False warning?

Hi,

This evening, while executing my weekly light scan (I run a deeper one on Sunday), I got this virus alert:

avast! [REZ-DE-CHAUSSEE] : Fichier “C:\Documents and Settings\Admin\Mes documents\Arrivages\Installés\Images\virtualdubmod_virtualdubmod_1.5.10.1_francais_45486.exe” est infecté par “Win32:Adware-gen [Adw]” virus.
“_ Mon analyse légère” tâche utilisée

The mentioned file is the installation program of the French version of VirtualDub (or an add-on to localize it).
This is a well known video program.
What’s more surprising is the fact that it has been present for months on my disk, without any warning till today!

I’m not sure it’s possible to post files somewhere, in case someone would like to analyse it more thoroughly - in any case I wouldn’t post without having been invited to do so.
I doubt it really contains a virus - but I don’t use this program, I’ve just run it a few times just after installation, to see what it can do, and never again since then.

Can you submit the file to www.virustotal.com and check?

Thanks for this jet answer :slight_smile:

I went to www.virustotal.com.
My first attempts were without success, since the site answered that it received 0 bytes…
till I realized that I had to stop Avast LOL

Here is the link to the result (or I’m supposed to post the text?)

http://www.virustotal.com/fr/analisis/d0de62c5114fa4310484d174afab80a443684a8054a116b3358c7b0c888bb85a-1256023016

Wow, 17 out of 41 :o
Definitely malware, not a false positive.

Hi anaigeon,

Wasn’t the developer aware of this? Read this link, where he reported some work-arounds on the code and started flaming AV vendors for the detection: http://www.virtualdub.org/blog/pivot/entry.php?id=245
At least the issue is a little controversial; here they report a worm:
http://www.prevx.com/filenames/1920631375628518756-X1/VIRTUALDUB-V1.6.17.EXE.html
This is because heuristics are being used more and more, and simply because the
UPX executable compressor was used on the software, it is detected as a worm/trojan.

You could check this at avast or ask whether this actually is the reason for it to be flagged;
typical for this are the flags “AdWare.Rabio.db (Not a Virus)” and Comodo’s
“Unclassified Malware”, all typical for a heuristic find.

According to Google, VirtualDub might be bundled with malware,
but at Unmasked Parasites the site is given as clean…
This source may be secure: http://virtualdub.sourceforge.net/
Or use an alternative like: http://sourceforge.net/projects/camstudio/

polonus

Thank you very much. I’ll probably delete this file, or consider getting the latest (English) version, in which they seem to have taken this problem into account, if I understand correctly a comment on the sourceforge page.
Alain

Hi anaigeon,

Glad we could help with the additional info, welcome to the forums here,
stay safe and secure is the wish of,

polonus

Can Notepad.exe be a false positive from Malwarebytes?

Here are the logs:

Malwarebytes’ Anti-Malware 1.41
Database version: 3001
Windows 6.0.6002 Service Pack 2

10/20/2009 10:38:34 PM
mbam-log-2009-10-20 (22-38-30).txt

Scan type: Quick Scan
Objects scanned: 31578
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: (“%1” /S) → No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: (regedit.exe “%1”) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
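A host-side check for the two handlers the MBAM log above flagged as Broken.OpenCommand, as an added example that is not part of the thread or of Malwarebytes’ own tooling: it reads the default value of each key and compares it with the “Good:” value MBAM expects. The expected strings and key paths are taken from the log; the normalisation rule is an assumption of the example.

```powershell
# Added example: verify the two file-association handlers that the MBAM log
# reported as Broken.OpenCommand. Expected values come from the "Good:" side
# of the log entries. Run on the scanned Windows machine.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\scrfile\shell\open\command' = '"%1" /S'
    'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command' = 'regedit.exe "%1"'
}

function Test-OpenCommand {
    param([string]$Path, [string]$Expected)
    try {
        # "(default)" is how PowerShell exposes a key's unnamed value
        $actual = (Get-ItemProperty -Path $Path -ErrorAction Stop).'(default)'
    } catch {
        # Key absent: the file type has no shell\open\command at all
        return [pscustomobject]@{ Key = $Path; Status = 'MISSING'; Actual = $null; Expected = $Expected }
    }
    # Assumed normalisation: collapse whitespace and ignore case, so that
    # "NOTEPAD.EXE  %1" vs "notepad.exe %1" is one difference, not two
    $norm = { param($s) (("$s" -replace '\s+', ' ').Trim()).ToLowerInvariant() }
    $status = if ((& $norm $actual) -eq (& $norm $Expected)) { 'OK' } else { 'CHANGED' }
    [pscustomobject]@{ Key = $Path; Status = $status; Actual = $actual; Expected = $Expected }
}

$results = foreach ($k in $expected.Keys) { Test-OpenCommand -Path $k -Expected $expected[$k] }
$results | Format-Table -AutoSize

# A CHANGED handler means .scr or .reg files are handed to the program shown
# in Actual (here NOTEPAD.EXE) instead of being executed or imported. Whether
# that is unwanted, or a deliberate setting to be ignored, is a per-host decision.
```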

Submit it to www.virustotal.com to check.

Update MBAM to 3009, as it could be a false positive in your update but may have to be ignored:
http://www.malwarebytes.org/forums/index.php?showtopic=26770&hl=notepad