Topic: 2 x hpt3xxNT.sys and one other flagged up, not sure what to do.


Portran

  • Guest
2 x hpt3xxNT.sys and one other flagged up, not sure what to do.
« on: December 28, 2012, 06:22:50 PM »
Hi

Using Avast Free edition on XP. The PC is a Hewlett Packard Pavilion.

Avast has just flagged up

hpt3xxNT.sys

In:

D:\i386\SYSTEM32\drivers

and

D:\MiniNT\system32\drivers

A few days ago also flagged up:

TCPIP.SYS

in

D:\MiniNT\system32\drivers

All three designated as Win32:Malware-gen. They are all in the restore partition. Have searched around and on the forum. There seem to be some cases of wrongful identification on TCPIP.SYS earlier this month but still not sure and finding nothing on the other file. Concerned the restore facility wouldn't work if needed, or other effects.

Hope someone can help, or point me in the right direction for information.

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: 2 x hpt3xxNT.sys and one other flagged up, not sure what to do.
« Reply #1 on: December 28, 2012, 07:41:49 PM »
Ensure that you have the latest virus definitions as I believe the modified tcpip.sys detections were corrected.

The hpt3xxNT.sys you should check at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below. If you didn't send them to the chest, copy it from the original location into the suspect folder you created.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.


What scan are you doing that is detecting these?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Portran

  • Guest
Re: 2 x hpt3xxNT.sys and one other flagged up, not sure what to do.
« Reply #2 on: December 28, 2012, 11:04:18 PM »
Hi David

Thanks for the fantastic help. The warnings didn't come up on a particular scan. I think both were flagged while Avast was running as a screensaver.

The URLs are:

https://www.virustotal.com/file/3b44edbf61ce920e3d09c1c2eb841f322c714427fdabaa82092745878ca27154/analysis/

https://www.virustotal.com/file/d9cdf125e13a42f49f2a81a34c25ef9dab1cd1978d401a930057c1caeb1006e2/analysis/

Interesting that one doesn't even come up re Avast now. Guess this means the file can be restored but your view welcome. hpt3xxNT.sys is still coming up on Avast and one other, what do you feel is best?
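The VirusTotal report URLs posted above embed the SHA-256 of the file that was submitted. Before acting on a report it is worth confirming that the hash in the URL is actually the hash of the copy still on the disk, and that the two copies of hpt3xxNT.sys (D:\i386 and D:\MiniNT) are byte-for-byte identical, since one detection then covers both. The script below is an added example and not part of the original thread or of avast; it uses a constructed temporary folder tree with placeholder bytes in place of the real restore partition, and the URL format is assumed to be the one shown in the posts.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed: VirusTotal report URLs of the form posted in this thread
# carry the file's SHA-256 as the path component after /file/.
VT_URL = "https://www.virustotal.com/file/{sha256}/analysis/"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def group_copies(paths):
    """Group paths by content hash. Copies of the same driver in several
    locations (i386 vs MiniNT) should land in one group; a copy that
    differs gets its own group and deserves separate attention."""
    groups = {}
    for p in paths:
        groups.setdefault(sha256_of(p), []).append(str(p))
    return groups


def vt_url(sha256):
    """Build the report URL for a hash, the same shape as the posted links."""
    return VT_URL.format(sha256=sha256)


def report_matches(path, report_url):
    """True when the hash embedded in a VT report URL is the hash of this
    file, i.e. the report really is about the copy sitting on the disk."""
    return sha256_of(path).lower() in report_url.lower()


def demo():
    # Constructed sample tree standing in for D:\i386 and D:\MiniNT.
    # The bytes are placeholders, not real driver contents.
    root = Path(tempfile.mkdtemp())
    a = root / "i386" / "SYSTEM32" / "drivers" / "hpt3xxNT.sys"
    b = root / "MiniNT" / "system32" / "drivers" / "hpt3xxNT.sys"
    c = root / "MiniNT" / "system32" / "drivers" / "TCPIP.SYS"
    for p in (a, b, c):
        p.parent.mkdir(parents=True, exist_ok=True)
    a.write_bytes(b"MZ" + b"\x00" * 64 + b"hpt3xxNT placeholder")
    b.write_bytes(a.read_bytes())  # identical copy in the second location
    c.write_bytes(b"MZ" + b"\x00" * 64 + b"tcpip placeholder")

    groups = group_copies([a, b, c])
    report = vt_url(sha256_of(a))  # stands in for the URL pasted in the thread
    return {
        "distinct_hashes": len(groups),
        "hpt_copies_identical": sha256_of(a) == sha256_of(b),
        "report_is_for_hpt": report_matches(a, report),
        "report_is_for_tcpip": report_matches(c, report),
        "report": report,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the real paths by replacing the constructed tree with the driver files extracted from the chest into the excluded Suspect folder; if `report_matches` is False for the file you have, the report you are reading is about a different file and should not be used to decide whether to restore it.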

DavidR
Re: 2 x hpt3xxNT.sys and one other flagged up, not sure what to do.
« Reply #3 on: December 28, 2012, 11:09:07 PM »
Yes it looks like the tcpip.sys one has been corrected as I mentioned previously.

You should add a copy of the hpt3xxNT.sys file to the virus chest as outlined above and send it to avast for analysis as a false positive.

I think you will find that the tcpip.sys should still be in the original location?

Portran

  • Guest
Re: 2 x hpt3xxNT.sys and one other flagged up, not sure what to do.
« Reply #4 on: December 28, 2012, 11:50:53 PM »
Hi David

Thanks again, sounds as if all files are okay. Have submitted a report to Avast.

DavidR
Re: 2 x hpt3xxNT.sys and one other flagged up, not sure what to do.
« Reply #5 on: December 29, 2012, 12:38:20 AM »
You're welcome.

In the meantime (if you accept the limited risk given the VT results), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

If required, restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe, where file_name.exe is the file you want to exclude.

Generally avast are quick to correct FPs.