False Positive? Win32:Malware-Gen stacsv64.exe [Resolved?]

Update: 10/21/13
Thus far no malware person has looked at this that I’m aware of. See last post for the newest info.

Hi

I have Avast Internet Security and I ran a boot scan last night after the new update. It came up detecting three things it claims are infected with “Win32:Malware-Gen”.

I told two to move to the chest, the 3rd it said it was a windows system file and asked me again so I told it to ignore just to be on the safe side.

Looking at these files it appears they were created in 2012 back around the time I bought the computer, so I’m leaning towards this being a false positive because of how old these items appear, but I’m hoping someone here can tell me for certain.

The files are:
C:\Program Files\IDT\stacsv64.exe
C:\Program Files\IDT\WDM\stacsv64.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_b27a28765e622f18\stacsv64.exe

According to Avast’s virus chest the last time the top two were changed was in April of 2012. I run boot scans about once a week so I find it hard to believe this is real malware. I had last run one on 10/12 and had no problems.

Is anyone aware of a problem with the update or something? Or could these be legit files that somehow became infected? When I google them they look like audio files/drivers of some kind.

I’m on a Hewlett-Packard p7-1235 with Windows 7 Home Premium Service Pack 1.
This has Avast Internet Security Program Version 2014.9.0.2006
Virus Definitions 131017-1

Thanks for any help you can give!

Hi nacmomma08,

File an FP report from where it is being detected.
Read: http://www.shouldiblockit.com/stacsv64.exe-2602.aspx & http://www.runscanner.net/lib/stacsv64.exe.html
http://www.file.net/process/stacsv64.exe.html
Removing it could produce audio trouble…
If you think you could have malware problems, ask a qualified remover here to look into the issue…

pol

Hi Polonus

Yes I would like a malware person to look at it just to make sure. I submitted the two that were in the virus chest to avast as potential false positives, how do I submit the one it said was a system file? I was afraid to move it to the chest in case it would mess up my computer and make me not able to use it.

I just ran SuperAntiSpyware and it came up clean, I also ran Malwarebytes Anti Malware and that came up clean too. Just last night I ran Spybot Search & Destroy System Scan and it discovered a few low priority things like tracking cookies, nothing that jumped to my attention.

Here is the Malwarebytes Scan:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.17.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
FizCorg :: FIZCORG-HP [administrator]

10/17/2013 8:12:54 PM
mbam-log-2013-10-17 (20-12-54).txt

Scan type: Full scan (C:|D:|E:|F:|G:|H:|I:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 368122
Time elapsed: 45 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Also I asked Malwarebytes to just scan the one that I haven’t put in the Chest yet and it said it was fine. So did SuperAntiSpyware.
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.17.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
FizCorg :: FIZCORG-HP [administrator]

10/17/2013 8:59:36 PM
mbam-log-2013-10-17 (20-59-36).txt

Scan type: Custom scan (C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_b27a28765e622f18\stacsv64.exe|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I have MalwareBytes Anti rootkit on here so I’m going to update that and run it next.

[Edit]
Okay Malwarebytes Anti Rootkit and TDSSKiller found nothing either.

Same here. I submitted all 3 as false positives.

I was reading on bleepingcomputer that Dell and HP systems both have this problem, and that Dell have a specific IDT driver update for their systems, but HP do not.

Hi Simrick

Did you move it to the virus chest? I am wondering if I should, I don’t know any other way to submit it to see if it’s a false positive.

No, I just pasted the locations of the files directly into the report. BTW - you need to add one “slash” in your file:

C:\Program Files\IDT\stacsv64.exe
C:\Program Files\IDT\WDM\stacsv64.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_b27a28765e622f18\stacsv64.exe

Don’t ask me how I did it - I just updated to the 2014 version and spent 15 minutes trying to find the dang thing! grrrrrrr

(between this and the Yahoo mail updates, I’m about ready to throw my computer away! LOL)

p.s. don’t move them to your chest - your audio will be messed up if you do and you may have difficulty getting it back to working order, from what I’ve read.

if you move it to chest manually then file will remain at default location…only a copy is moved to chest
you can then send the file to avast lab from chest

You can upload files and report issues to avast here: http://www.avast.com/contact-form.php (select subject according to Your case)

you can use mail
send to virus@avast.com in a password protected zip file
mail subject: False Positive / undetected sample (select subject according to your case)
zip password: infected

or you can send files from avast chest
how to use the chest. http://www.avast.com/faq.php?article=AVKB21

Thanks Pondus and Simrick, I sent the last one via the contact form provided. Hopefully they can sort this out soon. What normally happens if it’s really false? Do they just do an update on Avast?

Also added the slash in right place, thanks Simrick!

Hi all

Can anyone tell me how long it normally takes to fix a false positive? Does Avast just update?

Depends on avast lab workload…

do you have the file in avast chest… right click and rescan, if not detected…restore
see my link above…how to use the chest

You’re welcome. :wink:
Normally the revisions come through in the definitions updates. No idea how long that takes. I usually just put an exception in the scan, make sure the original file is in place, and never look back.

Should be fixed tomorrow
today should not have anyone there
they are generally rapid.
a maximum of 3 days, depending on the problem

No two I did put in the chest, but the third one it said it was a system file and kept asking like “are you really sure?” so I left it where it was in case it would mess anything up. I have tried rescanning the file that I didn’t put in the chest and it still comes up as “threat”.

Thanks!

Cool I guess I’ll just keep looking for an update then and then rescan the file and see if it still pops up as bad.

So I was on the phone with Avast support and the guy did that thing where he took over my computer. He made that last file go into the Virus chest. I still don’t believe it’s real malware, but he said going off what Avast said he thought we should put it in the chest just to be safe.

Honestly, I find it very very difficult to believe that this is malware and I wish someone could tell me a definitive yes or no. The guy on the phone pretty much just said to trust the software but literally EVERY time in the past I have had this happen it turned out that Avast was detecting legitimate safe software falsely.

I would really appreciate it if one of the malware guys could tell me if there is anything else I should scan the file with. I already did super anti spyware and malwarebytes.

I don’t bear your tech guy any ill will, but of course he tried to sell me on a tech support package. I think that is inappropriate in this situation, as I don’t even know if this is a real threat yet or not. He was very polite but still I think that’s a bit premature.

Agreed - inappropriate!
It’s not a virus. stacsv64.exe is part of C-Major Audio 1.X developed by SigmaTel; Reports to windows task manager as ‘IDT PC Audio’ on Windows 7 64 bit. I scanned all three versions of the file on a Win7-64bit machine with Defender, Malwarebytes and Superantispyware and they came up clean. I do not have this file on my Win8 machines.

If you’re still unsure, you could temporarily disable Avast and run an ESET online scan. http://www.eset.com/us/online-scanner/ Put the files back first, though, so it can scan them. If you come up clean after ESET, you’re golden. Just make a rule in Avast to designate them as exceptions, not to be scanned in the future.

Also, you could upload the files for scanning to Virus Total https://www.virustotal.com/

With your files being in the chest, are you having any audio issues? Just curious.
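
A local check that complements the second-opinion scans suggested above, as an added example that is not part of the thread: it records the SHA-256, Authenticode status and version-info vendor of each flagged copy and reports whether the copies are identical. It assumes PowerShell 4.0 or later (for `Get-FileHash`); the paths are the ones listed in this thread.

```powershell
# Added example: triage the three flagged copies before filing a false-positive report.
# Paths come from this thread; the report layout is an assumption of this example.
$paths = @(
    'C:\Program Files\IDT\stacsv64.exe',
    'C:\Program Files\IDT\WDM\stacsv64.exe',
    'C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_b27a28765e622f18\stacsv64.exe'
)

$report = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        # A copy that was quarantined or removed cannot be checked in place.
        [pscustomobject]@{ Path = $p; Present = $false; SHA256 = $null
                           Signature = $null; Signer = $null; Company = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    $ver = (Get-Item -LiteralPath $p).VersionInfo
    [pscustomobject]@{
        Path      = $p
        Present   = $true
        SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Company   = $ver.CompanyName   # informational only; version info is not authenticated
    }
}
$report | Format-List

$present = @($report | Where-Object { $_.Present })
$hashes  = @($present | Select-Object -ExpandProperty SHA256 -Unique)
if ($present.Count -eq 0) {
    'No copies on disk; restore them from quarantine before checking.'
} elseif ($hashes.Count -eq 1) {
    'All present copies are byte-identical: ' + $hashes[0]
} else {
    'Copies differ; look up each hash separately.'
}

# NotSigned alone is not evidence of infection: driver-package files may be
# signed through a catalog file rather than an embedded signature.
$present | Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { 'Signature not valid ({0}): {1}' -f $_.Signature, $_.Path }
```

The SHA-256 values can be searched on VirusTotal without uploading the file, and pasted into the false-positive report alongside the paths.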

Hi Simrick

No I haven’t seen any audio issues, but the only thing I tried was to play a song in iTunes.

I’ll try restoring the file and then putting it on that virustotal thing you said. Thanks again for your help.

Well interestingly enough Avast will not restore the file so I can submit it to virus total. I tried restoring three times and restarted the computer but the file is not back where it was previously. So I guess there is nothing I can do now to check it?

Reported for virus analyst

Hi, what does that mean? Does that mean someone can tell me how to restore it so I can scan it?

To be clear I right clicked the item in the virus chest and hit restore, and then avast asked to run and I clicked yes. Then nothing happened. I checked the file location and the item was not there. Tried three times and restarted computer to no avail. Not sure what happened. I just wanted to submit it to virus total to double check it.