Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE

[DavidR]

David,

Is there anything we can do for you to help facilitate a resolution? I'd be happy to share any information on my system you request.

Unfortunately not, I'm in the same boat as everyone else as I'm avast user like you all. The only thing is when detected send it to the chest and submit it from the chest to the virus labs for analysis as an FP.

[NickNZ]

Quick question, I'm looking for reassurance more than anything else I guess.  Is the file mentioned by the OP definitely a false positive, or could it be genuinely infected.  Can I restore it without risking my pc security/do I need to restore it?  Normally I'd think nothing of it but I do game online quite a bit and anything involving a keylogger, as the infected file is described here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Spyeye, makes me worry about my account security.

My own two cents would be to argue in favour of it being a FP, based on the fact that it's only been picked up now, but then I don't know how the NativeImage service works.

Any help would be much appreciated 

To clarify, the file that got detected on my PC was mscorlib.ni.dll in C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a.  The final modification date of the file is within 24 hours of SP1 for win7 being installed

[DavidR]

The other file plopana is mentioning mscorsvw.exe, may well not be covered in this VPS Update, so has anyone sent it off for analysis as an FP. I only have one instance of this file 65KB but not in the windows\assembly folder mne if in the windows\winsxs folder and also comes up clean

I don't think anyone reported mscorsvw.exe (the infamous .NET Runtime Optimization Service) binary to trigger a false positive. People were just reporting that it's eating their CPU for lunch. Yeah, it completely sucks, been like that for ages.

I think plopana did report it as a win32:spyeye detection also. Though the path has been concatenated, but it wasn't like the others C:\Windows\assembly\Native_v2050727...\mscorlib (see quote below) so my assumption (dangerous I know) was that his detection was on mscorsvw.exe not mscorlib.dll.

Same problem heare!!!:)

Object:  C:\Windows\assembly\Native_v2050727...\mscorsw
Infection/; Win32.spyyey_BG[trj]

But it looks like a typing exercise rather than a copy and paste of the alert text, so confusion reigns.

[Tyreman]

with update 110302.0 looks good now,  not showing an alert.
I did restore the file first via right click, selecting restore while in the chest
Thanks

[MrMaxaMan]

I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?

[doktornotor]

I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?

No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

[MrMaxaMan]

No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

Excellent, thanks for letting me know.

[NickNZ]

I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?

No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

Doktor, can I take from this that I don't have to restore the file and can assume that the problem is fixed/my system is "safe"?  I'm still running a few scans (malwarebytes, spybot S&D, ad-aware), just don't want to unduly panic more than I have to   My original post is below

Quick question, I'm looking for reassurance more than anything else I guess.  Is the file mentioned by the OP definitely a false positive, or could it be genuinely infected.  Can I restore it without risking my pc security/do I need to restore it?  Normally I'd think nothing of it but I do game online quite a bit and anything involving a keylogger, as the infected file is described here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Spyeye, makes me worry about my account security.

My own two cents would be to argue in favour of it being a FP, based on the fact that it's only been picked up now, but then I don't know how the NativeImage service works.

Any help would be much appreciated 

To clarify, the file that got detected on my PC was mscorlib.ni.dll in C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a.  The final modification date of the file is within 24 hours of SP1 for win7 being installed

[MrMaxaMan]

Strangely enough I got this alert while using Windows Live Mail, I don't if that makes any difference.

[psikofunkster]

i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?

I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?

No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

but the one deleted was mscrolib.dll, which compile which? mscorlib.dll compiles another file or mscrolib.dll is compiled?

[doktornotor]

i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?

You deleted mscorlib.dll or mscorlib.ni.dll?

[psikofunkster]

i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?

You deleted mscorlib.dll or mscorlib.ni.dll?

as far as i remember it was mscorlib.dll

and not only that another OLE file in a temp folder was affected too (avast said it was corrupted).

[doktornotor]

Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to. Obviously blindly deleting some files is a bad thing - that's what the chest is for if you are unsure about the file.

[psikofunkster]

I have no problems with SP1 myself so definitely comes under the heading weird

i didn't have problems with SP1 (installed the day of the release), but TODAY the problem appeared simultaneously in two different pc's....

Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to.

so im screwed up? cause avast told me to delete exactly that file...

[doktornotor]

so im screwed up? cause avast told me to delete exactly that file...

As noted above, you should put the file into chest, not delete it if you don't know whether it's infected or not. You should have the library in these locations:

C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\Windows\Microsoft.NET\Framework\v4.0.30319