Author Topic: Win32:Malware-gen...False Positives?  (Read 40122 times)


jason67

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #15 on: January 30, 2010, 11:39:09 PM »
still no fix after the update. its weird that we cant get the 'email avast' thing to work yet others can

Bub12

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #16 on: January 31, 2010, 02:52:58 AM »
Quote
still no fix after the update. its weird that we cant get the 'email avast' thing to work yet others can

I am told that is normal.

Also, on another subject...I cannot upload the file to Jotti or VT as I am told that the file is empty or is 0 bytes. I don't understand. It was suggested in another forum that my firewall may be responsible but I have never had a problem uploading a file before. It was also suggested that it might be a result of malware. (This was on bleepingcomputer.com)

jason67

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #17 on: January 31, 2010, 03:11:58 AM »
Quote
still no fix after the update. its weird that we cant get the 'email avast' thing to work yet others can

I am told that is normal.


Are you referring to not being able to email?

Bub12

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #18 on: January 31, 2010, 03:34:07 AM »
Yes Jason...

Also, just an update...

I was able to upload the Inchtour.PIF, which is an apparent shortcut to the Inchtour.exe file, to Jotti & VirusTotal.

I was not able to upload the original Inchtour.exe file however. When I went to the properties of the Inchtour.exe file, an Inchtour icon shortcut was created automatically. This is a shortcut to "an msdos program" as it's stated in the properties of the shortcut. In the properties of this shortcut, it is also indicated that it's a shortcut to the Inchtour.exe. I am able to upload this file to the online scanners but when I upload the original Inchtour.exe file directly, it comes up as 0 bytes, although the file size is 3.92.

I hope this makes sense. If not, please reread as I don't know how else to explain it :-) Thanks!
« Last Edit: January 31, 2010, 03:37:09 AM by Bub12 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen...False Positives?
« Reply #19 on: January 31, 2010, 04:52:07 AM »
Because avast is blocking the upload.

Create a folder called Suspect in the C:\ drive.
Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder and allow it to be uploaded to VT.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jason67

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #20 on: January 31, 2010, 05:37:14 AM »
Quote
Yes Jason...

I'm not sure what you mean exactly by 'normal'. Does it just randomly not work every once in a while? Or is there a known cause that I should look into?

It's worked every other time I've tried it, and people in other recent threads don't seem to have a problem.

I know it’s obviously 99.99% a false positive, the only reason I’m slightly concerned is that I downloaded some freeware recently after not having done so in a long while, and having zero detections in that time span.


Bub12

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #21 on: January 31, 2010, 06:35:43 AM »
Quote
Because avast is blocking the upload.

Create a folder called Suspect in the C:\ drive.
Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder and allow it to be uploaded to VT.

THANK YOU for replying! I really appreciate it. I have been at this for 24 hours & am still not sure what's going on. Knowing that Avast is blocking the upload helps.

What about that shortcut that's getting automatically created? Does that ring any bells for you?
And...does my problem seem like a false positive?

Thanks again!

Jason,
I was told by someone in another forum that he suspected that it was normal that we are not receiving notification that we are actually emailing Avast. He experiences the same with another AV. The source of the info is trusted. But who knows for sure why we're not receiving verification?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen...False Positives?
« Reply #22 on: January 31, 2010, 04:38:28 PM »
I have no idea what is creating the inchtour.pif, which incidentally isn't a shortcut but can be a dangerous file type. The .pif file type stands for Program Information File and is actually used to run/install/setup a program.

http://filext.com/file-extension/PIF
Quote
The PIF file type is primarily associated with 'Windows' by Microsoft Corporation. A Program Information File dates back to the early versions of Windows. Basically, it's an information file that when you click on it the information in the file is used by Windows to run some program; including code that can be in the PIF file. It is a potentially dangerous file type and one should never click on one received via E-mail without extensive knowledge of exactly what it will do first. Note: This file type can become infected and should be carefully scanned if someone sends you a file with this extension.

As for is this an FP I haven't the slightest idea and that is why inchtour.exe should be uploaded to virustotal to confirm or deny the detection.

Uploading inchtour.pif to VT was a futile exercise, as I would almost guarantee nothing would be detected: it is just a text file with a bunch of commands, etc., which in themselves aren't malicious; it is the actions or files that they might run that could be malicious. But avast wasn't alerting on this either, so no real point in uploading it as it doesn't have any bearing on the inchtour.exe detection.

So once you have the suspect folder created and the exclusion set upload it to virustotal and post the URL to the results page of virustotal, then we might be able to say with any sort of confidence if the detection was good or not.
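A pre-submission triage step for the situation discussed in this post and the earlier replies, added here as an example; it is not code from the original thread and not Avast's or VirusTotal's own tooling. Before uploading a suspect file, record its size and SHA-256 (so a copy taken from another PC can be shown to be the same file, and a 0-byte read is caught immediately) and identify the container by content rather than by extension, distinguishing a Win32 PE executable from a Program Information File. It relies on the documented layouts of both formats (a PE has an `MZ` header with `e_lfanew` at offset 0x3C pointing at `PE\0\0`; a PIF has a 0x171-byte basic block, with the program path at offset 0x24, followed by a section header named `MICROSOFT PIFEX`). The sample byte strings and the program path `C:\SAMPLE\PROGRAM.EXE` are constructed for the demonstration.

```python
"""Triage a suspect file by content before submitting it to an online scanner.

Added example for the thread; not Avast or VirusTotal code. Format offsets
follow the documented PE and PIF layouts; sample inputs are constructed.
"""
import hashlib
import struct

PIFEX_MARKER = b"MICROSOFT PIFEX"
PIF_SECTION_OFFSET = 0x171   # first section header follows the basic block
PIF_PROGRAM_OFFSET = 0x24    # program path, 63 bytes, NUL-terminated
PIF_PROGRAM_LEN = 63


def classify(data: bytes) -> str:
    """Identify the container from its bytes, ignoring the file extension."""
    if len(data) == 0:
        # A 0-byte read usually means the scanner blocked access, not an empty file.
        return "empty"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"          # Win32 executable
        return "mz"              # DOS-style executable, or a truncated PE
    end = PIF_SECTION_OFFSET + len(PIFEX_MARKER)
    if len(data) >= end and data[PIF_SECTION_OFFSET:end] == PIFEX_MARKER:
        return "pif"             # Program Information File: launches a DOS program
    return "unknown"


def pif_target(data: bytes) -> str:
    """Return the program path a PIF would launch (basic block, offset 0x24)."""
    raw = data[PIF_PROGRAM_OFFSET:PIF_PROGRAM_OFFSET + PIF_PROGRAM_LEN]
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def triage(data: bytes) -> dict:
    """Size, hash and content type: enough to compare copies across machines."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "kind": classify(data),
    }


def make_sample_pif(program: bytes) -> bytes:
    """Constructed PIF: basic block with a program path, then the PIFEX header."""
    buf = bytearray(PIF_SECTION_OFFSET)
    buf[PIF_PROGRAM_OFFSET:PIF_PROGRAM_OFFSET + len(program)] = program
    buf += PIFEX_MARKER.ljust(16, b"\0")            # 16-byte section name
    buf += struct.pack("<HHH", 0xFFFF, 0, PIF_SECTION_OFFSET)  # last section, data offset, length
    return bytes(buf)


def make_sample_pe() -> bytes:
    """Constructed minimal MZ/PE header: enough for classify(), not a loadable binary."""
    buf = bytearray(0x40)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew -> PE signature at 0x40
    buf += b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("exe", make_sample_pe()),
                          ("pif", make_sample_pif(b"C:\\SAMPLE\\PROGRAM.EXE")),
                          ("blocked-read", b"")):
        info = triage(sample)
        extra = f" -> {pif_target(sample)}" if info["kind"] == "pif" else ""
        print(f"{label:12s} {info['kind']:8s} {info['size']:6d} {info['sha256']}{extra}")
```

Run it on the real file from the excluded `C:\Suspect` folder instead of the constructed samples; a result of `empty` on a file that Explorer reports as several MB is the symptom described earlier in the thread, and matching SHA-256 values on two machines settle the "is it the same file" question before anyone compares VirusTotal reports.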

Bub12

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #23 on: January 31, 2010, 05:58:49 PM »
Hi DavidR & thanks...

As far as the lnchtour.pif not being a shortcut...I really don't know but it does state that it is a shortcut in the file properties.

Before I try to create the "suspect" folder, FYI, I uploaded the inchtour.exe file from my other pc to VT & Jotti. Is that enough or do I need to upload it from the computer showing the "malware" too?

From my other pc, which also has an lnchtour.exe file, the VT results showed 4 of 40 positives & 36 scans were clean.

Jotti showed no positives.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen...False Positives?
« Reply #24 on: January 31, 2010, 06:33:32 PM »
We are dealing with the one on this system that is considered infected. I don't know what is on your other system, even if it was the exact same file you uploaded to VT you didn't post the results URL.

So please let's do this as suggested or we are both wasting time - you have to do it in the order that I laid it out in my previous post, Reply #19 above, or avast will alert or block any action on a file it considers infected.

Create the suspect folder, exclude the folder in the file system shield before extracting it from the chest (presumably that is where it is).
Bub12

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #26 on: January 31, 2010, 07:23:24 PM »
One more thing...

Avast updated this morning & AFTER I set up the Suspect folder & uploaded the file to VT, I moved the file back to the MS Works folder & clicked properties, which was setting off Avast sirens :-) as well as creating that MSDOS icon. Well, no more sirens & no more magically created icon.

I am scanning now to see if this was an FP which has been remedied. Seems to be the case, but we'll see...


UPDATE

Just did a full scan & all is clean!!! Grrrrrrr!!! Looks like the countless hours invested were all for an FP after all. Just for kicks, I tried to upload the lnchtour file to VT again, directly from the MSWorks folder & it uploaded okay. You were right DavidR, it must have been blocked from uploading initially by Avast. Also seems as though, by Avast considering this file to be infected, for some reason the MSDOS/lnchtour icon was being created, as that is no longer happening either.

Thanks everyone! Maybe Avast will post something confirming this FP for others to see as well. I have seen MBAM clearly post info of FP's on their site in the past & I have found that to be very considerate & helpful.
« Last Edit: January 31, 2010, 08:07:51 PM by Bub12 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen...False Positives?
« Reply #27 on: January 31, 2010, 08:45:16 PM »
Yes looks like it was cleared in a VPS update as it was no longer detected by avast on VT.

Generally it will have been submitted to someone as well, so they are quick to act on an FP once acknowledged.

The time is seldom wasted as the experience gained is never wasted ;D

Bub12

  • Guest
Re: Win32:Malware-gen...False Positives?
« Reply #28 on: January 31, 2010, 09:03:49 PM »
Quote
The time is seldom wasted as the experience gained is never wasted

Tell that to my wife  ;)

The only thing that still bugs me is that I wish I more clearly understood that MSDOS/lnchtour.pif file that was magically being created...


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen...False Positives?
« Reply #29 on: January 31, 2010, 09:18:19 PM »
I don't know either. Computer mysteries, ah: can't live without them, can't live with them.