Topic: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?

noobby

  • Guest
TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« on: November 08, 2008, 12:32:09 AM »
Vista Home Premium, installed TweakVI Oct/2007 (tweakui for vista) and now Avast Home 4.8 with compilation date 110708 comes up with Win32:Trojan-gen {Other}. I uploaded the file to totalvirus and here are the results.
Note the virus database dates.


Antivirus           Version           Last Update   Result
AhnLab-V3           2008.10.22.0      2008.10.23    -
AntiVir             7.9.0.5           2008.10.23    TR/Dldr.Bagle.aaq
Authentium          5.1.0.4           2008.10.23    W32/Heuristic-THX!Eldorado
Avast               4.8.1248.0        2008.10.23    -
AVG                 8.0.0.161         2008.10.23    -
BitDefender         7.2               2008.10.23    -
CAT-QuickHeal       9.50              2008.10.23    -
ClamAV              0.93.1            2008.10.23    -
DrWeb               4.44.0.09170      2008.10.23    -
eSafe               7.0.17.0          2008.10.23    -
eTrust-Vet          31.6.6164         2008.10.22    -
Ewido               4.0               2008.10.23    -
F-Prot              4.4.4.56          2008.10.23    W32/Heuristic-THX!Eldorado
F-Secure            8.0.14332.0       2008.10.23    -
Fortinet            3.113.0.0         2008.10.23    -
GData               19                2008.10.23    -
Ikarus              T3.1.1.44.0       2008.10.23    -
K7AntiVirus         7.10.505          2008.10.23    -
Kaspersky           7.0.0.125         2008.10.23    -
McAfee              5413              2008.10.23    -
Microsoft           1.4005            2008.10.23    -
NOD32               3550              2008.10.23    -
Norman              5.80.02           2008.10.23    -
Panda               9.0.0.4           2008.10.23    -
PCTools             4.4.2.0           2008.10.23    -
Prevx1              V2                2008.10.23    -
Rising              21.00.32.00       2008.10.23    -
SecureWeb-Gateway   6.7.6             2008.10.23    Trojan.Dldr.Bagle.aaq
Sophos              4.34.0            2008.10.23    Sus/ComPack
Sunbelt             3.1.1747.1        2008.10.23    -
Symantec            10                2008.10.23    -
TheHacker           6.3.1.0.125       2008.10.23    -
TrendMicro          8.700.0.1004      2008.10.23    -
VBA32               3.12.8.8          2008.10.22    -
ViRobot             2008.10.23.1434   2008.10.23    -
VirusBuster         4.5.11.0          2008.10.23    -


Additional information
File size: 6057984 bytes
MD5...: b40246b99a3722616bc6fc3df05ab4bb
SHA1..: 20b23cd15d1574302095b681c6f93c10973e33cf
SHA256: 753a79539a23daa7d097db6496e9d4ab59245da8225bf91c33b1a0b41db7f804
SHA512: 365811f34817080528cbe11ef641eb51847fb22dbfb2ab83c4fcfcdec39804d9
48ee92304550717cc8b3bcd5c13c3d6aac0f6725fe494bfe4501227db1f7d7f8
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x86d014
timedatestamp.....: 0x46f7e810 (Mon Sep 24 16:38:40 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name      viradd     virsiz     rawdsiz    ntrpy  md5
          0x1000     0x44d000   0x2e3000   7.96   da600d9be3219ed76c932a5f7674b15f
.rsrc     0x44e000   0x1d6b1    0x1e000    6.21   a5dcb9b09a1bf6a385e7d58a7f46c8ce
.idata    0x46c000   0x1000     0x1000     0.24   66e14847e24b4796e0273c0c3d11c03b
TweakVI   0x46d000   0x662000   0x2c4000   7.95   efb3992fa4d94e9d6fc633b1ad4fe584

( 2 imports )
> KERNEL32.dll: CreateFileA, ExitProcess
> COMCTL32.dll: InitCommonControls

( 0 exports )

So what do you think, false positive?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #1 on: November 08, 2008, 01:44:22 AM »
It isn't unusual to not have avast detect on VirusTotal when it does so on your system. VT isn't able to update the VPS in real time as the user is and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.

Ordinarily I would say no based on the numbers of detections (also depends on the trustworthiness of the download source)  but a number of those are heuristic/suspicious and the avast detection is generic which are more prone to false detection, so it needs further investigation.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic, VT results URL might help and possible false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #2 on: November 08, 2008, 02:37:06 AM »
Are you sure you've downloaded TweakVI from a trustable site?
Bagle infection is dangerous. Some of them could destroy avast (and its protection). Take care.
The best things in life are free.

noobby

  • Guest
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #3 on: November 08, 2008, 03:17:34 AM »
DavidR thanks for your quick response. I tried to send the file to avast but the transfer failed, file was too big.
Tech thanks also for a quick response. Yes I did download from trusted site...totalidea.com/product.php?Product=TweakVI. At least I hope it's a trusted site. Anyway I downloaded the newest version and installed it, rescanned and all is clean. What I don't understand is why after a year of being on my computer, avast home decides that tweakvi is a virus?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #4 on: November 08, 2008, 03:20:10 AM »
> What I don't understand is why after a year of being on my computer, avast home decides that tweakvi is a virus?

It's just a false detection. A clean file that was mistakenly detected as being infected. Don't worry, especially if the error is already corrected.

noobby

  • Guest
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #5 on: November 08, 2008, 03:26:56 AM »
I just hate false positives  ???!!!!!!!!!!!!

Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #6 on: November 08, 2008, 09:57:47 AM »
> I just hate false positives  ???!!!!!!!!!!!!

Me too :-). To fix a false positive alert we need the falsely detected file. You are using some version from Oct/2007. Actual version is v1.0 build 1090 from September 2008. Older can't be downloaded from http://totalidea.com/download.php

So please send us the falsely detected file to virus@avast.com in a password protected archive. Use email subject "false positive".

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #7 on: November 08, 2008, 03:49:55 PM »
> DavidR thanks for your quick response. I tried to send the file to avast but the transfer failed, file was too big.
> <snip>

If you tried to send from the chest, then you would need to increase the 'Maximum file size to send' value, Program Settings (right click the avast icon), Chest.

noobby

  • Guest
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #8 on: November 11, 2008, 04:14:16 AM »
Thanks again DavidR, adjusted file size and off it went.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: TweakVI.exe=Win32:Trojan-gen {Other}......false-positive?
« Reply #9 on: November 11, 2008, 02:48:09 PM »
You're welcome, hopefully it can be analysed and quickly corrected.