False positive? Win32:32:Evo-gen(susp).

Hi

Just updated Avast Free and got a message saying I have Rootkit. SVC:CCALib8>C:\CALMAIN.exe
Name Win32:Evo-gen(susp)

I followed instructions to remove and do a boot time scan. The laptop then restarted and after a few minutes I got the same message again.

I took a look at your forums and see many saying this is a false positive. Which I’m hoping to be the case. If Avast says it’s removed it, why has the message popped up again?

Any help appreciated.

I’m on Vista, I have ad-aware and spywareblaster as well as avast home free.

I just ran a quick scan which found no threat and says “everything is good”

I looked in the virus chest and there is nothing that relates to this message in there at all. If Avast removed this threat, wouldn’t it be in the chest?

Thanks

If Avast removed this threat, wouldn't it be in the chest?
No, there is a difference between removing (deleting) and moving.

The name of the file indicates it belongs to Canon software.
However the location is not where it normally is and that is at least suspicious.
Please follow the instructions as mentioned here: http://forum.avast.com/index.php?topic=53253.0

Thanks. I hope that isn’t as complicated as it looks :confused:

Detection already reported by another user. http://forum.avast.com/index.php?topic=137616.0

Pondus

Ahh, does that mean I still have to go through the procedure recommended by Eddy or not? (Sorry, not very techy.)

Thanks

I would wait with that … follow the instructions in the other post about how to report it to Avast.
You may give a link to this topic in case the Avast lab replies here.

Pondus

I have right-clicked “show last pop-up” and it is greyed out, so I don’t know how or where to find the file to email Avast (it’s not in the chest)?

If using the chest option, you need to manually move it to the chest first (it will only be a copy). See how to use the chest below.

You can upload files and report issues to avast here : http://www.avast.com/contact-form.php (select subject according to Your case)

You can use mail:
Send to virus@avast.com in a password-protected zip file
Mail subject: False Positive / undetected sample (select subject according to your case)
Zip password: infected

Or you can send files from the Avast chest.
How to use the chest: http://www.avast.com/faq.php?article=AVKB21

Thanks… but as I said, “show last pop-up message” is greyed out and therefore unavailable, so I cannot access the file unless there is another way to find it.

Do you find it here? C:\CALMAIN.exe

Anyway, the user in the other post has sent it to the Avast lab.

I haven’t tried to look!

Okay, I will see what happens tomorrow. If you have found it to be a clean file, hopefully the pop up will be fixed by avast.

I wonder why that line is greyed out though?

I wonder why that line is greyed out though?
Have you rebooted since the last pop-up? Anyway, this is not where you find the file.

No I haven’t rebooted.

I just received the same message. I located the file (Calmain.exe) in the C:\Program Files\Canon folder and then scanned the file with both MBAM and Avast!. No threat was found. My conclusion is that on my computer this is a false positive.

I also received the same message. The file was found in C:\Program Files\Canon\CAL. So it was the proper location for the CALMAIN.exe, according to this info:

http://www.file.net/process/calmain.exe.html

I tested this file using the following online testers; here are the results (it seemed that I wasn’t the only one who tested this file):

https://www.virustotal.com/en/file/1cf4ca789312b9ab20e00bbfcc20084e6daa797ce64faa78b5dee482d621a289/analysis/1382481053/
https://www.metascan-online.com/en/scanresult/file/9c575d9a4f2e43819a9ad7496f96e907
http://virusscan.jotti.org/en/scanresult/506ab555ded5e1710388d3a64bec87067cf14b3d/67b83c23af82b54ac97745dce79bddf735cbeff0

TL;DR: only Systweak in the metascan tagged it as malware.gen; in the other cases nothing was found.

I just had the pop-up again shortly after I logged on.

trg

How do I look for the file? I’m on Vista. Thanks.