Since nobody else is reporting any false positives by Avast,
Someone has to be the first and with my luck it had to be me.
I would suspect that you have been infected by something new that slipped by Avast. Try scanning with Malwarebytes and see if it finds anything.
Well, to be honest I had my doubts it was something new. I ran a full Malwarebytes scan. Below is the Malwarebytes log with additional comments supplied by me on its findings.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6435
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
2011-04-24 11:39:28 PM
mbam-log-2011-04-24 (23-38-52).txt
Scan type: Full scan (C:\|)
Objects scanned: 311655
Time elapsed: 2 hour(s), 40 minute(s), 22 second(s)
I believe the elapsed time to be inaccurate as it took longer than what's shown here.
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Videosoft (Trojan.DNSChanger) -> No action taken.
I'm not entirely sure about this one. I looked at this specific registry entry and all that is there are color space format values (e.g. YV12, YUY2, RGB24, RGB32, etc.). I'm not familiar with "Videosoft", so I did a Google search and found a reference to something called zCODEC, which I think is an H.264 decoder. I've not heard of zCODEC before and I do NOT install CODEC packs, although it could have been slipped in with some other software.
Doing a search through the entire registry for "Videosoft" turned up something called, "VideoSoft VSPrinter 7.0" and that branch mentions "VSPRINT7.ocx". The properties for "VSPRINT7.ocx" says that the file dates back to the year 2000. Other hits for "VideoSoft" in the registry include "Vsflex7.ocx" and "vsflex7L.ocx", both also from the year 2000. It looks to be from something called, "VideoSoft FlexGrid 7.0 (Light)" which also doesn't sound familiar.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
I take this to mean nothing more than a general warning that Windows security is disabled. I have no use for the Windows versions with a hardware and software firewall, Avast and doing manual Windows updates.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\WinDump.exe (Trojan.FraudLoad) -> No action taken.
This is a false positive and demonstrates what I believe to be a bug within Malwarebytes. Both a quick and full Malwarebytes scan repeatedly shows WinDump.exe to be malware. However, if I do a single scan through the right-click context menu with Malwarebytes on the file itself, it passes and no malware is found. Avast also green lights WinDump.exe. Also, the current downloadable version of WinDump.exe is byte for byte identical to the same version that I have, which Malwarebytes deems as malware.
So, in the end, the only questionable thing that Malwarebytes found is an old "Videosoft" registry entry.
Lastly, I'd like to take a moment to better describe the situation. I have a single directory that contains multiple sub-directories. Each sub-directory contains one piece of software that is necessary to do a complete re-install on a Laptop. Files like Avast, drivers, Firefox, WinAMP, etc. are each contained in their own separate sub-directory. In addition to this Laptop archive directory, I also store duplicates, including the PAR2 files, on a separate hard drive that is disconnected from the system.
Take for example WinAMP. When I downloaded (at the time) the latest version of WinAMP in January 2011, I immediately created an associated PAR2 verification file. Each sub-directory contains one matching PAR2 file so I can test the archive's integrity at a later time.
When the WinAMP installer was destroyed and after changing the way Avast automatically sends things to the Virus Chest, I went to the duplicate archive and tested the WinAMP installer with the PAR2 file and it passed. When the WinAMP installer was copied back to the Laptop directory, Avast displayed a warning dialog that it was infected with the Win32:Tenga virus. I closed the Avast warning, since there was no option to "Do Nothing", and the file was copied. I then checked the copied file with the existing PAR2 file and it passed. I then checked with a binary compare program and the files were identical. Using the right-click context menu, I did a single scan on the WinAMP installer and it was supposedly infected. To me this has false positive written all over it.
Although some of the destroyed files were obvious, such as only being 180KB when it should have been 11 MB, it was through the use of these at the time created Par2 files that I verified the less obvious destroyed files and their eventual replacements.
Since my original post and subsequent reply, Avast's brain file has been updated to the latest 110425-0 version. A scan of the entire laptop archive directory now shows that there is no Win32:Tenga virus. It would seem that the false positive, for the moment anyways, has been corrected.
Thanks for the reply.
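
The integrity check described in the post above, sketched as an added example that is not part of the original thread: a SHA-256 manifest stands in for the PAR2 verification files (it detects changes but, unlike PAR2, cannot repair them). File names and contents are constructed placeholders; an "intact" result shows only that a file is byte-identical to what was recorded at download time.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    # Run once, right after download: relative path -> (size, SHA-256).
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, manifest):
    # Compare the current state of root against the stored manifest.
    report = {}
    for rel, (size, digest) in manifest.items():
        p = Path(root) / rel
        if not p.is_file():
            report[rel] = "missing"      # deleted or moved to quarantine
        elif p.stat().st_size < size:
            report[rel] = "truncated"    # e.g. 180 KB left of an 11 MB installer
        elif sha256_of(p) != digest:
            report[rel] = "modified"     # same or larger size, different bytes
        else:
            report[rel] = "intact"       # byte-identical to the recorded download
    return report

def demo():
    # Constructed sample archive; names and contents are placeholders.
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp)
        for name, data in [("winamp/installer.exe", b"W" * 4096),
                           ("firefox/setup.exe", b"F" * 4096),
                           ("drivers/video.exe", b"D" * 4096)]:
            (archive / name).parent.mkdir(parents=True)
            (archive / name).write_bytes(data)
        manifest = build_manifest(archive)
        (archive / "firefox/setup.exe").write_bytes(b"F" * 180)  # damaged file
        (archive / "drivers/video.exe").unlink()                 # removed file
        return verify(archive, manifest)

if __name__ == "__main__":
    for rel, state in demo().items():
        print(f"{state:10} {rel}")
```

A file reported as intact yet still flagged by the scanner is the case worth submitting to the vendor as a suspected false positive, with the manifest kept on the disconnected drive beside the duplicates.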