojan warnings from avast. Windows 7 SP and Avast were simultaneously downloading when it occurred the first time. I think i eventually updated my virus definitions 3 times and updated the avast program itself 3 times (the last time it said it was already up-to-date) before the pop-ups stopped. I also ran my Superantispyware program.
Good luck. :-\
-
one more time for those that didn't see it ....
for those of you using avast and wanting the new Win7 sp1, available now through autoupdates:
Until avast gets on the ball and rectifies this issue, then this is a temp solution to get rid of the annoying virus alert messages.
(http://i53.tinypic.com/2yuyp0h.jpg)
-
Well in this topic there now appears to be three different files being detected, what the OP reported mscorlib.dll and that is further complicated with the fact that there are different versions (file sizes, 1,552KB and 4,444KB) and 5 different file locations on a search on my win7 SP1 netbook system. A scan of those locations doesn't get any alerts.
The other file plopana is mentioning mscorsvw.exe, may well not be covered in this VPS Update, so has anyone sent it off for analysis as an FP. I only have one instance of this file 65KB but not in the windows\assembly folder mne if in the windows\winsxs folder and also comes up clean
Also mscorlib.ni.exe the win32:spyeye-bg one and it seems this file gets created on the fly so it isn't permanent and being detected when created. This one prior to the latest VPS update (below) did alert but subsequently couldn't find the file (I didn't send to chest but blocked).
There has just been another VPS Update, 110302-0
~~~~
Edit: it also happens for .net 2.0 also:
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll [L] Win32:Spyeye-BG [Trj] (0)
-
There has just been another VPS Update, 110302-0
Does that fix the FP issue?
-
David,
Is there anything we can do for you to help facilitate a resolution? I'd be happy to share any information on my system you request.
-
I haven't had a recurrence, but it would have to be triggered by the use of .net framework and the problem is only on my win7 SP1 netbook, which isn't in regular use.
So I can't really test it, but for a VPS update to come out this early in the day or rather released at 23:31:52 (01/03/2011 when the VPS version is 110302-0 (02/03/2011) it has to be related as it has come out very quick.
-
The other file plopana is mentioning mscorsvw.exe, may well not be covered in this VPS Update, so has anyone sent it off for analysis as an FP. I only have one instance of this file 65KB but not in the windows\assembly folder mne if in the windows\winsxs folder and also comes up clean
I don't think anyone reported mscorsvw.exe (the infamous .NET Runtime Optimization Service) binary to trigger a false positive. People were just reporting that it's eating their CPU for lunch. Yeah, it completely sucks, been like that for ages.
-
David,
Is there anything we can do for you to help facilitate a resolution? I'd be happy to share any information on my system you request.
Unfortunately not, I'm in the same boat as everyone else as I'm avast user like you all. The only thing is when detected send it to the chest and submit it from the chest to the virus labs for analysis as an FP.
-
Quick question, I'm looking for reassurance more than anything else I guess. Is the file mentioned by the OP definitely a false positive, or could it be genuinely infected. Can I restore it without risking my pc security/do I need to restore it? Normally I'd think nothing of it but I do game online quite a bit and anything involving a keylogger, as the infected file is described here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Spyeye, makes me worry about my account security.
My own two cents would be to argue in favour of it being a FP, based on the fact that it's only been picked up now, but then I don't know how the NativeImage service works.
Any help would be much appreciated :)
To clarify, the file that got detected on my PC was mscorlib.ni.dll in C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a. The final modification date of the file is within 24 hours of SP1 for win7 being installed
-
The other file plopana is mentioning mscorsvw.exe, may well not be covered in this VPS Update, so has anyone sent it off for analysis as an FP. I only have one instance of this file 65KB but not in the windows\assembly folder mne if in the windows\winsxs folder and also comes up clean
I don't think anyone reported mscorsvw.exe (the infamous .NET Runtime Optimization Service) binary to trigger a false positive. People were just reporting that it's eating their CPU for lunch. Yeah, it completely sucks, been like that for ages.
I think plopana did report it as a win32:spyeye detection also. Though the path has been concatenated, but it wasn't like the others C:\Windows\assembly\Native_v2050727...\mscorlib (see quote below) so my assumption (dangerous I know) was that his detection was on mscorsvw.exe not mscorlib.dll.
Same problem heare!!!:):)
Object: C:\Windows\assembly\Native_v2050727...\mscorsw
Infection/; Win32.spyyey_BG[trj]
But it looks like a typing exercise rather than a copy and paste of the alert text, so confusion reigns.
-
with update 110302.0 looks good now, not showing an alert. ;D
I did restore the file first via right click, selecting restore while in the chest
Thanks
-
I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?
-
I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?
No, you don't need it. It's compiled from mscorlib.dll on-the-fly.
-
No, you don't need it. It's compiled from mscorlib.dll on-the-fly.
Excellent, thanks for letting me know.
-
I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?
No, you don't need it. It's compiled from mscorlib.dll on-the-fly.
Doktor, can I take from this that I don't have to restore the file and can assume that the problem is fixed/my system is "safe"? I'm still running a few scans (malwarebytes, spybot S&D, ad-aware), just don't want to unduly panic more than I have to :) My original post is below
Quick question, I'm looking for reassurance more than anything else I guess. Is the file mentioned by the OP definitely a false positive, or could it be genuinely infected. Can I restore it without risking my pc security/do I need to restore it? Normally I'd think nothing of it but I do game online quite a bit and anything involving a keylogger, as the infected file is described here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Spyeye, makes me worry about my account security.
My own two cents would be to argue in favour of it being a FP, based on the fact that it's only been picked up now, but then I don't know how the NativeImage service works.
Any help would be much appreciated :)
To clarify, the file that got detected on my PC was mscorlib.ni.dll in C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a. The final modification date of the file is within 24 hours of SP1 for win7 being installed
-
Strangely enough I got this alert while using Windows Live Mail, I don't if that makes any difference.
-
i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?
I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?
No, you don't need it. It's compiled from mscorlib.dll on-the-fly.
but the one deleted was mscrolib.dll, which compile which? mscorlib.dll compiles another file or mscrolib.dll is compiled?
-
i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?
You deleted mscorlib.dll or mscorlib.ni.dll?
-
i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?
You deleted mscorlib.dll or mscorlib.ni.dll?
as far as i remember it was mscorlib.dll
and not only that another OLE file in a temp folder was affected too (avast said it was corrupted).
-
Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to. Obviously blindly deleting some files is a bad thing - that's what the chest is for if you are unsure about the file.
-
I have no problems with SP1 myself so definitely comes under the heading weird
i didn't have problems with SP1 (installed the day of the release), but TODAY the problem appeared simultaneously in two different pc's....
Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to.
so im screwed up? cause avast told me to delete exactly that file...
-
so im screwed up? cause avast told me to delete exactly that file...
As noted above, you should put the file into chest, not delete it if you don't know whether it's infected or not. You should have the library in these locations:
C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\Windows\Microsoft.NET\Framework\v4.0.30319
-
Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to. Obviously blindly deleting some files is a bad thing - that's what the chest is for if you are unsure about the file.
"unsure"???? im trusting my security to avast, and avast said it was a trojan so i deleted it!, and after that im the one to blame???
the file is gone... this happen many hours ago (before this thread even exist).
-
As this example shows, blindly trusting any tool is not good. Do not let your AV delete any files unless you are absolutely sure that they are infected. They can do no harm once quarantined in chest and more importantly they can be restored back should it turn out that they are harmless - unlike when you delete them.
-
<snip>
Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to.
so im screwed up? cause avast told me to delete exactly that file...
Avast didn't tell you to delete anything the default action is to send it to the chest, unless you changed the default actions ?
Check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\FileSystemShield.txt (XP location or C:\ProgramData\AVAST Software\Avast\report\FileSystemShield.txt (Vista, win7 location), using note pad as that should record the file system shield detections and you can find out what the file was.
If it was mscorlib.dll you can do a search as there are likely to be other versions on your system.
But post the detection information before trying to replace anything with one of the other mscorlib.dll files.
-
<snip>
Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to.
so im screwed up? cause avast told me to delete exactly that file...
Avast didn't tell you to delete anything the default action is to send it to the chest, unless you changed the default actions ?
Check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\FileSystemShield.txt (XP location or C:\ProgramData\AVAST Software\Avast\report\FileSystemShield.txt (Vista, win7 location), using note pad as that should record the file system shield detections and you can find out what the file was.
If it was mscorlib.dll you can do a search as there are likely to be other versions on your system.
But post the detection information before trying to replace anything with one of the other mscorlib.dll files.
no man, i didn't change anything. avast told me to reboot my system in that moment, scanned my pc (in safe mode) and then told me it was a trojan, first option is delete it....so.....
yes it was mscorlib.dl as i mentioned and yes i can find another versions...
* Informe de análisis de escudos en tiempo real de avast!
* Este archivo es generado automáticamente
*
* Iniciado el: martes, 01 de marzo de 2011 15:55:57
*
01/03/2011 03:58:25 p.m. C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll [L] Win32:Spyeye-BG [Trj] (0)
El siguiente error ocurrió al mover el archivo al baúl: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso
El archivo fue eliminado con éxito...
The file couldn't be move into the chest: the process doesn't have access to the file because it is being used by other process.
The file was deleted with successfully.
-
no man, i didn't change anything. avast told me to reboot my system in that moment, scanned my pc (in safe mode) and then told me it was a trojan, first option is delete it....so.....
Instead of continuing this absolutely unproductive "debate", how about following the advise above and finding out what you actually deleted (as opposed to what you think you might have deleted?) ::)
yes it was mscorlib.dl as i mentioned and yes i can find another versions...
Post the entire path to the file from the log.
-
no man, i didn't change anything. avast told me to reboot my system in that moment, scanned my pc (in safe mode) and then told me it was a trojan, first option is delete it....so.....
Instead of continuing this absolutely unproductive "debate", how about following the advise above and finding out what you actually deleted (as opposed to what you think you might have deleted?) ::)
yes it was mscorlib.dl as i mentioned and yes i can find another versions...
Personal Message (Online)
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #78 on: Today at 01:57:26 AM »
Reply with quoteQuote Modify messageModify
Quote from: DavidR on Today at 01:56:06 AM
Quote from: psikofunkster on Today at 01:42:08 AM
<snip>
Quote from: doktornotor on Today at 01:41:01 AM
Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to.
so im screwed up? cause avast told me to delete exactly that file...
Avast didn't tell you to delete anything the default action is to send it to the chest, unless you changed the default actions ?
Check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\FileSystemShield.txt (XP location or C:\ProgramData\AVAST Software\Avast\report\FileSystemShield.txt (Vista, win7 location), using note pad as that should record the file system shield detections and you can find out what the file was.
If it was mscorlib.dll you can do a search as there are likely to be other versions on your system.
But post the detection information before trying to replace anything with one of the other mscorlib.dll files.
no man, i didn't change anything. avast told me to reboot my system in that moment, scanned my pc (in safe mode) and then told me it was a trojan, first option is delete it....so.....
* Informe de análisis de escudos en tiempo real de avast!
* Este archivo es generado automáticamente
*
* Iniciado el: martes, 01 de marzo de 2011 15:55:57
*
01/03/2011 03:58:25 p.m. C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll [L] Win32:Spyeye-BG [Trj] (0)
El siguiente error ocurrió al mover el archivo al baúl: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso
El archivo fue eliminado con éxito...
The file couldn't be moved into the chest: the process doesn't have access to the file because it is being used by other process.
The file was deleted successfully.
Post the entire path to the file from the log.
so i was wrong it was mscrolib.ni.dll
-
yes it was mscorlib.dl as i mentioned and yes i can find another versions...
No, it was NOT - as clearly shown in the log.
01/03/2011 03:58:25 p.m. C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll [L] Win32:Spyeye-BG [Trj] (0)
El siguiente error ocurrió al mover el archivo al baúl: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso
El archivo fue eliminado con éxito...
You don't need this dynamically compiled file so just move on.
-
yes it was mscorlib.dl as i mentioned and yes i can find another versions...
No, it was NOT - as clearly shown in the log.
01/03/2011 03:58:25 p.m. C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll [L] Win32:Spyeye-BG [Trj] (0)
El siguiente error ocurrió al mover el archivo al baúl: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso
El archivo fue eliminado con éxito...
You don't need this dynamically compiled file so just move on.
so i was wrong it was mscrolib.ni.dll and??? what happens after? i deleted a file here anyway.
-
As already said multiple times, you do not need the NI (http://www.youtube.com/watch?v=QTQfGd3G6dg)
-
As already said multiple times, you do not need the NI (http://www.youtube.com/watch?v=QTQfGd3G6dg)
Hey, don't forget im a client i paid for a full license and i didn't provoke this was avast 6, if you don't have patience you shouldn't be here. Avast should have tested their new software before releasing it so soon after a windows 7 sp1, they shouldn't have hurried up.
Thanks for your help anyway.
-
Hey, don't forget im a client i paid for a full license and i didn't provoke this was avast 6, if you don't have patience you shouldn't be here.
Thanks for your help anyway.
Hey, don't forget I'm doing this for free in my free time and if people do not actually read the replies and make others repeat themself over and over again they are just wasting other people's time. IOW, I am not an Avast employee. Have a nice day.
Avast should have tested their new software before releasing it so soon after a windows 7 sp1, they shouldn't have hurried up.
Kindly note that this issue has nothing to do with releasing new version, the problem was in virus database signatures update - hence it affected any Avast version.
-
Hey, don't forget im a client i paid for a full license and i didn't provoke this was avast 6, if you don't have patience you shouldn't be here.
Thanks for your help anyway.
Hey, don't forget I'm doing this for free in my free time and if people do not actually read the replies and make others repeat themself over and over again they are just wasting other people's time. IOW, I am not an Avast employee. Have a nice day.
Only because you do it for free i should shut up my mouth and receive your scolding? i don't think so, take a break, relax and have a nice day too.
-
Only because you do it for free i should shut up my mouth and receive your scolding? i don't think so, take a break, relax and have a nice day too.
Right, scolding. Sorry to have wasted my time. Chill out, dude. :(
-
the FP positive was on the dll.... not the exe. the exe just triggered the dll as a service. come on guys, it's not rocket science.
seems the avast guys would know this by now..... where are the IT engineers?
It's a net4 service issue. analyze it it and solve it already.
I almost want to offer my services at a fee. I've been an IT engineer for 21 yrs, with McAfee corp training, but it's not my place.
-
Gosh...people? :-\
I am new to using Avast.
I have read the FAQ & many Help Files as I learn this software.
When I ran my Full System Scan this morning and it showed a serious Trojan Virus Threat.
#1 - I did not panic
#2 - I moved the file to the Virus Chest (that's the point...no need to delete until you know)
#3 - I Googled the Exact Virus Name & found an Avast Forum Thread
#4 - I Investigated and found MANY Avast Forum Threads pertaining to this Issue
#5 - I monitored the Forums several times throughout the day
#6 - Based on this info, I "restored" the file and ran the "Scan" again using v. 110301-2
#7 - When the Full System Scan showed the same results, I left...and went out to dinner
#8 - When I returned, I checked the Forums again
#9 - I updated to v. 110302-0...restored the file, and ran the Scan again
Yay!!!!
...and all of this without ever having to panic, run a boot-time scan, or post on these Forums
(until now - advice for all of us newbies)
:D
-
#1 - I did not panic
Yeah, that's indeed #1. ;)
-
Hi,
I've already every minute an warning after installing SP1.
Is there anyone who removed SP1? And what's the result, do you have stil the warnings?
Ab
-
Hi,
I've already every minute an warning after installing SP1.
Is there anyone who removed SP1? And what's the result, do you have stil the warnings?
Ab
I'm on SP1 from the first RTM leak, and i don't get this warning, really don't know what's happening for you, maybe it's somehow related to the localization ?
I'm from Moldova(Romanian localization).
-
I agree with the comments that you should put any files you are concerned about in the chest and not just delete them. The problem is Avast wouldn't let me put the file in the chest, no matter how many time I tried. So I had to delete it rather than let a potential virus through. Thankfully the file compiles again so no damage done.
-
I updated my laptop with windows 7 SP1 on the 25th Feb so I don't believe its SP1 at all. I must say that I did notice that automatic updates for windows 7 did not even inform me that there was updates waiting for me to download/install even with all the tick boxes selected. I had to do it manually. These are the updates I had to install upon manually asking it check for updates.
Windows 7 Service Pack 1 (KB976932)
Update for Microsoft Silverlight (KB2495644)
Update for Windows 7 (KB2488113)
Update for Windows 7 (KB2502285)
Update for Windows 7 (KB2488113)
Update for Windows 7 (KB2484033)
Security Update for Windows 7 (KB2485376)
Security Update for Windows 7 (KB2479628)
Security Update for Windows 7 (KB2475792)
Security Update for Windows 7 (KB2425227)
Cumulative Security Update for Internet Explorer 8 for Windows 7 (KB2482017)
The only updates since 25th Feb are Microsoft Security Essentials.
Today I booted up and then disabled active shields control for hour whilst I played a game. I had a phone call from family asking if I had anything detected by avast, nothing had popped up but I decided to check in virus chest and there was the file everyone is talking about mscorlib.ni.dll was detected today upon turning on laptop this morning 2nd march. Only things I have done today are update MS security essentials(Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.99.408.0)), run bit torrent to download a game, and load the game. So I have no idea where its come from. I just thought I would mention this as I have had SP1 for win 7 since 25th feb without it being detected until today that is why I don't believe its that. Avast updated its virus definitions yesterday as I shut down for bed. So must be false alert by Avast.
-
Wow, turned my computer on today and avast! went absolutely mental. Several Dell applications obviously use that file because I got several alerts pop up over and over again. Closing them didn't work - literally 2 seconds later they re-appeared (also, why have you set them to always appear in front of everything?! Damn annoying). Clicking to send to chest didn't work - the same thing happened with them just re-appearing. Also, how do you get ACCESS to the chest? I don't see it anywhere.
Even disabling real-time didn't work! Maybe because it had already detected them. I had to just log out of Windows with them there and re-enter, which then seemed to recognise I'd turned the real-time off. However I've tried to update definitions and I AM on the current set, so great, I've had to keep avast! disabled for now and am waiting for you to fix it for the rest of us.
What with this and the sidebar glitch of not properly closing unless you uninstall it I'm not as impressed with you lately.
-
Yeah I guess too many files from .net 4 possibly involved are detected as FPs, meaning that you can't easily exclude them from Avast, and you're better off disabling temporally the service.
I had no idea you were an avid user here, Logos. Hey old buddy!
you got pm ;)
-
I also don't have a problem with a pop-up. Just restored the file from the virus chest and added it to the exclusions. Job done.
-
Nothing is needed to be restored from a back-up or an exclusion set, as the file is one that is created on the fly (doesn't exist in that location when not in use). So it will get recreated as and when necessary, which has been stated in this and many of the other topics relating to this file.