Author Topic: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE  (Read 59532 times)


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #60 on: March 02, 2011, 02:23:11 AM »
David,

Is there anything we can do for you to help facilitate a resolution? I'd be happy to share any information on my system you request.

Unfortunately not, I'm in the same boat as everyone else as I'm an avast user like you all. The only thing is when detected send it to the chest and submit it from the chest to the virus labs for analysis as an FP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

NickNZ

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #61 on: March 02, 2011, 02:23:44 AM »
Quick question, I'm looking for reassurance more than anything else I guess. Is the file mentioned by the OP definitely a false positive, or could it be genuinely infected? Can I restore it without risking my pc security/do I need to restore it? Normally I'd think nothing of it but I do game online quite a bit and anything involving a keylogger, as the infected file is described here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Spyeye, makes me worry about my account security.

My own two cents would be to argue in favour of it being a FP, based on the fact that it's only been picked up now, but then I don't know how the NativeImage service works.

Any help would be much appreciated  :)

To clarify, the file that got detected on my PC was mscorlib.ni.dll in C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a.  The final modification date of the file is within 24 hours of SP1 for win7 being installed

Online DavidR

Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #62 on: March 02, 2011, 02:30:43 AM »
The other file plopana is mentioning, mscorsvw.exe, may well not be covered in this VPS Update, so has anyone sent it off for analysis as an FP? I only have one instance of this file, 65KB, but not in the windows\assembly folder; mine is in the windows\winsxs folder and also comes up clean

I don't think anyone reported mscorsvw.exe (the infamous .NET Runtime Optimization Service) binary to trigger a false positive. People were just reporting that it's eating their CPU for lunch. Yeah, it completely sucks, been like that for ages.

I think plopana did report it as a win32:spyeye detection also. Though the path has been concatenated, but it wasn't like the others C:\Windows\assembly\Native_v2050727...\mscorlib (see quote below) so my assumption (dangerous I know) was that his detection was on mscorsvw.exe not mscorlib.dll.

Same problem heare!!!:):)

Object:  C:\Windows\assembly\Native_v2050727...\mscorsw
Infection/; Win32.spyyey_BG[trj]

But it looks like a typing exercise rather than a copy and paste of the alert text, so confusion reigns.

Tyreman

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #63 on: March 02, 2011, 02:31:12 AM »
with update 110302.0 looks good now,  not showing an alert. ;D
I did restore the file first via right click, selecting restore while in the chest
Thanks

Offline MrMaxaMan

  • Full Member
  • ***
  • Posts: 195
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #64 on: March 02, 2011, 03:10:44 AM »
I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?
Avast Free 20.3.2405 - Comodo 12.2.2.7036 Firewall with D+ - Winpatrol Free.
On demand - MBAM - Super Antispyware.
Windows 10 64bit - 16GB Ram.

doktornotor

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #65 on: March 02, 2011, 03:12:19 AM »
I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?

No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

Offline MrMaxaMan

Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #66 on: March 02, 2011, 03:14:55 AM »
Quote
No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

Excellent, thanks for letting me know.

NickNZ

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #67 on: March 02, 2011, 03:17:54 AM »
I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?

No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

Doktor, can I take from this that I don't have to restore the file and can assume that the problem is fixed/my system is "safe"?  I'm still running a few scans (malwarebytes, spybot S&D, ad-aware), just don't want to unduly panic more than I have to :)  My original post is below
Quick question, I'm looking for reassurance more than anything else I guess. Is the file mentioned by the OP definitely a false positive, or could it be genuinely infected? Can I restore it without risking my pc security/do I need to restore it? Normally I'd think nothing of it but I do game online quite a bit and anything involving a keylogger, as the infected file is described here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Spyeye, makes me worry about my account security.

My own two cents would be to argue in favour of it being a FP, based on the fact that it's only been picked up now, but then I don't know how the NativeImage service works.

Any help would be much appreciated  :)

To clarify, the file that got detected on my PC was mscorlib.ni.dll in C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a.  The final modification date of the file is within 24 hours of SP1 for win7 being installed

Offline MrMaxaMan

Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #68 on: March 02, 2011, 03:20:27 AM »
Strangely enough I got this alert while using Windows Live Mail, I don't know if that makes any difference.

psikofunkster

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #69 on: March 02, 2011, 03:33:35 AM »
i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?

I got this alert earlier too, I kept trying to put it in the chest but it wouldn't do it and just kept alerting me. So I clicked on delete, I'm just wondering if there will be any problems now the file has been removed, do I need it?

No, you don't need it. It's compiled from mscorlib.dll on-the-fly.

but the one deleted was mscorlib.dll, which compiles which? mscorlib.dll compiles another file or mscorlib.dll is compiled?
« Last Edit: March 02, 2011, 03:35:50 AM by psikofunkster »

doktornotor

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #70 on: March 02, 2011, 03:35:30 AM »
i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?

You deleted mscorlib.dll or mscorlib.ni.dll?

psikofunkster

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #71 on: March 02, 2011, 03:36:17 AM »
i deleted this file because avast told me to do, mscorlib.dll, it was a trojan? or i screwed up my system courtesy of avast 6?

You deleted mscorlib.dll or mscorlib.ni.dll?

as far as i remember it was mscorlib.dll

and not only that another OLE file in a temp folder was affected too (avast said it was corrupted).
« Last Edit: March 02, 2011, 03:38:42 AM by psikofunkster »

doktornotor

  • Guest
Re: Windows 7 Service pack 1 installed. Virus warning is a FALSE POSITIVE
« Reply #72 on: March 02, 2011, 03:41:01 AM »
Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to. Obviously blindly deleting some files is a bad thing - that's what the chest is for if you are unsure about the file.
« Last Edit: March 02, 2011, 03:42:53 AM by doktornotor »

psikofunkster

  • Guest
Re: Windows 7 Service pack 1 installed a virus?
« Reply #73 on: March 02, 2011, 03:42:08 AM »
I have no problems with SP1 myself so definitely comes under the heading weird

i didn't have problems with SP1 (installed the day of the release), but TODAY the problem appeared simultaneously in two different pc's....

Files in temporary folders don't matter. Deleting mscorlib.dll will break the particular .NET version it belonged to.

so I'm screwed up? cause avast told me to delete exactly that file...

doktornotor

  • Guest
Re: Windows 7 Service pack 1 installed a virus?
« Reply #74 on: March 02, 2011, 03:50:26 AM »
so I'm screwed up? cause avast told me to delete exactly that file...


As noted above, you should put the file into the chest, not delete it, if you don't know whether it's infected or not. You should have the library in these locations:

C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\Windows\Microsoft.NET\Framework\v4.0.30319
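
Added example, not part of any post in this thread: a PowerShell check that tells the two files apart after a quarantine or delete, reporting whether the source mscorlib.dll is still present in the two framework folders listed above and which mscorlib.ni.dll native images exist and when they were built. The function name Test-MscorlibState is hypothetical; the paths are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Test-MscorlibState is a hypothetical name.
# Framework and NativeImages paths are the ones quoted in the posts above.
function Test-MscorlibState {
    param([string]$WinDir = $env:windir)

    $frameworkDirs = 'Microsoft.NET\Framework\v2.0.50727',
                     'Microsoft.NET\Framework\v4.0.30319'

    # 1. The source assembly: this is the file that must not be missing.
    foreach ($rel in $frameworkDirs) {
        $dll = Join-Path (Join-Path $WinDir $rel) 'mscorlib.dll'
        $row = @{ Kind = 'Source'; Path = $dll; Present = $false
                  Version = $null; Signature = $null; Modified = $null }
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $item = Get-Item -LiteralPath $dll
            $row.Present   = $true
            $row.Version   = $item.VersionInfo.FileVersion
            $row.Modified  = $item.LastWriteTime
            # Status only; anything other than 'Valid' is a prompt to look closer.
            $row.Signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        New-Object PSObject -Property $row
    }

    # 2. Native images (mscorlib.ni.dll): generated locally from the source
    #    assembly, so a missing one is not fatal. The timestamp shows when
    #    each image was last built.
    $pattern = Join-Path $WinDir 'assembly\NativeImages_*'
    Get-ChildItem -Path $pattern -Recurse -Filter 'mscorlib.ni.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind = 'NativeImage'; Path = $_.FullName; Present = $true
                Version = $_.VersionInfo.FileVersion; Signature = $null
                Modified = $_.LastWriteTime
            }
        }
}

Test-MscorlibState |
    Select-Object Kind, Present, Version, Signature, Modified, Path |
    Format-Table -AutoSize
```

A `Source` row with `Present` set to `False` is the case described in reply #72; missing `NativeImage` rows correspond to the regenerable file from reply #65.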