Win32:malware-gen F.P.? Could it be aswRegSvr64.exe or aswRunDll.exe?

[Tobias4051]

Hi,

Today during a quick scan Avast found this file, I took no action on the file and ran a boot scan.
When the file came up in the boot scan I put it in the chest:-

Win32:malware-gen
Size of file: 107056
Last changed: 12/05/2009  18:31:30
c:\system volume information\_restore{... \A0003951.exe

Is this is in system restore? Is the .exe file name is something that restore has changed it to?

After using a websearch with the file size and date created, I found the file might be to do with one of these:-
aswRegSvr64.exe  or  aswRunDll.exe
Could this be a false positive?

Yesterday the computer had several restarts and quick scans and found nothing.
There were no new system restore points created between re-starting yesterday followed by a quick scan that was clean, and turning the computer off last night, on this morning, running a quick scan and finding a file marked as a virus in sytem restore.

I have updated and done full scans with malwarebytes, and MS Defender, and another Avast bootscan, all are clean.
I don't see anything unusual on the hijackthis log I created today.


Had a similar incident on another computer, also today.
After turning on the second computer and doing a quick scan found:
Win32:malware-gen
c:\system volume information\_restore{...   A0003827.exe
last changed 12/05/2009 16:31:30
size 107056
Moved to chest and then did boot scan.
Same size as the file on the other computer, and last changed 2 hours before the other file.


Both computers are on Windows XP sp3

Avast version:
Definitions version 111001-0
Release Date 01/10/2011
Program 6.0.1289
I am in the UK (not sure if this affects dates / time)

Where could this file in system restore come from?
Has malware on the computer caused it to be there?
Is it a false positive?
Has anyone else found similar files of a size 107056, and date 12/05/2009, showing as win32:malware-gen?

Many thanks.

[DavidR]

Infected Restore Points:
There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders, etc. and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

[Tobias4051]

Thank you for your reply.
The file is in the chest.

I'm wondering what could have caused this file to be on the computers.
If the cause is malware there could be an undetected problem still there.

It seems odd that this would show up on both computers, in system restore, when there have been no new restore points made since it was scanned yesterday showing a clear scan.

It also seems strange that both computers have a file of the same size (107056) and exactly two hours apart for the time last changed (12/05/2009 18:31:30 and 12/05/2009 16:31:30) showing as win32:malware-gen.

I was wondering if others are seeing this too.

Thanks

[DavidR]

I really can't say as there really is insufficient information to form am opinion. If you had any infections previously and a file was moved to the chest or deleted, etc. then it is possible that system restore would save a copy of that file in a restore point.

The win32:malware-gen detection is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

[Tobias4051]

Thank you for your reply,

There have been no previous infections found.
The computer is scanned at least once a day.  It had a full format and reload near the end of August this year.
Avast has been updated since the first post. The files are still showing as win32:malware-gen when scanned in the chest. Definitions version 111001-1


To try find what this might be I did a web search for:-  file size 107056 malware 12/05/2009

There were two results, both from a .fr domain. The text of the first search result says:-

"EXE Base Size Version Path 0x01000000 0x100000 6.00.2900.5512 C:\WINDOWS\Explorer. .... 1.50.0001.0000 C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll ...... Files\Alwil Software\Avast5\aswRegSvr64.exe 12/05/2009 19:31 | 107056 .."

I followed this with a web search for:-  aswRegSvr64.exe 107056

Some of the text from the results:-

"5\aswRegSvr.exe 22016 bytes executable File Q:\Avast 5\aswRegSvr64.exe 46128 bytes executable File Q:\Avast 5\aswRunDll.exe 107056 bytes executable File"
"19/03/2010 20:10 22 016 aswRegSvr.exe 19/03/2010 20:10 46 128 aswRegSvr64.exe 12/05/2009 17:31 107 056 aswRunDll.exe .."
"... and Settings\maublanc\Mes documents\Téléchargements\SweetImSetup(4).exe ...... Files\Alwil Software\Avast5\aswRegSvr64.exe 12/05/2009 18:31 | 107056 "

I know it might be a coincidence that there are Avast5 files mentioned in these search results along with the same file size (107056) and dates of the system restore files Avast found in scans today. The files avast found in the scans were last modified at 16:31 and 18:31 on the date 12/05/2009, and these web search results mention the time 17:31 on the same day.

It could be that this issue is related to other issues where Avast files seem to be found as false positives.

The computer did have Avast5 on it at first, it was updated to Avast 6.  If these are Avast files, this could explain why the files are only in system restore.


Are the bits of information correct?
Were there files in Avast 5 called either aswRegSvr64.exe or aswRunDll.exe that had a file size of 107056 and was last changed on 12/05/2009 ?

(Not sure if this date is UK or US way round)

Many Thanks.

[hlecter]

I can confirm that aswRunDll.exe with size 107 056 bytes
from Avast 5 gives a FP here.
Avast 5.0.677 on XPSP3.

This answers your question in the other thread.
My version of the file is from 2010, but probably not significant here.

HL

[Tobias4051]

Thank you for the fast answer, it does answer my questions on both threads.

I believe that the version of avast put on the computer at first was 5.0.594 so it is quite possible that these results are FP.

Thank you very much for your help.  I shall wait for new avast virus definition versions and keep scanning the files in the chest. It seems that avast tends to fix FP results in definition updates, and that in the near future I might find they are fine.

Thanks.

[hlecter]

Thank you for the fast answer, it does answer my questions on both threads.

I believe that the version of avast put on the computer at first was 5.0.594 so it is quite possible that these results are FP.

Thank you very much for your help.  I shall wait for new avast virus definition versions and keep scanning the files in the chest. It seems that avast tends to fix FP results in definition updates, and that in the near future I might find they are fine.

Thanks.

Glad to help.

Rest assured it will be fixed in a VPS update soon.

HL

[Sirmer]

Hello,
sorry for your inconvenience this is a false positive and it will be fixed in next VPS.

[hlecter]

Hello,
sorry for your inconvenience this is a false positive and it will be fixed in next VPS.

Thanks a lot for a quick fix. 

HL