Author Topic: False Positive ? gtdownde_87.ocx  (Read 3907 times)


Mr K

  • Guest
False Positive ? gtdownde_87.ocx
« on: March 08, 2012, 11:00:40 PM »
An avast scan has indicated 'gtdownde_87.ocx' is a high risk file.  I've put it in the virus chest for now.

I'm not sure it is harmful. Googling it gives different answers and a lot of paranoia (as ever!). Some seem to think it's part of Dell Support (I have a Dell PC).

So, any ideas? Putting it in the chest doesn't seem to have caused me any problems at the moment. The file dates from 2004, when I got the PC.
« Last Edit: March 08, 2012, 11:05:49 PM by Mr K »

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: False Positive ? gtdownde_87.ocx
« Reply #1 on: March 08, 2012, 11:02:58 PM »
And where was the file located? Post the full path.

Mr K

  • Guest
Re: False Positive ? gtdownde_87.ocx
« Reply #2 on: March 08, 2012, 11:06:10 PM »
It was in c:\i386

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: False Positive ? gtdownde_87.ocx
« Reply #3 on: March 08, 2012, 11:14:51 PM »
What malware name did avast give it?

One file with that name was scanned at VT yesterday:

https://www.virustotal.com/file/5c251565efff7efca6520938fcf7ab73ddeb7084be712890b36726961d147979/analysis/

First seen by VirusTotal  2006-06-07 03:58:34 UTC ( 5 years, 9 months ago )


Sigcheck

publisher................: Gteko Ltd.
product..................: GTDown Module
internal name............: GTDown
copyright................: Copyright (C) 2000 - 2004 Gteko Ltd.
original name............: GTDown.OCX
comments.................:
file version.............: 1, 0, 0, 89
description..............: GTDown Module

So you should upload and scan your file to see.


Mr K

  • Guest
Re: False Positive ? gtdownde_87.ocx
« Reply #4 on: March 08, 2012, 11:19:54 PM »
Thanks for the help.

Avast said it was: Win32:malware-gen

Sorry to be a bit dumb, but where will I find the file (to upload it to VirusTotal) now I've put it in the virus chest?

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: False Positive ? gtdownde_87.ocx
« Reply #5 on: March 08, 2012, 11:26:18 PM »
Easy... in the virus chest ;)

First, right-click the file in the chest and upload it to the avast lab as a false positive so they can check it again.

Then:

Create a folder called Suspect on the C:\ drive. Now exclude that folder in the File System Shield: Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Right-click the file in the chest and restore it to that folder, then go to VirusTotal and browse to that folder/file.

Post the scan result.


Mr K

  • Guest
Re: False Positive ? gtdownde_87.ocx
« Reply #6 on: March 08, 2012, 11:41:33 PM »
OK, thanks, have done.

Scanned and got the below:

https://www.virustotal.com/file/5c251565efff7efca6520938fcf7ab73ddeb7084be712890b36726961d147979/analysis/1331246290/

Can't say I'm much the wiser; does this mean some programs think it is a virus and others don't?

Guess it'll stay in the virus chest. If it is part of Dell Support, I never use it anyway. I've enabled a boot-time scan; is there anything else I should do?

Incidentally the file seems to have recreated itself in the same location.
« Last Edit: March 08, 2012, 11:43:18 PM by Mr K »

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: False Positive ? gtdownde_87.ocx
« Reply #7 on: March 08, 2012, 11:46:09 PM »
Well, from the SHA-256 hash it is the exact same file as the VT scan I found.

The file is 5 years old... I suspect FP.
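The checks Pondus does by hand in the two posts above (restore the file into an excluded folder, hash it, compare the SHA-256 with the existing VirusTotal report, and read the sigcheck-style version strings) can be scripted. The following is an added example, not code from the thread or from avast; it assumes the file was restored to C:\Suspect\gtdownde_87.ocx as described, and a Windows host with PowerShell 4.0 or later (Get-FileHash does not exist on the XP-era box in the thread; a certutil fallback is noted at the end). The expected hash is the one in the VirusTotal URLs posted in the thread.

```powershell
# Added example: triage a file restored from the avast virus chest before deciding
# whether it is a false positive. Not part of the original thread.
# Assumptions: file at C:\Suspect\gtdownde_87.ocx, PowerShell 4.0+ (Get-FileHash).

param(
    [string]$Path = 'C:\Suspect\gtdownde_87.ocx'
)

# SHA-256 taken from the VirusTotal report URL posted in the thread.
$KnownHash = '5c251565efff7efca6520938fcf7ab73ddeb7084be712890b36726961d147979'

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}
$item = Get-Item -LiteralPath $Path

# 1. Hash. An identical SHA-256 means the byte-identical file, so an existing
#    VirusTotal report (and any vendor FP verdict on it) applies to this copy too.
$hash          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
$sameAsThread  = ($hash -eq $KnownHash)

# 2. Version resource, the same fields sigcheck printed in the thread. These are
#    plain strings in the PE and can be forged, so they are a hint, not proof.
$vi = $item.VersionInfo
$versionInfo = [ordered]@{
    Publisher     = $vi.CompanyName
    Product       = $vi.ProductName
    InternalName  = $vi.InternalName
    OriginalName  = $vi.OriginalFilename
    FileVersion   = $vi.FileVersion
    Copyright     = $vi.LegalCopyright
    Description   = $vi.FileDescription
}

# 3. Authenticode. A Valid status with the expected publisher in the signer
#    subject is much stronger evidence than the version strings. NotSigned is
#    common for 2004-era OCX files and is not by itself evidence of malware.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

# 4. Timestamps. A file that claims to be from 2004 but was written last week
#    deserves a closer look than one that has sat untouched for years.
[pscustomobject]@{
    Path           = $Path
    SizeBytes      = $item.Length
    Created        = $item.CreationTime
    LastWritten    = $item.LastWriteTime
    SHA256         = $hash
    MatchesThread  = $sameAsThread
    SignatureState = $sig.Status
    Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
} | Format-List

'--- Version resource ---'
$versionInfo.GetEnumerator() | Format-Table Name, Value -AutoSize

# Fallback where Get-FileHash is unavailable but certutil supports -hashfile:
#   certutil -hashfile C:\Suspect\gtdownde_87.ocx SHA256
```

One caveat on the procedure itself: the C:\Suspect\* exclusion means the File System Shield will no longer scan anything in that folder, so it must only be used to hash and upload the file. Do not double-click the .ocx, register it with regsvr32, or leave the exclusion in place once the upload is done; remove the exclusion and put the file back in the chest (or delete it) until the vendors have ruled on it.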

Mr K

  • Guest
Re: False Positive ? gtdownde_87.ocx
« Reply #8 on: March 08, 2012, 11:47:06 PM »
OK, thanks, I can go to sleep now ;)

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: False Positive ? gtdownde_87.ocx
« Reply #9 on: March 08, 2012, 11:50:52 PM »
Avira lab quote:

The file 'GTDownDE_87.ocx' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.1.6.147.
« Last Edit: March 09, 2012, 12:07:35 AM by Pondus »

Offline Milos

  • Avast team
  • Super Poster
  • Posts: 2295
Re: False Positive ? gtdownde_87.ocx
« Reply #10 on: March 09, 2012, 07:27:54 AM »
Hello,
thank you for the notice. The false positive will be fixed in the next VPS update.

Milos

Mr K

  • Guest
Another false positive?
« Reply #11 on: March 09, 2012, 12:29:03 PM »
Thanks for the info.

Following this false positive, I did a full scan. As well as gtdownde_87.ocx, it came up with 'A0414502.ocx', which seems to be in a System Restore folder, 'c:\system volume information\_restore....'.

VirusTotal says:
https://www.virustotal.com/file/5c251565efff7efca6520938fcf7ab73ddeb7084be712890b36726961d147979/analysis/1331292067/

Another false positive?

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: False Positive ? gtdownde_87.ocx
« Reply #12 on: March 09, 2012, 12:54:55 PM »
Since it is in System Restore, I guess it is a backup of the one already detected.

Clear your restore points and make a new one and it should be gone... or wait for the avast VPS fix.
« Last Edit: March 09, 2012, 03:19:30 PM by Pondus »

Mr K

  • Guest
Re: False Positive ? gtdownde_87.ocx
« Reply #13 on: March 09, 2012, 01:04:06 PM »
Ah, makes sense, ta.