Author Topic: Possible false positive?  (Read 8315 times)

Offline twn321

  • Newbie
  • *
  • Posts: 7
Possible false positive?
« on: March 08, 2013, 06:17:36 AM »
Hi there all. (New here, so forgive me any omissions or errors in the following.)

So... I ran a boot time scan yesterday. No problems/all clear. Today, for whatever reason, I ran one again. And I got the following message:

File C:\Windows\assembly\NativeImages_2.0.50727_32\stdole\f698ac346476a20a02725b8e9de422cd\stdole.ni.dll is infected by Win32:Malware-gen.

Hadn't done anything during the day that I hadn't before yesterday's scan except update Adobe AIR and 64-bit Java- both on Avast's advice- plus update to the latest version of Avast, too. And to be told, the computer was running just fine all night last night (after yesterday's scan) and today. So, am I maybe looking at a false positive here? That said... as the above item is in a Windows folder, I did not want to just blindly go ahead and do something that I might not be able to undo (if needed). Is the above item safe to delete? To move to chest? To repair? Or, can it be ignored? For the time being, I have done the last thing...

Appreciate your advice/comments.
« Last Edit: March 08, 2013, 08:33:01 PM by twn321 »

Offline twn321

  • Newbie
  • *
  • Posts: 7
Re: Possible false positive?
« Reply #1 on: March 08, 2013, 06:20:23 AM »
Oh... I almost forgot:

When I scan the Windows\assembly folder with Malwarebytes, everything comes up clear. No infection found.

Offline A. User

  • Sr. Member
  • ****
  • Posts: 394
Re: Possible false positive?
« Reply #2 on: March 08, 2013, 06:27:28 AM »
If the file is NOT quarantined, you can upload it to VirusTotal here: https://www.virustotal.com and see the results.

Offline twn321

  • Newbie
  • *
  • Posts: 7
Re: Possible false positive?
« Reply #3 on: March 08, 2013, 06:42:33 AM »
Thanks for the tip. My only problem is that when I try to do what you've suggested ("Choose File" to be scanned by VirusTotal), I am unable to find said file in the Windows\assembly folder. And I do have my preferences set to show hidden files/folders. Any additional ideas?
« Last Edit: March 08, 2013, 06:50:52 AM by twn321 »

Offline ulix79

  • Newbie
  • *
  • Posts: 2
Re: Possible false positive?
« Reply #4 on: March 08, 2013, 07:34:47 AM »
I'm having the same problem. Can't find the file. Any suggestions?

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
Re: Possible false positive?
« Reply #5 on: March 08, 2013, 07:35:55 AM »
it should be in your virus chest...

UI>>Maintenance>>virus chest>>select the file>>hit extract>>extract it to desktop>>upload to www.virustotal.com

Offline twn321

  • Newbie
  • *
  • Posts: 7
Re: Possible false positive?
« Reply #6 on: March 08, 2013, 07:52:42 AM »
> it should be in your virus chest...
>
> UI>>Maintenance>>virus chest>>select the file>>hit extract>>extract it to desktop>>upload to www.virustotal.com

Not if you haven't moved it to the chest. And that was part of my original question. More specifically, during the boot time scan, avast asks you if you are sure about moving a file that is in a Windows folder to the chest. Is it okay to do that?

Offline ulix79

  • Newbie
  • *
  • Posts: 2
Re: Possible false positive?
« Reply #7 on: March 08, 2013, 08:02:57 AM »
Avast doesn't allow me to put it in the chest. It's not there.

Offline Cluster-Lizard

  • Jr. Member
  • **
  • Posts: 98
Re: Possible false positive?
« Reply #8 on: March 08, 2013, 02:30:22 PM »
I found this Win32:Malware-gen thing on my Dell WinXP laptop last weekend during my post monthly program and Windows updates boot time scan with Avast. It wasn't there on 02/02/13, the last time I did an Avast boot time scan.

None of the numerous earlier quick scans made during the month found it, and full system scans with Spybot or Malwarebytes flagged up nothing wrong post updates either.

The 'malware' was located in Windows' default hidden Restore Point folder and I used the Avast delete option to kill it.

A new boot time scan was clean and I have had no problem since.
« Last Edit: March 08, 2013, 06:29:02 PM by Undead-Divine-Assassin »

Offline A. User

  • Sr. Member
  • ****
  • Posts: 394
Re: Possible false positive?
« Reply #9 on: March 08, 2013, 04:53:33 PM »
Well, you can search for the file by entering its name in the search box when you open "My Computer". Are you sure you checked the virus chest and the "stdole" directory? I'm not a virus removal expert, but if you think you are infected you can scan your computer with some of the tools here: http://www.selectrealsecurity.com/malware-removal-guide or you can post a new topic in the "viruses and worms" section, where you will get further assistance. Open avast GUI > security > antivirus, click settings in the boot time scan area and make sure that the default action is move to chest (not ask). Then run the boot time scan again.

Offline stitt

  • Jr. Member
  • **
  • Posts: 92
Re: Possible false positive?
« Reply #10 on: March 08, 2013, 05:26:56 PM »
I really like the latest version of Avast! It does seem to flag up some false positives though. Latest one for me is the new version of Furmark benchmarking tool.
Every one I have had has been found safe after a couple of updates. I turned the setting for reputation off; it seems a little eager.

Offline A. User

  • Sr. Member
  • ****
  • Posts: 394
Re: Possible false positive?
« Reply #11 on: March 08, 2013, 05:42:12 PM »
Report this to the Avast! virus lab.

Offline spywar

  • Malware Hunter
  • Poster
  • *
  • Posts: 441
Re: Possible false positive?
« Reply #12 on: March 08, 2013, 05:45:24 PM »
> I really like the latest version of Avast! It does seem to flag up some false positives though. Latest one for me is the new version of Furmark benchmarking tool.
> Every one I have had has been found safe after a couple of updates. I turned the setting for reputation off; it seems a little eager.

You should not turn off Reputation service, it powers the autosandbox (mainly)!
Are you talking about FurMark 1.10.5 (http://www.softpedia.com/get/System/Benchmarks/FurMark.shtml)?
I downloaded it, executed the setup and the file got autosandboxed. It's a rare file in the community ...

spywar

Offline stitt

  • Jr. Member
  • **
  • Posts: 92
Re: Possible false positive?
« Reply #13 on: March 08, 2013, 05:50:01 PM »
I did report it to them. I alpha and beta test games, so many programs I use have little or no reputation.

Offline A. User

  • Sr. Member
  • ****
  • Posts: 394
Re: Possible false positive?
« Reply #14 on: March 08, 2013, 06:59:56 PM »
@twn321 - if you create a topic in the viruses section, attach these logs: http://forum.avast.com/index.php?topic=53253.0