Author Topic: False Positive  (Read 5760 times)

DarrellS

  • Guest
False Positive
« on: October 21, 2010, 08:54:57 PM »
For about five months, I've been getting a "suspicious file" warning for a temporary file. It's always dBPxx.tmp with numbers and sometimes a letter where the xs are. I've been searching Google and here but could never find anything about these files until today. They are from dBPoweramp, which I suspected.

dBPoweramp said that these are needed files and that Avast shouldn't delete them. How do I keep Avast from popping up a warning when it finds these files in my tmp folder? These warnings pop up almost daily and drive me crazy. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: False Positive
« Reply #1 on: October 21, 2010, 09:24:43 PM »
When is this detection happening (shortly after boot or after a scan, etc.) ?
What is the location of this temporary file ?

First, confirm that it/they are a false positive, second send the sample/s for analysis and correction, exclude from scans if you accept the risk and finally monitor/scan a file in the chest and when it is no longer detected you can remove the exclusion.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Example using a wildcard: c:\Folder_Name_path\dbp*.tmp, this will cater for the changing xx part of the file name.

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
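
An added example, not part of the thread and not an avast tool: before keeping a wildcard exclusion such as `dbp*.tmp`, it helps to see exactly which files it covers. The Python below lists the matching files in a folder, computes a SHA-256 for each (a hash can be searched on VirusTotal), and flags any file that starts with the `MZ` executable signature. The function names, record fields and sample files are constructed for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

EXCLUSION_PATTERN = "dbp*.tmp"  # wildcard taken from the reply above


def audit_excluded(folder, pattern=EXCLUSION_PATTERN):
    """Return one record per file in `folder` that the exclusion would cover."""
    records = []
    for name in sorted(os.listdir(folder)):
        # Windows file names are case-insensitive, so compare lowercased.
        if not fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            continue
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            head = fh.read(2)
            digest.update(head)
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        records.append({
            "name": name,
            "size": os.path.getsize(path),
            "sha256": digest.hexdigest(),
            # "MZ" opens DOS/PE executables; an excluded temp file that
            # starts with it deserves a closer look before it stays excluded.
            "looks_executable": head == b"MZ",
        })
    return records


def demo():
    """Audit constructed sample files (not real dBpoweramp output)."""
    samples = {
        "dBP1A.tmp": b"RIFF\x24\x00\x00\x00WAVEfmt ",  # constructed, non-executable
        "dBP2B.tmp": b"MZ\x90\x00" + b"\x00" * 60,     # constructed, PE-like header
        "other.tmp": b"not covered by the exclusion",
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return audit_excluded(folder)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

To audit a real folder, call `audit_excluded()` with the temp folder path used in the exclusion.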

DarrellS

  • Guest
Re: False Positive
« Reply #2 on: October 22, 2010, 10:52:37 PM »
There is no real pattern to when the detection happens. It never finds anything while doing a scan. At first I thought it was giving me a warning on a file that was not even there because I would check where it said it was and it was not there. I would also do a Windows search and not find anything. It wasn’t until recently that I actually saw the dBP.tmp files in my temporary folder (C:\Documents and Settings\Darrell\Local Settings\Temp). I haven’t gotten an error today but there are nine dBP.tmp files in the folder.

I’ve scanned everything having to do with dBPoweramp and have found nothing so I guess I’ll put C:\Documents and Settings\Darrell\Local Settings\Temp\dbp*.tmp in exclusions.

Every time that I get the warning (something about a possible threat and heuristic healing), I click on the button to send the file information but nothing happens and seeing others having problems with Avast on these files makes me believe that it’s an error with Avast.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: False Positive
« Reply #3 on: October 22, 2010, 11:03:33 PM »
If you can do a screen capture of the avast alert that will help us pin down what element of avast is detecting it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive
« Reply #4 on: October 23, 2010, 01:11:52 PM »
See how: http://forum.avast.com/index.php?topic=8982.0.
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).
The best things in life are free.

The Dude 321

  • Guest
Re: False Positive
« Reply #5 on: October 23, 2010, 07:46:08 PM »
I suggest you do a scan with the following tools:

1. Malwarebytes Anti-Malware
2. Super Anti Spyware
3. Hitman Pro

And remove all the results that it comes up with, and you should have your computer as right as rain! :D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: False Positive
« Reply #6 on: October 23, 2010, 08:30:34 PM »
Regardless of the suggested security application - Deletion/removal isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the quarantine (a protected area) and investigate.

DarrellS

  • Guest
Re: False Positive
« Reply #7 on: October 29, 2010, 03:27:27 AM »
I've run Superantispyware and Spywareblaster and they found nothing. Installed Hitman and it tagged...

C:\WINDOWS\system32\Macromedia\Flash\NPSWF32.dll

C:\Program Files\TeraCopy

as suspicious files.

I can't quarantine the files because there is no option to do this. I just click send.

I had put the *.tmp files in exceptions but today they popped up twice. Both times on reboot. Here are screenshots of the warning I get.

« Last Edit: October 29, 2010, 03:29:24 AM by DarrellS »