I am running Win 7 Pro Dell OEM 32 bit w/SP1 and using Windows Virtual PC and XP Mode. All has been running well since last August, but now I am getting problems with AVAST Free Anti-Virus and Virtual PC. AVAST is detecting a problem with VPCVMM.SYS “Win32:Alureon-AOV [Rtk]” and keeps moving it to its Virus Chest. Without VPCVMM.SYS Virtual PC is dead, so I keep restoring VPCVMM.SYS. All works for a while and then AVAST again removes VPCVMM.SYS. I originally thought I had a problem with VPCVMM.SYS so I un-installed Virtual PC and then re-installed it. AVAST always detects it as infected. I keep emailing AVAST reporting my problem as a “False Positive” to no avail. I have been going through this crap for two weeks with no relief in sight.
Today I ran VPCVMM.SYS through VirSCAN.org to see what they could find. Here are my results:
VirSCAN.org Scanned Report :
Scanned time : 2012/01/08 23:15:46 (CST)
Scanner results: 44% Scanner(s) (16/36) found malware!
File Name : vpcvmm.sys
File Size : 296064 byte
File Type : PE32 executable for MS Windows (DLL) (native) Intel 80386 32
MD5 : 549fe66bbaf9e334d279b06b48fbb045
SHA1 : d5f32653d2d37d80220280c6425af121144025e2
Online report : http://r.virscan.org/e6677f8f2e7a332a0d8db0c79b9d82f1
Since both Avira and Sophos detect this, I would upload the sample to them as a False Positive case and see what they say… as avast usually will not give a reply.
Thank you for contacting Sophos Technical Support.
Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.
The file(s) below are already detected with the latest version of Sophos Anti-Virus and the latest IDE definitions.
Yes, I uploaded it as a false positive a number of times over the past 2-3 weeks. In addition, I just received this response from Avira:
I was thinking of the upload you did yesterday to Sophos? If you did, you usually get a response like this…
…we did not find any false positive, detection is correct…
or… the detection is a false positive and the signature will be removed in the next update. Sorry for any inconvenience.
According to our labs it is not an FP from what we scan.
It claims that it is from Windows Virtual PC, but MS detects this themselves as a malware threat.
If you feel that this is safe for your environment then you can authorize it or add an exclusion within your policy.
I already have the module identified in my exclusion list(s), but AVAST still blows it away. I must be doing something wrong within the exclusion list(s). The module runs as a “Required Service” when Windows 7 Virtual PC is operational. I do not have another PC running Windows 7 or I would activate Virtual PC there and grab its VPCVMM.SYS module and compare the two.
Anyway, this module is part of “Windows 7 Virtual PC” distribution and not to be confused with “Microsoft’s Virtual PC” which is a separate product. This Virtual PC is an option to turn on/off when customizing an operational Windows 7 system. It integrates Virtual PC functionality directly into Windows 7 and does not add another program product to your inventory. Microsoft does not recommend installing their Virtual PC product into Windows 7, but rather turning on the Virtual PC facilities already within Windows 7. Confusing, isn’t it?
I cannot believe I am the only one with this problem.
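The poster above wants to compare the driver on disk with a known-good copy but has no second Windows 7 machine. An added example (not from this thread, and not an Avast or Microsoft tool): a Windows PowerShell 2.0 script, so it runs on a stock Windows 7 box without Get-FileHash, that hashes the on-disk vpcvmm.sys, compares it with the MD5/SHA1 values in the VirSCAN report quoted earlier, and checks the file's Authenticode signature and version resource. The driver path is an assumed default location; adjust it if your copy lives elsewhere.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumed driver location and the hashes reported in the VirSCAN output above.
$DriverPath   = "$env:SystemRoot\System32\drivers\vpcvmm.sys"   # assumption
$ReportedMd5  = "549fe66bbaf9e334d279b06b48fbb045"            # from the VirSCAN report
$ReportedSha1 = "d5f32653d2d37d80220280c6425af121144025e2"   # from the VirSCAN report

function Get-HexHash {
    # Hash a file with a named .NET algorithm ("MD5" or "SHA1") and return lowercase hex.
    param([string]$Path, [string]$Algorithm)
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $algo.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

if (-not (Test-Path $DriverPath)) {
    # The thread describes Avast moving the file to its Virus Chest, so it may be absent.
    Write-Warning "Driver not found at $DriverPath (it may be in the Virus Chest)."
    return
}

$md5  = Get-HexHash -Path $DriverPath -Algorithm "MD5"
$sha1 = Get-HexHash -Path $DriverPath -Algorithm "SHA1"
"MD5  : $md5  (matches reported hash: $($md5  -eq $ReportedMd5))"
"SHA1 : $sha1  (matches reported hash: $($sha1 -eq $ReportedSha1))"

# A driver Microsoft shipped carries a Microsoft Authenticode signature, either embedded
# in the file or in a catalog. 'HashMismatch' means the bytes no longer match what was signed.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Signature status : $($sig.Status)"
if ($sig.SignerCertificate) {
    "Signer           : $($sig.SignerCertificate.Subject)"
    "Issuer           : $($sig.SignerCertificate.Issuer)"
}

# The version resource is a second sanity check; repacked or replaced binaries often lack one.
$ver = (Get-Item $DriverPath).VersionInfo
"Company          : $($ver.CompanyName)"
"Product          : $($ver.ProductName)"
"File version     : $($ver.FileVersion)"
```

Caveat for reading the output: Get-AuthenticodeSignature only sees embedded signatures, so a catalog-signed Microsoft driver can report NotSigned while still being legitimate; run sigverif.exe (File Signature Verification, built into Windows 7) to cover catalog signatures. A HashMismatch status, a non-Microsoft signer, or a missing version resource is the result that should worry you, and a hash equal to the one in the VirSCAN report only tells you that you and the scanners are looking at the same file, not whether that file is clean.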
Well, I sent the file to Microsoft Malware Protection Center… and this is what they say - MALWARE
Analysis of the file(s) in Submission ID MMPC12010938735881 is now complete.
This is the final email that you will receive regarding this submission.
The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 1/9/2012 1:47:30 PM Pacific Time.
Below is the determination for your submission.
– 1/9/2012 2:26:01 PM –
We have reviewed the file and have determined that the file meets our criteria for detection. At this time detection will remain in place.
It should indeed be a great help if the poster would give us the original download link of the file. As malware detection/protection is improving, malcreants do everything to dress up their malcreations or spyware as respectable genuine programs to go under the detection radar. As the origin of this respectable download may be oriental, seeing to these scan results: http://r.virscan.org/e6677f8f2e7a332a0d8db0c79b9d82f1
So a scan of the original download site could determine a lot more about what we have to deal with; it could be one of the most infamous and advanced kernel-mode rootkits.
After a few sleepless nights going over my problem in my head I came to the conclusion that I do have a virus, so I went about trying to figure out what virus was infecting me. I used this site and followed the directions listed to shoot my bug:
I uninstalled “Windows XP Mode” and turned off “Virtual PC” using “Turn Windows Features On or Off” and followed the directions on daniweb exactly as delineated. After all that no virus or malware was discovered by any product listed, including Microsoft’s. I re-downloaded and reinstalled “Windows XP Mode” and turned on “Virtual PC” and voila, the problem is back.
We found a new dialer in the attachment you have sent us.
The pattern recognition will be integrated in one of our next updates.
The pattern recognition of the dialer will be detected as TR/TDss.aowin.
We thank you for your assistance.
Attachment(s) you sent:
vpcvmm.7z
–
Kind regards / Best regards
Avira Operations GmbH & Co. KG
TrojanDropper:Win32/Sirefef.B may also contact server 85.17.239.212 for the purpose of reporting infection statistics.
And then I land at this, reported by the VW migration list for malware, with status now down:
Down: NA RIPE NL abuse at -leaseweb.com 85.17.239.212 to 85.17.239.212 intensedive.com /http://intensedive.com/install/setup.php?m=d310b08f1d6d&i=1&id=110001800