Author Topic: DriveImage XML & Win32:VB-EIJ

PixelaseR (Guest)
DriveImage XML & Win32:VB-EIJ
« on: December 03, 2007, 06:29:06 AM »
I did a backup of my C drive using BartPE & the DriveImage XML plugin.  The resulting files are Drive_C.dat and Drive_C.xml.  When I ran a scan with the latest avast home and virus definitions, I got this Win32:VB-EIJ virus reported on Drive_C.dat.  But, according to my understanding, the .dat file just contains the sector data of the C drive.  How could it be a virus?  Could this be a false positive?  Please advise.

DavidR (Avast Überevangelist)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #1 on: December 03, 2007, 03:23:19 PM »
How big is this Drive_C.dat file?

If under 10MB you could check it out at:  VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lisandro (Avast team)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #2 on: December 03, 2007, 03:44:33 PM »
It seems a false positive.
DriveImage XML generates just a partition copy, and it should be a huge file.
Did you run avast on your real HDD? Are you clean? And, as a consequence, is this copy (.dat) clean?
The best things in life are free.

PixelaseR (Guest)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #3 on: December 04, 2007, 02:31:43 AM »
@DavidR,

The file is 8GB, so I couldn't use that VirusTotal Scanner.

@Tech

I ran Avast on my real HDD, which was just clean-installed with only the following installed:

SpyBot
AdAware
Avast
Quicktime Alternatives
Real Alternatives
DivX
XVid
FFDShow
Burrrn
ImgBurn
7-Zip
Mozilla Firefox
Notepad++
PDFCreator
Adobe Acrobat Reader
OpenOffice
Microsoft AppLocale

As soon as the OS was installed, I installed SpyBot, AdAware and Avast right away.  After each program installation, I checked my HDD using the three programs.
So, I am pretty sure that my system is clean at this point since none of the three reports anything.

I then went ahead and used BartPE to create a DriveImage XML boot disk to make the image file.

I would assume that the resulting .dat is also clean.

DavidR (Avast Überevangelist)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #4 on: December 04, 2007, 03:39:26 AM »
I thought it was going to be on the large side. As to how it might have been detected, it is probably down to a fluke: somewhere in that 8GB .dat file there was a string that matched a virus signature.

Assuming, as you say, you had scanned your system and it was clean prior to the image being taken, then it is most likely a false positive. A back-up image has a limited life as you make changes/additions to your system, so as you create new back-ups you will be able to remove old back-ups.

I use Drive Image 7.1 and I do weekly image back-ups; prior to that I do my security scans, so I'm reasonably confident that my system is clean. I keep my image back-ups in a folder in a partition on my second HDD and I exclude that folder's backup images from scans: Program Settings, Exclusions, Add. An example of my exclusion entry is G:\DriveImages\drive-images\*.v21, which excludes all .v21 files, the Drive Image 7.1 back-up image file type.
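
Why a stray string in an 8GB sector image can match a signature, as an added example that is not part of this thread, of DriveImage XML or of avast: the script below builds a small constructed "disk image" of pseudo-random sectors, plants two constructed demo patterns in it (hypothetical strings, not avast's Win32:VB-EIJ signature) the way a deleted file's bytes linger in unallocated sectors, and scans the image in chunks with a carry-over tail so a pattern that straddles a chunk boundary is still found and nothing is reported twice. A file-level scan of the live system sees no file containing those bytes; a scan of the raw image does, which is the situation DavidR describes.

```python
"""Chunked signature scan over a raw sector image (added example).

The demo patterns below are constructed strings, not real AV signatures.
"""
from __future__ import annotations

import io
import random
from typing import BinaryIO

SECTOR = 512
CHUNK = 64 * 1024

# Constructed demo patterns (hypothetical; not avast's Win32:VB-EIJ signature).
SIGNATURES: dict[str, bytes] = {
    "demo:VB-lookalike": b"MZDEMO-SIGNATURE-FOR-VB",
    "demo:netpker-service": b"netpker",
}

# Byte offsets where build_demo_image() plants each pattern. The second one
# sits 3 bytes before a CHUNK boundary so it straddles two read() calls.
PLANTED = {
    "demo:VB-lookalike": 1000 * SECTOR,
    "demo:netpker-service": 3 * CHUNK - 3,
}


def build_demo_image(n_sectors: int = 2048, seed: int = 7) -> bytes:
    """Deterministic pseudo-random 'disk image' (constructed, 1 MiB by
    default) with the demo patterns written into otherwise unremarkable
    sectors, standing in for a deleted file's bytes left in unallocated
    space after the live filesystem looks clean."""
    rng = random.Random(seed)
    img = bytearray(rng.randbytes(n_sectors * SECTOR))
    for name, off in PLANTED.items():
        sig = SIGNATURES[name]
        img[off:off + len(sig)] = sig
    return bytes(img)


def scan_image(fp: BinaryIO, signatures: dict[str, bytes] = SIGNATURES,
               chunk_size: int = CHUNK) -> list[tuple[str, int, int]]:
    """Scan a raw image chunk by chunk. The last (longest - 1) bytes of
    each chunk are carried into the next search so a pattern split across
    a boundary is still matched; a match that ends inside that carry was
    already reported and is skipped. Returns (name, byte offset, sector)."""
    longest = max(len(s) for s in signatures.values())
    carry = b""   # tail of the previous chunk
    base = 0      # absolute offset of the first byte of carry + chunk
    hits: list[tuple[str, int, int]] = []
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for name, sig in signatures.items():
            i = buf.find(sig)
            while i != -1:
                if i + len(sig) > len(carry):   # not already reported
                    off = base + i
                    hits.append((name, off, off // SECTOR))
                i = buf.find(sig, i + 1)
        carry = buf[-(longest - 1):] if longest > 1 else b""
        base += len(buf) - len(carry)
    hits.sort(key=lambda h: h[1])
    return hits


def scan_bytes(data: bytes, chunk_size: int = CHUNK) -> list[tuple[str, int, int]]:
    """Convenience wrapper for an in-memory image."""
    return scan_image(io.BytesIO(data), chunk_size=chunk_size)


def scan_path(path: str, chunk_size: int = CHUNK) -> list[tuple[str, int, int]]:
    """Scan an image file on disk without loading it all into memory."""
    with open(path, "rb") as fp:
        return scan_image(fp, chunk_size=chunk_size)


if __name__ == "__main__":
    for name, off, sector in scan_bytes(build_demo_image()):
        print(f"{name}: byte offset {off} (sector {sector})")
```

Run it as-is to scan the constructed image, or point scan_path at a real .dat file with your own patterns; the byte and sector offsets of a hit are what you would take to the vendor when reporting a suspected false positive, since they let the analyst look at the surrounding bytes rather than re-scan 8GB.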

Lisandro (Avast team)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #5 on: December 05, 2007, 02:29:25 AM »
> So, I am pretty sure that my system is clean at this point since none of the three reports anything.

Besides these two antispyware programs (Ad-Aware does not detect anything...), I suggest you use AVG Anti-Spyware, SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

PixelaseR (Guest)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #6 on: December 05, 2007, 12:15:47 PM »
@DavidR,

The reason for this backup image was so that in case I need to re-install my system, I don't have to start from scratch (e.g. Windows Update, software and drivers).  So I am not really looking for incremental updates or anything like that.  Based on your suggestion, I could just exclude that one file from the Avast scanner and that should solve my problem.  However, what I am curious about is why Avast thinks the DriveImage XML backup is a virus.  I wonder if someone (a developer) can try using DriveImage XML via BartPE and maybe find out why this is happening?

@Tech,

Thanks for the suggestion.  I downloaded all three and ran all three.  Each one of them found spyware.  One is svch0st.exe (attributes SHR) in the Windows system32 directory.  The other is svchost.exe under the Windows directory, as well as a service registry entry named netpker.  I cleaned all three, rescanned, made sure there is no more spyware and recreated another image file with DriveImage XML.  Avast still picks up the file as a virus.  I think something else is there, or Avast just finds something interesting in that image file.  Kinda hope someone can shed some light on this problem.

Lisandro (Avast team)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #7 on: December 05, 2007, 01:14:34 PM »
> One is svch0st.exe (attributes SHR) in the Windows system32 directory.  The other is svchost.exe under the Windows directory, as well as a service registry entry named netpker.  I cleaned all three, rescanned, made sure there is no more spyware and recreated another image file with DriveImage XML.

Hasn't avast picked them up as viruses? ???
Did you quarantine the files or just delete them? Is there a way to extract them from the Chest and send them to virus (at) avast.com for analysis?

DavidR (Avast Überevangelist)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #8 on: December 05, 2007, 03:11:31 PM »
> @DavidR,
>
> The reason for this backup image was so that in case I need to re-install my system, I don't have to start from scratch (e.g. Windows Update, software and drivers).  So I am not really looking for incremental updates or anything like that.  Based on your suggestion, I could just exclude that one file from the Avast scanner and that should solve my problem.  However, what I am curious about is why Avast thinks the DriveImage XML backup is a virus.  I wonder if someone (a developer) can try using DriveImage XML via BartPE and maybe find out why this is happening?
> <snp>

I don't use it for incremental updates but for a full image of the partitions on my primary HDD, which I do weekly, keeping the last 6 images so I can restore my complete primary HDD partitions in 20 minutes. If you ever do need to do a re-install of your system, this one image you made will gradually become old and you will have to look at what updates, etc. have happened after that update.

Your system though, so your choice.

PixelaseR (Guest)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #9 on: December 06, 2007, 03:04:04 AM »
> One is svch0st.exe (attributes SHR) in the Windows system32 directory.  The other is svchost.exe under the Windows directory, as well as a service registry entry named netpker.  I cleaned all three, rescanned, made sure there is no more spyware and recreated another image file with DriveImage XML.
>
> Hasn't avast picked them up as viruses? ???
> Did you quarantine the files or just delete them? Is there a way to extract them from the Chest and send them to virus (at) avast.com for analysis?

LOL, a little too late. :P
Kinda deleted both.  Ah well :)

However, I think the reason Avast didn't pick up the two files is probably because of the SHR attributes.  Both files have those attributes.  Interestingly, SUPER picked up the first one but missed the 2nd one, and AVG picked up the 2nd one.
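
A check for what was found here, svch0st.exe in system32 and a second svchost.exe in the Windows directory, both with SHR attributes, as an added example that is not from the thread or from any of the tools named in it: the script runs over a constructed attribute listing (hypothetical paths and attribute flags in a "<attributes> <path>" layout) and flags names that differ from a well-known system binary only by a swapped character, copies of a well-known name outside its expected directory, and notes when such an entry also carries the hidden and system attributes. The expected directories assume the C:\WINDOWS\system32 layout the poster's paths use.

```python
"""Flag lookalike or misplaced copies of Windows system binaries (added example).

Input is a constructed listing of "<attributes> <path>" lines, one per entry.
"""
from __future__ import annotations

import ntpath

# Constructed sample listing (hypothetical), modelled on the two files
# reported in this thread plus a few legitimate entries.
SAMPLE_LISTING = """\
A    C:\\WINDOWS\\system32\\svchost.exe
SHR  C:\\WINDOWS\\system32\\svch0st.exe
SHR  C:\\WINDOWS\\svchost.exe
A    C:\\WINDOWS\\system32\\lsass.exe
A    C:\\WINDOWS\\explorer.exe
"""

# Expected home directory of some well-known binaries (assumes the
# C:\WINDOWS\system32 layout used in the thread; adjust for other versions).
KNOWN = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Digits and symbols commonly substituted for letters in masquerading names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "$": "s"})


def normalise(name: str) -> str:
    """Lower-case a file name and undo common letter/digit swaps."""
    return name.lower().translate(HOMOGLYPHS)


def check_entry(attrs: str, path: str) -> list[str]:
    """Reasons to look at this entry; an empty list means nothing suspicious."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    reasons: list[str] = []
    if name in KNOWN:
        if directory != KNOWN[name]:
            reasons.append(f"known name outside expected dir {KNOWN[name]}")
    elif normalise(name) in KNOWN:
        reasons.append(f"lookalike of {normalise(name)}")
    # Hidden+system on an already suspicious file is what kept these out of sight.
    if reasons and {"H", "S"} <= set(attrs.upper()):
        reasons.append("hidden+system attributes set")
    return reasons


def scan_listing(listing: str) -> list[tuple[str, list[str]]]:
    """Run check_entry over every non-empty line of the listing."""
    findings: list[tuple[str, list[str]]] = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        attrs, path = line.split(None, 1)
        if reasons := check_entry(attrs, path):
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan_listing(SAMPLE_LISTING):
        print(path, "->", "; ".join(reasons))
```

The attribute bits alone are deliberately not a finding, since plenty of legitimate system files are hidden and system; they only raise the severity of an entry that already has a wrong name or a wrong location.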

PixelaseR (Guest)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #10 on: December 06, 2007, 03:07:44 AM »
@DavidR,

>> The reason for this backup image was so that in case I need to re-install my system, I don't have to start from scratch (e.g. Windows Update, software and drivers).  So I am not really looking for incremental updates or anything like that.  Based on your suggestion, I could just exclude that one file from the Avast scanner and that should solve my problem.  However, what I am curious about is why Avast thinks the DriveImage XML backup is a virus.  I wonder if someone (a developer) can try using DriveImage XML via BartPE and maybe find out why this is happening?
>> <snp>
>
> I don't use it for incremental updates but for a full image of the partitions on my primary HDD, which I do weekly, keeping the last 6 images so I can restore my complete primary HDD partitions in 20 minutes. If you ever do need to do a re-install of your system, this one image you made will gradually become old and you will have to look at what updates, etc. have happened after that update.
>
> Your system though, so your choice.

Hmm....interesting point of view, I think that is something worth thinking over.  Though I don't really like having additional software installed on my system.  Know any imaging software that would run off a CD instead of having to be installed on the system?  Normally what I do is, I regularly back up my system.  It's quick and easy so I don't need to set it to back up daily :)  Any suggestion appreciated :)

DavidR (Avast Überevangelist)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #11 on: December 06, 2007, 03:38:44 AM »
Sorry, I only have experience of Drive Image; I have been using it for years, from early versions up to 7.1, the last before Symantec bought out PowerQuest (Drive Image and Partition Magic, two excellent programs).

Whilst the Drive Image CD is bootable, so it can run to restore images, I have never checked if it can create a back-up image; I have always initiated it from the Windows installation.


PixelaseR (Guest)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #12 on: December 06, 2007, 04:17:06 AM »
> Sorry, I only have experience of Drive Image; I have been using it for years, from early versions up to 7.1, the last before Symantec bought out PowerQuest (Drive Image and Partition Magic, two excellent programs).
>
> Whilst the Drive Image CD is bootable, so it can run to restore images, I have never checked if it can create a back-up image; I have always initiated it from the Windows installation.

Hmm....oh well, I guess I'll have to go spot me one that works from the CD.  :)

Now, I wonder, will Avast devs go and try out DriverImage XML and maybe find out why it's picking up the image file as a virus?

DavidR (Avast Überevangelist)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #13 on: December 06, 2007, 03:46:07 PM »
The only DriveImage (I assume you had a typo, DriverImage) I had previously heard of is the PowerQuest one; I had never heard of DriveImage XML before.

I don't know if they would have checked it or even have it. I think it is more likely to be a fluke that a string in the .dat file matched a malware string, rather than how the program compiles the dat file.

You can test that again when you next make a back-up.

Lisandro (Avast team)
Re: DriveImage XML & Win32:VB-EIJ
« Reply #14 on: December 06, 2007, 08:48:07 PM »
> I had never heard of DriveImage XML before

It's a very good tool http://www.runtime.org/dixml.htm ;)