Author Topic: Win32:SdBot-2325 [Trj] - Real??


ShyWriter

  • Guest
Win32:SdBot-2325 [Trj] - Real??
« on: August 30, 2005, 06:24:45 PM »
Scanning of selected files      (0535-0) VPS

Action was completed successfully!

Virus has been detected!
File Name: a0031777.dll
FileID: 5
Virus Description: Win32:SdBot-2325 [Trj]

In CHEST now - was in a SystemRestore archive.
« Last Edit: August 30, 2005, 06:26:19 PM by ShyWriter »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #1 on: August 30, 2005, 06:43:32 PM »
Disable system restore and reboot. Problem solved.

ShyWriter

  • Guest
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #2 on: August 30, 2005, 08:22:17 PM »
Quote
Disable system restore and reboot. Problem solved.

I know how to get rid of it; I was asking if it was a false positive or not.  ;)

Shy

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89053
  • No support PMs thanks
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #3 on: August 30, 2005, 08:44:43 PM »
Unfortunately there is insufficient information to be able to say, without information on what the original file name was and its location before it was sent to a restore point. The a0031777.dll is, I believe, a system restore uniquely generated file name and not the original file name; a Google search for a0031777.dll returns 0 hits.

You may have at some point deleted an infected file/virus from one of the system folders (whilst system restore was enabled), so Windows creates a restore point just in case you want to reverse the delete at some time. Windows SR doesn't know it was a virus, so it will still protect the deletion from a system folder.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ShyWriter

  • Guest
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #4 on: August 30, 2005, 08:51:22 PM »
Quote
Unfortunately there is insufficient information to be able to say, without information on what the original file name was and its location before it was sent to a restore point.

Got'cha.. I'll go ahead and clean out my system restore stuff.. Thanks !

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89053
  • No support PMs thanks
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #5 on: August 30, 2005, 08:57:00 PM »
No problem, it is no bad thing to periodically clean out the system restore's System Volume Information folder. This folder can get to be very large.

mouse

  • Guest
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #6 on: September 06, 2005, 10:54:13 AM »
I got the same alert today but in:
Program Files\TDS3\xDynamic\TDS.fps\DCSFPS13.bak

I did a testdrive of TDS3 early this year but don't think anything was picked up at that time, nor did any avast scan until today show up this file. Given that it appears in TDS3 (Antitrojan software) could that be a fp? ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89053
  • No support PMs thanks
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #7 on: September 06, 2005, 01:56:34 PM »
Well, it could be that this is a file that TDS3 found and renamed, but that is a bit strange, as it would appear to be inside another file, TDS.fps, not a folder. Aside from a possible FP, it could well be an unencrypted detection inside the TDS signature file, if that is what TDS.fps is?

If you have finished your testdrive the simple answer would be to uninstall it.

However, you could check it: can you see the file DCSFPS13.bak in the location given (possibly not)? If you can, check it at Jotti; if not, check the TDS.fps at Jotti.
To check the offending/suspect file, use Jotti - Multi engine on-line virus scanner; if any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

mouse

  • Guest
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #8 on: September 06, 2005, 02:59:21 PM »
Did the online check at Jotti's but nothing showed up.
Btw, it worked from the chest, or at least I did not notice any problem uploading this file from the alwil/data/chest folder ???

The info from the TDS forum seems also to indicate that the original folder of TDS contained back-up files in case the system becomes corrupted (similar to the system files Avast copies into the chest). Based on this I also suspect that Avast picked up on the definitions and it might be a false positive.

Is there any way to submit a file to Avast so that a possible false positive may be corrected?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #9 on: September 06, 2005, 03:43:51 PM »
Quote
Btw, it worked from the chest, or at least I did not notice any problem uploading this file from the alwil/data/chest folder ???
You can't upload from Chest  ???
Are you sure you did it? Strange... how?
You can only send the file to Alwil for analysis, nothing more.

Quote
Is there any way to submit a file to Avast so that a possible false positive may be corrected?
Sure, send to virus (at) avast.com
Maybe zip the file and use a password, tell the password in the email body  ;)
The best things in life are free.

mouse

  • Guest
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #10 on: September 06, 2005, 04:16:01 PM »
Quote
You can't upload from Chest 
Are you sure you did it? Strange... how?
You can only send the file to Alwil for analysis, nothing more.

Maybe I misunderstand, but I selected the file in Jotti by looking for the program folder/Alwil/data/chest. Using Explorer I can see the files there (3 system files and this particular one). While it does not have the full name anymore in the chest, I assume it's still the same file.

I did send the file to avast too before seeing your response - did not zip it though, hope that is no problem.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89053
  • No support PMs thanks
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #11 on: September 06, 2005, 06:09:10 PM »
1. Usually when you try to upload a file from the chest you get an error, 0KB file, since the chest is protected storage and nothing is able to work within it or externally to it. Only avast can work within it to scan again, send to Alwil, delete etc.; that is the purpose of protecting it.
2. The fact that it isn't the same name shows that the chest changes it (encrypts it, I believe), so nothing could possibly scan it without knowing the encryption routine, the same as avast can't scan encrypted files in its scanning.

If the file isn't zipped when you send it to avast, it may never reach avast! Many ISPs and mail servers use anti-virus programs; if they detect a virus, it may well be deleted. Zipping it and password protecting the zip file stops scanners from being able to scan it, as they don't know the password.
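The point DavidR makes about password protecting the zip is worth checking mechanically before a suspect sample is mailed to a vendor: in the ZIP format, an entry's encryption is signalled by bit 0 of the general-purpose flag word in both the local file header and the central directory record, and that flag is what a mail-gateway scanner sees first. The script below is an added example, not code from this thread or from avast; it reads the flag from every entry and refuses an archive in which any entry is unencrypted. Because the standard library's zipfile cannot write encrypted archives, set_encrypted_flag is a constructed test fixture that only sets the flag bit on a plain zip (it does not encrypt anything); a real submission would be built with a zip tool that supports a password.

```python
"""Check that every entry in a zip archive carries the ZIP encryption flag.

Added example for verifying a sample archive before mailing it; not from the
avast forum thread. Uses only the standard library.
"""
import io
import struct
import zipfile

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry data is encrypted


def unencrypted_entries(zip_bytes: bytes) -> list:
    """Return the names of all entries whose encryption flag is NOT set.

    zipfile populates ZipInfo.flag_bits from the central directory, so no
    entry data is decompressed or decrypted here.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.flag_bits & ZIP_FLAG_ENCRYPTED]


def is_safe_to_mail(zip_bytes: bytes) -> bool:
    """True only when the archive has at least one entry and all are flagged encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if not zf.infolist():
            return False
    return unencrypted_entries(zip_bytes) == []


def build_plain_zip(name: str, payload: bytes) -> bytes:
    """Constructed fixture: an ordinary, unencrypted STORED archive with one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def set_encrypted_flag(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set flag bit 0 in every local header (PK\\x03\\x04,
    flags at offset 6) and central directory record (PK\\x01\\x02, flags at
    offset 8). This marks entries as encrypted for the check above; it does
    NOT encrypt the data, so it stands in for a real password-protected zip
    only in this self-contained demonstration.
    """
    data = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | ZIP_FLAG_ENCRYPTED)
            pos = data.find(signature, pos + len(signature))
    return bytes(data)


if __name__ == "__main__":
    # Payload text deliberately contains no "PK" so the header search is unambiguous.
    plain = build_plain_zip("sample.bin", b"constructed sample bytes, not malware")
    print("plain archive safe to mail?  ", is_safe_to_mail(plain))
    print("unencrypted entries:         ", unencrypted_entries(plain))
    flagged = set_encrypted_flag(plain)
    print("flagged archive safe to mail?", is_safe_to_mail(flagged))
```

Run this against the archive you are about to attach; if `unencrypted_entries` returns anything, rebuild the zip with a password before sending, since an unprotected attachment is exactly what the gateway scanner will strip.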

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: Win32:SdBot-2325 [Trj] - Real??
« Reply #12 on: September 06, 2005, 09:51:32 PM »
I don't think the files in Chest folder are protected from reading... I mean, they are encrypted, so that you won't see anything useful in there (and it's useless to submit such files to Jotti), but you should be able to open them.

The file by mouse is really a false alarm - it will be fixed soon. Thanks.