igfxdiag coming up as Win32:Malware-gen

Hi, I’d like some guidance.

While running an MBAM scan, Avast! popped up to warn me about

C:\WINDOWS\system32\igfxdiag.exe

Specifically, that there was a sign of Win32:Malware-gen, I believe.

I put it in the chest, but would like to verify it. The file has a “last changed” date of 7/1/2004, although I suppose that could be faked. Rescanning in the chest still shows it as a virus, FileID:145.

How do I go about having this verified?

I hope I’m not being too dense, but I just want to make sure I know what I have. I’ve been pretty careful out there, but stuff can still happen.

Thanks.

To check it, send the file to VirusTotal.

Thanks. It’s in the “Chest.” Do you know where that would be in my filesystem – or in the documentation?

Follow the details here, which should allow you to upload the file for checking:
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here (the URL in the address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I had this too while running an MBAM scan. I uploaded the file to VirusTotal and only Avast and GData said it had signs of WIN32:Malware-gen. Is it an F/P then?

Thanks, DavidR – sorry to make you repeat yourself – I found your instructions in one of the other threads.

My VirusTotal results are the same as juiceUK. Under the circumstances I’m going to restore this file and cross my fingers.

Thanks again for everyone’s help!

EDIT: the VirusTotal analysis page for this file is .

EDIT 2: And I just emailed it to Alwil directly from the Chest.

Thank you for submitting the file. The result shows that it is a highly probable false positive, please send it to avast for analysis. Send it to virus@avast.com. The ideal way to send such files is to compress them as a ZIP file with the password virus.

Sorry, .: L’ arc :. – looks like I made my second edit while you were replying. :-[

Anyway, I sent the file directly from the Chest, with a brief explanation and a reference to the forum posts. Hopefully, that will be good enough.

Thanks.

Yes, almost certainly an FP, as GData also uses avast as one of its two scanners.

Periodically scan the file within the chest; when it is no longer detected, you can conclude that the FP has been corrected in a VPS update.

In the meantime, restoration is fine, but you will first have to exclude the file and full path (C:\WINDOWS\system32\igfxdiag.exe) from the standard shield, or when you move/restore it avast will alert again.

Avast found the same thing in C:\Program Files\Spyware Doctor\avdb\temp\7729802C.vbt

Spyware Doctor was running its scheduled scan and all of a sudden Avast pops up saying it found Win32:Malware-gen in that. This is a false positive, isn’t it? Should I restore it now and do a system restore, or would restoring this type of file be enough?

Follow the above instructions in Reply #3 to confirm if it is or isn’t an FP and report the findings.

Never restore without confirming.

I followed the instructions and only 2 found something in it, Avast and GData.

Here’s the link to the VirusTotal Scan.
http://www.virustotal.com/analisis/3b771b858475b9eadacf602114a1efab59d8ed1306ea36ab754ee9559e8e8928-1260147688

EDIT
Had to rescan with VT since my link wasn’t working.
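Before trusting a VirusTotal verdict, it is worth confirming that the file you exported from the Chest to the excluded C:\Suspect folder is byte-for-byte the sample the report describes. The report link posted above carries the sample’s SHA-256 and the scan time in its last path segment, so the check below recomputes the local hash and compares it. This is an added example, not code from the thread or from avast; it assumes the .../analisis/<sha256>-<epoch> link layout seen above and uses a constructed stand-in file rather than the real igfxdiag.exe.

```python
"""Check a local file against the SHA-256 embedded in a VirusTotal report URL.

Added example (not from the forum thread or avast). Assumes the report URL
ends in <sha256>-<unix-epoch>, as in the link posted above, and that the file
has already been exported from the Chest to an excluded folder.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# The report link ends with a 64-hex SHA-256, a dash and a unix timestamp.
_REPORT_RE = re.compile(r"/([0-9a-fA-F]{64})-(\d+)/?$")


def parse_report_url(url):
    """Return (sha256 lower-case, scan time as UTC datetime) from a VT report link."""
    m = _REPORT_RE.search(url.strip())
    if not m:
        raise ValueError("not a recognised VirusTotal report URL")
    scanned_at = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), scanned_at


def sha256_of_file(path, chunk=1 << 20):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_against_report(path, url):
    """True only if the local file is exactly the sample VirusTotal analysed."""
    expected, _ = parse_report_url(url)
    return sha256_of_file(path) == expected


def write_constructed_sample(directory=None):
    """Write a constructed stand-in for the exported file and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="suspect_")
    path = os.path.join(directory, "igfxdiag.exe")  # constructed, not the real binary
    with open(path, "wb") as f:
        f.write(b"MZ" + b"constructed sample content, not a real executable\n" * 64)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample()
    print(sample, sha256_of_file(sample))
```

If the hashes differ, the exported copy is not the file the report was generated for, and the verdict on the report page says nothing about it.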

Yes, it looks that way; as I mentioned, GData also uses avast as one of its two scanners.

In the meantime, restoration should be OK, but you will first have to exclude the file and full path (C:\Program Files\Spyware Doctor\avdb\temp\*.vbt) from the standard shield, or when you move/restore it avast will alert again.

However, having had another look at this file name and path (shouldn’t have been so quick first time round), it looks like it isn’t a false positive in the true sense, as I suspect this may be bad practice on the part of Spyware Doctor by not encrypting its virus database. That is why I have put the *.vbt in the path: if this is truly a temporary file the numbers are likely to change, and the * is a wildcard that should take care of that.

So avast has been able to take a peek inside the avdb (AntiVirusDataBase) temp folder and .vbt file and found a pattern match to a virus signature.

Were you doing a Spyware Doctor scan or a Spyware Doctor update at the time of the alert?

I don’t know, in the light of what I have said above, if this should be sent to avast for analysis, but it won’t hurt:

You can send it from the Infected Files section of the Chest (select the file, right click, email to Alwil Software), as a Possible false positive, you could give a link to this topic to help. It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Spyware Doctor was running a full scan; it is set to start scanning at 6:00pm Central every day. Is it safe for me to do what you said and exclude (C:\Program Files\Spyware Doctor\avdb\temp\*.vbt)? I guess I’m afraid that if a virus somehow gets its way in there it can’t be detected.

I right-clicked the file and selected Email to Alwil Software and then I did a manual update. [Sorry that I sent it twice; I wasn’t 100% sure I did it correctly the first time, so I did it again.]

-EDIT-
When I tell it to e-mail the file nothing appears; is that what it is supposed to do? Or should I have gotten a pop-up when I told it to e-mail?

Since I was done with the suspect folder I deleted the file in it; I guess I wasn’t thinking when I did that. Avast detected it when I deleted it, so I just let avast delete it after detecting it. That should be OK, right, since it’s still in the chest to restore to normal anyway?

Well, I don’t use Spyware Doctor (SD), so I don’t know what the purpose of that Temp folder is within the avdb folder. I can’t even find any useful information on the .vbt file type to be of any help.

It may be that for scans it unpacks its database to try and speed scans, or possibly, like avast, it uses the avast4 folder to unpack archives so their contents can be scanned. So it could be possible that something that SD opens to be scanned is first hooked by avast and scanned. After running an SD scan, is that temp folder emptied of .vbt files (like avast empties the avast4 folder after a scan)?

So there is more to this than first meets the eye and you need to seek confirmation from the SD support forum as to what this temp folder and the .vbt files are/do.

So, contrary to my advice on the exclusion of the *.vbt, until we know what the purpose of these files is it could be leaving a hole in security. Whilst it would be possible for a virus to get in there, it would also have to have a .vbt file extension/type to also be excluded, so it is a risk, but not, I would say, a high risk.

I just scanned the file in the Virus Chest and it says not infected; it must have been fixed with the last update. I restored it and scanned it again and Avast finds nothing wrong with it. Thanks a bunch, guys.

You’re welcome, thanks for the feedback.

Yep. Beat me to it, Avastiest.

What exactly is this false positive? I had it in my start-up services, but so far at least nothing has popped up from Avast? I did an MSConfig to uncheck it.

Jack