Author Topic: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors  (Read 10404 times)


MasterVBGuru

  • Guest
All:

    This morning my desktop and laptop updated the Avast database from the June 2012 virus definition database (file version 120622-0/compilation date 6/22/2012) to the July 2012 database (file version 120717-0/compilation date 7/17/2012).  As soon as it was installed, legitimate programs on my desktop and laptop machines started reporting they were infected with Win32:Dropper-gen [Drp] "malware".

    I restored an image of my Windows 7 Ultimate (x64) desktop (from an image I created back in June 2012) and all the problems went away -- until Avast updated the database to file version 120717-0.  Then the errors came back.

    I was also able to test this in a Windows XP Professional (SP3) virtual box which had the June 2012 database installed.  I turned automatic updates off to update the virus definition database, and everything worked fine.  When I updated the database to the July 2012 120717-0 database, the malware messages started appearing when I attempted to run my legitimate apps.

    The problem seems to be with the July 2012 file version 120717-0 database update.  June 2012's database works fine.  I have been able to duplicate this problem with Avast 4.8 Home as well as Avast 2012 (build 7.0.1456.418).

    The work-around:  Don't update your system to the July 2012 database.  If it's already updated your system (as is my case), you're outta luck.  Screen shot attached.

bobo1

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #1 on: July 17, 2012, 04:56:32 PM »
No faults with my computer with this database. You are more than likely infected? You are using old Avast 4, which is out of date now, in your screenshot. Download the new free version.

Suggest a test on your computer with Malwarebytes Free & update it & do a full scan and remove whatever it finds.
« Last Edit: July 17, 2012, 05:02:37 PM by bobo1 »

MasterVBGuru

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #2 on: July 17, 2012, 04:58:50 PM »
I don't think so.  As soon as I update the database to July 2012, the messages appear. 

I tested this in a Virtual Box (running the June 2012 database).  As long as I don't update to July 2012, everything is fine.  Once I update to July 2012, I cannot run some of my apps.

bobo1

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #3 on: July 17, 2012, 05:09:29 PM »
Still do some malware scans though. No issues with my computer with this update.

MasterVBGuru

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #4 on: July 17, 2012, 05:15:20 PM »
Yep; did that.  Nothing.  Restoring the system back to June removes the issue.  Will wait for the next virus database update from Avast to see what happens.


Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #5 on: July 17, 2012, 06:18:54 PM »
Please upload C:\Program Files (x86)\Babel\babel.exe to https://www.virustotal.com/ and post the VirusTotal results link here.

Also, click on the "Report as False positive".  Of course, to do this would require that you update anew to the 'problem' VPS 120717-0.
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

MasterVBGuru

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #6 on: July 17, 2012, 07:32:06 PM »
Hi John:

    I just uploaded it moments ago.  Here's the link of the analysis:


https://www.virustotal.com/file/377598a25e9cdc06559f8db1552dd78d93cb9aeffb43ab7fee8b109d4a8c83e2/analysis/1342546118/

   There was no place for me to click on "Report as false positive" at this analysis link.


So here's how I fixed my machine in the meantime:

--Made a copy of 400.vps (the July 7, 2012 version of the database) from my VirtualBox.
--Uninstalled Avast 4.8 Home from my desktop
--Rebooted the machine
--Installed Avast 4.8 Home on my desktop
--Before rebooting, I changed the program settings, changing BOTH the "Update" options (program/virus database) to MANUAL and copying the 400.vps database to the DATA folder.
--Rebooted machine
--Entered the license key.
--Clicked on the ABOUT menu option to confirm I am running the July 7, 2012 virus definition (file version 120705-0)
--Right-clicked on the program that was generating a "Malware" error (i.e. Babel.exe); no error message.  Application now runs flawlessly.


Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #7 on: July 17, 2012, 08:00:16 PM »
The "Report as false positive" link was in the picture of your Avast alert you posted.  Since you are no longer alerting on babel.exe, the link is gone.

Avast and GData use essentially the same signatures, so they count as one detection.

There is a link for submitting a false positive to Avast thru a browser, but I can't find it now.

MasterVBGuru

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #8 on: July 17, 2012, 08:20:13 PM »
Hi John:

I submitted this to Avast early this afternoon when I clicked on the UPDATE within Avast.  I saw it upload the file.  Is there anything else I need to do?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #9 on: July 17, 2012, 09:05:32 PM »
Will you stop creating multiple topics and posts relating to the same issue, it just duplicates/triplicates the effort for those trying to help. Please stick with this one.
« Last Edit: July 17, 2012, 09:07:52 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MasterVBGuru

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #10 on: July 18, 2012, 01:37:34 AM »
Will do.  My sincere apologies for any confusion or trouble this may have caused.

DZSP21

  • Guest
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #11 on: November 07, 2012, 12:19:46 AM »
Hi Avast,

Our company has the Avast Endpoint Protection Suite Plus and we're also having the same issue up to now. It started a couple of months ago (around the July timeframe too), wherein almost all of our workstations seem to be infected with the Win32:Dropper-gen [Drp] Trojan based on the Avast logs and reports. In our case, it's adobe.exe, acrobat.exe, A00xxxxx and winsever.exe that get infected. Our workstations are mostly WinXP Pro x86.

Please advise if this is false-positive because we are going crazy on how to mitigate this outbreak. We have over a hundred computers in our network and almost 80% were reported infected.

Any assistance is greatly appreciated.
Thank you Avast.

DZSP21


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: July 2012 Avast Database generates Win32:Dropper-gen [Drp] Errors
« Reply #12 on: November 07, 2012, 12:23:10 AM »
@DZSP21......you are posting in an old topic...
and the forum section for endpoint is here.   http://forum.avast.com/index.php?board=33.0