Author Topic: False Positive for file ALCRMV.EXE  (Read 7110 times)


snow49

  • Guest
False Positive for file ALCRMV.EXE
« on: July 11, 2010, 05:45:40 AM »
OS Windows XP Home SP3 using Avast 5 free.  I was letting Malwarebytes scan my computer.  When it reached C:\Windows\alcrmv.exe my Avast popped up and said that it was being placed in the Virus Vault as it was Malware-32.
This file has been in my computer since 2004 as it is a file from Realtek Corp. and is needed.  I waited until I received an update from Avast hoping that it would correct itself.  It didn't.  I restored to a point two days earlier.  It was ok until Avast updated.  I have sent this file to Avast but I haven't heard anything.  Just wondering if anyone else has had this problem.

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: False Positive for file ALCRMV.EXE
« Reply #1 on: July 11, 2010, 09:56:10 AM »
Try sending the file to Virus Total just to be sure and post the results:

http://www.virustotal.com/
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

snow49

  • Guest
Re: False Positive for file ALCRMV.EXE
« Reply #2 on: July 11, 2010, 12:43:37 PM »
Below is the report...........

Thanks,
Joe

--------------
ALCRMV.EXE received on 2010.07.10 14:47:54 (UTC)
Current status: finished

Result: 3/40 (7.50%)
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.10 -
AhnLab-V3 2010.07.10.00 2010.07.09 -
AntiVir 8.2.4.10 2010.07.09 -
Antiy-AVL 2.0.3.7 2010.07.09 -
Authentium 5.2.0.5 2010.07.10 -
Avast 4.8.1351.0 2010.07.10 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.10 Win32:Malware-gen
AVG 9.0.0.836 2010.07.10 -
BitDefender 7.2 2010.07.10 -
CAT-QuickHeal 11.00 2010.07.10 -
ClamAV 0.96.0.3-git 2010.07.10 -
Comodo 5381 2010.07.10 -
DrWeb 5.0.2.03300 2010.07.10 -
eTrust-Vet 36.1.7696 2010.07.10 -
F-Prot 4.6.1.107 2010.07.09 -
F-Secure 9.0.15370.0 2010.07.09 -
Fortinet 4.1.143.0 2010.07.10 -
GData 21 2010.07.10 Win32:Malware-gen
Ikarus T3.1.1.84.0 2010.07.10 -
Jiangmin 13.0.900 2010.07.10 -
Kaspersky 7.0.0.125 2010.07.10 -
McAfee 5.400.0.1158 2010.07.10 -
McAfee-GW-Edition 2010.1 2010.07.05 -
Microsoft 1.5902 2010.07.10 -
NOD32 5267 2010.07.10 -
Norman 6.05.11 2010.07.10 -
nProtect 2010-07-10.01 2010.07.10 -
Panda 10.0.2.7 2010.07.10 -
PCTools 7.0.3.5 2010.07.10 -
Prevx 3.0 2010.07.10 -
Rising 22.55.04.04 2010.07.09 -
Sophos 4.55.0 2010.07.10 -
Sunbelt 6566 2010.07.10 -
Symantec 20101.1.0.89 2010.07.10 -
TheHacker 6.5.2.1.311 2010.07.08 -
TrendMicro 9.120.0.1004 2010.07.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.10 -
VBA32 3.12.12.6 2010.07.09 -
ViRobot 2010.6.29.3912 2010.07.10 -
VirusBuster 5.0.27.0 2010.07.09 -
Additional information
File size: 139264 bytes
MD5   : b0f1b46426ee2467395df642cd8900cf
SHA1  : 1a616ac4f22bd831eff0e754a6cf78231637c6df
SHA256: 30153fc6f78da1ee0f7939894be3c05dd93f27691be2388abb5d4dc59b0478fc
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5A0D
timedatestamp.....: 0x3F171EAE (Fri Jul 18 00:09:50 2003)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16062 0x17000 6.37 e8a62d25181de0f806911e4b2146f70f
.rdata 0x18000 0x4D98 0x5000 4.79 039d77668c92b8eee7a7365cb8c9f1a8
.data 0x1D000 0x6068 0x2000 3.92 e9ac21d24d073090774c881b3fcd97c1
.rsrc 0x24000 0x2F48 0x3000 3.97 b3041e9c97db4097aa33e5f6d8b689eb

( 7 imports )

> advapi32.dll: RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA, RegOpenKeyA, RegDeleteKeyA, RegCloseKey, RegQueryValueExA
> comctl32.dll: -
> gdi32.dll: GetClipBox, SetBkColor, GetObjectA, DeleteDC, SaveDC, RestoreDC, SelectObject, GetStockObject, SetBkMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, IntersectClipRect, CreateBitmap, PatBlt, DeleteObject, GetDeviceCaps, CreateSolidBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, CreateDIBitmap, CreateCompatibleDC, BitBlt, GetTextExtentPointA, SetTextColor
> kernel32.dll: RtlUnwind, GetStartupInfoA, ExitProcess, TerminateProcess, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, GetACP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, HeapFree, WideCharToMultiByte, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, FindNextFileA, GetLastError, FormatMessageA, LocalFree, SetLastError, GetProfileStringA, FlushFileBuffers, SetFilePointer, WriteFile, GetCurrentProcess, SetErrorMode, GetOEMCP, GetCPInfo, SizeofResource, GetProcessVersion, WritePrivateProfileStringA, GlobalFlags, lstrcpynA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, MulDiv, LoadLibraryA, FreeLibrary, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GetModuleHandleA, OutputDebugStringA, Sleep, GetProcAddress, MultiByteToWideChar, InterlockedDecrement, GetCommandLineA, InterlockedIncrement, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, CloseHandle, GetModuleFileNameA, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, LocalAlloc, lstrlenA, GetWindowsDirectoryA, FindFirstFileA, lstrcpyA, lstrcatA, SetFileAttributesA, DeleteFileA, GetFileType, HeapDestroy, GetEnvironmentStringsW, SetHandleCount, GetStdHandle
> setupapi.dll: SetupCloseInfFile, SetupDiGetClassDevsA, SetupGetInfFileListA, SetupGetStringFieldA, SetupFindFirstLineA, SetupOpenInfFileA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList, SetupDiRemoveDevice, SetupDiGetDeviceRegistryPropertyA, SetupDiGetDeviceInstanceIdA
> user32.dll: SetWindowTextA, ShowWindow, ClientToScreen, GetWindowDC, BeginPaint, IsDialogMessageA, EndPaint, DrawTextA, GrayStringA, LoadCursorA, GetClassNameA, PtInRect, TabbedTextOutA, LoadStringA, GetSysColorBrush, InflateRect, DestroyMenu, InvalidateRect, GetTopWindow, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, UpdateWindow, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, GetWindow, SetWindowLongA, OffsetRect, IntersectRect, GetWindowRect, CopyRect, GetDC, ReleaseDC, EndDialog, SetActiveWindow, IsWindow, CreateDialogIndirectParamA, DestroyWindow, GetDlgItem, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, MessageBoxA, SetCursor, PostQuitMessage, LoadIconA, EnableWindow, GetClientRect, IsIconic, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, ScreenToClient, SendDlgItemMessageA, GetWindowTextA, GetDlgCtrlID, GetMenuItemID, GetWindowTextLengthA, PostMessageA, SendMessageA, DrawIcon, GetSystemMetrics, RegisterWindowMessageA, SetWindowPos, GetWindowPlacement, SystemParametersInfoA, SetForegroundWindow, ShowCaret, IsWindowUnicode, CharNextA, DefDlgProcA, DrawFocusRect, ExcludeUpdateRgn, HideCaret, UnregisterClassA
> winspool.drv: OpenPrinterA, DocumentPropertiesA, ClosePrinter

( 0 exports )
 
TrID  : File type identification
Win64 Executable Generic (54.6%)
Win32 Executable MS Visual C++ (generic) (24.0%)
Windows Screen Saver (8.3%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)
ssdeep: 3072:TMF6KWkHBBj8FJQ+mZRS+BavbaQo6wV2NnyI:TMF6KWYBBIFWPF2N
sigcheck: publisher....: Realtek Semiconductor Corp.
copyright....: Copyright (C) 2000-2001 Realtek Semiconductor Corp.
product......: Realtek AC_97 Removing Tool
description..: Tool for Removing Drivers
original name: alcrmv.exe
internal name: alcrmv
file version.: 1, 6, 2, 0
comments.....: Written by Desker
signers......: -
signing date.: -
verified.....: Unsigned
 
PEiD  : -
RDS   : NSRL Reference Data Set
 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: False Positive for file ALCRMV.EXE
« Reply #3 on: July 11, 2010, 03:21:48 PM »
If only GData and avast detect it: GData uses avast as one of its two scanners, so it counts as 1 detection and is almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add it to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
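The reasoning in the reply above (raw detections versus independent detections, because GData bundles the avast engine) can be turned into a small triage script for reports like the one pasted earlier in the thread. The following is an added example, not code from the forum or from Avast or VirusTotal: it parses the "Antivirus Version Last Update Result" lines and the sigcheck `verified` field, counts raw detections, collapses engines that share a family so they count once, and applies a simple false-positive heuristic. The `ENGINE_FAMILY` map (beyond the GData/avast relation stated in the thread) and the `likely_false_positive` threshold are assumptions for illustration; the sample report is constructed from a subset of the lines posted above.

```python
import re

# Constructed sample: a subset of the engine lines from the report posted in
# this thread, plus two lines from its sigcheck block.
SAMPLE_REPORT = """\
Result: 3/40 (7.50%)
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.10 -
AhnLab-V3 2010.07.10.00 2010.07.09 -
AntiVir 8.2.4.10 2010.07.09 -
Avast 4.8.1351.0 2010.07.10 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.10 Win32:Malware-gen
AVG 9.0.0.836 2010.07.10 -
BitDefender 7.2 2010.07.10 -
GData 21 2010.07.10 Win32:Malware-gen
Kaspersky 7.0.0.125 2010.07.10 -
McAfee 5.400.0.1158 2010.07.10 -
Microsoft 1.5902 2010.07.10 -
Symantec 20101.1.0.89 2010.07.10 -
sigcheck: publisher....: Realtek Semiconductor Corp.
verified.....: Unsigned
"""

# Engines whose verdicts are not independent of each other. The GData -> avast
# relation is the one stated in the thread; the map is otherwise an assumption
# and would be extended from vendor documentation in real use.
ENGINE_FAMILY = {
    "Avast": "avast",
    "Avast5": "avast",
    "GData": "avast",
}

# engine, version, last-update date (YYYY.MM.DD), verdict
ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
# sigcheck's "verified.....: <value>" line
VERIFIED_LINE = re.compile(r"^verified\.*:\s*(.+?)\s*$", re.MULTILINE)


def parse_report(text):
    """Map engine name -> verdict string ('-' means no detection)."""
    results = {}
    for line in text.splitlines():
        m = ENGINE_LINE.match(line)
        if m:  # header, Result: and sigcheck lines do not match the pattern
            engine, _version, _updated, verdict = m.groups()
            results[engine] = verdict
    return results


def raw_detections(results):
    """Engines that returned a verdict other than '-'."""
    return [engine for engine, verdict in results.items() if verdict != "-"]


def independent_detections(results):
    """Group detecting engines by family so a shared engine counts once."""
    families = {}
    for engine in raw_detections(results):
        family = ENGINE_FAMILY.get(engine, engine.lower())
        families.setdefault(family, []).append(engine)
    return families


def sigcheck_verified(text):
    """Return the sigcheck 'verified' field (e.g. 'Unsigned'), or None."""
    m = VERIFIED_LINE.search(text)
    return m.group(1) if m else None


def triage(text):
    """Summarise a report the way the thread reasons about it."""
    results = parse_report(text)
    raw = raw_detections(results)
    families = independent_detections(results)
    # Heuristic (assumption): at most one independent family flagging while
    # fewer than half of the engines detect points at a false positive worth
    # submitting as such; an unsigned binary still deserves a hash check
    # against the vendor's download before it is excluded from scanning.
    likely_fp = len(families) <= 1 and len(raw) * 2 < len(results)
    return {
        "engines": len(results),
        "raw_detections": len(raw),
        "independent_detections": len(families),
        "detecting_families": families,
        "verified": sigcheck_verified(text),
        "likely_false_positive": likely_fp,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 3 raw detections but 1 independent family (avast), which is exactly the "counts as 1 detection" point made in the reply; the `verified: Unsigned` field is carried along because an unsigned vendor tool is a case where verifying the file hash against the vendor is the sensible extra check before adding an exclusion.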

snow49

  • Guest
Re: False Positive for file ALCRMV.EXE
« Reply #4 on: July 11, 2010, 05:38:46 PM »
Thanks David.  I have asked that the file be sent to Avast at the next update.  I have entered the file in the exclusion list. Actually, Avast found it when Malwarebytes was scanning.  Avast didn't find it on the quick scan, only the full scan. We will see how we come out.

Joe

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: False Positive for file ALCRMV.EXE
« Reply #5 on: July 11, 2010, 06:02:50 PM »
You're welcome.

That is one of the things when other security applications are scanning they open files to scan them and that forces avast's resident (on-access) protection to scan the same file, otherwise it could lay dormant if it was never in use.

snow49

  • Guest
Re: False Positive for file ALCRMV.EXE
« Reply #6 on: July 11, 2010, 06:24:45 PM »
Hi David.  I just did a scan with Malwarebytes with no problem from Avast.  I followed that up with a full system scan with Avast.  It didn't find anything wrong.  I went to my virus vault which had about 6-8 Win XP restore files there.  I restored all that would restore and deleted the rest.  It also had 7 or 8 copies of the alcrmv.exe file.  I deleted all but two.  All of this was after placing the file on Exclusion.  It seems like we are ok for now.  I also created a new restore point after doing all of this.  Thanks again for helping this old 80 yr old man with his problem.

Joe S.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: False Positive for file ALCRMV.EXE
« Reply #7 on: July 11, 2010, 06:40:53 PM »
No problem, glad I could help.

If the file was moved to the chest or you excluded it from scans then MBAM would either not be able to scan it in the chest, or if in its original location avast would be ignoring it.

snow49

  • Guest
Re: False Positive for file ALCRMV.EXE
« Reply #8 on: July 11, 2010, 07:14:42 PM »
Yes David, the file remains in its original location which is C:\Windows.  Since it's on the exclusion list, Avast is ignoring it so it's no problem now for Malwarebytes.  The funny thing about it was my wife's computer has the same file.  I held off letting Avast update until I was able to get mine fixed.  I just updated her computer and it didn't affect it.  So both of us are OK.

Again, I appreciate it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: False Positive for file ALCRMV.EXE
« Reply #9 on: July 11, 2010, 07:24:43 PM »
You're welcome.