Author Topic: virus alert VBS.Davinia: false positive?  (Read 4740 times)

sculus

  • Guest
virus alert VBS.Davinia: false positive?
« on: August 20, 2006, 02:06:44 PM »
Hello,

Concerned about a suspicious-looking pop-up I did a complete scan of my system yesterday and Avast! claimed to find the above virus. I moved the infected file to the chest as prompted, but when I opened the chest after the end of the scan, the file was nowhere to be found!

I did a search for the virus on the web and found that Davinia is normally received as an email message containing either no subject/body or, in other versions, a body stating "Onel 2 virus programmer / Melilla, Espana / 25 Diciembre 2000". However, I have not received (or opened) any email of that type.

Could this be a false positive, and if so, how do I ascertain this? Also, why didn't Avast! move the infected file to the chest as instructed?

I am currently running WinXP SP1 and have Avast! 4.7 Home edition updated to the latest definitions.

Any help will be greatly appreciated!

Offline Lisandro

  • Avast team
Re: virus alert VBS.Davinia: false positive?
« Reply #1 on: August 20, 2006, 03:06:11 PM »
Quote
Concerned about a suspicious-looking pop-up I did a complete scan of my system yesterday and Avast! claimed to find the above virus. I moved the infected file to the chest as prompted, but when I opened the chest after the end of the scan, the file was nowhere to be found!
Also, why didn't Avast! move the infected file to the chest as instructed?

Sometimes the 'infection' is not a 'saved' file in your computer, so... it could not be 'moved to Chest'.
But, indeed, is it that often? Maybe some virus analyst could say something here...

Quote
I did a search for the virus on the web and found that Davinia is normally received as an email message containing either no subject/body or, in other versions, a body stating "Onel 2 virus programmer / Melilla, Espana / 25 Diciembre 2000". However, I have not received (or opened) any email of that type.

Is there any Heuristic setting that avoids the mail delivery? I mean, in the Internet Mail provider Heuristic tab of settings.

Quote
Could this be a false positive, and if so, how do I ascertain this?

It will be very difficult to say, without the mail, without the file in Chest.
Is there anything related to this in the avast logs?

Quote
I am currently running WinXP SP1 and have Avast! 4.7 Home edition updated to the latest definitions.

Why don't you get SP2?
I can't understand why people with XP do not get SP2...  ::) ???
The best things in life are free.

Online DavidR

  • Avast Überevangelist
Re: virus alert VBS.Davinia: false positive?
« Reply #2 on: August 20, 2006, 03:14:26 PM »
What was the infected file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
Check the avast Log Viewer, Warning section, that should contain information about the avast alert.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sculus

  • Guest
Re: virus alert VBS.Davinia: false positive?
« Reply #3 on: August 20, 2006, 04:06:28 PM »
Quote
What was the infected file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
Check the avast Log Viewer, Warning section, that should contain information about the avast alert.

I checked the avast Log Viewer and the infected file was in My Documents. The name of the file is: "ubcd34-basic\ubcd34-basic.iso\IMAGES\SGD.ISO\boot\sdg\S10en\S30_specialboot\S30hide_and_seek\cd\hd0\part2\menu.lst"
This is a file within the iso image used to create an "ultimate boot cd" bootable disc. I searched the ubcd forums and found that this user had a similar avast alert about the same file, so this must be a false positive.
 
Quote
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner

I tried virustotal but the file was too big to be uploaded.

Quote
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.

Thanks for the advice DavidR. :)

Tech, you're right, I'll upgrade to SP2 asap. ;)

Offline Lisandro

  • Avast team
Re: virus alert VBS.Davinia: false positive?
« Reply #4 on: August 20, 2006, 05:03:19 PM »
Quote
So this must be a false positive.

So, follow David's suggestion:

Quote
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.

Online DavidR

  • Avast Überevangelist
Re: virus alert VBS.Davinia: false positive?
« Reply #5 on: August 20, 2006, 05:22:08 PM »
I have a copy of the "ultimate boot cd" .iso and avast also picked up one of the tools that could be used for good or evil, unfortunately an AV can't determine which.

From your link and that it is a text file it does seem that it is an FP. If you create a bootable CD from the iso file it will extract the suspect file (you may need to pause the Standard Shield to get this done), then scan the file on its own or upload it to VirusTotal, etc.

That should also allow you to send it to virus @ avast.com as mentioned here (Mini Sticky) False Positives.
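Added example, not part of the original thread or of avast: a small triage helper for the situation discussed above, where the scanner reports a file nested inside container images and the outer image is too big to upload. It splits the logged path into the layers to unpack and the one inner file worth scanning, then summarises an extracted file for a multi-engine lookup. The function names, the container extension list and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import string

# Assumption: extensions the scanner unpacks as containers (not an avast list).
CONTAINER_EXTS = (".iso", ".zip", ".cab", ".7z")
TEXT_BYTES = frozenset(string.printable.encode("ascii"))

def split_container_chain(reported_path):
    """Return (containers, inner_path) for a path like the one in the avast log."""
    containers, current = [], []
    for part in reported_path.split("\\"):
        current.append(part)
        if part.lower().endswith(CONTAINER_EXTS):
            containers.append("\\".join(current))
            current = []
    return containers, "\\".join(current)

def triage(data):
    """Summarise an extracted file: size, SHA-256 for lookup, plain-text check."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_text": bool(data) and all(b in TEXT_BYTES for b in data),
    }

# Path exactly as quoted from the avast Log Viewer in the thread.
REPORTED = (r"ubcd34-basic\ubcd34-basic.iso\IMAGES\SGD.ISO\boot\sdg\S10en"
            r"\S30_specialboot\S30hide_and_seek\cd\hd0\part2\menu.lst")

# Constructed stand-in for the extracted file; NOT the real menu.lst contents.
SAMPLE = b"title Example entry\nroot (hd0,1)\nchainloader +1\n"

if __name__ == "__main__":
    containers, inner = split_container_chain(REPORTED)
    for depth, c in enumerate(containers, 1):
        print(f"unpack layer {depth}: {c}")
    print("then scan or upload only:", inner)
    print(triage(SAMPLE))
```

A plain-text result does not by itself prove a false positive; it only confirms the extracted file is small enough to submit on its own and gives a hash to compare across scanners.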