False Positive? ech.exe

First I would like to apologize for crossposting. My first post was in the wrong place. :-[

A couple of days ago Avast found sign of "Win32:Trojan-gen" in "ech.exe". I believe I uploaded the file to Avast using the program. I have just updated iAVS, but Avast still finds the program to be infected. At VirusTotal only Avast and Gdata found this.
My PC is a Packard Bell and the "infected" program is from NEC Computers. As far as I know it has been there from day one.
Here is info from VirusTotal:
[i]File size: 40960 bytes
MD5…: 83f1a4de90182e630beb24ba5b618df2
SHA1…: 4982b1442a42104ab7e46858266c6b5687da487b
SHA256: 8a4b1b76261135b64f82d79b6d3d99c098fc76890f12a1f6a5d73cbd558466a8
ssdeep: 384:zcLGTDyFqVKkylHaY4fSbc8nE0Oc1sQyqli7roxIjWLrDssbCsDduvBIyFit
2Az4:zYGTDyFqV494qAfGCMQyl
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14d0
timedatestamp…: 0x3f02a255 (Wed Jul 02 09:13:57 2003)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6c60 0x7000 5.54 e3f00e84db702c83c75034bc64e17044
.data 0x8000 0xce8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x9000 0x8e8 0x1000 1.97 e2c015a46fd6b1449f617c3f487fa1c4

( 0 exports )
RDS…: NSRL Reference Data Set

trid…: Win32 Executable Microsoft Visual Basic 6 (91.5%)
Win32 Dynamic Link Library (generic) (5.5%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -
sigcheck:
publisher…: NEC Computers International
copyright…: n/a
product…: ech
description…: n/a
original name: ech.exe
internal name: ech
file version.: 1.03.0001
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned[/i]

I hope this will be white listed soon.
Thank you for a great program. Keep up the good work. :)

JR

Hi Jorgenr,

OK, seems like a false positive. Could you please report it to the ALWIL team?



To report a false positive:

You could also send the file in a password protected archive to virus(at)avast(dot)com with ‘potential false positive’ in the subject line and the password in the email body.

or

You could add the file to the user files of the virus chest and send it from there:

Right click avast icon in taskbar --> click start avast antivirus --> right click scanner background --> click virus chest --> navigate to user files --> click add files --> right click file --> email to alwil software.

NOTE:
The file will actually be uploaded when the next update is performed (you can do a manual update to initiate the sending).


You could also add a link to this thread and some more information when you do.

-Scott-

p.s. A link to Virustotal would be easier for you to post, and has all of the detections also.
http://www.virustotal.com/analisis/8a4b1b76261135b64f82d79b6d3d99c098fc76890f12a1f6a5d73cbd558466a8-1255385530

Hi Scott

Thank you for your reply. I have just sent the password protected zipped file by mail including a link to this post.

No problem :)

Let us know when the detection is corrected (i.e. scan it periodically - after VPS updates)

-Scott-

Hi

The problem has gone with today's iAVS update!

JR

Good to hear, thanks for the update.
Well done ALWIL :)