RESOLVED hpqdcmgr.exe false positive?

[slybo]

Just got a pop up and by the time I got to the computer it droped down so went to file system shield log and found this

3/8/2012 4:15:46 AM   C:\Program Files (x86)\hp\Digital Imaging\bin\Document Manager\hpqdcmgr.exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process

went to virus total and ran and here are results

https://www.virustotal.com/file/9d24e4d630c7054bb13d2188b0cd77ff8ee902758e6a336364226d48aa359d7f/analysis/1331203064/

since virus total shows no hits I think it is a false positive. Need opinion and to report here so it can be fixed. slybo

[slybo]

Wanted to add that at the time the defs were at 7-1 and after I posted I restarted the computer and it updated to 8-0. I have Avast Pro 7.0.1426 on a windows 7 Hp desktop.

[DavidR]

Well it is strange that even avast doesn't detect it.

Ensure that the avast virus definitions are up to date and scan the file again. EDIT: Though you didn't say, presumably you have scanned the file after the update (if so what result) ?

What scan detected this ?

[slybo]

It was the file system shield that detected it the first time. Then I went to the folder under windows explorer and right clicked scan with avast and it detected it again after the def update. It shows up in the avast program under scan computer>scan logs but I can not copy paste from there. The first detection I pasted came from C:\ProgramData\AVAST Software\Avast\report. Where do you find it were you can copy and paste when you do a right click scan on a folder?

[slybo]

Can you tell me if I go to avast main UI and scan computer>scan logs and bring up that one it shows move to chest and a apply button at the middle bottom of the screen, can I just delete the log without it removing the file. This is the one where I did a right click scan with avast. Do not want to leave it and someone delete the file.

[slybo]

In about 30 minutes will be leaving for a doctor appointment, will be back in 4 or 5 hours and will check back. It may not be strange that virus total did not find it, if they are using older defs, how current do they stay? Hope someone comes up with something, do not forget about my question about can I delete the log file from the program without harm?

[DavidR]

The scan logs are 'historic' data, so you can take no action based on an old log ad the Apply button is inactive. So removing the log will have no impact on the file as as this is just data.

[slybo]

The log is set on move to chest, and the apply button would do this if I clicked it but as you say it would seem as long as I do not click the apply button and just delete the log then nothing should happen and the file will stay in place. I just wanted to be sure since I have not done this, so is the statement I have made all correct?

[polonus]

Probably FP, File Name: hpqdcmgr.exe

Process Name: HPDocumentManager
Company Name: Hewlett-PackardDevelopmentCo.L.P.
Part Of: HPDocumentManager
File Size: 163840 Bytes
Product Version: 010.000.012.319
File Path: C:\ProgramFiles\HP\DigitalImaging\bin\

polonus

[Pondus]

Well it is strange that even avast doesn't detect it.

avast does......if you click View latest 

https://www.virustotal.com/file/9d24e4d630c7054bb13d2188b0cd77ff8ee902758e6a336364226d48aa359d7f/analysis/

First seen by VirusTotal   2009-11-11 21:27:15 UTC ( 2 år, 3 måneder ago )

Sigcheck

publisher................: Hewlett-Packard Development Co. L.P.
product..................: HP Document Manager
internal name............: Hpqlchdm00
copyright................: Copyright (C) Hewlett-Packard Development Company, L.P. 1995-2005
original name............: Hpqlchdm00.EXE
comments.................: This is HP Document Manager Application for pre-launch
file version.............: 13.0.0.131
description..............: HP Document Manager Application

[DavidR]

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn't hurt.

@@@@
- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level accept that. Now open the entry in the exclusions and change the \* to \file_name.exe where file_name.exe is the file you want to exclude.

[slybo]

I did not know about clicking view latest, thanks for that information. On sending the sample if you notice the text from my log it says it did NOT put it in the chest due to an error. So I have NO file in the virus chest to right click. So How do I send the file to avast? How do I send it from windows explorer to avast?? I will now to and put it in the exceptions and check back. Thanks for your help, I just got back from the doctor. slybo

[Pondus]

So How do I send the file to avast?

put it in a password protected zip file and send to  virus @ avast.com
Mail subject:  false positive
zip password:  infected


you may add a link to this topic   

[slybo]

I got it put in my exceptions and did a right click scan of that folder and it did not show up, so everything good there. Now about sending zip file to avast, I have never did this before. I will need help. Do I just go and create a zip file in windows explorer and copy and paste it to the zip, or how do I do that?

[slybo]

also how do I password protect?