Author Topic: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND


Nise5280

  • Guest
I rec'd a msg. box that said avast! found suspicious files during a background heuristic method scan...these files have the word DRIVERS in the file name. I looked for a way to say 'yes' to sending them to the avast! lab, but the only options are 'ignore' and 'delete'. ALSO, is it safe to delete files related to DRIVERS?? I am no tech and don't want to do damage I can't reverse, please. Thank you!  Nise 5280

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40603
  • Dragons by Sasha
    • Malware fixes
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #1 on: May 15, 2011, 06:11:31 PM »
What are the file names please? That way a determination can be made.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87289
  • No support PMs thanks
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #2 on: May 15, 2011, 06:32:08 PM »
Sounds like the anti-rootkit scan; does the image look like the one attached?

Whatever you do don't rush to deletion, post the details about the alert as essexboy asks and we can be more detailed in our advice.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #3 on: May 15, 2011, 10:56:31 PM »
Also see the current thread here, where I ran into the same thing and there's good discussion of it.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Nise5280

  • Guest
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #4 on: May 16, 2011, 01:12:30 AM »
I thank you guys for the quick reply. Yes, the msg looks exactly like the example DavidR posted in his reply. For Essexboy, here are the file names as they are listed in the msg box FROM TODAY:
\SystemRoot\system32\DRIVERS\ivm.sys
\SystemRoot\system32\DRIVERS\R3dne2000.sys
\??\C:\WINDOWS\system32\vsdatant.sys
THIS IS THE MSG BOX FROM SATURDAY 5-14:
\SystemRoot\system32\DRIVERS\ivm.sys
\SystemRoot\system32\DRIVERS\R3dne2000.sys
\SystemRoot\system32\DRIVERS\ivm.sys
\SystemRoot\system32\DRIVERS\R3dne2000.sys
\??\C:\WINDOWS\system32\vsdatant.sys
I thank you for the assistance - and no worries regarding that quick-delete...I don't go near anything with the words "registry" or "drivers" in them without help.  Nise5280

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87289
  • No support PMs thanks
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #5 on: May 16, 2011, 02:24:29 AM »
It is now almost 1:30am in the UK, essexboy will be back on the forums in the evening after work.

Nise5280

  • Guest
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #6 on: May 16, 2011, 03:25:32 AM »
MikeBCda - Thank you for the link you provided. I also had nothing come up on any scan, and can't find any information in my avast program. I did learn some useful things from your link; but it's a bit out of my range (I still haven't figured out what a rootkit is). Thank you again!  Nise5280

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40603
  • Dragons by Sasha
    • Malware fixes
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #7 on: May 16, 2011, 08:09:31 PM »
Two files are legit: one is ZA and the other IBM.

File Scanner
There are some files I need you to upload for checking

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\windows\system32\DRIVERS\R3dne2000.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
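The alert box spells the paths the way the kernel sees them (\SystemRoot\... and \??\C:\...), which is one reason a flagged driver can be hard to find under system32. The following added Python example (not from this post or from avast) translates those paths into ordinary Windows paths and computes a SHA-256 for each file, so the hash can be looked up on an online scanner or pasted into a reply; it assumes Windows is installed in C:\WINDOWS and uses the three paths quoted in this thread as input.

```python
import hashlib
import re

# The driver paths exactly as the alert box in this thread lists them.
ALERT_PATHS = [
    r"\SystemRoot\system32\DRIVERS\ivm.sys",
    r"\SystemRoot\system32\DRIVERS\R3dne2000.sys",
    r"\??\C:\WINDOWS\system32\vsdatant.sys",
]

# Assumption: Windows is installed in C:\WINDOWS (as the third path shows).
SYSTEM_ROOT = r"C:\WINDOWS"


def nt_to_win32(path, system_root=SYSTEM_ROOT):
    r"""Turn the kernel-side spelling the scanner reports into the path
    Explorer needs: \SystemRoot\... becomes <system_root>\..., and the
    \??\ (or \\?\) object-manager prefix before a drive letter is dropped."""
    if path.upper().startswith("\\SYSTEMROOT\\"):
        return system_root.rstrip("\\") + "\\" + path[len("\\SystemRoot\\"):]
    m = re.match(r"^\\(?:\?\?|\\\?)\\(.*)$", path)
    if m:
        return m.group(1)
    return path


def sha256_of(win32_path):
    """SHA-256 of the file, or None if it cannot be opened (missing, or
    only present under another name or location, as happened in the thread)."""
    try:
        with open(win32_path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None


def report(alert_paths=ALERT_PATHS):
    """(alert path, Win32 path, sha256 or None) for each flagged entry."""
    rows = []
    for original in alert_paths:
        resolved = nt_to_win32(original)
        rows.append((original, resolved, sha256_of(resolved)))
    return rows


if __name__ == "__main__":
    for original, resolved, digest in report():
        print(original, "->", resolved, "|", digest or "file not found")
```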

miciotta62

  • Guest
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #8 on: May 16, 2011, 08:17:11 PM »
Here:

http://forum.avast.com/index.php?topic=78125.0

What is the problem with avast these 3 days?

The solution? Help me....

For 3 days it has said suspect: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

NOW, a new file:

ew_hwusbdev.sys

http://i51.tinypic.com/30djjfq.jpg

But I can't find this file in system32/driver to scan it on VirusTotal online!!!

Help me....


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40603
  • Dragons by Sasha
    • Malware fixes

miciotta62

  • Guest
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #10 on: May 16, 2011, 08:21:19 PM »
Yes, I use a Huawei key.... Is it another false positive from avast? The solution? Help

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
Re: SUSPICIOUS FILES FOUND (HEURISTIC METHOD) HOW DO I SEND
« Reply #11 on: May 16, 2011, 08:49:29 PM »
One user (sorry, forget who) noted over in that other thread that this seems to happen about once a year on average, and is merely a glitch in the rootkit scanner. For any given user the specific file warned of seems to be more or less random, so it's not an FP problem. It does, however, seem to be particularly sensitive to drivers (.sys files) for some reason.

While it's remotely possible, of course, that you really did pick up an "iffy" driver somewhere, you can almost certainly ignore these warnings.