Author Topic: False Positive?  (Read 3997 times)

Offline Gryphen

  • Newbie
  • *
  • Posts: 7
False Positive?
« on: September 13, 2008, 03:02:44 PM »
Receiving an alert on "Battlefield HitFixer 1.31.exe" [file downloaded from http://www.mediafire.com/?yigayixxgd0 ]. Have had this file on my PC for quite a while (in excess of 6 months), and after a recent AVAST update it starts to be identified as a Win32:Trojan-gen {other}.


The program is used to alter some settings in Battlefield 2 gameplay.

The online scan at http://virusscan.jotti.org/ gave the following results.

Scan taken on 13 Sep 2008 12:52:40 (GMT) 
A-Squared  Found nothing
AntiVir  Found nothing
ArcaVir  Found Trojan.Rootkit.Agent.Ez 
Avast  Found Win32:Trojan-gen {Other}  
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
CPsecure  Found Troj.Spy.W32.Agent.bdw  
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found nothing
Ikarus  Found Trojan-Spy.Win32.Agent.bbg  
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Sophos Antivirus  Found nothing
VirusBuster  Found nothing
VBA32  Found nothing

Offline Gryphen

  • Newbie
  • *
  • Posts: 7
Re: False Positive?
« Reply #1 on: September 13, 2008, 03:05:28 PM »
VirusTotal advises the following:

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - TrojanSpy.Agent.bcx
ClamAV - - Trojan.Spy-29218
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
Fortinet - - -
GData - - -
Ikarus - - Trojan-Spy.Win32.Agent.bbg
K7AntiVirus - - Trojan-Spy.Win32.Agent.bga
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - archive damaged
Norman - - -
Panda - - Suspicious file
PCTools - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - Trojan/Spy.Agent.bem
TrendMicro - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 2ddbd9948b67fc0536f483d94ec42431
SHA1: a7e0656d84c26920b5b6466a1cdd20433b87d744
SHA256: b79fabdc7674a7d96460fb9560932cd7367b951149e2c8969de2e8082964f1b8
SHA512: e5e05c55fd270b7ea22f7168412ef8e544516ea0a09697c554dbd5f95a74ffeea5aea3d37ff6329b0ca5b328c76daeb3ec3dfdd4f151a70d95070880c41f749d

RainDrops

  • Guest
Re: False Positive?
« Reply #2 on: September 13, 2008, 04:33:47 PM »
Hi. I had a similar problem... Try to update Avast - the database and the program too... Hope that it would solve your problem.
Good luck!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89293
  • No support PMs thanks
Re: False Positive?
« Reply #3 on: September 13, 2008, 04:45:41 PM »
@ Gryphen
I think because several of the detections are generic or heuristic it could well be an FP.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body (a link to this topic might help) and "possible false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive, and it seems so, then if you accept the risk you could add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions (right click the avast ' a ' icon)

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
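
The triage described in the reply above (how many engines detect the file, and how many of those labels are generic or heuristic) can be scripted. This is an added example, not part of the original thread or any Avast tool; the rows are the Jotti results from the first post, and the `GENERIC_MARKERS` list is an illustrative assumption.

```python
import re

# Jotti rows copied from the first post, in its "<engine>  Found <result>" layout.
JOTTI_REPORT = """\
A-Squared  Found nothing
AntiVir  Found nothing
ArcaVir  Found Trojan.Rootkit.Agent.Ez
Avast  Found Win32:Trojan-gen {Other}
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
CPsecure  Found Troj.Spy.W32.Agent.bdw
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found nothing
Ikarus  Found Trojan-Spy.Win32.Agent.bbg
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Sophos Antivirus  Found nothing
VirusBuster  Found nothing
VBA32  Found nothing
"""

# Assumption: substrings that usually mark a generic or heuristic label rather
# than a named family. Illustrative only, not any vendor's rule set.
GENERIC_MARKERS = re.compile(r"(-gen\b|\bgeneric\b|\bagent\b|suspicious|heur)", re.I)

def parse_report(text):
    """Return {engine: label or None} for each '<engine>  Found <result>' row."""
    results = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+Found\s+(.+?)\s*$", line)
        if not m:
            continue  # skip blank or unrelated lines
        engine, label = m.group(1).strip(), m.group(2)
        results[engine] = None if label.lower() == "nothing" else label
    return results

def triage(results):
    """Summarise how many engines detect and which labels look generic."""
    hits = {e: l for e, l in results.items() if l}
    generic = sorted(e for e, l in hits.items() if GENERIC_MARKERS.search(l))
    return {"engines": len(results), "detections": len(hits), "generic": generic}

if __name__ == "__main__":
    print(triage(parse_report(JOTTI_REPORT)))
```

A low detection count made up of generic labels is a reason to submit the sample for analysis, not a verdict on the file.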

Offline Gryphen

  • Newbie
  • *
  • Posts: 7
Re: False Positive?
« Reply #4 on: September 14, 2008, 06:50:50 AM »
Okay I added it to the exclusions, I also changed the standard shield... and it still blocks it? (Fixed, only alerts when run directly off the desktop)

P.S. Also sent the file as advised.
« Last Edit: September 14, 2008, 06:58:12 AM by Gryphen »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89293
  • No support PMs thanks
Re: False Positive?
« Reply #5 on: September 14, 2008, 03:50:35 PM »
When you get an alert, copy the path to the file being detected (the alert window allows you to copy the full path) and paste that into the Standard Shield exclusion.

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: False Positive?
« Reply #6 on: September 14, 2008, 10:00:22 PM »
Hello guys,

Fixed in actual VPS update. Thank you all for the help.