Author Topic: False positive Win32:malware-gen?  (Read 4310 times)


Offline Bristol

  • Newbie
  • *
  • Posts: 2
False positive Win32:malware-gen?
« on: July 18, 2011, 08:24:54 PM »
Boot-time scan detected these on my computer, XP Home Edition:

Two files infected:
1.   C:\System volume information\_restore………\A0441292.msi|>Data1.cab|>pcftofon.exe infected by Win32:malware-gen
2.   C:\Winnt\downloaded installation……\x-Win32-7.1.msi|>data1.cab|>pcftofon.exe infected by Win32:malware-gen

A normal scan with avast! does not report any problem. Are these false positives?

Thanks.

Addendum: I cannot get the infected files repaired, deleted or moved to the Chest. The program returns that it cannot be done, with an error number. Every time I do a boot-time scan it reports the names of the two infected files, but I cannot take any action.

x-Win32-7.1: I downloaded this software for a program called PuTTY to connect to Unix machines. I have uninstalled this program.



« Last Edit: July 19, 2011, 04:13:18 PM by aachari »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37055
Re: False positive Win32:malware-gen?
« Reply #1 on: July 18, 2011, 08:57:21 PM »
Upload the suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


alternative
Jotti    http://virusscan.jotti.org/en
VirSCAN  http://virscan.org/



File #1 is in System Restore, so I guess you can just clear that and it will be gone...... you don't need an infected restore point.
« Last Edit: July 18, 2011, 09:02:02 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85348
  • No support PMs thanks
Re: False positive Win32:malware-gen?
« Reply #2 on: July 18, 2011, 08:58:21 PM »
That also rather depends on the scan settings: I'm not sure whether .msi files are considered archive files (not unpacked for scanning by default) or self-extracting Win32 executables (which would be unpacked for scanning by default).

The detected file, pcftofon.exe, is effectively within two archives: the Data1.cab, which is within the x-Win32-7.1.msi file, so it is pretty inert.

This is supposedly a font converter, and it may be its actions that could be considered suspicious and why it is picked up by a generic signature, Win32:malware-gen (the -gen at the end); generic signatures are more prone to FPs.

Do you actually know what this .msi file is? Does this ring any bells: http://www.starnet.com/xwin32kb/Silent_installs_or_push_deployments ?

However, the one in the System Restore restore point is one and the same file (just given a different file name).

If you can extract the pcftofon.exe file using something like 7-Zip, then you could confirm the detection.
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here; post the URL in the address bar of the VT results page. You can't do this with the file securely in the Chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect on the C:\ drive. Now exclude that folder in the File System Shield: Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.



Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.5.2470 (build 21.5.6354.675) UI 1.0.646/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
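The two replies above boil down to one procedure: get pcftofon.exe out of Data1.cab without running the installer, hash it, and hand it to VirusTotal. The following is an added example, not code from the thread or from avast!, showing the cabinet layer of that procedure in Python. It assumes Data1.cab has already been pulled out of the .msi (an .msi is an OLE compound file; 7-Zip can dump its streams, which DavidR's post already suggests), and it parses the cabinet directly so you can list the entries and extract one by name. The sample cabinet and its "pcftofon.exe" contents are constructed in-code, since the real file is not on the page; the helper build_cab exists only to produce that sample.

```python
"""Inspect a Microsoft Cabinet (.cab) and extract one entry from it.
Added example, not code from the forum thread.  Assumes Data1.cab has already
been pulled out of the .msi (e.g. with "7z x x-Win32-7.1.msi").  Stored and MSZIP
folders are handled; LZX/Quantum folders are listed but not decompressed.  The
sample cabinet at the bottom is constructed in-code so the script runs offline."""
import hashlib
import struct
import zlib

CFHDR_PREV, CFHDR_NEXT, CFHDR_RESERVE = 0x0001, 0x0002, 0x0004  # CFHEADER.flags
COMP_NONE, COMP_MSZIP = 0, 1      # low 4 bits of CFFOLDER.typeCompress

def _cstr(buf, off):              # NUL-terminated string -> (bytes, next offset)
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1

def parse_cab(buf):
    """Parse the CFHEADER, CFFOLDER and CFFILE records into a dict."""
    if buf[:4] != b"MSCF":
        raise ValueError("not a cabinet: bad MSCF signature")
    (_, _, _, off_files, _, _, _, n_folders, n_files, flags,
     _, _) = struct.unpack_from("<IIIIIBBHHHHH", buf, 4)
    off, hdr_res, fld_res, dat_res = 36, 0, 0, 0
    if flags & CFHDR_RESERVE:          # optional reserve areas in header/folder/data
        hdr_res, fld_res, dat_res = struct.unpack_from("<HBB", buf, off)
        off += 4 + hdr_res
    for _ in range(2 * bool(flags & CFHDR_PREV) + 2 * bool(flags & CFHDR_NEXT)):
        _, off = _cstr(buf, off)       # szCabinetPrev/szDiskPrev/szCabinetNext/szDiskNext
    folders = []
    for _ in range(n_folders):
        start, n_blocks, ctype = struct.unpack_from("<IHH", buf, off)
        folders.append({"start": start, "blocks": n_blocks, "comp": ctype & 0xF})
        off += 8 + fld_res
    files, off = [], off_files
    for _ in range(n_files):
        size, fold_off, i_folder, _, _, attribs = struct.unpack_from("<IIHHHH", buf, off)
        raw, off = _cstr(buf, off + 16)
        name = raw.decode("utf-8" if attribs & 0x80 else "cp437")  # 0x80: UTF-8 name
        files.append({"name": name, "size": size, "folder": i_folder, "offset": fold_off})
    return {"folders": folders, "files": files, "data_reserve": dat_res}

def _folder_bytes(buf, cab, idx):
    """Concatenate (and for MSZIP inflate) every CFDATA block of one folder."""
    fld = cab["folders"][idx]
    if fld["comp"] not in (COMP_NONE, COMP_MSZIP):
        raise NotImplementedError("compression type %d (LZX/Quantum)" % fld["comp"])
    out, off = bytearray(), fld["start"]
    for _ in range(fld["blocks"]):
        _csum, cb_data, cb_uncomp = struct.unpack_from("<IHH", buf, off)
        off += 8 + cab["data_reserve"]
        block, off = buf[off:off + cb_data], off + cb_data
        if fld["comp"] == COMP_MSZIP:
            if block[:2] != b"CK":
                raise ValueError("bad MSZIP block signature")
            # Each block is a raw deflate stream, but the 32 KiB LZ77 window carries
            # over from the previous block, so seed the inflater with that history.
            hist = bytes(out[-32768:])
            inflater = zlib.decompressobj(wbits=-15, zdict=hist) if hist else zlib.decompressobj(wbits=-15)
            block = inflater.decompress(block[2:])
        if len(block) != cb_uncomp:
            raise ValueError("CFDATA block length mismatch")
        out += block
    return bytes(out)

def extract(buf, cab, name):
    """Return the bytes of entry `name` (case-insensitive, as on Windows)."""
    for f in cab["files"]:
        if f["name"].lower() == name.lower():
            data = _folder_bytes(buf, cab, f["folder"])
            return data[f["offset"]:f["offset"] + f["size"]]
    raise KeyError(name)

def build_cab(entries, mszip=False):
    """One-folder, one-CFDATA cabinet from {name: bytes}; constructed test data only."""
    raw = block = b"".join(entries.values())
    if mszip:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        block = b"CK" + comp.compress(raw) + comp.flush()
    files, pos = b"", 0
    for name, data in entries.items():
        files += struct.pack("<IIHHHH", len(data), pos, 0, 0x3EF2, 0x4C00, 0x20)
        files += name.encode("ascii") + b"\x00"
        pos += len(data)
    off_files = 36 + 8                       # header + one CFFOLDER
    off_data = off_files + len(files)
    cfdata = struct.pack("<IHH", 0, len(block), len(raw)) + block   # csum 0 = none
    folder = struct.pack("<IHH", off_data, 1, COMP_MSZIP if mszip else COMP_NONE)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, off_data + len(cfdata), 0,
                                    off_files, 0, 3, 1, 1, len(entries), 0, 0x1234, 0)
    return header + folder + files + cfdata

# Constructed stand-in for Data1.cab; the real pcftofon.exe is not on the page.
SAMPLE_CAB = build_cab({"pcftofon.exe": b"MZ\x90\x00stand-in font converter",
                        "readme.txt": b"not the file we care about"}, mszip=True)

if __name__ == "__main__":
    cab = parse_cab(SAMPLE_CAB)
    print([(f["name"], f["size"]) for f in cab["files"]])
    print("sha256(pcftofon.exe) =", hashlib.sha256(extract(SAMPLE_CAB, cab, "pcftofon.exe")).hexdigest())
```

Two practical notes. First, hash the extracted file and search VirusTotal for that SHA-256 before uploading: if the installer component has been seen already you get the multi-engine verdict without shipping the file anywhere. Second, the script only reads the archive, so nothing in it executes; the CFDATA checksum is not verified here, and a cabinet whose folder uses LZX (common in newer installers) is listed but not extracted, in which case fall back to 7-Zip or cabextract for that step.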

Offline Cebini

  • Newbie
  • *
  • Posts: 4
Re: False positive Win32:malware-gen?
« Reply #3 on: August 08, 2011, 04:13:34 PM »
... Found this topic via the search board and posted a reply. Now I've noticed that this topic should not be in the avast! Free/Pro/Suite forum, but under Viruses etc. So I'd like to apologise. I'll post a similar topic there (I didn't know how to delete my post here...)
« Last Edit: August 08, 2011, 04:30:45 PM by Cebini »