False positive - SuperAntiSpyware.exe

My Avast is up to date, yet it keeps saying that my SAS is infected.
So, I checked it against Virustotal.com and here’s what they had to say:
http://www.virustotal.com/analisis/fdeb328e89bf990b6716cc2e5156a178
As you can see, false positive.

What is your VPS version?

Yes, I have the same response at Boot Up into my Win XP SP3 system, just now. I then did an On demand Scan of the C:\Program Files\SUPERAntiSpyware directory which gave the same Alert.

Program version: 4.8.1201
Information about current update:
Total time: 43 s

  • Vps: Already up to date
    (current version 080526-0)

I have emailed Avast! to virus@avast.com hoping the team can get an early heads up on this obvious FP.

Strange, avast! on my computers didn’t detect SAS as infected.

Program version: 4.8.1201
Vps: current version 080526-0

I am also getting the same with SAS along with c:\System Volume.…\A0105230.exe

VPS 0805260
Program version: 4.8.1201

Annie

rdmaloyjr:

Strange, avast! on my computers didn't detect SAS as infected.
That makes me wonder if SAS version is an issue, i.e. I updated the virus database for SAS last boot, yesterday. First boot up today Avast! immediately detected SUPERANTISPYWARE.EXE, as the pic shows.

Well I just fired up SAS and no alert with VPS 080526-0, I didn’t get an alert yesterday either on my weekly scan and that would have been VPS 080525-0.

I’m Using SAS version 4.1.1046 (Core 3468 Trace 1459), I did an SAS signature update yesterday before my scan.

Updated my Avast today and went to fire up SAS and received a virus warning for Win32:trojan-gen {other}, it was found in my SAS.

Moved it to the chest, then SAS wouldn’t work. Tried restoring the file (just in case it was a false positive) and it still wouldn’t work.

I’ve just run a full Avast system scan and it’s picked up two others:

C:\System Volume Information _restore{16492CF9-7C45-44C4-9AC8-F42C171D4F2E}\RP409 - Original file name = A0055926.exe

C:\System Volume Information _restore{16492CF9-7C45-44C4-9AC8-F42C171D4F2E}\RP410 - Original file name = A0055927.exe

Are these just the remnants in system restore and is it safe to delete them?

I am using the free version of SAS.

I opted to “ignore” when the alert by Avast!, i.e. "C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE" is “Win32:Trojan-gen{other}”, occurred; seems that ‘something’ broke SUPERAntiSpyware though, or there’s some problem with it in general.
I had to “repair” the installation of SUPERAntiSpyware to get it to function, during which there were some warnings about having adequate permissions from the re-installer.
Weird, I think I’ll use GNU/Linux for a day or two … ;D

Just to let you all know there are others out here experiencing the exact same thing…

All was fine with my system (Vista running Avast! 4.8 Home Edition and SuperAntiSpyware)
until I booted this morning and it went haywire.

Got the exact same message from Avast! re: “Win32:Trojan-gen{other}” found in SAS.
Told it to ignore and then ran Avast! scan of system.
It said I had a trojan in active memory and asked if I wanted to run a boot scan, which I did.
It found SAS as the culprit and when I chose to “Repair” it gave me an error, so I told it to
“Ignore” and the scan and boot went on as normal.

SAS will not start at all now. It won’t let me open the program.

This sucks royally. I’ve always counted heavily on SAS and find it a wonderful program for many uses.
Are we going to have to re-install or what? Maybe this was a virus/trojan set to go off on Memorial Day??
Anyone have any suggestions as to what to do next??? Thanks for any input or ideas!!! ???

Hi guys

Today I also got Superantispyware.exe identified by Avast! as infected with Win32:Trojan-gen {Other}. I had been using version 4.0.0.1154 of SAS. I shifted the SAS .exe to the Chest & then deleted it. Then installed the latest SAS (version 4.1.0.1046). Then did a full scan with Avast, which claimed two restore points had been infected.

The Avast log shows the following for the supposed infections in Volume Info:
Volume Information_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP614\A0094272.exe" file.
26/05/2008 03:14:24 PM [my name] 2976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP615\A0094290.MSI\Cabs.w1.cab\SUPERAntiSpyware.exe” file.

I’m running XP with SP3, Avast Free, Spybot S&D, Superantispyware, Windows Defender & ZoneAlarm (all up to date). Also WinPatrol & CCleaner.

Looking at the other posts here, it does look like this is a false positive (touch wood). I wasn’t looking forward to endless system restores, or worse, if this had been a genuine trojan. Hopefully we can relax a bit.

Hello all,

I was away for a few days, back home yesterday. I powered and booted up my PC normally, and
then on my laptop, I updated my Avast signature database manually, and in doing so, I had SAS
detected as an infected file. I suspected this could be a false positive; nevertheless, I put the file
in the chest.

More surprisingly, at about the same time, I made the same Avast update on my PC, but SAS was
not detected as infected. The SAS update status on my 2 machines might not be the same. It is
only today when I tried to launch SAS on my PC, that Avast told me that SAS was infected.
I moved it into the chest as well.

Now what would be the best behavior to follow? Download SAS again from its original site? But
Avast might detect it again as an infected file. As I am using SAS from time to time, this could be an
annoyance?

My VPS version on both machines is: 080526-0. I am running XP Pro on both machines also.

Thanks in advance for any comments.

I have the same thing. I’m curious if this might have something to do with XP SP3. I mean I never had problems before with Avast. Could SP3 cause Avast not to work correctly? Just a thought.

To justalice: I don’t think so (that XP SP3 is part of the problem), since I’m not running XP - I’m running Windows Vista Home Premium

???

Yep, same for me. Got the false warning of SAS being infected with Trojan, (clicked ignore). But it looks like Avast broke the installation of SAS. Even though I said to ignore SAS, SAS won’t run. Says I don’t have adequate permissions. Just last week I downloaded and installed SAS. Strange.

BTW, I’m still on avast 4.7 with 080526-0 definitions. WinXP Media Ctr. with SP-2

You can click ignore until you are blue in the face; avast won’t let you run what it classes as an infected file, period. So it hasn’t broken SAS. The ignore relates to that particular detection only. It doesn’t matter what version of avast you are using, as it is a signature based detection and not a version based detection.

I would first ensure that you have the latest version of SAS even though you downloaded it last week. Uninstall the current version and install the latest version; if still detected, continue with the steps below.

To get it to work you would have to exclude it from scans; however, I would ensure that you have checked it is a bad detection by sending it to virustotal. Then, if proven to be an FP, and only then, should you exclude it from scans and send it to avast for analysis.

Thanks David,

Well, I tried to upload the file to both Virustotal and Jotti. It keeps telling me “O bytes uploaded”. Jotti told me it’s probably my Firewall (ZoneAlarm). I turned off Zone Alarm, but still get the same thing, “O bytes uploaded”. I think since avast modified it some way, I can’t upload it… but not sure.

I downloaded and installed SAS on May 18th, but I see from visiting their site that the latest version is now 4.1.1046. I have 4.0.0.1154.

What version do others have that is being detected by avast??

Thanks.

Well, since I couldn’t upload the suspected file (SuperAntispyware.exe), I uploaded the installation file – all 6 meg of it – to VirusTotal. It said it had already been analyzed. Nothing found… even Avast says it’s not infected? BUT… the install file is packed so not sure if this is a good test or not.

Edit…

Also uploaded it to Jotti. Jotti unpacked and nothing found… even avast says clean. ???


BTW, I added the path of SAS to avast’s exclude list and I still can’t launch SAS. Says not ‘appropriate permissions’.

Okay, I decided to uninstall SAS (SuperAntiSpyware 4.0.0.1154) and install the latest (4.1.1046). During the uninstall, avast still sounded the alarm saying infected with sign of “Win32:Trojan-gen {Other}”. Even though I thought I excluded it from detection by avast, it still sounded the alarm.

Warning Log:

5/26/2008 2:58:35 PM Rick 1924 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE” file.

Update...

FYI: Installed the newest version of SAS (4.1.1046) and all is fine. Runs without avast detecting as trojan present. ;D
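Added example, not part of the original thread and not Avast's own tooling: a small parser for warning-log lines in the shape quoted above, which separates hits on live files from copies inside System Restore points so the live file can be checked first. The log layout is assumed from the two lines posted in this thread; the sample users, PIDs, GUIDs and file names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the warning-log lines quoted in this thread.
# Users, PIDs, GUIDs and A00000xx names are made up; quotes may be straight or curly.
SAMPLE_LOG = r"""
5/26/2008 2:58:35 PM alice 1924 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE” file.
26/05/2008 03:14:24 PM [test user] 2976 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP001\A0000001.MSI\Cabs.w1.cab\SUPERAntiSpyware.exe" file.
26/05/2008 03:15:02 PM [test user] 2976 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information_restore{00000000-0000-0000-0000-000000000000}\RP002\A0000002.exe" file.
this line is not a detection and is skipped
"""

# The timestamp is kept as text because its day/month order depends on locale.
LINE_RE = re.compile(
    r'^(?P<when>\S+ \S+ [AP]M) (?P<user>.+?) (?P<pid>\d+) '
    r'Sign of ["“](?P<sig>.+?)["”] has been found in ["“](?P<path>.+?)["”] file\.$'
)
# Tolerates the backslash before "_restore" being lost when a log is pasted.
RESTORE_RE = re.compile(r'System Volume Information\s*\\?_restore\{', re.I)

def parse_detections(text):
    """Return one dict per detection line; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["in_restore_point"] = bool(RESTORE_RE.search(hit["path"]))
            # Last path component; for hits inside archives this is the inner file.
            hit["leaf"] = hit["path"].rsplit("\\", 1)[-1].lower()
            hits.append(hit)
    return hits

def triage(text):
    """Group hits by signature into live files and System Restore copies."""
    summary = defaultdict(lambda: {"live": [], "restore": []})
    for hit in parse_detections(text):
        bucket = "restore" if hit["in_restore_point"] else "live"
        summary[hit["sig"]][bucket].append(hit["path"])
    return dict(summary)

if __name__ == "__main__":
    for sig, groups in triage(SAMPLE_LOG).items():
        print(sig)
        for p in groups["live"]:
            print("  live file, verify first:", p)
        for p in groups["restore"]:
            print("  restore-point copy:", p)
```
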

I know that this is off-topic, but I looked through the other boards and cannot find any other way to ask this question! sighs I apologize in advance.

How is it possible to contact another user or ask them a non-avast!-related question on here??? Is it possible??? I see that they have disabled the PM function.

I normally would just assume people wish to remain anonymous, but I’m sure that the person I want to ask something of would be tickled if my assumptions are correct.

Rick F has a euphonium photo as his icon. It made me wonder if he’s a euphoniumist. If so, he’d probably get a kick out of who my father is. :o

Again, I’m sorry if I have inconvenienced anyone with this question.