Hi, during the update of AVPE I get the following warning from avast on-access…:
Sign of “Win32:Small-1700” has been found in “C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_44d253fa\engine\avewin32.dll” file.
Reproducible with each update (today…).
False positive, isn’t it…? Does someone else have this…?
a short search in avpe/avast-board: zip…
I use avast as On-Access, AVPE only on-Demand (AVPE-Guard service is off)
my recent HJT-log (overloaded, I know, but hopefully nothing nasty…?)
haven’t had much time recently for IT/security…
Logfile of HijackThis v1.99.1
Scan saved at 22:32:33, on 03.08.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
(I trapped/moved the file with avast,
and got this from JOTTI):
File: avewin32.dll Status:
POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 1d79e357a5dcc4ed4d8ba2adc83ae266 Packers detected:
Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Small-1700
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
File has just been sent in to virus at avast dot com
Sorry, not wanting to take this off-topic, but how are you managing to get Antivir to work with avast? Many that have tried have failed to get it to work as a back-up scanner (or vice versa) without conflict.
thanks for the tips…
I tried to try Virustotal yesterday, but the server queue of 30 min put me off…
(same just now…:
Your file “avewin32.dll” is queued in position: 398. Estimated start time is between 37 and 56 minutes.)
You don’t think that only one hit out of 15 is a pretty sure indication of a false alarm…?
AVPE-analysts haven’t found anything in the file (surprise ;D or they wouldn’t have sent it out…)
You can submit a file by email and be emailed the results, saving you having to wait.
1 of 15 in Jotti is a good indication; VirusTotal has 21 and uses Windows AV engines, so where some Linux AV engines might not detect the virus, the Windows ones might.
I had the same problem. Avewin32.dll would not update. I finally went into the Avast! on-access scanner->Standard Shield->Customize->Advanced and added the file’s download and runtime locations to the exclusion list there.
Also ran the Virus Total utility to find that Avast! is the only anti-virus program out of 27 that had a problem with this file. Great utility by the way, David!
With regard to getting Antivir working as an on-demand-only scanner along side of Avast!: I’m running Windows XP Home SP2, and I have my scheduler run a simple batch file whenever my computer starts up that deletes the avguard.exe from Antivir’s folder - a good option if you don’t like fiddling with the registry.
Yeah… I’ve tried a lot of systems and, after all, AntiVir starts to mess up the Windows Security Center… avast is not detected anymore, legacy drivers of Antivir started to be detected… :-
Well, my bad experience with this…
Yes, I’m also using AntiVir as a non-resident scanner and avast! detected Win32:Small-1700 this morning while AntiVir was updating.
I tried unsuccessfully to move the file to the chest three times but the file could not be found. I eventually opted to take no action and a subsequent avast! scan revealed no malware.
AntiVir 6.35.1.0/20060805 found nothing
Authentium 4.93.8/20060804 found nothing
Avast 4.7.844.0/20060804 found [Win32:Small-1700]
AVG 386/20060805 found nothing
BitDefender 7.2/20060806 found nothing
CAT-QuickHeal 8.00/20060804 found nothing
ClamAV devel-20060426/20060805 found nothing
DrWeb 4.33/20060805 found nothing
eTrust-InoculateIT 23.72.87/20060804 found nothing
eTrust-Vet 12.6.2324/20060804 found nothing
Ewido 4.0/20060805 found nothing
Fortinet 2.77.0.0/20060805 found nothing
F-Prot 3.16f/20060804 found nothing
F-Prot4 4.2.1.29/20060804 found nothing
Ikarus 0.2.65.0/20060804 found nothing
Kaspersky 4.0.2.24/20060805 found nothing
McAfee 4822/20060804 found nothing
Microsoft 1.1508/20060804 found nothing
NOD32v2 1.1694/20060805 found nothing
Norman 5.90.23/20060804 found nothing
Panda 9.0.0.4/20060805 found nothing
Sophos 4.08.0/20060805 found nothing
Symantec 8.0/20060805 found nothing
TheHacker 5.9.8.186/20060804 found nothing
UNA 1.83/20060804 found nothing
VBA32 3.11.0/20060804 found nothing
VirusBuster 4.3.7:9/20060805 found nothing
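The report pasted above, as an added example that is not part of the original thread: a small Python parser for that VirusTotal text format that counts which engines flagged the file, so the 1-of-27 ratio the posters reason from is computed rather than eyeballed. The sample lines are copied from the list above; the thresholds in `likely_false_positive` are my assumptions, not avast’s or VirusTotal’s logic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One line of the VirusTotal text report as pasted in the thread, e.g.
#   "Avast 4.7.844.0/20060804 found [Win32:Small-1700]"   or   "... found nothing"
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<date>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<detection>[^\]]+)\])$"
)

@dataclass
class EngineResult:
    engine: str
    version: str
    date: str
    detection: Optional[str]  # None when the engine reported "found nothing"

def parse_report(text: str) -> list:
    """Parse a pasted multi-engine report; lines that do not match are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(EngineResult(m["engine"], m["version"], m["date"], m["detection"]))
    return results

def flagging_engines(results: list) -> list:
    """Names of the engines that reported a detection."""
    return [r.engine for r in results if r.detection]

def likely_false_positive(results: list, max_hits: int = 1, min_engines: int = 10) -> bool:
    """Heuristic the thread reasons with: a single hit among many engines on a file of
    known benign origin is weak evidence of infection. Thresholds are assumptions."""
    hits = len(flagging_engines(results))
    return len(results) >= min_engines and 0 < hits <= max_hits

# Subset of the report quoted in the thread (lines copied verbatim); the last
# line is a constructed non-report line to show that it is skipped.
SAMPLE_REPORT = """\
AntiVir 6.35.1.0/20060805 found nothing
Avast 4.7.844.0/20060804 found [Win32:Small-1700]
CAT-QuickHeal 8.00/20060804 found nothing
eTrust-InoculateIT 23.72.87/20060804 found nothing
Kaspersky 4.0.2.24/20060805 found nothing
VirusBuster 4.3.7:9/20060805 found nothing
Not so much keen but it does have 27 different scanners
"""
```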
Not so much keen, but it does have 27 different scanners, and if it gets through that lot you would know one way or another. It does, as you say, look like an FP.
Send the sample zipped and password protected, marked as a false positive, to virus @ avast.com, as there is no false positive feedback from VirusTotal (or Jotti).
Thx, I already did that, no reply so far, and the FP is still popping up with every AVPE update.
I guess I just have to wait then, and disable avast while updating AVPE.
The mentioned file (avewin32.dll) contains unencrypted samples of viruses, so I’m afraid the only solution is to put this file (or maybe the whole AVPE folder) into the list of Standard Shield exclusions.
Take No Action only ignores that instance; any further accesses or extractions will obviously cause avast to alert again. Exclusions are the only real option to avoid the repetitive alert.
Thanks igor, for the info…
I even managed to make the exclusion work by using
*\avewin32.dll
(excluding the AVPE update/temp folder
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic*
somehow didn’t work for me).
I think that there is a path character length restriction, so the deeper the file is in the subfolders, the more likely you are to hit the restriction. Unfortunately I don’t know what the character count for the restriction is.