False positive? (mscorlib.ni.dll)

system · March 1, 2011, 11:25pm

Avast is currently flagging a file called mscorlib.ni.dll as Win32:Spyeye-BG (exact location: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll) on two of my computers (both running Windows 7). As one of these computers was clean last night (ran quick scan and full scan and both were clear) and the other has not been used for several days I suspect that this is an FP. The fact that the ‘last modified’ timestamp on the files in question corresponds in both cases with the installation of last week’s Windows updates on the computers would also seem to support this.

Am I right to think that this is a false positive?

Pondus · March 1, 2011, 11:29pm

upload the file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the URL in the address bar and post it here

alternative
VirScan http://virscan.org/
Jotti http://virusscan.jotti.org/en

system · March 1, 2011, 11:39pm

This is the same thing I’ve just referred to in my very recent post so I’d be interested to see how this goes.

system · March 1, 2011, 11:42pm

I can’t access the folder C:\Windows\assembly\NativeImages_v2.0.50727_32. When I type the address in I get a message saying that Windows can’t find it. I suspect that it may be because it’s in the Assembly folder.

system · March 1, 2011, 11:46pm

I can only find the file in a Command prompt and it is 11 megabytes big. I can not find it through explorer or other normal means.

Can you update a file that large to that test site? And how do you access it to upload?

system · March 1, 2011, 11:48pm

guys there’s already a thread http://forum.avast.com/index.php?topic=72687.0

a mod can merge the posts here with the other thread and close the one here?

DavidR · March 2, 2011, 1:14am

It is created on the fly from mscorlib.dll, so it is only there for a short time, if you don’t send it to the chest and just block, the file would disappear anyway.

There has just been another VPS update 110302-0, so I don’t know if that resolves this problem.

EDIT:

system · March 2, 2011, 1:16am

Yeah, I was also just notified of this mscorlib.ni.dll when my Avast was updated today.
The file was moved to the Avast virus chest.

Avast told me it had originated in “Bitmeter” a network traffic monitor system from http://codebox.org.uk which I had installed a few days ago.

AFAIK, the Bitmeter still runs satisfactorily on my system…

-Tony King aqk.ca

jsejtko · March 2, 2011, 1:23am

Hi all,

This issue is fixed in the current vps update. I’m sorry for any inconvenience.

J.

False positive? (mscorlib.ni.dll)

Announcements