Otwycal-AG[Wm] detected

[crococ]

Hello all,

Two days ago, Avast detected the Otwycal-X virus, apparently a FP.
Just after the 080613-1 VPS file was installed, I scanned this file in the chest,
and Avast told me it was no more a virus. So a have put the file in its original
location, and a scheduled an immediate and complete at boot time Avast scan.
During this scan, I had 3 detections :

SETUP_WM.EX_   C:\I386                                                                 Otwycal-AG[Wm]
SETUP_wm.EXE   C:\I386                                                                  Otwycal-AG[Wm]
A0021422.EXE     C:\System Volume Information\_restore{DE4A529F-98CE-4187-A0F7-08590C3BB5E5\RP63     Otwycal-AG[Wm]

This morning, I made a complete scan (not at boot time), and Avast did no complain at all
(only many SAS and Spybot files could not be scanned because protected by password)

I have'nt submitted this 3 files to VT yet. Shall I do it ? Are these detections also FP ?
Are these detections related in some way to those I had 2 days ago ?

TIA.

[DavidR]

It would seem they might well be related as the file names are the same, however the location being in the i386 folder means that they could possibly be older versions of the previous file/s on which the false positive detections occurred.

It would be worth while a) checking them at VT and posting the results and b) sending the samples to avast.

[crococ]

It would be worth while a) checking them at VT and posting the results and b) sending the samples to avast.

a) Here are the esults from VT :
Fichier setup_wm.exe
Résultat: 2/32 (6.25%)
Avast    4.8.1195.0    2008.06.13    Win32:Otwycal-AG
GData    2.0.7306.1023    2008.06.13    Win32:Otwycal-AG

Fichier SETUP_WM.EX_
Résultat: 0/32 (0%)

Fichier setup_wm.exe
Résultat: 2/32 (6.25%)
Avast    4.8.1195.0    2008.06.13    Win32:Otwycal-AG
GData    2.0.7306.1023    2008.06.13    Win32:Otwycal-AG


b) I am sending these 3 files directly to Avast out from the chest along with a comment for each.

I am waiting for what to do next.
Thanks a lot.

[DavidR]

You're welcome, it looks like an FP gdata also uses avast as one of its two scanning engines.

[crococ]

You're welcome, it looks like an FP gdata also uses avast as one of its two scanning engines.

Finally, with the latest 080614-1 VPS version that came today, I could achieve a fully complete
boot time scan (including the archives) without any alert ! Just hope only they were real FP ! 

Many thanks for Avast quick reponsiveness for this problem !

I am wondering if it would not wise, when Avast detects in infection, to inform users to
preferably put the detected files into the chest rather than delete them, or even let Avast
put them directly by default into the chest. This would allow to restore files if an expertise
reveals is it a FP. In fact, are there any situations where deleting is really the best ? It it
always possible to delete files from the chest after anyway, right ?

[DavidR]

Thanks for the update.

On detection I think that the default button in focus is Move to chest, but there is most certainly a Recommended action, see image and that is Move to chest.

Personally I don't thing there is ever a case where it is best to delete, it is never a good first action, you have none left.