Are these FP?

Avast! detected one file as infected on quick default scan, and two more in the boot scan that was called, after the quick scan completed. Took about an hour for boot scan to complete, as there were some 580,000+ files to look at.

Attached below are .jpg files of Avast! Virus Chest captured today.

Note that one of the two is a backup copy found in System Restore files, and also note the artifacts on both .jpg’s. I have never seen that before.

I attempted to send the hp file to Virus Total, but alas, it seems to be down ATM. Jotti did open, but Avast! File System Shield intercepted upload of that file and quarantined it immediately before I could scan it. If needed, I can temporarily turn it off to complete this scan. The file was extracted from the chest and put on the desktop.

So no online scans to present ATM.

Since these files are all in backup folder categories (with the exception of hpfiui.exe), could these all be false positives? I never had Sality on this machine before.

I must note that the hp file is quite old, circa 2004, and previous scans found it to be clean, so…

Malwarebytes and SUPERAntispyware report the machine as clean on quick scans, current databases as of today.

Explorer.exe did crash today, and as that was a very rare occurrence, it caused me to look into my system a little further, i.e., run updated scans with anti-malware programs I have on this system. Explorer.exe crash occurred after I reset the hp printer to default settings as it somehow (mysteriously) had sharing attributes set to it. A week ago I was fooling around with using a crossover CAT 5 cable connected to another XP system and set the printers to sharing at that point. I thought I had reset everything back to the way it was.

I restarted explorer.exe via Task Manager, rebooted, and restart was normal. No problems there.

A little perplexed here. :-\

Hi mchain,

That hpfiui.exe seems to be an avast FP - http://systemexplorer.net/db/hpfiui.exe.html

polonus

@ Polonus

That hpfiui.exe seems to be an avast FP - http://systemexplorer.net/db/hpfiui.exe.html

Thanks. As Avast! just updated to vb 111222-1, maybe a change, eh?

Nah, just checked w/scan in virus chest. Same result as before.

Should I submit to Avast!?

Printer seems to run just fine, so…

BTW, what do you think of the artifacts on the .jpg’s? There is a letter “M” maybe?? for ‘move to chest’ and a letter “C” for ‘close’. I do not see these icons when virus chest is viewed on the desktop or in real-time. Why would there be a difference?

Hi mchain,

Well, it would not hurt submitting to avast or to contact them at virus AT avast dot com,

pol

@ Polonus,

Well, it would not hurt submitting to avast or to contact them at virus AT avast dot com,

Done.

Attached find a report by McAfee over two years ago, the only relevant report since 2001 that I could find yesterday. I got this file at the HP website, BTW. Since Avast! board rules do not allow a .doc attachment, it has been converted to .txt to be able to attach.

I cannot find the link to this document today.

Virus Total Web site report here: http://www.virustotal.com/file-scan/report.html?id=c3aafae4fdfd9967249fec02ee7757bf0f078f89559d696f15cd908478e23137-1321709631

Since Avast! did not alert on this definition date, this could be a false positive.

I do not have a rogue AV or such running on my system. No malware symptoms whatsoever. Both Malwarebytes Free and SUPERAntispyware report the system as clean.

EDIT: I did not say I ran MBAM and SUPER first, then Avast!, if that is relevant. I do not run Avast! scans very often as File System Shield and Web Shield are quite effective in blocking malware they know about.

@Polonus,

Here is virus total scan of the actual file: http://www.virustotal.com/file-scan/report.html?id=c23774df1671d81d423d22df63725a29978bec34197701ed4512d3834b8d1031-1324666626

Turned off File System Shield for a moment, and sent to Virus Total. Extracted it from virus chest as before onto the desktop.

Looks as if it is indeed a FP, as only Avast! and Gdata report.

@Polonus,

Attached find .jpg for Avast File System Shield warning dialog.

Note the process called.

As I am not getting this artifact on any other .jpg’s except for Avast!, could this be a program bug in Avast!?

Once again, File System Shield was effective. Just right-clicking the file (looking for file properties in drop-down) kicked it into action. Quarantined as before. ;D

Note the process called.

Attached find system scans re explorer.exe, with variations on .EXE and *.EXE.

Virus Total scan of actual file on system here: http://www.virustotal.com/file-scan/report.html?id=1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455-1324668265

File properties set to show hidden and system files during search.

No explorer.EXE found on system.

Perhaps this is where the error is coming from?

Merry Christmas everyone!

Virus Total scan of actual file on system here:

Just checked post on December 23, 2011, and found link is broken.

Here is the correct link for hpfiui.exe. Sorry about that. This happens sometimes.

Virus Total here: http://www.virustotal.com/file-scan/report.html?id=c23774df1671d81d423d22df63725a29978bec34197701ed4512d3834b8d1031-1324855383

Since the last scan, only Avast!, Gdata, and Panda are reporting. On first link, Panda was not reporting. Since Avast! and Gdata use the same virus engine, not surprised there.

This is the actual file on my system. OEM date is September 20, 2001. Downloaded from HP site directly.

Have contacted Avast! twice via virus chest. So far, no change or response.

Hopefully Avast! will fix the definitions, as this file is needed here.

EDIT: Attached find two .jpg’s below.

Hi mchain,

Hope these FPs will soon be fixed. Did you check the MD5 of that HP file against what it should be?
You could download this free tool and check these executables yourself against their database:
download from here: http://www.backgroundtask.eu/Applications/FTR1_Index.php

polonus
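Added example, not part of any post in this thread: one way to check that each local copy of a file (the one extracted from the chest, a System Restore backup) is byte-for-byte the file a posted scan report covers, by comparing its SHA-256 with the hash embedded in the report link. It assumes the legacy link format `id=<sha256>-<Unix scan time>`; the function names are illustrative. A match shows the report is about that exact file, not that the file is the vendor's original.

```python
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Report link for hpfiui.exe as posted in the thread.
REPORT_URL = (
    "http://www.virustotal.com/file-scan/report.html?id="
    "c23774df1671d81d423d22df63725a29978bec34197701ed4512d3834b8d1031-1324666626"
)

def parse_report_id(url):
    """Return (sha256_hex, scan_time_utc) from a legacy report link."""
    ident = parse_qs(urlparse(url).query).get("id", [""])[0]
    m = re.fullmatch(r"([0-9a-fA-F]{64})-(\d{1,10})", ident)
    if m is None:
        raise ValueError(f"not a <sha256>-<timestamp> id: {ident!r}")
    # Assumption: the numeric suffix is the scan time in Unix seconds.
    when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), when

def file_digests(path, chunk=1 << 20):
    """Hash a file in chunks; returns (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def check_copies(url, paths):
    """Compare each local copy against the hash named in the report link."""
    expected, when = parse_report_id(url)
    results = {}
    for path in paths:
        md5, sha256 = file_digests(path)
        results[path] = {"md5": md5, "sha256": sha256,
                         "matches_report": sha256 == expected}
    return expected, when, results

if __name__ == "__main__":
    import sys
    expected, when, results = check_copies(REPORT_URL, sys.argv[1:])
    print(f"report covers {expected} (scanned {when:%Y-%m-%d %H:%M} UTC)")
    for path, r in results.items():
        verdict = "same file" if r["matches_report"] else "DIFFERENT file"
        print(f"{verdict}: {path}  md5={r['md5']}")
```

Run it with the paths of the copies as arguments; the MD5 it prints can be compared against a reference value from the vendor or a file database.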

Thank you for your kind help. ;D

I have downloaded the file and will post back with the results here. If I find the MD5 has changed, then back to HP I go to install a fresh copy. If that does not work, maybe contact HP for a fix.

Hi mchain,

You are welcome. Well we sure will find a solution to these annoyances. And this will also help a lot of other users with a similar issue. So I wait for what you will report back here. Also take this up with avast, will you? Oh and you are certain you only have one resident av solution running on that machine, else that would explain the FP. That is an absolute no, no. It does not enhance protection as it cripples the detection capabilities of both solutions.

polonus

hi Polonus,

Oh and you are certain you only have one resident av solution running on that machine, else that would explain the FP. That is an absolute no, no. It does not enhance protection as it cripples the detection capabilities of both solutions.

I never have had anything else other than Avast! Free, beginning with version 4 (so long ago) on this machine since install date of 2/17/2011.

I ran Sysinternals Autoruns yesterday and noticed that COMODO cav??.dll (don’t remember), an antivirus component of COMODO Internet Suite, was set to autorun in explorer.exe, not sure if that may conflict with Avast!. ATM, I have COMODO Firewall only on my system, but Defense + runs all the time, so that file may be an integral part of Defense +, so am going to leave that alone. I also run WD from Microsoft as well.

I have both COMODO and Avast! set to ignore the other for compatibility reasons. Otherwise the system will slow to a crawl if this is not done, as real-time vectors will conflict.

Here are the links for the FileThreatChecks here: http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=93082&GHash=F5408ECE0C58FEA46B929D79F885B507

and here: http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=93082&GHash=F5408ECE0C58FEA46B929D79F885B507

Attached find the actual scan results of this file (.jpg)

Not especially crazy about running Avast! with File System Shield disabled, not even for a moment, to be able to run FTR to upload and scan. Also, COMODO does not like this program, so had to temporarily allow COMODO to trust this file to run program.

Not crazy to have to run it in admin, either. It is good that FTR is digitally signed, however. I do not run files that are not digitally signed, ever. I think running in a limited account, as here, may help, though.

As always, Avast! alerted on hpfiui.exe when it found it on the desktop. I have removed all copies of it except for the original one from the virus chest, so I can (hopefully) restore it when Avast! gets around to updating their vps database to reflect that this is a clean file.

Anything else I should do to make Avast! aware of this, other than submit the hpfiui.exe file every few days from the virus chest?

Thanks.

EDIT: Install date was actually 2/17/2010.

Hi Polonus and Pondus,

Thank you for your expert help here.

Do not know when the vps for this file was updated, but Avast! did update and file is now said to be clean. Restored file back to its original location.

Much obliged.

;D ;D