Author Topic: false positiv  (Read 12432 times)


The Major

  • Guest
false positiv
« on: October 11, 2009, 11:55:52 AM »
Hi, since the update 091010-0 avast says the soundman.exe (Realtek control panel) is infected by a virus (Win32:Malware-gen).
I think this is a false positive; this file is on the driver DVD (Fujitsu Siemens) too.

VirusTotal says 3/41 infected.
link: http://www.virustotal.com/de/analisis/d98efa4aef5b8d046823b31e0c9bd3e02f607803ec11f01ae5e03f7387a2665c-1255254476

Yes, I know it's an old Realtek driver but it still works ::)

spg SCOTT

  • Guest
Re: false positiv
« Reply #1 on: October 11, 2009, 01:09:25 PM »
Hi,

This seems to be a false positive with effectively only 2 detections (GDATA uses avast's engine) so:

You could send the file in a password protected archive to virus(at)avast(dot)com with 'potential false positive' in the subject line and the password in the email body.

or

You could add the file to the user files of the virus chest and send it from there:

Right click avast icon in taskbar --> click start avast antivirus --> right click scanner background --> click virus chest --> navigate to user files --> click add files --> right click file --> email to alwil software.

NOTE:
The file will actually be uploaded when the next update is performed (you can do a manual update to initiate the sending)


You could also add a link to this thread and some more information when you do.

-Scott-

The Major

  • Guest
Re: false positiv
« Reply #2 on: October 11, 2009, 01:59:26 PM »
hi Scott,
thank you for answering.

I have the file now sent out from the virus chest to avast.

suhas007

  • Guest
Re: false positiv
« Reply #3 on: October 11, 2009, 02:51:11 PM »
I too got the same problem with soundman.exe and I have sent the file to avast team.. searched to see if it was for all and got this thread... :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: false positiv
« Reply #4 on: October 11, 2009, 05:57:30 PM »
<snip>
I have the file now sent out from the virus chest to avast.

For the future, you can right click the file inside the chest and scan it, when the alert happens, click the report as false positive, just another option.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: false positiv
« Reply #5 on: October 12, 2009, 01:51:14 PM »
Thank you for sending sample. Will be fixed in next VPS update.

Milos

Offline Keithuk

  • Jr. Member
  • **
  • Posts: 36
    • http://www.auto-professionals.co.uk/
Re: false positiv
« Reply #6 on: October 12, 2009, 02:06:07 PM »
Quote

Hi, since the update 091010-0 avast says the soundman.exe (Realtek control panel) is infected by a virus (Win32:Malware-gen).
I think this is a false positive; this file is on the driver DVD (Fujitsu Siemens) too.

I've had this same problem for the past week. I just posted this fault. It picks up on soundman.exe and Alcmtr.exe which are Realtek drivers. Now these drivers come from the Gigabyte CD that came with the computer (2 months old).

It also picked up on other programs I've used for years without a problem. I've sent the false positive report but it still tries to catch it on a scan even after updating the database.

Don't click the Ignore/Continue as Avast does something to the exe so it can't be used, just press the Stop button. ;)
Windows XP SP3 (Desktop)
Windows 7 32bit good (Laptop) fooked won't charge
DELL Inspiron Windows 10 x64 SHIT Laptop the worst fooking laptop design ever made
Avast FREE SHIT

Offline DavidR

Re: false positiv
« Reply #7 on: October 12, 2009, 02:37:50 PM »
Did you send the alcmtr.exe to avast as a possible false positive for analysis (that is how they get to know) and correction as required?

Another point, avast does nothing to the file so it can't be used. Ignore/Continue does just that but it won't let a file it considers infected to run.

Before executable files run, they are scanned; if they are considered infected then you will get the alert; if they aren't infected then avast allows the file to be run, this is how an on-access, resident antivirus works.

Offline Keithuk

Re: false positiv
« Reply #8 on: October 12, 2009, 05:57:42 PM »
Quote

Did you send the alcmtr.exe to avast as a possible false positive for analysis (that is how they get to know) and correction as required?

Another point, avast does nothing to the file so it can't be used. Ignore/Continue does just that but it won't let a file it considers infected to run.

Before executable files run, they are scanned; if they are considered infected then you will get the alert; if they aren't infected then avast allows the file to be run, this is how an on-access, resident antivirus works.

I didn't know you could send exe's to Avast, I presume this is by email to virus@avast.com? The info in the report should tell them the filename, version number, who made it and where you can download it from.

When I click on Ignore/Continue and I try to run the exe there is no icon as there is originally to it, it's just blank and it brings up an error message can't execute.

Yes I get the alert but I click Ignore/Continue and it still doesn't run.  ;)

Offline DavidR

Re: false positiv
« Reply #9 on: October 12, 2009, 07:02:11 PM »
They have to be zipped and password protected or sent from the chest, etc.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Offline Keithuk

Re: false positiv
« Reply #10 on: October 14, 2009, 02:24:12 PM »
Quote

They have to be zipped and password protected or sent from the chest, etc.

I wonder why they have to be password protected?

Anyway I think I've found my problem, it's another virus that Avast obviously doesn't pick up on. This one kids Avast that certain files are a virus/trojan. I did another format and rebuild last night. I installed Avast first job, did a full scan and all clean. I installed my Realtek sound drivers, scan again all clear. I installed things one at a time and rescanned to try and find which app is installing this virus. Now I thought the other day am I picking something up off my flash drives which I install a lot of. I took all 10 flash drives to work and scanned each one with McAfee 8.5. I picked up of a few that shows a W32/VIRUT.N.GEN virus and it cleaned them successfully.

All was going well until I used one of the last flash drives. Now I can't remember exactly what I installed as there are a few on there, then Avast pops up saying virus in a lot of the Malware apps in a sub folder. Now I know these aren't viruses so I kept on clicking continue. I have CCleaner running so I click on Startup and there is reader_s.exe supposed to run on startup along with a couple of dll's msxm192z.dll and msxm193z.dll. You can't delete them as they are in use. You search the registry for these and delete every mention of it.

Then it pops up saying taskmgr.exe, logoff.exe and a few more exe's are viruses. Well I make a note of the name and delete them. Put the WinXP CD in and find the original files which are compressed. Put them on the drive and uncompress them and put them in the System32 folder. I do a restart and it won't startup only in Safe Mode.

Now I know the flash drive these files were on so I formatted it. I did a rebuild this morning just to get Windows operating. I shall have to see tonight when I start installing again if anything else gets inserted.

There was a strange thing yesterday after I rebuilt I have a short-cut for here and it didn't work, it showed site/page not available. I did a Google for it and it showed a few links and all those weren't available either.

My opinion of these virus makers is they are quite good/effective why don't they use their programming talents to useful software and make money? The other thing is I think they are promoted by these anti-virus makers of which there are loads. These companies could be making viruses just so you have to buy anti-virus software. The other thing is they don't like Microsoft and are trying to hack their protection systems. You don't need a virus checker on a MAC or Linux system. ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: false positiv
« Reply #11 on: October 14, 2009, 03:15:38 PM »
Quote

I wonder why they have to be password protected?

To avoid scanning of antivirus and improper blocking of the email being sent.
The best things in life are free.

Offline Lisandro

Re: false positiv
« Reply #12 on: October 14, 2009, 03:18:37 PM »
Quote

My opinion of these virus makers is they are quite good/effective why don't they use their programming talents to useful software and make money? The other thing is I think they are promoted by these anti-virus makers of which there are loads. These companies could be making viruses just so you have to buy anti-virus software.

An eternal FUD of serious antivirus company... it's a matter of trust. If you can't trust your security software company it is time to move on...

Quote

The other thing is they don't like Microsoft and are trying to hack their protection systems. You don't need a virus checker on a MAC or Linux system. ;)

It's a matter of market share of Linux and Mac (number of computers).
It's a matter of time.
It's a matter of software architecture (Windows is more vulnerable).
But saying you don't need a protection could be overestimating the situation.

CharleyO

  • Guest
Re: false positiv
« Reply #13 on: October 14, 2009, 08:42:22 PM »
***

Quote

The other thing is I think they are promoted by these anti-virus makers of which there are loads. These companies could be making virus's just so you have to buy anti-virus software.


How can you think this when there are free versions of the best anti-virus programs?


***

Offline Keithuk

Re: false positiv
« Reply #14 on: October 15, 2009, 01:50:13 PM »
Quote

The other thing is I think they are promoted by these anti-virus makers of which there are loads. These companies could be making viruses just so you have to buy anti-virus software.


How can you think this when there are free versions of the best anti-virus programs?

Yes I agree with that but they all promote Professional or registered version. If Avast Home Free Edition is that good what advantages do you get with the paid for Pro version?

Ok an update of my rebuild last night. As on previous occasions I install something then do a full scan all clean. I do this with everything installed and all is clean. I'm just about to install my Broadband and Avast pops up with a virus warning. It’s an WinXP installed exe in System32. I continue and it finds another and another. There are 300 + exe's with viruses, which is virtually all the exe's in System32. How come it never picked up on these with previous full scans or when they were first installed? Then it came back to my Realtek files alcmtr.exe and soundman.exe. I do a scan of System32 and click Repair all. After its finished 800 + files infected. I do another scan and the same number are still infected so Repair did nothing.

If you check on these files in System32 as soon as you select one Avast warning again so ignore so I can check the properties and they are blank and no icon. I put the WinXP CD in again and uncompress all *.ex_ files and put them in the System32 folder. Now some are in use so these can't easily be over written. Now the infected files are reduced but I don't know for how long.

I check CCleaner and there is nothing out of order on startup, no reader_s.exe, servises.exe, no msxm192z.dll and msxm193z.dll.

I did a few Malwarebytes checks in between. Now the strange thing with this is Avast normally runs in the background on previous builds when I've scanned. All was clean.

Correct me if I'm wrong but I thought that a format would remove all files. I know there are BIOS and Boot viruses. It looks like yet another format and rebuild.  ??? I think out of curiosity I may try AVG 8.0 to compare what it finds.  ;)