AVAST Free Anti-Virus causing a problem with W7 32 Virtual PC.

I am running Win 7 Pro Dell OEM 32 bit w/SP1 and using Windows Virtual PC and XP Mode. All has been running well since last August, but now I am getting problems with AVAST Free Anti-Virus and Virtual PC. AVAST is detecting a problem with VPCVMM.SYS “Win32:Alureon-AOV [Rtk]” and keeps moving it to its Virus Chest. Without VPCVMM.SYS Virtual PC is dead, so I keep restoring VPCVMM.SYS. All works for a while and then AVAST again removes VPCVMM.SYS. I originally thought I had a problem with VPCVMM.SYS so I un-installed Virtual PC and then re-installed it. AVAST always detects it as infected. I keep emailing AVAST reporting my problem as a “False Positive” to no avail. I have been going through this crap for two weeks with no relief in sight.

Today I ran VPCVMM.SYS through VirSCAN.org to see what they could find. Here are my results:

VirSCAN.org Scanned Report :
Scanned time : 2012/01/08 23:15:46 (CST)
Scanner results: 44% Scanner(s) (16/36) found malware!
File Name : vpcvmm.sys
File Size : 296064 byte
File Type : PE32 executable for MS Windows (DLL) (native) Intel 80386 32
MD5 : 549fe66bbaf9e334d279b06b48fbb045
SHA1 : d5f32653d2d37d80220280c6425af121144025e2
Online report : http://r.virscan.org/e6677f8f2e7a332a0d8db0c79b9d82f1

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120108222016 2012-01-08 0.30 Trojan-Dropper.Win32.Sirefef!IK
AhnLab V3 2012.01.09.00 2012.01.09 2012-01-09 2.97 -
AntiVir 8.2.8.18 7.11.20.194 2012-01-06 0.28 TR/TDss.aowin
Antiy 2.0.18 20120108.15530722 2012-01-08 0.02 -
Arcavir 2011 201201071152 2012-01-07 3.31 -
Authentium 5.1.1 201201071544 2012-01-07 1.45 -
AVAST! 4.7.4 120108-0 2012-01-08 0.02 Win32:Alureon-AOV [Rtk]
AVG 10.0.1405 2090/4130 2012-01-08 0.06 BackDoor.Generic14.CBJJ
BitDefender 7.90123.7942335 7.40512 2012-01-08 4.07 Trojan.Generic.KDV.473055
ClamAV 0.97.1 14272 2012-01-08 0.06 -
Comodo 5.1 11214 2012-01-08 2.14 -
CP Secure 1.3.0.5 2012.01.08 2012-01-08 0.08 -
Dr.Web 7.0.0.11250 2012.01.08 2012-01-08 17.74 -
F-Prot 4.6.2.117 20120107 2012-01-07 0.78 W32/FakeAlert.RL.gen!Eldorado (generic, not disinfectable)
F-Secure 7.02.73807 2012.01.06.06 2012-01-06 12.56 -
Fortinet 4.2.257 15.73 2012-01-07 0.11 -
GData 22.3386 20120108 2012-01-08 5.00 Trojan.Generic.KDV.473055 [Engine:A]
ViRobot 20120107 2012.01.07 2012-01-07 0.76 -
Ikarus T3.1.32.20.0 2012.01.08.80184 2012-01-08 4.83 Trojan-Dropper.Win32.Sirefef
JiangMin 13.0.900 2011.11.26 2011-11-26 2.02 -
Kaspersky 5.5.10 2012.01.08 2012-01-08 0.12 -
KingSoft 2009.2.5.15 2012.1.8.9 2012-01-08 0.89 -
McAfee 5400.1158 6582 2012-01-07 10.76 ZeroAccess.v
Microsoft 1.7903 2012.01.08 2012-01-08 12.27 TrojanDropper:Win32/Sirefef.B
NOD32 3.0.21 6776 2012-01-08 0.03 a variant of Win32/Rootkit.Kryptik.GG trojan
Panda 9.05.01 2012.01.08 2012-01-08 2.55 Generic Trojan
Trend Micro 9.500-1005 8.696.05 2012-01-08 0.03 -
Quick Heal 11.00 2012.01.07 2012-01-07 1.19 -
Rising 20.0 23.91.04.02 2012-01-06 2.34 -
Sophos 3.27.0 4.73 2012-01-08 4.52 Mal/ZAccess-G
Sunbelt 3.9.2525.2 11368 2012-01-08 0.86 Trojan.FakeAlert
Symantec 1.3.0.24 20120107.009 2012-01-07 0.50 -
nProtect 20120108.01 11894920 2012-01-08 1.28 -
The Hacker 6.7.0.1 v00373 2012-01-06 0.55 Trojan/Kryptik.gg
VBA32 3.12.16.4 20120106.1104 2012-01-06 5.92 Trojan.Genome.abate
VirusBuster 5.4.0.10 14.1.156.0/7339910 2012-01-08 0.00 -

Does anyone have a solution to this mess?

well…44% detection…looks suspicious…and 70% at Virustotal
http://www.virustotal.com/file-scan/report.html?id=629dd6e0327ffd3f152375f635bd5e48c6307684a94662cda1a480d16e8e2b1b-1326038361

since both Avira and Sophos detect this
i would upload the sample to them as a False Positive case and see what they say…as avast usually will not give a reply

Avira http://analysis.avira.com/samples/index.php
Sophos https://secure.sophos.com/support/samples

you should then receive an answer within 48 hours…Sophos have sometimes answered me after 30 minutes :wink:

I just supplied VPCVMM.SYS to both Avira and Sophos. Let’s see what they say. I also added my problem to Microsoft’s TechNet Windows 7 forum.

see top right corner here MY MESSAGES

I just got this reply from Sophos:

Hello,

Thank you for contacting Sophos Technical Support.

Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.

The file(s) below are already detected with the latest version of Sophos Anti-Virus and the latest IDE definitions.

vpcvmm.sys – already detected (Mal/ZAccess-G (all product versions))

Please update Sophos Anti-Virus, and run a Full System Scan to clean up this threat.

Now that’s a scary response.

you did upload it as a False Positive case?

Yes, I uploaded it as a false positive a number of times over the past 2-3 weeks. In addition, I just received this response from Avira:

Dear Sir or Madam,

Thank you for your email to Avira’s virus lab.
Tracking number: INC00943034.

A listing of files alongside their results can be found below:

File ID Filename Size (Byte) Result
26486962 vpcvmm.sys 289.13 KB FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename Result
vpcvmm.sys FALSE POSITIVE

The file ‘vpcvmm.sys’ has been determined to be ‘FALSE POSITIVE’. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.
Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/details.php?uniqueid=MwOjpvFAdQcMJDURbr8fjcDmR1zmzdBs&incidentid=943034

An overview of all your submissions can be found here:
http://analysis.avira.com/samples/details.php?uniqueid=MwOjpvFAdQcMJDURbr8fjcDmR1zmzdBs

Please note: If you have specific questions please address them to support@avira.com

Kind regards
Avira Virus Lab


I was thinking of the upload you did yesterday to sophos?

if you did, you usually get a response like this…

…we did not find any false positive, detection is correct…
or…the detection is a false positive and signature will be removed in next update. Sorry for any inconvenience

OK i uploaded it to Sophos and got this response

According to our labs it is not a FP from what we scan.

It claims that it is from Windows Virtual PC, but MS detect this themselves as a Malware threat.
If you feel that this is safe for your environment then you can authorize it or add an exclusion within your policy.

That is a good point… ???

I already have the module identified in my exclusion list(s), but AVAST still blows it away. I must be doing something wrong within the exclusion list(s). The module runs as a “Required Service” when Windows 7 Virtual PC is operational. I do not have another PC running Windows 7 or I would activate Virtual PC there and grab its VPCVMM.SYS module and compare the two.

Anyway, this module is part of “Windows 7 Virtual PC” distribution and not to be confused with “Microsoft’s Virtual PC” which is a separate product. This Virtual PC is an option to turn on/off when customizing an operational Windows 7 system. It integrates Virtual PC functionality directly into Windows 7 and does not add another program product to your inventory. Microsoft does not recommend installing their Virtual PC product into Windows 7, but rather turning on the Virtual PC facilities already within Windows 7. Confusing, isn’t it?

I cannot believe I am the only one with this problem.
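The poster above would like to compare his copy of VPCVMM.SYS with a known one. As an added example (not from any poster in this thread), the PowerShell check below compares a local vpcvmm.sys against the size and hashes quoted in the VirSCAN report earlier in the thread and shows whether the driver carries a valid Authenticode signature; the file path is an assumption and should be adjusted to wherever the driver sits on the machine.

```powershell
# Added example: compare a local vpcvmm.sys against the size and hashes
# reported earlier in this thread and check its Authenticode signature.
# The path below is an assumption; point it at the driver's actual location.
$Path = 'C:\Windows\System32\drivers\vpcvmm.sys'

# Values quoted from the VirSCAN report posted in this thread.
$ReportedMd5  = '549fe66bbaf9e334d279b06b48fbb045'
$ReportedSha1 = 'd5f32653d2d37d80220280c6425af121144025e2'
$ReportedSize = 296064

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path"
    return
}

$item = Get-Item -LiteralPath $Path
$md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
$sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
$sig  = Get-AuthenticodeSignature -FilePath $Path

[PSCustomObject]@{
    Path            = $Path
    SizeBytes       = $item.Length
    SizeMatches     = ($item.Length -eq $ReportedSize)
    MD5Matches      = ($md5 -eq $ReportedMd5)
    SHA1Matches     = ($sha1 -eq $ReportedSha1)
    SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
    Signer          = $sig.SignerCertificate.Subject
} | Format-List

# Reading the result: matching hashes mean the local copy is the same sample the
# thread's scanners flagged. A driver shipped by Microsoft is expected to show
# SignatureStatus 'Valid' with a Microsoft signer; NotSigned or HashMismatch on
# a file claiming to be that driver is the finding to act on.
```

Because Authenticode checks the file against its embedded signature, a tampered or substituted driver fails this check even when the filename and size look right.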

where do you download it from…Microsoft?

well, i sent the file to Microsoft Malware Protection Center…and this is what they say - MALWARE

Analysis of the file(s) in Submission ID MMPC12010938735881 is now complete.

This is the final email that you will receive regarding this submission.

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 1/9/2012 1:47:30 PM Pacific Time.
Below is the determination for your submission.

========
Submission ID MMPC12010938735881

Submitted Files

vpcvmm.sys [TrojanDropper:Win32/Sirefef.B]

The following links contain more information regarding the detections listed above:
http://go.microsoft.com/fwlink/?linkid=95666&Entry.aspx&name=TrojanDropper:Win32/Sirefef.B

Analyst Comments

– 1/9/2012 2:26:01 PM –
We have reviewed the file and have determined that the file meets our criteria for detection. At this time detection will remain in place.

So where did you download this program from?

and how did Avira end up saying it was FP?

Hi Pondus,

It should indeed be a great help if the poster would give us the original download link of the file. As malware detection/protection is improving, malcreants do everything to dress up their malcreations or spyware as respectable genuine programs to go under the detection radar. As the origin of this respectable download may be oriental, seeing to these scan results: http://r.virscan.org/e6677f8f2e7a332a0d8db0c79b9d82f1
So the original download site scan could determine a lot more about what we have to deal with; it could be one of the most infamous and advanced kernel-mode rootkits.

polonus

and the last one from me

Norman lab

Falsepos case on file vpcvmm.sys (549fe66bbaf9e334d279b06b48fbb045) has been processed. No False Positive found!

Malwarebytes added detection as - Backdoor.0Access

I loaded “Windows XP Mode” and “Virtual PC” from this Microsoft site:

http://www.microsoft.com/windows/virtual-pc/download.aspx

After a few sleepless nights going over my problem in my head I came to the conclusion that I do have a virus so I went about trying to figure out what virus was infecting me. I used this site and followed the directions listed to shoot my bug:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

I uninstalled “Windows XP Mode” and turned off “Virtual PC” using “Turn Windows Features On or Off” and followed the directions on daniweb exactly as delineated. After all that no virus or malware was discovered by any product listed, including Microsoft’s. I re-downloaded and reinstalled “Windows XP Mode” and turned on “Virtual PC” and voila, the problem is back.

I hate effen computers!!!

Dear Sir or Madam,

Thank you for your recent inquiry.

We found a new dialer in the attachment you have sent us.
The pattern recognition will be integrated in one of our next updates.
The pattern recognition of the dialer will be detected as TR/TDss.aowin.

We thank you for your assistance.

Attachment(s) you sent:
vpcvmm.7z


Kind regards / Best regards
Avira Operations GmbH & Co. KG

Hi Omid Farhang,

TrojanDropper:Win32/Sirefef.B may also contact server 85.17.239.212 for the purpose of reporting infection statistics.
And then I land at this reported by the VW migration list for malware with status down now on
Down: NA RIPE NL abuse at -leaseweb.com 85.17.239.212 to 85.17.239.212 intensedive.com /http://intensedive.com/install/setup.php?m=d310b08f1d6d&i=1&id=110001800

Could that address not be the real originator of the malware we are discussing here? The history of Dutch Leaseweb dot com is questionable at least - http://www.malwaredomainlist.com/mdl.php?search=16265&colsearch=All&quantity=50

polonus

That file has some more info too:

'USS Arizona was a Pennsylvania-class battleship built for the United States Navy in the mid-1910s. Commissioned in 1916, the ship remained stateside during World War I.' 'During the Japanese attack on pearl harbor on 7 december 1941'

Hi Omid Farhang,

That is a so-called flag and circumstantial evidence for the malcreant-developer,

pol