Author Topic: Win 32:Dropper-gen [Drp] - False positive?

PamJ
Win 32:Dropper-gen [Drp] - False positive?
« on: March 18, 2014, 12:43:19 AM »
I'm confused a bit in that all of a sudden today avast! said a program I've been using for years is infected with this Win32:Dropper-gen [Drp]. The program was open and I clicked on it to load a file, the avast! warning popped up, grabbed the file, and moved it to the Chest. I tried using the EXE file from a flash drive thinking no way that could be infected, and avast! did the same thing with that (I copied the EXE from the flash drive to the computer desktop and tried to re-install from there).

I'm running that exact same program on another computer with avast! and it's running fine. The program never has updates, just newer versions that I don't upgrade to (my version is free and they don't offer another free version that's this good). I asked avast! to set it as an exception so I can use it and sent it in to avast! as a false positive, but how can I be sure it is? It's a transcription program by NCH Software. I use this program every single day, all day, and cannot do my work without it.

I ran a quick scan by Malwarebytes and it found nothing. I'm running a deeper scan through them right now.

Any suggestions? Does it sound like a false positive?

Pondus
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #1 on: March 18, 2014, 12:54:21 AM »
report and upload the file to avast lab so they can correct it

PamJ
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #2 on: March 18, 2014, 01:28:07 AM »
Pondus, in the chest when I chose to restore and set an exception a form also popped up to report to avast! as a false positive. I did that. Is there something else I should do?

Michael (alan1998)
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #3 on: March 18, 2014, 01:33:40 AM »
Nope, you're fine after that.

PamJ
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #4 on: March 18, 2014, 01:49:48 AM »
Just to add this...I did an online VirusTotal scan of the install EXE and program EXE for this program from NCH Software (Express Scribe). The install EXE is the one that came from my flash drive that's been there for three months. Out of 46 antivirus programs, these are the only two that "found" something.

The Install EXE gave me these 2 issues. The other 44 AVs found nothing:

Avast             Win32:Dropper-gen [Drp]    20140317
ESET-NOD32    a variant of Win32/Toolbar.Conduit.I    20140318

The program EXE gave me these 3. The other 47 AV programs found nothing.

Avast                     Win32:Dropper-gen [Drp]    20140318
Baidu-International    Adware.Win32.Conduit.I    20140317
ESET-NOD32             a variant of Win32/Toolbar.Conduit.I    20140318

And thanks Michael!

Pam



Pondus
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #5 on: March 18, 2014, 07:16:07 AM »
When posting VT scan results, you should post a link to the scan result, because we are missing all the extra file info VT gives.


PamJ
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #6 on: March 18, 2014, 08:14:21 AM »
Pondus, here are the links.

To install the program:
https://www.virustotal.com/en/file/4b9135280f3f1349908c55611878eb1605eb783d61abb839814e4fbf00471bef/analysis/1395123844/


To run the program once installed (scribe.exe):
https://www.virustotal.com/en/file/d4369fee08af23737acd44688d12f7fc779231dd9d2de7e0532534d0b85bc658/analysis/1395124000/


Housecall shows a trojan on the EXE that runs the program on this scan, but it didn't on the scan I ran earlier. AND I downloaded Housecall and ran a quick scan...it found nothing.

The file to install the program is one I've used for at least five years. It's been on my flash drive. And it's on another computer that is not showing these results.

Pondus
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #7 on: March 18, 2014, 08:40:00 AM »
Seems like an FP.

First submission 2009-12-16 07:58:33 UTC ( 4 years, 3 months ago )

Copyright               NCH Software
Publisher               NCH Software
Internal name           Scribe
File version            5.01
Description             Express Scribe
Signature verification  Signed file, verified signature
Signing date            10:35 PM 12/14/2009



First submission 2009-12-29 21:41:16 UTC ( 4 years, 2 months ago )

Copyright               NCH Software
Publisher               NCH Software
Internal name           Scribe
File version            5.01
Description             Express Scribe





PamJ
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #8 on: March 18, 2014, 08:43:05 AM »
Thanks, Pondus!   :)

essexboy
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #9 on: March 18, 2014, 03:25:52 PM »
It is alerting as a PUP on the Conduit toolbar thingy.
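The two replies above (Pondus in #7 and essexboy in #9) apply a short triage checklist to the VirusTotal reports: how many engines fire, how long ago the file was first submitted, whether the publisher's Authenticode signature verifies, and whether the detection names point at a bundled toolbar/adware (PUP) rather than a real dropper. The script below is an added example that encodes that checklist; it is not code from this thread, from avast, or from NCH Software. The report layout is a hand-built dict, not the real VirusTotal API schema, and the three sample reports are constructed to mirror the numbers Pam posted (plus one made-up fresh dropper for contrast), not fetched from VirusTotal. The thresholds (10% detection ratio, one year of age) are assumptions, not published guidance.

```python
"""Triage helper for a VirusTotal-style report.

Encodes the reasoning used in the thread: few engines firing, a file first
seen years ago, a verified publisher signature, and detection names that
point at bundled adware/PUP push the verdict toward "false positive / PUP".

Added example, not code from the thread or from NCH Software/avast. The
report dict layout below is assumed, not the real VirusTotal API schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Detection-name fragments that usually mean "bundled toolbar/adware", which
# many engines flag as PUP rather than malware. Assumed list, not exhaustive.
PUP_MARKERS = re.compile(r"(conduit|toolbar|adware|pup|potentially unwanted)", re.I)

# Assumed thresholds for the heuristics.
LOW_RATIO = 0.10      # <= 10% of engines firing counts as "few"
OLD_DAYS = 365        # a sample first seen a year ago is not a fresh campaign

# "Now" pinned to the date of the thread so the age check is reproducible.
NOW = datetime(2014, 3, 18, tzinfo=timezone.utc)

# Constructed sample reports mirroring the figures posted in the thread.
INSTALLER_REPORT = {
    "name": "Express Scribe installer",
    "engines_total": 46,
    "detections": {
        "Avast": "Win32:Dropper-gen [Drp]",
        "ESET-NOD32": "a variant of Win32/Toolbar.Conduit.I",
    },
    "first_submission": "2009-12-16 07:58:33",
    "publisher": "NCH Software",
    "signature_verified": True,
}
PROGRAM_REPORT = {
    "name": "scribe.exe",
    "engines_total": 50,
    "detections": {
        "Avast": "Win32:Dropper-gen [Drp]",
        "Baidu-International": "Adware.Win32.Conduit.I",
        "ESET-NOD32": "a variant of Win32/Toolbar.Conduit.I",
    },
    "first_submission": "2009-12-29 21:41:16",
    "publisher": "NCH Software",
    "signature_verified": False,   # the second VT page showed no signature line
}
FRESH_DROPPER_REPORT = {            # made-up contrast case, not from the thread
    "name": "invoice_2014.exe",
    "engines_total": 46,
    "detections": {f"Engine{i}": "Trojan.Dropper.Generic" for i in range(30)},
    "first_submission": "2014-03-17 23:00:00",
    "publisher": "",
    "signature_verified": False,
}


@dataclass
class Verdict:
    label: str                      # likely_false_positive | likely_pup | suspicious
    reasons: list[str] = field(default_factory=list)


def detection_ratio(report: dict) -> float:
    """Fraction of engines that flagged the file."""
    return len(report["detections"]) / report["engines_total"]


def file_age_days(report: dict, now: datetime) -> int:
    """Days since VirusTotal first saw this hash (UTC timestamp in the report)."""
    first_seen = datetime.fromisoformat(report["first_submission"]).replace(tzinfo=timezone.utc)
    return (now - first_seen).days


def triage(report: dict, now: datetime = NOW) -> Verdict:
    """Apply the thread's checklist and return a verdict with its reasons."""
    reasons: list[str] = []
    ratio = detection_ratio(report)
    age = file_age_days(report, now)
    names = list(report["detections"].values())
    pup_hits = sorted({n for n in names if PUP_MARKERS.search(n)})

    if ratio <= LOW_RATIO:
        reasons.append(f"only {len(names)}/{report['engines_total']} engines detect it")
    if age >= OLD_DAYS:
        reasons.append(f"first submitted {age} days ago, not a fresh sample")
    if report.get("signature_verified"):
        reasons.append(f"Authenticode signature verifies, publisher {report['publisher']!r}")
    if pup_hits:
        reasons.append("detection names point at bundled adware/PUP: " + ", ".join(pup_hits))

    # Few detections + old sample + verified signature is the classic FP shape;
    # if the names are toolbar/adware it is more accurately a PUP flag (post #9).
    if ratio <= LOW_RATIO and age >= OLD_DAYS and report.get("signature_verified"):
        return Verdict("likely_pup" if pup_hits else "likely_false_positive", reasons)
    if pup_hits and ratio <= 0.25:
        return Verdict("likely_pup", reasons)
    return Verdict("suspicious", reasons or ["no mitigating signals found"])


if __name__ == "__main__":
    for rep in (INSTALLER_REPORT, PROGRAM_REPORT, FRESH_DROPPER_REPORT):
        v = triage(rep)
        print(f"{rep['name']}: {v.label}")
        for r in v.reasons:
            print("  -", r)
```

The signature line VirusTotal shows is its own check on the uploaded copy; on the affected machine the same thing can be confirmed locally in PowerShell with `Get-AuthenticodeSignature` against the quarantined file, which also makes it obvious if the local copy differs from the one VT analysed (compare the SHA-256 in the VT URL with `Get-FileHash`). None of these heuristics proves a file clean; they only say the evidence matches a PUP/bundleware flag rather than a dropper, which is what the "report as false positive" submission then lets the lab confirm.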

PamJ
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #10 on: March 19, 2014, 06:09:31 AM »
Thanks essexboy. Had no idea that's what that was! It's definitely not an unwanted program!

essexboy
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #11 on: March 19, 2014, 03:02:25 PM »
That is why PUP detection is turned off by default; if you want to keep the toolbar, then it is up to you. Conduit has a so-so reputation with its toolbars and search engine :)



PamJ
Re: Win 32:Dropper-gen [Drp] - False positive?
« Reply #13 on: March 22, 2014, 07:45:20 PM »
Actually, essexboy, I don't even see any kind of toolbar at all that hasn't always been there or is out of the ordinary.

Great to hear it's been fixed, jefferson!

~Pam