Author Topic: virus alert VBS.Davinia: false positive?  (Read 4282 times)

0 Members and 1 Guest are viewing this topic.

sculus

  • Guest
virus alert VBS.Davinia: false positive?
« on: August 20, 2006, 02:06:44 PM »
Hello,

Concerned about a suspicious-looking pop-up I did a complete scan of my system yesterday and Avast! claimed to find the above virus. I moved the infected file to the chest as prompted, but when I opened the chest after the end of the scan, the file was nowhere to be found!

I did a search for the virus on the web and found that Davinia is normally received as an email message containing either no subject/body or, in other versions, a body stating "Onel 2 virus programmer / Melilla, Espana / 25 Diciembre 2000". However, I have not received (or opened) any email of that type.

Could this be a false positive, and if so, how do I ascertain this? Also, why didn't Avast! move the infected file to the chest as instructed?

I am currently running WinXP SP1 and have Avast! 4.7 Home edition updated to the latest definitions.

Any help will be greatly appreciated!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re: virus alert VBS.Davinia: false positive?
« Reply #1 on: August 20, 2006, 03:06:11 PM »
Concerned about a suspicious-looking pop-up I did a complete scan of my system yesterday and Avast! claimed to find the above virus. I moved the infected file to the chest as prompted, but when I opened the chest after the end of the scan, the file was nowhere to be found!
Also, why didn't Avast! move the infected file to the chest as instructed?
Sometimes the 'infection' is not a 'saved' file in your computer, so... it could not be 'moved to Chest'.
But, indeed, is it that often? Maybe some virus analyst could say something here...

I did a search for the virus on the web and found that Davinia is normally received as an email message containing either no subject/body or, in other versions, a body stating "Onel 2 virus programmer / Melilla, Espana / 25 Diciembre 2000". However, I have not received (or opened) any email of that type.
Is there any Heuristic setting that avoid the mail delivery? I mean, into Interent Mail provider Heuristic tab of settings.

Could this be a false positive, and if so, how do I ascertain this?
It will be very difficult to say, without the mail, without the file in Chest.
Is there anything related to this into the avast logs?
 
I am currently running WinXP SP1 and have Avast! 4.7 Home edition updated to the latest definitions.
Why don't you get SP2?
I can't understand why people with XP does not get SP2...  ::) ???
The best things in life are free.

Online DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 86822
  • No support PMs thanks
Re: virus alert VBS.Davinia: false positive?
« Reply #2 on: August 20, 2006, 03:14:26 PM »
What was the infected file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
Check the avast Log Viewer, Warning section, that should contain information about the avast alert.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sculus

  • Guest
Re: virus alert VBS.Davinia: false positive?
« Reply #3 on: August 20, 2006, 04:06:28 PM »
What was the infected file name, where was it found
example (C:\windows\system32\infected-file-name.xxx) ?
Check the avast Log Viewer, Warning section, that should contain information about the avast alert.
I checked the avast Log Viewer and the infected files was in My Documents. The name of the file is: "ubcd34-basic\ubcd34-basic.iso\IMAGES\SGD.ISO\boot\sdg\S10en\S30_specialboot\S30hide_and_seek\cd\hd0\part2\menu.lst"   
This is a file within the iso image used to create an "ultimate boot cd" bootable disc. I searched the ubcd forums and found that this user had a similar avast alert about the same file, so this must be a false positive.
 
Quote
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner

I tried virustotal but the file was too big to be uploaded.

Quote
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.

Thanks for the advice DavidR. :)

Tech, you're right, I'll upgrade to SP2 asap. ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re: virus alert VBS.Davinia: false positive?
« Reply #4 on: August 20, 2006, 05:03:19 PM »
So this must be a false positive.
So, follow David suggestion:

Quote
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
The best things in life are free.

Online DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 86822
  • No support PMs thanks
Re: virus alert VBS.Davinia: false positive?
« Reply #5 on: August 20, 2006, 05:22:08 PM »
I have a copy of the "ultimate boot cd" .iso and avast also picked up one of the tools that could be used for good or evil, unfortunately an AV can't determine which.

From your link and that it is a text file it does seem that it is an FP. If you create a bootable CD from the iso file it will extract the suspect file (you may need to pause the Standard Shield to get this done), then scan the file on its own or upload it to VirusTotal, etc.

That should also allow you to send it to virus @ avast.com as mentioned here (Mini Sticky) False Positives.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security