f/p for c:/program files/windows media connect 2/wmccds.exe

I’ve quarantined a COPY of the file, and sent it to avast for their consideration.

From VirusTotal: 3/41 claim it is infected:
Avast 4.8.1351.0, 2010.07.11, Win32:Malware-gen
Avast5 5.0.332.0, 2010.07.11, Win32:Malware-gen
GData 21, 2010.07.11, Win32:Malware-gen

Additional information:

File size: 855552 bytes
MD5: cd99c9feae87c1963273f6b150251e33
SHA1: cb5d1edc657ed4f7a44f8cd3a87d8c42b8d36c87
SHA256: 8eada8a4156f23a861ee2180145485c073a0ddebd924452caffc65188577a1d1
ssdeep: 24576:40hSik35fkZieeWQonYWMEW21BJgrbdQLD:WiEAKUY1sgrbdQLD

Publisher: Microsoft Corporation
Copyright: (c) Microsoft Corporation. All rights reserved.
Product: Microsoft® Windows® Operating System
Description: Windows Media Connect
Original name: wmccds.exe
Internal name: Windows Media Connect
File version: 5.1.2600.2771 (xpsp(wmbla).051006-1809)
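An added example, not part of the forum post above, of the check a practitioner would run before restoring the file from the chest: hash the local file and compare it against the size, MD5, SHA1 and SHA256 the post reports from VirusTotal, so the copy you put back is known to be byte-identical to the sample that was submitted and later cleared. Python, standard library only. The demo() function hashes a constructed stand-in file rather than the real wmccds.exe, so its digests will not match the reported ones; that mismatch is exactly what the report shows.

```python
import hashlib
import os
import tempfile

# Size and hashes reported for wmccds.exe in the original post (VirusTotal).
REPORTED = {
    "size": 855552,
    "md5": "cd99c9feae87c1963273f6b150251e33",
    "sha1": "cb5d1edc657ed4f7a44f8cd3a87d8c42b8d36c87",
    "sha256": "8eada8a4156f23a861ee2180145485c073a0ddebd924452caffc65188577a1d1",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Return {'size': n, 'md5': ..., 'sha1': ..., 'sha256': ...} for the file at path.

    The file is read once in chunks, so large binaries need not fit in memory.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def compare(actual, expected):
    """Return {field: (actual, expected)} for every field that differs.

    Hex digests are compared case-insensitively, since VirusTotal and local
    tools do not agree on upper/lower case. An empty dict means a full match.
    """
    mismatches = {}
    for field, exp in expected.items():
        act = actual.get(field)
        if isinstance(exp, str) and isinstance(act, str):
            same = act.lower() == exp.lower()
        else:
            same = act == exp
        if not same:
            mismatches[field] = (act, exp)
    return mismatches


def verify_file(path, expected=REPORTED):
    """True only if every reported field matches the file on disk."""
    return not compare(hash_file(path), expected)


def demo():
    """Hash a constructed stand-in file (NOT the real wmccds.exe) and diff it
    against the thread's reported values. Returns (actual, mismatches)."""
    sample = b"abc"  # constructed content; its digests are well-known test vectors
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        actual = hash_file(path)
        return actual, compare(actual, REPORTED)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    actual, mismatches = demo()
    for field in ("size",) + ALGORITHMS:
        print(f"{field:>7}: {actual[field]}")
    if mismatches:
        print("MISMATCH: this is not the file that was submitted and scanned:")
        for field, (act, exp) in mismatches.items():
            print(f"  {field}: got {act}, expected {exp}")
    else:
        print("OK: file matches the reported hashes")
```

To check a real restored copy, call verify_file(r"C:\Program Files\Windows Media Connect 2\wmccds.exe") and restore only if it returns True; a False with a size or hash mismatch means the file on disk is not the sample that was analysed, whatever the scanner now says about it.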

If only GData and avast detect it: GData uses avast as one of its two scanners, so that counts as one detection, and it is almost certainly an FP.

avast are usually quick to correct an FP once analysed:

This assumes that you are using avast 5 and not avast 4.8.

  • In the meantime (if you accept the risk), add it to the exclusions lists:
    File System Shield, Expert Settings, Exclusions, Add and
    avast Settings, Exclusions

Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the File System Shield and avast Settings exclusions lists.

DavidR

I had already added the folder to the File System Shield exclusion list, which is how I was able to upload it to VirusTotal.

As noted at the beginning of my post, I also sent a copy (from quarantine) to avast, so avast could analyze it.

Thanks for the info that GData duplicates avast’s finding… I’m sure it’s an f/p.

By the way… when I tried to add just the one file, it wouldn’t let me… I had to add the entire folder. Any idea what I’m doing wrong?
Okay, just figured it out… I had to enter the path first… then edit it to add the filename.

You’re welcome.

Not advisable to exclude the whole folder, as that would leave a large hole in security.

As you have found, you can either paste the complete path, or go back in and edit the exclusion path, changing the * at the end of the path to \filename.exe of the suspect file.

Hopefully it won’t be long before it is resolved.

David,

I realize it’s not advisable to exclude the whole folder… I did so only for the sake of being able to access the file for upload to VirusTotal… and as noted, I subsequently found out how to limit the exclusion to the one file only.

The file was originally detected using virus database 100711-0. I was out for a few hours, and when I logged back on I automatically received the update to 100711-1… but unfortunately the f/p hasn’t been fixed yet (unless avast is asserting it’s really a virus… which I still seriously doubt).

I also note several other threads today reporting other problems with Win32:Malware-gen.

@ ky331

You could go to PROFILE, then Modify Profile, then Forum Profile Information, then Please select your country:, then Signature:, and put information about your system there, just like my signature, so that the helpers can offer pertinent advice, as DavidR (avast! Technical) has in his signature.

In Account Related Settings, select Hide email address from public to prevent scammers and spammers harvesting your yahoo.com email address.

Avast are quick to correct any FP when identified, though perhaps not as quick as you hoped (the very next signature update). First they have to have received your sample submission and analysed it; if it is confirmed as an FP they have to correct the signature and then run that against their test data to see that it doesn’t create other problems. Then and only then can it be released.

The avast Win32:Malware-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and that is a fine balance between detecting a new variant and detecting something valid as infected. This is why it is recommended to move detections to the chest and not delete them.

YoKenny,

I have modified my signature per your suggestion… although I fail to see how any of the information requested would have any relevance to whether or not the file I’m questioning is an f/p.

David,
I am familiar with the meaning of generic (and heuristic) detections, and realize they are the “least reliable” and “most delicate” of virus/malware classifications. While merely a “Jr. Member” of the avast forum (in terms of my participation here), I am a long-time regular in the DELL virus/spyware forum. (Not that that necessarily proves anything… just letting you know I’m not a computer “newbie”.)

Windows Defender is unnecessary on XP Pro.

Using WOT is like using a used dish cloth that may be clean and maybe not.

Spybot’s HOSTS file is as unreliable as Spybot S&D itself.
The hpHosts and MVPS HOSTS files are much more reliable and up to date.

I wasn’t making any judgement on your experience, just making a comment that this is a generic signature (as the malware name doesn’t make it very clear), in case you weren’t aware of it. Not only that, but it is also intended for those others reading the topic now (103 reads at the time of this post) and in the future.

What is wrong with using Windows Defender when you have XP and only have Windows Firewall turned on,
and otherwise run avast! Free and WinPatrol with the MVPS HOSTS file?

Surely then Windows Defender is a good option, provided it is kept up to date?

And whether you like it or not, web 3.0 will be noted for its subjective potential: users will have more say.
This means it will be peopled by users like Shiw Liang, and others in the younger generation that I have come across, some of whom already rely on the internet to make a living, and so, as you say, they will need to bring the subjective slant in sites like WOT up to standard.
But their subjectivity will be important; they will need sites that build on the WOT concept.

With the release of 100712-0, the file is now deemed clean.
Thank you for your assistance.

You’re welcome, thanks for the feedback.

Thank you all for discussing this and making it so easy for me to find info when avast! detected the same malware ky331 discussed in Post 1, last night. On 64-bit XP Pro I don’t have the boot scan option and was quite concerned, but I updated avast! 4.8 today and scanned the flagged file, which I’d placed in the chest, to find it was no longer detected. I’ve done full scans since then with no results, so I assume all’s well again. Please advise if you think I should panic. Many thanks for your helpful info and happy days to you all.

First, can you modify your post and remove the 90 or so blank lines at the end of your post.

Yes, if you have scanned it again in the chest and it is no longer detected, the signature has been corrected, and you can right-click on the file in the chest and select Restore. That will put it back in the original location; ensure that it is back in that location, and then you can remove the copy that remains in the chest.