Author Topic: False positive or not?

REDACTED

  • Guest
False positive or not?
« on: February 23, 2015, 05:48:44 PM »
Hi
Last Thursday I did a full system scan on my Windows 7 64bit with my Avast! Free and it found a "Win32:Malware-gen" in the directory "C://Program Files(x86)/Microsoft/Bing Bar/7.1.361.0/MUExe/7.1.361.0/BingBarSetup-Partner.EXE", so in a Bing Toolbar file, with regular Microsoft copyright. At the end of the analysis, suspecting it was a new false positive (my Avast had detected another FP just a few days before), I chose not to automatically correct the problem. Instead, I analyzed the system with MBAM and the single file with the Kaspersky Virus Removal Tool, which didn't detect anything suspicious. So I tried to view the file's properties, but Avast blocked it again, flagging it as malware and moving it to the virus chest.

Trying to understand something more, I restored the file from the virus chest and analyzed it using Virustotal, getting the following result:
https://www.virustotal.com/it/file/2cbb7875067792f6f08e6439fa7776c4fc0071c9736f11754a06594df1cfe25a/analysis/1424530069/

Until two days ago only one antivirus (Avast!) of the 57 in Virustotal's analysis detected it as malware, whereas the others saw nothing suspicious in it.
This fact makes me think of a FP, but I consider Avast's responses to be very often reliable, so I remain suspicious, even more so considering that, analyzing the file again, Avast keeps detecting it as a menace. Also, checking the Virustotal page for that file, I saw that it was updated yesterday with another user's analysis of the same file, and now the antivirus GData detects it as a menace too, a "Win32.Trojan.Agent.BJRVXJ", as you can see on the Virustotal page at the link:
https://www.virustotal.com/it/file/2cbb7875067792f6f08e6439fa7776c4fc0071c9736f11754a06594df1cfe25a/analysis/

Two days ago I also sent the file from the virus chest to the Avast lab to analyze it and find out if I can actually consider it a FP or if it represents a true menace, but, until now, nothing has changed.
Besides, I don't understand where this "virus" could have come from. In fact, I'm always very prudent and cautious about these things.
As I said, the file appears to be a legitimate Microsoft file that arrived on my computer with normal updates, as I can see in the Windows Update history; it's been in the system for a very long time and never created any sort of problem.

I apologize for the length of the message, but I don't know what to think about this file and whether I can consider it a true menace or just another FP.

Many Thanks

Offline Pondus

  • Posts: 37700
Re: False positive or not?
« Reply #1 on: February 23, 2015, 05:58:43 PM »
False Positive

First submission 2012-04-03 20:57:49 UTC ( 2 years, 10 months ago )

Quote
Copyright© Microsoft Corporation. All rights reserved.
Publisher Microsoft Corporation
Product Bing Bar
Original name WEXTRACT.EXE
Internal name Wextract
File version 7.1.361.0
Description Bing Bar Setup

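A local check that complements the VirusTotal metadata quoted above, added here as an example and not something posted in the thread: confirm that the file on disk is the same one VirusTotal analysed (the SHA-256 is the one in the links above) and ask Windows to verify its Authenticode signature, which a genuine Microsoft-signed setup stub passes. The path is the one from the first post written in Windows form, the function name is mine, and it assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the thread): compare a flagged file with the VirusTotal
# report and check its Authenticode signature before deciding on a false positive.
function Test-FlaggedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash from the VirusTotal URL
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # The file is gone from disk if the on-access scanner has moved it to the chest.
        throw "File not found: $Path"
    }
    # SHA-256 of the file actually on disk; it must equal the hash in the VT report,
    # otherwise the VT verdicts concern a different file.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sameFile = $hash -ieq $ExpectedSha256

    # Authenticode: 'Valid' means the signature and its chain check out on this machine.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Version-resource fields, the same ones VirusTotal shows in the quote above.
    $ver = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        MatchesVtReport = $sameFile
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
        CompanyName     = $ver.CompanyName
        ProductName     = $ver.ProductName
        FileVersion     = $ver.FileVersion
        OriginalName    = $ver.OriginalFilename
    }
}

# Path and hash as given in the thread (path rewritten in Windows form).
Test-FlaggedFile `
    -Path 'C:\Program Files (x86)\Microsoft\Bing Bar\7.1.361.0\MUExe\7.1.361.0\BingBarSetup-Partner.EXE' `
    -ExpectedSha256 '2cbb7875067792f6f08e6439fa7776c4fc0071c9736f11754a06594df1cfe25a' |
    Format-List
```

Reading the file may itself trigger the on-access scanner and send it back to the chest, as happened to the original poster when opening its properties, so run this after restoring the file or add a temporary exclusion for that path.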

Offline DavidR

  • Avast Überevangelist
  • Posts: 89690
  • No support PMs thanks
Re: False positive or not?
« Reply #2 on: February 23, 2015, 06:10:47 PM »
With only two hits on VT it is still likely to be an FP - the Win32:Malware-gen detection is also a generic detection trying to catch multiple samples of the same sort of malware group.

Whilst the BingBarSetup-Partner.EXE file and its location seem legit, if you didn't actually elect to install the Bing Toolbar, then that would be different. I really do think that Bing (a.k.a. Microsoft) would be getting more out of the deal than you.

http://www.backgroundtask.eu/Systeemtaken/taakinfo/92029/BingBarSetup-Partner.exe/

Personally, if you want to use the Bing search engine, you can easily change it in your browser without having a toolbar running in the background, possibly gathering data for the other half of the Partnership; I have no idea what benefit you are supposed to get out of the deal/partnership.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Posts: 34065
  • malware fighter
Re: False positive or not?
« Reply #3 on: February 23, 2015, 06:31:39 PM »
If you do not like toolbars, and a lot of folks do not, then it is a valid detection.
I think it is a good thing Avast flags this for what it is - BHO.

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: False positive or not?
« Reply #4 on: February 24, 2015, 05:51:18 PM »
Many many thanks to everyone.
Now Avast doesn't detect it as a menace anymore. It was really a FP.
Thanks