Win32:Qqpass-DY [Trj] for rundll32.exe

[rrryan]

Hi,
I have been following the thread on the false positive alert on Win32:Qqpass-DZ [Trj].  I have already updated to the latest VPS 0643-6, 2006/10/26, but it is still saying C:\WINDOWS\system32\rundll32.exe is infected. 

I have 3 computer all showing the same alert after the virus update. 

They are all running winxp Pro SP2 traditional chinese version.

Any help is appreciated.

Thank you

[Lisandro]

I have been following the thread on the false positive alert on Win32:Qqpass-DZ [Trj].  I have already updated to the latest VPS 0643-6, 2006/10/26, but it is still saying C:\WINDOWS\system32\rundll32.exe is infected. 

To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com

Please, mention in the body of the message why you think it is a false positive and the password used.

[DavidR]

XP Pro, English version and no problem with the rundll32.exe.

There has been a similar problem with notpad.exe and this trojan name that would appear to only happen in the non English windows versions. See this topic http://forum.avast.com/index.php?topic=24494.0 and http://forum.avast.com/index.php?topic=24497.0.

I think this is a similar problem, You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

[rrryan]

Thanks for the tip for reporting problems.  I have tested the file on the 2 suggested site and both return no virus found except for Avast. 

Email with the attached zip file had been sent.  It is likely this is only for non english winxp.

Thank you again.

[Lisandro]

Thanks for the tip for reporting problems.  I have tested the file on the 2 suggested site and both return no virus found except for Avast. 

Most probably a false positive... hope they correct this soon 

[Ryo]

Problem still there after updated  VPS 0643-6,

I am using Windows XP Pro Chinese Traditional,

temp. solution to me is putting the rundll32.exe into exclusion list..,

hope can fix it in the later update, Thanks!

[K3172]

0643-7 can help you..

[Ryo]

0643-7 works fine, thanks you the engineer

[DavidR]

Glad that the latest VPS update resolves the FP, welcome to the forums, rrryan, Ryo and K3172.

[rrryan]

Thanks for the quick fix.  I am impress with the response time of the engineers.