Author Topic: Win32:Malware-gen found in avmanagerunified.dll - False positive?  (Read 8846 times)

Offline vinzi

  • Newbie
  • *
  • Posts: 2
Hello,

Avast has found a virus, although I think it may be a false positive as only Avast and GData pick it up at Virscan.org. Any help would be much appreciated.

I am using Windows 7 Home Premium with all the recent updates installed and Avast 4.8 Home Edition.

File name: C:\Program Files (x86)\Common Files\supportsoft\bin\avmanagerunified.dll\[UPX]
Malware name: Win32:Malware-gen
Malware type: Virus/Worm
VPS version:091206-1, 06/12/2009

When I click 'Move to chest' or 'Move/Rename' I get the following error:

"avast!: The system cannot find the file specified
Cannot process "C:\Program Files (x86)\Common Files\supportsoft\bin\avmanagerunified.dll\[UPX]" file"


The results from Virscan.org:

VirSCAN.org Scanned Report :
Scanned time   : 2009/12/07 21:51:16 (CST)
Scanner results: 5% Scanner(s) (2/37) found malware!
File Name      : avmanagerunified.dll
File Size      : 321024 byte
File Type      : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5            : c9191d1c5b248032563e07b654499bfa
SHA1           : d4d0e4aa86760f031952b4c0a2b4fe5929395df4
Online report  : http://virscan.org/report/527510013014f5741e12c8122be6d94a.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.8         20091207190313    2009-12-07  4.14   -
AhnLab V3      2009.12.07.00   2009.12.07        2009-12-07  1.00   -
AntiVir        8.2.1.102       7.10.1.174        2009-12-07  0.53   -
Antiy          2.0.18          20091204.3347676  2009-12-04  0.02   -
Arcavir        2009            200912070703      2009-12-07  0.17   -
Authentium     5.1.1           200912061651      2009-12-06  1.49   -
AVAST!         4.7.4           091206-1          2009-12-06  0.16   Win32:Malware-gen
AVG            8.5.288         270.14.97/2550    2009-12-07  1.37   -
BitDefender    7.81008.4703066 7.29343           2009-12-07  4.12   -
CA (VET)       35.1.0          7158              2009-12-04  12.26  -
ClamAV         0.95.2          10116             2009-12-07  0.37   -
Comodo         3.13            3167              2009-12-07  1.60   -
CP Secure      1.3.0.5         2009.12.04        2009-12-04  0.55   -
Dr.Web         4.44.0.9170     2009.12.07        2009-12-07  7.52   -
F-Prot         4.4.4.56        20091206          2009-12-06  1.39   -
F-Secure       7.02.73807      2009.12.07.08     2009-12-07  0.45   -
Fortinet       11.133-         11.133            2009-12-07  0.41   -
GData          19.9207/19.609  20091207          2009-12-07  6.65   Win32:Malware-gen [Engine:B]
ViRobot        20091207        2009.12.07        2009-12-07  0.41   -
Ikarus         T3.1.01.74      2009.12.07.74663  2009-12-07  4.31   -
JiangMin       13.0.900        2009.12.02        2009-12-02  4.87   -
Kaspersky      5.5.10          2009.12.07        2009-12-07  0.36   -
KingSoft       2009.2.5.15     2009.12.7.15      2009-12-07  0.68   -
McAfee         5.3.00          5824              2009-12-06  3.37   -
Microsoft      1.5302          2009.12.07        2009-12-07  8.90   -
Norman         6.01.09         6.01.00           2009-12-07  4.02   -
Panda          9.05.01         2009.12.06        2009-12-06  2.19   -
Trend Micro    9.000-1003      6.676.02          2009-12-07  0.13   -
Quick Heal     10.00           2009.12.07        2009-12-07  1.33   -
Rising         20.0            22.25.00.06       2009-12-07  1.49   -
Sophos         3.02.0          4.48              2009-12-07  5.27   -
Sunbelt        3.9.2381.2      5547              2009-12-06  2.62   -
Symantec       1.3.0.24        20091206.005      2009-12-06  0.18   -
nProtect       20091203.01     6487164           2009-12-03  5.30   -
The Hacker     6.5.0.2         v00086            2009-12-05  1.28   -
VBA32          3.12.12.0       20091206.2021     2009-12-06  2.42   -
VirusBuster    4.5.11.10       10.115.2/2003706  2009-12-07  3.19   -



Thank you.

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4130
  • There is no magic, only lost physics
    • spg SCOTT
Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #1 on: December 07, 2009, 03:37:54 PM »
Hi vinzi, welcome to the forum :)

From the scan report, I'd be inclined to say it is a FP (GDATA uses avast! as one of its detections so it is technically one detection.)

Just for kicks, could you please upload it to www.virustotal.com  (it uses more scanners, and apparently more updated programs...avast! 4.7.4...we are at 4.8.x now...)


Please could you report the file as being a false positive to ALWIL? It should help others that have been affected.


You could also send the file in a password protected archive to virus(at)avast(dot)com with 'potential false positive' in the subject line and the password in the email body.

or

You could add the file to the user files of the virus chest and send it from there:

Right click avast icon in taskbar -->click start avast antivirus -->right click scanner background --> click virus chest --> navigate to user files --> click add files -->
right click file -->email to alwil software.

NOTE:
The file will actually be uploaded when the next update is performed (you can do a manual update to initiate the sending)



You could also add a link to this thread and some more information when you do.

-Scott-
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” Richard Feynman
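The point made in Reply #1, that a GData hit carrying the avast! name is not a second independent verdict, can be checked mechanically against a VirSCAN.org report. This is an added example, not code from any poster in the thread; the function names and the `LICENSED_ENGINE` table are assumptions, the latter taken from the statement in that reply, and the rows are an excerpt of the report in the first post.

```python
import re

# Excerpt of the VirSCAN.org report quoted in the first post (rows copied from it).
REPORT = """\
Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
AhnLab V3      2009.12.07.00   2009.12.07        2009-12-07  1.00   -
AVAST!         4.7.4           091206-1          2009-12-06  0.16   Win32:Malware-gen
BitDefender    7.81008.4703066 7.29343           2009-12-07  4.12   -
GData          19.9207/19.609  20091207          2009-12-07  6.65   Win32:Malware-gen [Engine:B]
The Hacker     6.5.0.2         v00086            2009-12-05  1.28   -
"""

# Assumption (from Reply #1): GData ships the avast! engine as one of its engines.
LICENSED_ENGINE = {"GData": "AVAST!"}

# Scanner names may contain single spaces, and two version columns can be
# separated by one space only, so anchor the row on the ISO date column.
ROW = re.compile(
    r"^(?P<scanner>.+?)\s{2,}(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>[\d.]+)\s+(?P<result>.+)$"
)
ENGINE_TAG = re.compile(r"\s*\[Engine:\w+\]$")

def parse_report(text):
    """Return (scanner, sig_date, verdict or None) for every result row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue  # header, blank or truncated line
        verdict = ENGINE_TAG.sub("", m["result"].strip())
        rows.append((m["scanner"], m["date"], None if verdict == "-" else verdict))
    return rows

def independent_detections(rows):
    """Group hits by the engine that actually produced them."""
    hits = {scanner: verdict for scanner, _, verdict in rows if verdict}
    by_engine = {}
    for scanner, verdict in hits.items():
        source = LICENSED_ENGINE.get(scanner)
        # Fold only when the licensed engine itself reported the same name.
        if source and hits.get(source) == verdict:
            scanner = source
        by_engine.setdefault(scanner, set()).add(verdict)
    return by_engine

def summarize(text):
    """Return (scanners parsed, raw hits, independent hits)."""
    rows = parse_report(text)
    return len(rows), sum(1 for r in rows if r[2]), len(independent_detections(rows))
```

On the excerpt, `summarize(REPORT)` reports two raw hits that collapse to one independent detection.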

Offline vinzi

Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #2 on: December 07, 2009, 04:07:31 PM »
Hello Scott,

Thanks for the prompt response.

I have submitted the file via User Files of the Virus Chest.

I noticed http://forum.avast.com/index.php?topic=51926.0, I am also using a Dell, a Dell Inspiron 545 desktop. It seems that this False Positive may be something to do with Dell.

Virustotal.com (https://www.virustotal.com/analisis/811180f967d5f3bc2d126ad2e000e4bfee03379ecf188a3ecfee2b3385fd4ec3-1260193663):


File avmanagerunified.dll received on 2009.12.07 13:47:43 (UTC)
Current status: finished


Result: 2/41 (4.88%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.07 -
AhnLab-V3 5.0.0.2 2009.12.07 -
AntiVir 7.9.1.102 2009.12.07 -
Antiy-AVL 2.0.3.7 2009.12.07 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.06 Win32:Malware-gen
AVG 8.5.0.426 2009.12.07 -
BitDefender 7.2 2009.12.07 -
CAT-QuickHeal 10.00 2009.12.07 -
ClamAV 0.94.1 2009.12.07 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.07 -
eSafe 7.0.17.0 2009.12.06 -
eTrust-Vet 35.1.7162 2009.12.07 -
F-Prot 4.5.1.85 2009.12.06 -
F-Secure 9.0.15370.0 2009.12.07 -
Fortinet 4.0.14.0 2009.12.07 -
GData 19 2009.12.07 Win32:Malware-gen
Ikarus T3.1.1.74.0 2009.12.07 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.913 2009.12.07 -
Kaspersky 7.0.0.125 2009.12.07 -
McAfee 5824 2009.12.06 -
McAfee+Artemis 5824 2009.12.06 -
McAfee-GW-Edition 6.8.5 2009.12.07 -
Microsoft 1.5302 2009.12.07 -
NOD32 4667 2009.12.07 -
Norman 6.03.02 2009.12.07 -
nProtect 2009.1.8.0 2009.12.07 -
Panda 10.0.2.2 2009.12.06 -
PCTools 7.0.3.5 2009.12.07 -
Prevx 3.0 2009.12.07 -
Rising 22.25.00.09 2009.12.07 -
Sophos 4.48.0 2009.12.07 -
Sunbelt 3.2.1858.2 2009.12.06 -
Symantec 1.4.4.12 2009.12.07 -
TheHacker 6.5.0.2.086 2009.12.05 -
TrendMicro 9.100.0.1001 2009.12.07 -
VBA32 3.12.12.0 2009.12.07 -
ViRobot 2009.12.7.2074 2009.12.07 -
VirusBuster 5.0.21.0 2009.12.06 -
Additional information
File size: 321024 bytes
MD5...: c9191d1c5b248032563e07b654499bfa
SHA1..: d4d0e4aa86760f031952b4c0a2b4fe5929395df4
SHA256: 811180f967d5f3bc2d126ad2e000e4bfee03379ecf188a3ecfee2b3385fd4ec3
ssdeep: 6144:XRNH5j/2DJUTYZya9xCRq7X3ultznXXMVF0PpjHbkDx73ixJxqKK:XF/sJULa9pj3uHzHMbseDF3ixmZ
 
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1db7a0
timedatestamp.....: 0x4574bdd4 (Tue Dec 05 00:31:16 2006)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x18d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x18e000 0x4e000 0x4da00 7.88 e36194b708fbe9196eb1bafb55abf525
.rsrc 0x1dc000 0x1000 0x800 3.67 e1d010686f8da3f31bd68ac06d7680fe

( 11 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect
> ADVAPI32.dll: RegCloseKey
> MSVCP60.dll: __Xlen@std@@YAXXZ
> MSVCRT.dll: atol
> ole32.dll: OleRun
> OLEAUT32.dll: -
> OPSWATAVCommon.dll: __0CRegKey@@QAE@XZ
> SHELL32.dll: SHGetFolderPathA
> SHLWAPI.dll: PathAddBackslashA
> USER32.dll: SetFocus
> VERSION.dll: VerQueryValueA

( 7 exports )
AVManagerObjectCreate, AVManagerObjectCreate2, AVManagerObjectFree, AVManagerObjectFree2, AVObjectCreate, AVObjectFree, GetSdkVersion
 
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (52.5%)
UPX compressed Win32 Executable (18.7%)
Win32 EXE Yoda's Crypter (16.3%)
Win32 Executable Generic (5.2%)
Win32 Dynamic Link Library (generic) (4.6%)
packers (Avast): UPX
packers (Kaspersky): PE_Patch.UPX, UPX
sigcheck:
publisher....: OPSWAT, Inc.
copyright....: (c) OPSWAT, Inc. All rights reserved.
product......: n/a
description..: n/a
original name: AVManagerUnified.dll
internal name: AVManagerUnified
file version.: 2, 3, 1, 1
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
 
packers (F-Prot): UPX


 
Thanks again.

Offline spg SCOTT

Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #3 on: December 07, 2009, 04:23:18 PM »
Yep, I think it is a Dell thing. I have just found a copy in an old windows installation that I have (I am also using a Dell), so I will email it to them also.

-Scott-

Offline redboots

  • Jr. Member
  • **
  • Posts: 37
Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #4 on: December 07, 2009, 04:37:18 PM »

Just hooked up my new Dell Studio 540 and got the same virus notification. I am using Windows 7 Home Premium 64 bit & Avast 4.8 Home Edition.
I have attached the .txt file with the info.
When I try to move it to chest, I get a popup saying the file cannot be found.


Offline spg SCOTT

Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #5 on: December 07, 2009, 04:43:58 PM »
Ok, as said above, it is likely to be a False positive.

For now, I would click on the 'No action' option, as the other options don't work.
This will (IIRC) block the file from loading, but leave it where it is. Then when the FP is corrected, it will be ok.

Definitely a Dell thing...

-Scott-

« Last Edit: December 07, 2009, 04:46:52 PM by spg SCOTT »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2135
Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #6 on: December 07, 2009, 04:46:37 PM »
Hello,
thank you for the notice, fixed in VPS 091207-0.

Milos

Offline redboots

Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #7 on: December 07, 2009, 04:47:50 PM »
Thanks for the quick response :D

Offline spg SCOTT

Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #8 on: December 07, 2009, 04:49:37 PM »
Hello Milos,

That was very quick :)

Confirmed, it scans clean now.

To the other users, you can do a manual update to get the fixed VPS.

-Scott-

Offline spg SCOTT

Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #9 on: January 11, 2010, 03:07:08 PM »
Hi JoanTilley,

This is a slightly old, small(ish) false positive issue that was corrected.
I have a Dell and I have no troubles at all. Although I have seen a thread about Win 7, avast! and Dells. Specifically the 64 bit version I think.
http://forum.avast.com/index.php?topic=52087.msg451055#msg451055

I would suggest that if you are having issues that you would like some help with, start a new thread and those here will try to help if they can. :)

-Scott-

Offline bubo64

  • Newbie
  • *
  • Posts: 1
Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #10 on: January 18, 2010, 11:42:22 AM »
To Milos - Alwil team

The fix doesn't seem to be complete. VPS 100117-1 on release 4.8.1351 (Win XP) reports it again. Other behaviour: re-appearing upgea.bak file (23kB) in user\Local Settings\Temp directory. I'll make a regular error report when returning home. Please check.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82724
  • No support PMs thanks
Re: Win32:Malware-gen found in avmanagerunified.dll - False positive?
« Reply #11 on: January 18, 2010, 05:05:46 PM »
Whilst it shouldn't make a difference, your program version is out of date, so I would suggest that you update to avast 4.8.1368.

Does your file that is being detected by avast have the same MD5: c9191d1c5b248032563e07b654499bfa number as this?
If not, it is a different version.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.561) UI-1.0.502/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro
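The comparison asked for in Reply #11 can be scripted so that a re-detected file is checked against every identifier posted in this thread, not MD5 alone. This is an added example, not code from any poster; the function names are assumptions, the reference values are the size, MD5, SHA1 and SHA256 from Reply #2, and the demo file is constructed.

```python
import hashlib
import os
import tempfile

# Identifiers of the false-positive sample as posted in this thread.
KNOWN_SAMPLE = {
    "size": 321024,
    "md5": "c9191d1c5b248032563e07b654499bfa",
    "sha1": "d4d0e4aa86760f031952b4c0a2b4fe5929395df4",
    "sha256": "811180f967d5f3bc2d126ad2e000e4bfee03379ecf188a3ecfee2b3385fd4ec3",
}

def fingerprint(path, chunk=1 << 16):
    """Read the file once, feeding every digest from the same blocks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            size += len(block)
            for d in digests.values():
                d.update(block)
    return {"size": size, **{n: d.hexdigest() for n, d in digests.items()}}

def mismatches(path, known=KNOWN_SAMPLE):
    """Return the fields where the local file differs from the known sample.

    An empty list means it is the same file. A file that matches on MD5 but
    not on SHA256 is a different file and needs its own verdict.
    """
    actual = fingerprint(path)
    return [k for k in known if str(actual[k]).lower() != str(known[k]).lower()]

def demo():
    # Constructed stand-in file, so the block runs without the real DLL.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed test bytes")
    try:
        same = mismatches(fh.name, fingerprint(fh.name))  # compared with itself
        other = mismatches(fh.name)                       # compared with the thread's sample
    finally:
        os.unlink(fh.name)
    return same, other
```

Any non-empty result from `mismatches()` on the flagged DLL means it is not the build discussed here, so the fix in VPS 091207-0 says nothing about it.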