Author Topic: avast-alarm during AVPE-Update: Small-1700 false positive ?  (Read 13329 times)

whocares

  • Guest
avast-alarm during AVPE-Update: Small-1700 false positive ?
« on: August 03, 2006, 10:40:48 PM »
Hi, during Update of AVPE I get the following warning by avast on-access..:

Sign of "Win32:Small-1700" has been found in "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_44d253fa\engine\avewin32.dll" file.

reproducible with each update (today..) .

false positive, isn't it..? someone else has this..?

*
a short search in avpe/avast-board: zip..
I use avast as On-Access, AVPE only on-Demand (AVPE-Guard service is off)
*

my recent HJT-log (overloaded, I know, but hopefully nothing nasty..?)
haven't had much time recently for IT/security..


Thanks for your feedback and help..  :-)

whocares

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #1 on: August 03, 2006, 10:55:47 PM »
Hi Igor,
surely a false positive ??

(I trapped/moved the file with avast,
and got this from JOTTI):

File: avewin32.dll
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 1d79e357a5dcc4ed4d8ba2adc83ae266
Packers detected: -

Scanner results
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Small-1700
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


File has just been sent in to virus at avast dot com

 :(

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #2 on: August 04, 2006, 12:09:35 AM »
Try VirusTotal - Multi engine on-line virus scanner as it has more AVs and it uses the windows versions of the virus engines.

Sorry, not wanting to take this off-topic, but how are you managing to get Antivir to work with avast? Many that have tried have failed to get it to work as a back-up scanner, or vice versa, without conflict.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

whocares

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #3 on: August 04, 2006, 07:19:57 PM »
Hi David,

thanks for the tips..
I tried to try Virustotal yesterday, but the server queue of 30 min put me off..
(same just now..:
Your file "avewin32.dll" is queued in position: 398. Estimated start time is between 37 and 56 minutes.)

You don't think that only one hit out of 15 is not a pretty sure indication of a false alarm..?

AVPE-analysts haven't found anything in the file (surprise  ;D  or they wouldn't have sent it out..)

*

As to the avast-AVPE conflict..:

I managed this
with a little help from Vlk:

http://forum.avast.com/index.php?topic=4679.0

-> Disabling and renaming the Antivir-Service helps.:

What avast is doing is that it's checking the presence of the
"AntiVirService" service. If it is present, it's assuming that H+BEDV is active.

What you could probably do (if you need this service) is rename it -- by changing the key name in HKLM\System\CurrentControlSet\Services.


==> This works for me on W2k-SP4
 ;)

Online DavidR

Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #4 on: August 04, 2006, 07:36:26 PM »
Thanks for the info and the link.

You can submit a file by email and be emailed the results, saving you having to wait.

1 of 15 in Jotti is a good indication; VirusTotal has 21 and uses Windows AV engines, so where some Linux AV engines might not detect the virus, the Windows ones might.

MrChris

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #5 on: August 04, 2006, 09:19:32 PM »
I had the same problem.  Avewin32.dll would not update.  I finally went into the Avast! on-access scanner->Standard Shield->Customize->Advanced and added the file's download and runtime locations to the exclusion list there. 

Also ran the Virus Total utility to find that Avast! is the only anti-virus program out of 27 that had a problem with this file.  Great utility by the way, David!

Quote from DavidR: "Sorry not wanting to take this off-topic but how are you managing to get Antivir to work with avast many that have tried have failed to get it to work as a back-up scanner or vice versa without conflict ?"

With regard to getting Antivir working as an on-demand-only scanner alongside Avast!: I'm running Windows XP Home SP2, and I have my scheduler run a simple batch file whenever my computer starts up that deletes the avguard.exe from Antivir's folder - a good option if you don't like fiddling with the registry.
« Last Edit: August 05, 2006, 08:21:40 AM by MrChris »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #6 on: August 04, 2006, 11:08:48 PM »
Quote from MrChris: "I have my scheduler run a simple batch file whenever my computer starts up that deletes the avguard.exe from Antivir's folder - a good option if you don't like fiddling with the registry."

Quote from whocares: "What avast is doing is that it's checking the presence of the "AntiVirService" service. If it is present, it's assuming that H+BEDV is active."

Yeah... I've tried a lot of systems and after all, AntiVir starts to mess the Windows Security Center... avast is not detected anymore, legacy drivers of Antivir started to be detected...  :'( :-\
Well, my bad experience with this...
The best things in life are free.

mauserme

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #7 on: August 05, 2006, 05:42:35 AM »
Quote from whocares: "false positive, isn't it..? someone else has this..?"

Yes, I'm also using AntiVir as a non-resident scanner and avast! detected Win32:Small-1700 this morning while AntiVir was updating.

I tried unsuccessfully to move the file to the chest three times but the file could not be found.  I eventually opted to take no action and a subsequent avast! scan revealed no malware.

I'm taking this to be a false positive.

whocares

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #8 on: August 06, 2006, 12:13:12 AM »
well,
I tried excluding this obvious false alarm, too, but that helps only once, as the temp-folder name is different for the next AVPE-Update..

I hope avast will correct this soon.. 
 :(

***
As DavidR is so keen on Virustotal results, here they are:
avast is the only AV who flags the file:


Virus Total
_______________________________________________

Scan results
 File: avewin32.dll
 Date: 08/06/2006 00:18:44 (CET)
----
AntiVir   6.35.1.0/20060805   found nothing
Authentium   4.93.8/20060804   found nothing
Avast   4.7.844.0/20060804   found [Win32:Small-1700]
AVG   386/20060805   found nothing
BitDefender   7.2/20060806   found nothing
CAT-QuickHeal   8.00/20060804   found nothing
ClamAV   devel-20060426/20060805   found nothing
DrWeb    4.33/20060805   found nothing
eTrust-InoculateIT   23.72.87/20060804   found nothing
eTrust-Vet   12.6.2324/20060804   found nothing
Ewido   4.0/20060805   found nothing
Fortinet   2.77.0.0/20060805   found nothing
F-Prot   3.16f/20060804   found nothing
F-Prot4   4.2.1.29/20060804   found nothing
Ikarus   0.2.65.0/20060804   found nothing
Kaspersky   4.0.2.24/20060805   found nothing
McAfee   4822/20060804   found nothing
Microsoft   1.1508/20060804   found nothing
NOD32v2   1.1694/20060805   found nothing
Norman   5.90.23/20060804   found nothing
Panda   9.0.0.4/20060805   found nothing
Sophos   4.08.0/20060805   found nothing
Symantec   8.0/20060805   found nothing
TheHacker   5.9.8.186/20060804   found nothing
UNA   1.83/20060804   found nothing
VBA32   3.11.0/20060804   found nothing
VirusBuster   4.3.7:9/20060805   found nothing
« Last Edit: August 06, 2006, 12:23:39 AM by whocares »

Online DavidR

Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #9 on: August 06, 2006, 12:55:38 AM »
Not so much keen, but it does have 27 different scanners, and if it gets through that lot you would know one way or another, and it does, as you say, look like an FP.

Sending the sample zipped and password protected, marked as a false positive, to virus @ avast.com as there is no false positive feedback from VirusTotal (or Jotti).

whocares

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #10 on: August 06, 2006, 01:19:26 PM »

Quote from DavidR: "Sending the sample zipped and password protected, marked as a false positive, to virus @ avast.com as there is no false positive feed back from VirusTotal (or Jotti)."

Hi David,

thx, I already did that, no reply so far, and the FP is still popping up every AVPE-Update.
I guess I just have to wait then, and disable avast while updating AVPE

whocares

  • Guest
Still unresolved! avast False-positive during AVPE-Update: Small-1700
« Reply #11 on: August 08, 2006, 11:54:45 PM »
Still unresolved! avast False-positive during AVPE-Update: Small-1700

huhuu..? anybody looking here..?

No change despite avast-update today..

Is there a known/usual time-frame for resolving false positives by avast-team ?
Thanks

 ???

mauserme

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #12 on: August 09, 2006, 12:00:30 AM »
I have not had the problem since August 4.   I just manually updated AntiVir before posting and got no alerts at all.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #13 on: August 09, 2006, 11:36:36 AM »
The mentioned file (avewin32.dll) contains unencrypted samples of viruses - so I'm afraid the only solution is to put this file (or the whole AVPE folder maybe) into the list of Standard Shield exclusions.
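
The mechanism described in the reply above, as an added example that is not part of the original post and not code from either product: a simplified byte-signature scanner flags another scanner's engine file when that file stores its detection patterns in the clear, and stops flagging it once the patterns are stored obfuscated. All pattern bytes, names, the file layout and the XOR key are constructed assumptions for the demo.

```python
# Added illustration; every pattern below is constructed and harmless.
HEADER = b"ENGINE-DEMO\x00"   # hypothetical file header
XOR_KEY = 0x5A                # hypothetical single-byte key for the demo

# Scanner A's detection database (name -> byte pattern), constructed.
SCANNER_A = {
    "Demo:Small-A": bytes.fromhex("deadbeef4d5a9000feedface"),
    "Demo:Dropper-B": b"\x13\x37CONSTRUCTED-PATTERN\x00\x42",
}
# Scanner B detects the same samples, so its engine file carries the same bytes.
SCANNER_B_PATTERNS = list(SCANNER_A.values())


def scan(data: bytes, signatures: dict) -> list:
    """Naive on-access check: report every signature found anywhere in the file."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def xor(data: bytes) -> bytes:
    """Apply the demo obfuscation (its own inverse)."""
    return bytes(b ^ XOR_KEY for b in data)


def build_engine_file(patterns: list, obfuscate: bool) -> bytes:
    """Serialize patterns as length-prefixed records, optionally obfuscated."""
    body = b"".join(len(p).to_bytes(2, "little") + p for p in patterns)
    return HEADER + (xor(body) if obfuscate else body)


def load_patterns(engine_file: bytes, obfuscated: bool) -> list:
    """Scanner B reading its own file back; obfuscation does not hinder it."""
    body = engine_file[len(HEADER):]
    body = xor(body) if obfuscated else body
    patterns, pos = [], 0
    while pos < len(body):
        size = int.from_bytes(body[pos:pos + 2], "little")
        patterns.append(body[pos + 2:pos + 2 + size])
        pos += 2 + size
    return patterns


if __name__ == "__main__":
    plain = build_engine_file(SCANNER_B_PATTERNS, obfuscate=False)
    hidden = build_engine_file(SCANNER_B_PATTERNS, obfuscate=True)
    print("plain engine file :", scan(plain, SCANNER_A))
    print("obfuscated file   :", scan(hidden, SCANNER_A))
    print("B reloads patterns:", load_patterns(hidden, True) == SCANNER_B_PATTERNS)
```
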

mauserme

  • Guest
Re: avast-alarm during AVPE-Update: Small-1700 false positive ?
« Reply #14 on: August 09, 2006, 04:27:13 PM »
And of course the problem recurred for me this morning (maybe the sample was not included in yesterday's update?).

Clicking "Take No Action" several times works too but makes the update process sort of a nuisance.