False positive or not?

Hi
Last Thursday I did a full system scan on my Windows 7 64-bit with my Avast! Free and it found a “Win32:Malware-gen” in the directory “C://Program Files(x86)/Microsoft/Bing Bar/7.1.361.0/MUExe/7.1.361.0/BingBarSetup-Partner.EXE”, so in a Bing Toolbar file, with regular Microsoft copyright. At the end of the analysis, suspecting it was a new false positive (my Avast had detected another FP just a few days before), I chose not to automatically correct the problem. Instead, I analyzed the system with MBAM and the single file with the Kaspersky Virus Removal Tool, which didn’t detect anything suspect. So I tried to view the file’s properties but Avast blocked it again, indicating it as malware and moving it to the virus chest.

Trying to understand something more, I restored the file from the virus chest and analyzed it using Virustotal, getting the following result:
https://www.virustotal.com/it/file/2cbb7875067792f6f08e6439fa7776c4fc0071c9736f11754a06594df1cfe25a/analysis/1424530069/

Until two days ago, only one antivirus (Avast!) out of the 57 in Virustotal’s analysis detected it as malware, whereas the others saw nothing suspect in it.
This fact makes me think of an FP, but I consider Avast responses to be very often reliable so I keep being suspicious, even more considering that, analyzing the file again, Avast keeps detecting it as a menace, and, checking the Virustotal page about that file, I saw that it was updated yesterday with another user’s analysis of the same file and now the antivirus GData detects it as a menace too, a “Win32.Trojan.Agent.BJRVXJ”, as you can see in the Virustotal page at the link:
https://www.virustotal.com/it/file/2cbb7875067792f6f08e6439fa7776c4fc0071c9736f11754a06594df1cfe25a/analysis/

Two days ago I also sent the file from the virus chest to the Avast lab to analyze it and understand if I can actually consider it an FP or if it represents a true menace, but, until now, nothing has changed.
Besides, I don’t understand where this “virus” should come from. In fact, I’m always very prudent and cautious in these things.
As I said, the file appears as a legitimate Microsoft file that arrived on my computer with normal updates, as I can see in the Windows Update history; it’s been in the system for a very long time and has never created any sort of problem.

I apologize for the length of the message but I don’t know what to think about this file and if I can consider this a true menace or just another FP.

Many Thanks

False Positive

First submission 2012-04-03 20:57:49 UTC ( 2 years, 10 months ago )

Copyright: © Microsoft Corporation. All rights reserved.
Publisher: Microsoft Corporation
Product: Bing Bar
Original name: WEXTRACT.EXE
Internal name: Wextract
File version: 7.1.361.0
Description: Bing Bar Setup

With only two hits on VT it is still likely to be an FP - the Win32:Malware-gen detection is also a generic detection trying to catch multiple samples of the same sort of malware group.

The BingBarSetup-Partner.EXE file and its location seem legit; however, if you didn’t actually elect to install the Bing Toolbar, then that would be different. I really do think that Bing (a.k.a. Microsoft) would be getting more out of the deal than you.

http://www.backgroundtask.eu/Systeemtaken/taakinfo/92029/BingBarSetup-Partner.exe/

Personally, if you want to use the Bing search engine, you can easily change it in your browser, without having a toolbar that is running in the background - possibly gathering data for the other half of the partnership, and I have no idea what benefit you are supposed to get out of the deal/partnership.

If you do not like toolbars, and a lot of folks do not, then it is a valid detection.
I think it is a good thing Avast flags this for what it is - BHO.

pol

Many many thanks to everyone.
Now Avast doesn’t detect it as a menace anymore. It was really a FP.
Thanks