Is This A False Positive?

It detected 3 files and here are a few screenshots
http://img.photobucket.com/albums/v210/nami05/thisthing.jpg
http://img.photobucket.com/albums/v210/nami05/moreinfo.jpg
and here are the results that they found
http://img.photobucket.com/albums/v210/nami05/avastresults.jpg

I restored one of them just now. Should I restore them all?

Hi sooflymami,

Welcome to the forum. A few things.
The first two pictures don’t say much except that the files are part of your OS and need to be replaced for the stability of the system.

So far not so good.

The last pic is the most important. Can you tell us the full name of the infection?
Also, what did you do with these files? (deleted them or sent them to the VirusChest?)

I sent them to the virus chest and then restored them and went to virustotal.com and typed in
c:\WINDOWS\system32\oembios.bin and C:\Windows\I386\OEMBIOS.BI_
but the results came out to be OK. Here are the exact file names: http://smg.photobucket.com/albums/v210/nami05/?action=view&current=viruschest.jpg

sooflymami, it is a good idea to put the type of system and operating system you are using in the forum Profile in Forum Profile Information for your ID in the Signature: area to help in diagnosing problems or at least put this information in your topic:
http://forum.avast.com/index.php?action=profile

It’s not letting me write that information down in my profile for some reason. But I’m using Windows XP on a laptop.

Sooflymami has Windows XP SP2. A Laptop is what is being used.

Can you please post the URL to the virustotal results for each of these files.

Windows XP SP3 has been available for almost a year and has several Critical Updates so in IE go to Tools then Windows Update and download all updates.

Go to Control Panel then Automatic Updates then enable Automatic (Recommended) to enable updates or at least set it to Notify me but don’t automatically download or install them.

Run Secunia Online Software Inspector to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Tuesday 14th of April is Patch Tuesday with several Critical Updates to be applied.

You have to have 20 posts; unfortunately YoKenny didn’t notice that when he suggested you edit your profile.

The problem comes from drive-by spammers who, having registered, put objectionable or commercial links in their profile signature to try and gain link promotion, etc.

There have also been cases of the PM function being abused to spam forum members, so you will notice that you can’t use the PM function either.

Unfortunately because of the actions of others legitimate members suffer by the actions to prevent this spamming.

http://www.virustotal.com/analisis/25e2144e959d4203228e374a36d8e141
http://www.virustotal.com/analisis/d127679723e648dd0acb5818b530ed19
Those files turned out to be clean, plus I scanned with SAS and it didn’t detect anything, so I think avast made a false positive. I’m afraid to run a scan on avast because I’m worried it will detect those same files again, or other files, and make mistakes. I’d like avast to fix this problem so it won’t detect those 3 files again next time I scan them… I highly doubt it’s an infection because the SAS and Virustotal results turned out to be clean.

Avast doesn’t detect those files on that virustotal result. That strongly suggests that since the original detection the virus database has been updated, it was a FP, and has now been remedied.
To double check that right click any of the files in the chest and select scan. They will now almost certainly scan clean, and after restoring them (if you haven’t already), the entries can be deleted from the chest.

Do you mean that avast shouldn’t detect those files as a virus anymore since the new definition database has been updated?

Yep. That’s exactly it.
FPs are often corrected very quickly via the database updates.
(I have mine set to check for updates every hour. The default is somewhat longer.)

I’m a little nervous…what if I scan it again on Avast and if it detects those same files again? What should I do?

If that happens, it will be fairly weird. But if it does, post back here, and let us know what database version you are using (which can be found by right clicking the system tray icon, and looking under “about Avast”.)
I can’t see how the virustotal results would be different from your own if you are up to date; virus total uses the latest definitions available.
Currently the version is dated 12/04/2009, file version 090412-0 on my installation.
[edit]
Just to confirm, scan them inside the chest first. If they scan clean there, they should also scan clean when in their original location.
I’m 99%~ certain you don’t have a virus, at this point.

It isn’t unusual to not have avast detect on VirusTotal when it does so on your system. VT isn’t able to update the VPS in real time as the user is and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.

So it isn’t entirely correct that avast may have corrected the detection (they would have had to have had samples to do that). However the date in the VT results for avast showed 10 April 2009, which is now two days out of date.

Even if you were to scan again (outside the chest) it will only alert and give options, it doesn’t do anything automatically, you choose what options and in this case it would be No Action.

So do you think there is a likelihood of this being an actual virus, DavdR?
How should she proceed?

Unlikely, I believe that there is another topic (at least one) on this file c:\WINDOWS\system32\oembios.bin and the back-up copy at C:\Windows\I386\OEMBIOS.BI_.

So they should be submitted to avast for further analysis as a probable false positive.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Okay, I just went to the virus chest on Avast and then right clicked on those 3 files and then emailed to Alwil Software. Nothing popped up and no message showed up after I clicked that, but I think it’s sent since I clicked on that. How many days should I wait so I can scan on Avast to see if it’s fixed or not? And would someone let me know if it’s a FP or not?

To be sure it has been sent, right click the tray icon, select “updating>iAVS update” and while it is checking for updates, (if I’ve read it correctly) the samples will be sent.