Yesterday I started getting reports that winsrv.dll is infected with WIN32:Malware-gen. If I manually scan the file it says it is OK, but the real time shields report this virus, and automatically move it to the Virus Chest.
I am quite sure this is an uncorrupted file as distributed by Microsoft.
Upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.
Alternatives:
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/
virustotal.com shows it as clean for all programs.
http://www.virustotal.com/file-scan/report.html?id=a68f49d17f9f6b19fc9670c67806c40fff2ed8281267b753cbe08cc7dc307d54-1319464389
jotti.org shows it as infected for Avast, but clean for all others.
http://virusscan.jotti.org/en/scanresult/7d8d5c8f6db8a192af009beefec9bbb7c8c04373/f0130e0d1f08e03e8cd5fe24f8159ed794a00899
it may be that they are on different update…one does not have the latest yet ???
The file is more than 2 months old at VT
First seen: 2011-08-09 17:48:02
Last seen : 2011-10-24 13:53:09
sigcheck:
publisher…: Microsoft Corporation
copyright…: (c) Microsoft Corporation. All rights reserved.
product…: Microsoft_ Windows_ Operating System
description…: Windows Server DLL
original name: winsrv.dll
internal name: winsrv
file version.: 5.1.2600.6125 (xpsp_sp3_gdr.110620-1711)
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
If you want an analysis result you can upload to Avira or Sophos…or both, then you receive the result in mail
Avira http://analysis.avira.com/samples/
Sophos https://secure.sophos.com/support/samples
I’m confident the file is clean.
Avast needs to correct their detection.
The detection is not there for a while already - please make sure you’re using the latest definitions.
Hi ME27,
Consider this http://www.backgroundtask.eu/Systeemtaken/taakinfo/61688/winsrv.dll/
Then the MD5 hash is safe, that is MD5 95cf3446911a6e25ee4086df8a45b2aa
and here http://www.isthisfilesafe.com/sha1/984E2BB09F04ABEA4AE8ADA1BEFA52691BAB2413_details.aspx
polonus
Igor:
The problem was happening with the definitions which were current yesterday. However, when I tried today, it seems to be OK - not flagging as infected.
As noted, when I scanned the file it showed as being not infected. However, when accessing the file with Real Time Shields enabled, it would quarantine it. (My shield settings may be more strict than the default.)
It looks like the problem was fixed in today’s release. If it occurs again, I will re-post.
Thanks.