Author Topic: igfxdiag coming up as Win32:Malware-gen  (Read 9386 times)


cromag

  • Guest
igfxdiag coming up as Win32:Malware-gen
« on: December 06, 2009, 11:25:18 PM »
Hi, I'd like some guidance.

While running a MBAM scan Avast! popped up to warn me about

Code:
C:\WINDOWS\system32\igfxdiag.exe

Specifically, that there was a sign of Win32:Malware-gen, I believe.

I put it in the chest, but would like to verify it.  The file has a "last changed" date of 7/1/2004, although I suppose that could be faked.  Rescanning in the chest still shows it as a virus, FileID:145.

How do I go about having this verified?

I hope I'm not being too dense, but I just want to make sure I know what I have.  I've been pretty careful out there, but stuff can still happen.

Thanks.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #1 on: December 06, 2009, 11:30:53 PM »
To check it, send the file to VirusTotal.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

cromag

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #2 on: December 06, 2009, 11:32:48 PM »
Thanks.  It's in the "Chest."  Do you know where that would be in my filesystem -- or in the documentation?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #3 on: December 06, 2009, 11:46:45 PM »
Follow the details here, which should allow you to upload the file for checking:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
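To make the check described above repeatable, here is an added PowerShell snippet (not from the thread and not avast's own tooling) that reports the properties a reviewer wants for a file exported to the excluded C:\Suspect folder; the default file path and the VirusTotal hash-lookup URL format are assumptions.

```powershell
# Added example, not from the thread: a read-only triage of a file exported
# from the avast Chest, run before deciding whether a detection is a false
# positive. Assumes the file was exported to the excluded C:\Suspect folder
# as described above; the path is a parameter and can be changed.
param(
    [string]$Path = 'C:\Suspect\igfxdiag.exe'
)

$item = Get-Item -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$ver  = $item.VersionInfo

# The signer subject is only meaningful when the signature chain validates.
$signer = '(unsigned)'
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
    $signer = $sig.SignerCertificate.Subject
}

[pscustomobject]@{
    File            = $item.FullName
    SizeBytes       = $item.Length
    # The "last changed" date asked about above: trivially altered, so it
    # supports but never proves that a file is legitimate.
    LastWriteTime   = $item.LastWriteTime
    SHA256          = $hash
    # Valid, NotSigned, HashMismatch (file altered after signing), ...
    SignatureStatus = $sig.Status
    Signer          = $signer
    CompanyName     = $ver.CompanyName
    FileDescription = $ver.FileDescription
    FileVersion     = $ver.FileVersion
    # Look the hash up rather than uploading: if VirusTotal already knows
    # this file, the multi-engine report appears without sending it anywhere.
    VirusTotalURL   = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
} | Format-List
```

A valid signature from the expected vendor together with a VirusTotal report where only engines sharing one backend flag the file (as with avast and GData later in this thread) is the usual pattern of a false positive; a HashMismatch status, or no signature on a file claiming to be a system component, is a reason to leave it in the Chest.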

juiceUK

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #4 on: December 06, 2009, 11:49:57 PM »
Quote from: cromag on December 06, 2009, 11:25:18 PM
Hi, I'd like some guidance.

While running a MBAM scan Avast! popped up to warn me about

Code:
C:\WINDOWS\system32\igfxdiag.exe

Specifically, that there was a sign of Win32:Malware-gen, I believe.

I put it in the chest, but would like to verify it.  The file has a "last changed" date of 7/1/2004, although I suppose that could be faked.  Rescanning in the chest still shows it as a virus, FileID:145.

How do I go about having this verified?

I hope I'm not being too dense, but I just want to make sure I know what I have.  I've been pretty careful out there, but stuff can still happen.

Thanks.

I had this too while running a MBAM scan. I uploaded the file to Virustotal and only Avast and Gdata said it had signs of WIN32:Malware-gen. Is it an F/P then?

cromag

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #5 on: December 07, 2009, 12:00:44 AM »
Thanks, DavidR -- sorry to make you repeat yourself -- I found your instructions in one of the other threads.

My VirusTotal results are the same as juiceUK.  Under the circumstances I'm going to restore this file and cross my fingers.

Thanks again for everyone's help!



EDIT:  the VirusTotal analysis page for this file is <HERE>.


EDIT 2:  And I just emailed it to Alwil directly from the Chest.
« Last Edit: December 07, 2009, 12:13:16 AM by cromag »

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #6 on: December 07, 2009, 12:12:48 AM »
Thank you for submitting the file. The result shows that it is a highly probable false positive, please send it to avast for analysis. Send it to virus@avast.com. The ideal way to send such files is to compress them as a ZIP file with the password virus
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

cromag

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #7 on: December 07, 2009, 12:20:25 AM »
Sorry, .: L' arc :. -- looks like I made my second edit while you were replying.  :-[

Anyway, I sent the file directly from the Chest, with a brief explanation and a reference to the forum posts.  Hopefully, that will be good enough.

Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #8 on: December 07, 2009, 01:14:45 AM »
Quote from: cromag on December 07, 2009, 12:00:44 AM
Thanks, DavidR -- sorry to make you repeat yourself -- I found your instructions in one of the other threads.

My VirusTotal results are the same as juiceUK.  Under the circumstances I'm going to restore this file and cross my fingers.

Thanks again for everyone's help!
<snip>

Yes, almost certainly an FP, as GData also uses avast as one of its two scanners.

Periodically scan the file within the chest, when it is no longer detected, you can conclude that the FP has been corrected in a VPS update.

In the meantime Restoration is fine, but you will first have to exclude the file and full path (C:\WINDOWS\system32\igfxdiag.exe) from the standard shield or when you move/restore it avast will alert again.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Avastiest

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #9 on: December 07, 2009, 01:27:42 AM »
Avast found the same thing in C:\Program Files\Spyware Doctor\avdb\temp\7729802C.vbt

Spyware Doctor was running its scheduled scan and all of a sudden Avast pops up saying it found Win32:Malware-gen in that. This is a false positive, isn't it? Should I restore it now and do a system restore, or would restoring this type of file be enough?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #10 on: December 07, 2009, 01:30:03 AM »
Follow the above instructions in Reply #3 to confirm if it is or isn't an FP and report the findings.

Never restore without confirming.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Avastiest

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #11 on: December 07, 2009, 01:41:37 AM »
Quote from: DavidR on December 07, 2009, 01:30:03 AM
Follow the above instructions in Reply #3 to confirm if it is or isn't an FP and report the findings.

Never restore without confirming.
I followed the instructions and only 2 found something in it, Avast and GData.

Here's the link to the VirusTotal Scan.
http://www.virustotal.com/analisis/3b771b858475b9eadacf602114a1efab59d8ed1306ea36ab754ee9559e8e8928-1260147688

*EDIT*
Had to rescan with VT since my link wasn't working.
« Last Edit: December 07, 2009, 02:03:53 AM by Avastiest »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #12 on: December 07, 2009, 02:04:49 AM »
Yes looks that way, as I mentioned, GData also uses avast as one of its two scanners.

In the meantime Restoration should be OK, but you will first have to exclude the file and full path (C:\Program Files\Spyware Doctor\avdb\temp\*.vbt) from the standard shield or when you move/restore it avast will alert again.

However, having had another look at this file name and path (shouldn't have been so quick first time round) it looks like it isn't a false positive in the true sense, as I suspect this may be bad practice on the part of Spyware Doctor by not encrypting its virus database. That is why I have put the *.vbt in the path, as if this is truly a temporary file the numbers are likely to change and the * is a wildcard that should take care of that.

So avast has been able to take a peek inside the avdb (AntiVirusDataBase) temp folder and .vbt file and found a pattern match to a virus signature.

Were you doing a Spyware Doctor scan or a Spyware Doctor update at the time of the alert?

~~~~
I don't know, in the light of what I have said above, if this should be sent to avast for analysis, but it won't hurt:

You can send it from the Infected Files section of the Chest (select the file, right click, email to Alwil Software), as a Possible false positive, you could give a link to this topic to help. It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Avastiest

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #13 on: December 07, 2009, 02:12:47 AM »
Quote from: DavidR on December 07, 2009, 02:04:49 AM
Yes looks that way, as I mentioned, GData also uses avast as one of its two scanners.

In the meantime Restoration should be OK, but you will first have to exclude the file and full path (C:\Program Files\Spyware Doctor\avdb\temp\*.vbt) from the standard shield or when you move/restore it avast will alert again.

However, having had another look at this file name and path (shouldn't have been so quick first time round) it looks like it isn't a false positive in the true sense, as I suspect this may be bad practice on the part of Spyware Doctor by not encrypting its virus database. That is why I have put the *.vbt in the path, as if this is truly a temporary file the numbers are likely to change and the * is a wildcard that should take care of that.

So avast has been able to take a peek inside the avdb (AntiVirusDataBase) temp folder and .vbt file and found a pattern match to a virus signature.

Were you doing a Spyware Doctor scan or a Spyware Doctor update at the time of the alert?

~~~~
I don't know, in the light of what I have said above, if this should be sent to avast for analysis, but it won't hurt:

You can send it from the Infected Files section of the Chest (select the file, right click, email to Alwil Software), as a Possible false positive, you could give a link to this topic to help. It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Spyware Doctor was running a full scan; it is set to start scanning at 6:00pm central every day. Is it safe for me to do what you said and exclude (C:\Program Files\Spyware Doctor\avdb\temp\*.vbt)? I guess I'm afraid that a virus could somehow get its way in there and not be detected.

I right clicked the file and selected Email to Alwil Software and then I did a manual update. [Sorry that I sent it twice; I wasn't 100% sure I did it correctly the first time so did it again.]

-EDIT-
When I tell it to e-mail the file nothing appears; is that what it is supposed to do? Or should I have gotten a pop-up when I told it to e-mail?
« Last Edit: December 07, 2009, 02:31:03 AM by Avastiest »

Avastiest

  • Guest
Re: igfxdiag coming up as Win32:Malware-gen
« Reply #14 on: December 07, 2009, 02:16:34 AM »
Since I was done with the suspect folder I deleted the file in it; I guess I wasn't thinking when I did that. Avast detected it when I deleted it, so I just let avast delete it after detecting it. That should be OK, right, since it's still in the chest to restore to normal anyway?